NTS - lesson in certificates/keys please

Gary E. Miller gem at rellim.com
Fri Jan 18 05:35:00 UTC 2019


Yo Hal!

On Thu, 17 Jan 2019 19:34:48 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> Could somebody give me a lesson in certificates and keys?

I'd hate to try to reinvent that wheel.  It is, intentionally, just
like https uses.

Here is a fair description:

https://robertheaton.com/2014/03/27/how-does-https-actually-work/

> I'm somewhat familiar with certificates as used in HTTPS.  Are there
> other common uses?

smtp, imap, pop, sip, etc.

> What sort of certificates do we need for testing?  Where do we get
> them

Let's Encrypt: https://letsencrypt.org/

> I think the NTS-KE-server needs the private key for the
> certificate(s) it supports.

Nope.  Only for its own cert.

>  Should we put it in a separate process
> so bugs in ntpd can't expose the private key?

Nah, Let's Encrypt puts it in a file with a standard location.

> That also allows us to write NTS-KE-server in a HLL.

Uh, lost me?

> There is an interesting corner case.  Telco companies like to put
> spares on the shelf and expect them to work 10 years later.  How
> often do root certificates roll over?

Let's Encrypt does this every 90 days.  Commercial certs can be up
to five years, but then can be canceled when the CA gets hacked.

> I assume the normal TLS stuff uses a collection of root certificates
> that are distributed via the normal OS/Distro update mechanism.

Mostly.  Usually in /etc/ssl/certs

> That
> won't work if the box is sitting on a shelf.  Can

Many root certs are for 10 years or more.  I would shoot any admin that
put a server live that had been sitting around for 10 years w/o updates.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
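The "spare on the shelf for 10 years" corner case raised above can be checked mechanically against the certificates a box actually ships with: the server's own (Let's Encrypt style, short-lived) certificate and the root bundle under /etc/ssl/certs each carry a notAfter date, and `openssl x509 -checkend <seconds>` reports whether a certificate will still be valid that far in the future. The script below is an added example for this thread, not NTPsec code and not anything from the original message. It assumes the `openssl` command-line tool is installed, and the two certificates it audits are constructed on the fly (a 30-day self-signed cert standing in for a short-lived server cert, and a 20-year one standing in for a root) rather than taken from any real CA.

```shell
#!/bin/sh
# Added example, not NTPsec code. Assumes the `openssl` CLI is installed.
# Audits X.509 certificates for the "box sat on a shelf for N years" case:
# `openssl x509 -checkend SECS` exits 0 when the cert will NOT expire within
# SECS seconds from now, and 1 when it will.

# shelf_check CERT.pem YEARS -> exit 0 if still valid YEARS from now, else 1
shelf_check() {
    cert=$1
    years=$2
    # 365-day years; leap days are ignored, which is close enough for an audit.
    secs=$((years * 365 * 24 * 3600))
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        printf 'OK      %s (still valid %s years from now)\n' "$cert" "$years"
        return 0
    fi
    printf 'EXPIRES %s within %s years: %s\n' "$cert" "$years" \
        "$(openssl x509 -in "$cert" -noout -enddate)"
    return 1
}

# count_expiring DIR YEARS -> prints how many *.pem certs in DIR expire
# within YEARS (point it at /etc/ssl/certs to audit a distro root bundle).
count_expiring() {
    dir=$1
    years=$2
    n=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        shelf_check "$f" "$years" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# make_demo_certs DIR -> writes two CONSTRUCTED self-signed certs into DIR:
#   short.pem  valid 30 days   (stands in for a short-lived server cert)
#   long.pem   valid ~20 years (stands in for a long-lived root cert)
# The private keys are throwaway and written alongside as *.key.
make_demo_certs() {
    dir=$1
    for spec in short:30 long:7300; do
        name=${spec%%:*}
        days=${spec##*:}
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=demo-$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
    done
}

# Stand-alone usage: `sh shelf_check.sh demo` builds the demo certs and
# audits them for a 10-year shelf life (short.pem fails, long.pem passes).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_certs "$d"
    shelf_check "$d/short.pem" 10
    shelf_check "$d/long.pem" 10
    echo "certs expiring within 10 years: $(count_expiring "$d" 10)"
    rm -rf "$d"
fi
```

Running `count_expiring /etc/ssl/certs 10` on a live system is the quick way to see how many of the distro's trust anchors a 10-year-old spare would be missing or unable to validate; the interesting number for an NTS client is not the server certificate (which a 90-day Let's Encrypt cert guarantees will have rolled over) but the roots it needs to validate the chain the server presents.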