What's left to do on NTS

Daniel Franke dfoxfranke at gmail.com
Sat Mar 2 14:40:30 UTC 2019


On Fri, Mar 1, 2019 at 11:39 PM Gary E. Miller via devel
<devel at ntpsec.org> wrote:
> Not complete security, but at least encryption.  And there are
> levels of validation.  If you are off net, you can't completely
> validate the cert, but you can partially validate it.  Maybe you
> would want to pin it.

Encryption doesn't work without authentication; a MitM can cause you
to negotiate keys with *him* instead of the endpoint you think you're
communicating with.

You can skip the notBefore/notAfter constraints under the
circumstances described in the RFC. Otherwise, either do full
validation or don't bother with NTS at all. Pinning counts as full
validation.
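Added example, not code from this thread or from ntpsec: a standalone Go program illustrating the two acceptable client-side options Daniel describes for the NTS-KE TLS connection. With no pin, the Go TLS library does full chain, name and notBefore/notAfter validation against the system roots; with a pin, that validation is replaced by a SubjectPublicKeyInfo hash check, which is how I read "pinning counts as full validation" (an assumption, as is using the ALPN identifier "ntske/1"). The two certificates and the host name nts.example are constructed in-process so the program runs offline; the "MitM" certificate carries the same name as the genuine one but a key the attacker holds, which is exactly what the pin rejects and what unauthenticated encryption would accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// spkiPin is the value an operator records when pinning a server key:
// the SHA-256 of the certificate's SubjectPublicKeyInfo.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// pinVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts
// the peer only if its leaf key matches the pin. A MitM terminating the TLS
// connection must present a key it holds, so it cannot match.
func pinVerifier(pin [32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("parse peer certificate: %w", err)
		}
		if spkiPin(leaf) != pin {
			return errors.New("peer public key does not match the pinned key")
		}
		return nil
	}
}

// ntskeClientConfig builds the client side of an NTS-KE connection. With pin == nil
// the library performs full chain, name and validity-period checks against the
// system roots; with a pin, those checks are replaced by the pin check (assumption:
// this is what "pinning counts as full validation" means). Neither path offers
// encryption without authentication.
func ntskeClientConfig(serverName string, pin *[32]byte) *tls.Config {
	cfg := &tls.Config{
		ServerName: serverName,
		NextProtos: []string{"ntske/1"}, // NTS-KE ALPN identifier (assumption)
		MinVersion: tls.VersionTLS13,
	}
	if pin != nil {
		cfg.InsecureSkipVerify = true // chain/time checks replaced by the pin, not dropped
		cfg.VerifyPeerCertificate = pinVerifier(*pin)
	}
	return cfg
}

// selfSignedCert makes a throwaway certificate (constructed test data) so the
// example runs offline.
func selfSignedCert(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshakeWithPin runs a TLS 1.3 handshake over a loopback TCP socket against a
// server presenting serverCert and returns the client's verdict.
func handshakeWithPin(serverCert tls.Certificate, pin [32]byte) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			NextProtos:   []string{"ntske/1"},
			MinVersion:   tls.VersionTLS13,
		})
		_ = srv.Handshake() // fails when the client rejects our key; expected
		srv.Close()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	cli := tls.Client(conn, ntskeClientConfig("nts.example", &pin))
	defer cli.Close()
	return cli.Handshake()
}

func main() {
	genuine := selfSignedCert("nts.example")
	mitm := selfSignedCert("nts.example") // same name, attacker's key
	pin := spkiPin(genuine.Leaf)
	fmt.Println("genuine server:", handshakeWithPin(genuine, pin)) // <nil>
	fmt.Println("MitM server:   ", handshakeWithPin(mitm, pin))    // pin mismatch error
}
```

The pinned path is also the one that sidesteps notBefore/notAfter, since no certificate dates are consulted at all; in the unpinned path the library enforces them, so a client that has no trusted time source yet must either pin or accept that validation can fail until it has one.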

