What's left to do on NTS

Hal Murray hmurray at megapathdsl.net
Sun Mar 3 07:49:14 UTC 2019


devel at ntpsec.org said:
> Partial validation means you don't follow the cert chain to the root. In the
> off-net scenario, it means you stop following the chain when you'd have to go
> outside the network perimeter you're in.  ...

> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

Thanks, but I'm missing something critical.

I thought most systems came with a collection of trusted/root certificates.  
What do I have to go outside-the-network to get?

I'm not a certificate wizard.  I'm debugging with self signed certificates.  
I'm using root, intermediate, and server certificates.  As far as I can tell, 
there is no good reason for the intermediate certificate if you are small or 
just testing.  It was in the cookbook I was following and I got past here 
before I figured out that I didn't need it.

I tell the NTS-KE server to use a certificate file that contains both the 
server certificate and the intermediate certificate.  I assume the server 
sends both to the NTS-KE client.  I told the NTS-KE client to use/trust the 
root certificate.  It works.


-- 
These are my opinions.  I hate spam.
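The setup Hal describes (a self-signed root, an intermediate, and a server certificate; the NTS-KE server presents server+intermediate and the client trusts the root) can be reproduced and checked with the openssl CLI. The script below is an added example, not code from this message or from NTPsec. It builds the three-certificate chain, bundles the server and intermediate certificates the way the server would present them, and then runs `openssl verify` four ways: full validation against the root with and without the intermediate available, and the "partial validation" the quoted text refers to, where the client trusts the intermediate directly and stops there (`-partial_chain`). File names, subjects, and the host name `ntske.example.test` are made up; the only thing assumed on the machine is an openssl binary recent enough to have `-partial_chain` (1.0.2 or later) and its default `openssl.cnf`, which `openssl req` needs for the distinguished_name section.

```shell
#!/bin/sh
# Added example (not from the NTPsec thread): build root -> intermediate -> server
# self-signed test chain with openssl and verify it the ways discussed on the list.
# All file names and subjects below are made up for the example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509v3 extensions for each role; passed to `openssl x509 -req` via -extfile.
cat > ext.cnf <<'EOF'
[ root_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:ntske.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Key + CSR for each of the three certificates (unencrypted keys: test use only).
for name in root intermediate server; do
  case $name in
    root)         cn="Example Test Root" ;;
    intermediate) cn="Example Test Intermediate" ;;
    server)       cn="ntske.example.test" ;;
  esac
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn" -keyout "$name.key" -out "$name.csr" 2>/dev/null
done

# Root: self-signed with its own key.
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ext.cnf -extensions root_ext -out root.pem 2>/dev/null
# Intermediate: signed by the root.
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ext.cnf -extensions ca_ext -out intermediate.pem 2>/dev/null
# Server (the NTS-KE leaf): signed by the intermediate.
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 365 -sha256 -extfile ext.cnf -extensions server_ext \
  -out server.pem 2>/dev/null

# What the NTS-KE server is configured to present: leaf first, then the intermediate.
cat server.pem intermediate.pem > chain.pem

# Number of PEM certificates in a bundle (chain.pem should hold two).
chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Full validation, as in the message: the client trusts only the root and must get the
# intermediate from whatever the server presented ($1). Returns openssl's exit status.
full_validation() {
  openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
}

# Partial validation, as in the quoted text: the client trusts the intermediate itself and
# never looks for the root. $1 = yes allows the chain to end at that non-self-signed anchor.
partial_validation() {
  if [ "$1" = yes ]; then
    openssl verify -partial_chain -CAfile intermediate.pem server.pem >/dev/null 2>&1
  else
    openssl verify -CAfile intermediate.pem server.pem >/dev/null 2>&1
  fi
}

echo "certificates in chain.pem: $(chain_cert_count chain.pem)"
full_validation chain.pem  && echo "root trusted, server sends leaf+intermediate: OK" \
                           || echo "root trusted, server sends leaf+intermediate: FAILED"
full_validation server.pem && echo "root trusted, server sends leaf only: OK" \
                           || echo "root trusted, server sends leaf only: FAILED (no issuer)"
partial_validation yes     && echo "intermediate trusted, -partial_chain: OK" \
                           || echo "intermediate trusted, -partial_chain: FAILED"
partial_validation no      && echo "intermediate trusted, no -partial_chain: OK" \
                           || echo "intermediate trusted, no -partial_chain: FAILED (no root)"
```

The second check is the one that matters for the "do I need the intermediate" question: with only the root in the client's trust store, verification fails unless the intermediate arrives alongside the leaf, which is why the server's certificate file has to carry both. The last two checks show what the quoted "partial validation" means in openssl terms: a chain may end at a trusted intermediate only if the verifier is explicitly told to allow it.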