What's left to do on NTS

Achim Gratz Stromeko at nexgo.de
Sun Mar 3 20:05:39 UTC 2019


Hal Murray via devel writes:
> I thought most systems came with a collection of trusted/root certificates.  
> What do I have to go outside-the-network to get?

You'll have to check the cert chain until you hit one of those trust
anchors that can't be otherwise checked since they're the start of the
chain.  Also, you'll usually check for revoked certificates (OCSP).

> I'm not a certificate wizard.  I'm debugging with self signed certificates.  
> I'm using root, intermediate, and server certificates.  As far as I can tell, 
> there is no good reason for the intermediate certificate if you are small or 
> just testing.  It was in the cookbook I was following and I got past here 
> before I figured out that I didn't need it.

Yes, in a local network you will usually not need intermediates… but
it's nice to have them anyway, since it lets you more easily delegate or
automate cert creation without creating too much of a problem if you
need to revoke some CA keys.  If you need to revoke a root CA key, then
you're royally hosed unless you really are just playing with certs for a
bit.

> I tell the NTS-KE server to use a certificate file that contains both the 
> server certificate and the intermediate certificate.  I assume the server 
> sends both to the NTS-KE client.  I told the NTS-KE client to use/trust the 
> root certificate.  It works.

As it should.  :-)


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds


