What's left to doo on NTS
Gary E. Miller
gem at rellim.com
Sun Mar 3 22:25:11 UTC 2019
Yo Hal!
On Sat, 02 Mar 2019 23:49:14 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> devel at ntpsec.org said:
> > Partial validation means you don't follow the cert chain to the
> > root. In the off-net scenario, it means you stop folloing the chain
> > when you'd have to go outside the network perimeter you're
> > in. ...
>
> > https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
>
> Thanks, but I'm missing something critical.
>
> I thought most systems came with a collection of trusted/root
> certificates. What do I have to go outside-the-network to get?
CRLs: https://en.wikipedia.org/wiki/Certificate_revocation_list
Or, on the flip side, maybe your walled garden is using a private CA
for which your local host has no intermeditate/root certs.
> As far as I can tell, there is no good reason for the intermediate
> certificate if you are small or just testing.
Which is not inclusive of all our use cases.
> I tell the NTS-KE server to use a certificate file that contains both
> the server certificate and the intermediate certificate. I assume
> the server sends both to the NTS-KE client. I told the NTS-KE client
> to use/trust the root certificate. It works.
Sort of. You are not checking the CRL.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190303/9ff9864d/attachment-0001.bin>
More information about the devel
mailing list