What's left to doo on NTS

Gary E. Miller gem at rellim.com
Sun Mar 3 22:25:11 UTC 2019


Yo Hal!

On Sat, 02 Mar 2019 23:49:14 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> devel at ntpsec.org said:
> > Partial validation means you don't follow the cert chain to the
> > root. In the off-net scenario, it means you stop folloing the chain
> > when you'd have to go outside the network perimeter you're
> > in.  ...  
> 
> > https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning  
> 
> Thanks, but I'm missing something critical.
> 
> I thought most systems came with a collection of trusted/root
> certificates. What do I have to go outside-the-network to get?

CRLs: https://en.wikipedia.org/wiki/Certificate_revocation_list

Or, on the flip side, maybe your walled garden is using a private CA
for which your local host has no intermeditate/root certs.

> As far as I can tell, there is no good reason for the intermediate
> certificate if you are small or just testing.

Which is not inclusive of all our use cases.

> I tell the NTS-KE server to use a certificate file that contains both
> the server certificate and the intermediate certificate.  I assume
> the server sends both to the NTS-KE client.  I told the NTS-KE client
> to use/trust the root certificate.  It works.

Sort of.  You are not checking the CRL.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190303/9ff9864d/attachment-0001.bin>


More information about the devel mailing list