What's left to do on NTS

Gary E. Miller gem at rellim.com
Mon Mar 4 20:11:07 UTC 2019


Yo Hal!

On Mon, 04 Mar 2019 01:58:23 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> >> Otherwise, either do full validation or don't bother with NTS
> >> at all. Pinning counts as full validation.  
> 
> > I'd be happy if we had per host pinning instead of "noval".   
> 
> How is per-host pinning normally implemented?

Well, in Firefox, when the cert fails, you are presented with a dialog
that asks you to temporarily, or permanently, accept the cert.

Also, Firefox does automatic, invisible key pinning using the HPKP
extension to HTML.

Here is a page on how the user sees pinning:
    https://www.thesslstore.com/blog/an-introduction-to-pinning/

Here is how to get a hash of a remote cert for pinning:

$ openssl x509 -in example.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
writing RSA key
VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=

> We have the option to use a local file of trusted/root certificates.
> Can you easily get one per host to put in there?

I don't see how.  I would suspect you would put a hash of the cert
in the ntp.conf file.

Given the Comodo mess of last week I expect a lot more people will want to
do pinning next month.

Maybe something like this in ntp.conf:

cert example.com VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=


RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
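As an added example (not code from the mail or from NTPsec), here is what the per-host pinning sketched above amounts to on the client side, written in Go with only the standard library. The `cert <host> <pin>` directive is the hypothetical one proposed in the mail, the certificate is generated inside the program as throwaway test data, and the pin is the same value the openssl pipeline prints: base64 of the SHA-256 over the DER SubjectPublicKeyInfo, which Go exposes as `RawSubjectPublicKeyInfo`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PinSet maps a server name (as written in a hypothetical ntp.conf
// "cert <host> <pin>" line) to its base64 SHA-256 SPKI pin.
type PinSet map[string]string

// ParsePinConfig reads lines of the form "cert example.com <base64 pin>".
// Other directives (e.g. "server ... nts") are skipped; a malformed pin
// is a hard error so a typo cannot silently disable pinning for a host.
func ParsePinConfig(conf string) (PinSet, error) {
	pins := PinSet{}
	for n, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if f[0] != "cert" {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want 'cert <host> <pin>'", n+1)
		}
		raw, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("line %d: pin is not a base64 SHA-256 digest", n+1)
		}
		pins[strings.ToLower(f[1])] = f[2]
	}
	return pins, nil
}

// SPKIPin computes exactly what the openssl pipeline in the mail prints:
// base64(SHA-256(DER SubjectPublicKeyInfo)). Pinning the SPKI rather than
// the whole certificate survives a re-issue that keeps the same key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned checks the leaf (first) certificate the server presented
// against the pin configured for host. A host with no pin fails closed.
func (p PinSet) VerifyPinned(host string, rawCerts [][]byte) error {
	want, ok := p[strings.ToLower(host)]
	if !ok {
		return fmt.Errorf("no pin configured for %s", host)
	}
	if len(rawCerts) == 0 {
		return errors.New("server sent no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("cannot parse leaf certificate: %w", err)
	}
	got := SPKIPin(leaf)
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("pin mismatch for %s: server key hashes to %s", host, got)
	}
	return nil
}

// NewSelfSignedCert builds a throwaway P-256 certificate for the
// demonstration (constructed test data, not any real NTS server's cert).
func NewSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := NewSelfSignedCert("example.com")
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	// Hypothetical ntp.conf fragment using the directive proposed in the mail.
	conf := "server example.com nts\ncert example.com " + SPKIPin(cert) + "\n"
	pins, err := ParsePinConfig(conf)
	if err != nil {
		panic(err)
	}
	fmt.Println("same key:     ", pins.VerifyPinned("example.com", [][]byte{der}))
	other, _ := NewSelfSignedCert("example.com") // same name, different key
	fmt.Println("rotated key:  ", pins.VerifyPinned("example.com", [][]byte{other}))
	fmt.Println("unpinned host:", pins.VerifyPinned("pool.example", [][]byte{der}))
}
```

To wire this into a TLS (NTS-KE) client, set `tls.Config.VerifyPeerCertificate` to a closure that calls `pins.VerifyPinned(host, rawCerts)`; with `InsecureSkipVerify` left false the pin check runs in addition to the normal chain and hostname checks, which is the safer combination. One caveat on the openssl pipeline quoted in the mail: the `openssl rsa -pubin` step only accepts RSA keys, so for an EC key substitute `openssl pkey -pubin -outform der`, which emits the same SPKI bytes this code hashes.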