NTS: config and initialization
Gary E. Miller
gem at rellim.com
Fri Mar 8 06:34:21 UTC 2019
Yo Hal!
On Thu, 07 Mar 2019 21:18:28 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> Gary said:
> > Why do you need a cookie file? I would think those should never be
> > stored. Ever.
>
> The cookies are sent from client to server in the clear.
Of course.
> It's the "cookie key" file, not a cookie file. Do you have
> suggestions for a better name?
What cookie key?
> It holds the K/I used to decode cookies
Let us not call it the "cookie key", let's use the terminology of
the RFC.
> -- but those are cookies
> stored on other clients.
Yes, clients store cookies. Servers store K/I/date tuples.
> The cookies that a client has are for use with other servers. The
> client's K/I won't work with them, and the client may not even have a
> K/I.
The client better not have the K/I/date date!
> > How does it know which of the myriad locations that the CA and
> > intermediate certs can be installed in to use?
>
> System defaults unless you specify a file or directory using "nts ca
> <file|dir> ".
And how do you know system defaults at configure time?
> I'm assuming that the system defaults will cover 99+% of the normal
> cases. I don't have to do anything special for my browser to work.
Because your browser includes its own cert store! Or it was customized
for your distro. There is no "normal" case.
> Yes, you will have to do something special for self signed
> certificates. Same for pinning. You can either install them in the
> system default directory or cat them together into a file.
I hope those are not the only options. But too early to get that
correct.
> The API has separate calls to set the file and directory. It
> searches the file first. I'm assuming that the system uses directory
> mode so we can use the file.
Which fails when not using the system directory.
> It may get more complicated than that,
> but I'm pretty sure we can work something out.
It will get much more complicated, but not needed yet.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
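The CA-source choice discussed in this message (system defaults unless a file or directory is given via "nts ca <file|dir>"), as an added example that is not NTPsec code and not from either poster. It uses Python's standard ssl module; the function names are hypothetical, and treating an explicit path as a replacement for the system store rather than an addition to it is an assumption.

```python
import os
import ssl


def resolve_ca_source(nts_ca=None):
    """Classify the argument of an 'nts ca <file|dir>' style setting.

    Returns ("default", None), ("file", path) or ("dir", path).
    """
    if nts_ca is None:
        return ("default", None)
    if os.path.isdir(nts_ca):
        return ("dir", nts_ca)
    if os.path.isfile(nts_ca):
        return ("file", nts_ca)
    raise FileNotFoundError("CA path is neither a file nor a directory: %s" % nts_ca)


def build_client_context(nts_ca=None):
    """Build a verifying TLS client context for the chosen trust source."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    kind, path = resolve_ca_source(nts_ca)
    if kind == "default":
        ctx.load_default_certs()  # system store; location differs per distro
    elif kind == "file":
        # Assumption: an explicit path replaces the system store (pinning case).
        ctx.load_verify_locations(cafile=path)  # PEM certs concatenated
    else:
        ctx.load_verify_locations(capath=path)  # hashed directory, looked up lazily
    return ctx


def describe_system_defaults():
    """Report where this OpenSSL build looks for CAs at run time."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,  # None when the default file does not exist
        "capath": p.capath,  # None when the default directory does not exist
        "openssl_cafile": p.openssl_cafile,  # compiled-in file path
        "openssl_capath": p.openssl_capath,  # compiled-in directory path
        "env_overrides": (p.openssl_cafile_env, p.openssl_capath_env),
    }


if __name__ == "__main__":
    for key, value in describe_system_defaults().items():
        print(key, "=", value)
```

Running the block prints the trust-store locations of the local OpenSSL build, which is a quick way to see how far a given host departs from any assumed default.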