Cert pinning

Gary E. Miller gem at rellim.com
Thu Mar 28 23:50:16 UTC 2019


Yo Richard!

On Thu, 28 Mar 2019 18:43:15 -0500
Richard Laager via devel <devel at ntpsec.org> wrote:

> You've mentioned DANE a couple of times. I've been mostly ignoring
> that, as I was discussing manually pinning in ntp.conf.

Bad idea.  We are both discussing manual pinning in ntp.conf.

> Do we want to support DANE? If so, instead of or in addition to manual
> pinning in ntp.conf?

Nope.  At least not for a long time.

I bring up DANE because it is very well documented, well understood,
and well deployed.  Even ntpsec.org uses it.  The DANE people thought
of all the different ways you might want to do the hash and what gets
hashed.

That hash, with its options of hash type and what is hashed, can go in
DNS, or just in the ntp.conf file.  So 90% of the RFC can be the
template for what goes in ntp.conf.

Oh, just to make this fraudulent cert thing real, I'll remind
everyone of when someone got a valid *.google.com cert:

https://www.esecurityplanet.com/browser-security/fraudulent-ssl-cert-for-google-revoked.html

A simple google will bring up many other serious events.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
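The "hash type and what gets hashed" options Gary refers to are the TLSA selector and matching-type fields of RFC 6698. The block below is an added illustration, not NTPsec code or anything from this thread: it applies those two fields to an in-memory certificate so it runs offline. The DER helpers, the function names, and the unsigned toy certificate built by `build_toy_cert` are all my own constructions; what it shows is that a SubjectPublicKeyInfo pin (selector 1) survives a certificate renewal on the same key, while a whole-certificate pin (selector 0) does not.

```python
import hashlib
import hmac
def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with the canonical (shortest) length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def der_children(der: bytes) -> list:
    """Split a DER byte string into its top-level (tag, body) elements."""
    out, i = [], 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        out.append((tag, der[i:i + n]))
        i += n
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo: 7th tbsCertificate field (6th once the [0] version is dropped)."""
    tbs_body = der_children(der_children(cert_der)[0][1])[0][1]
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                          # skip explicit [0] version
        fields = fields[1:]
    return der_tlv(*fields[5])

def tlsa_pin(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Association data as TLSA defines it: selector 0 = whole certificate,
    1 = SubjectPublicKeyInfo; matching 0 = raw bytes, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[matching](data)

def pin_matches(cert_der: bytes, pin: str) -> bool:
    """pin = '<selector> <matching> <hex>', TLSA field order minus the usage field."""
    sel, mt, hexdata = pin.split()
    return hmac.compare_digest(tlsa_pin(cert_der, int(sel), int(mt)), bytes.fromhex(hexdata))

def build_toy_cert(serial: int, pubkey: bytes) -> bytes:
    """Constructed, unsigned stand-in in RFC 5280 field order (not a real cert)."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey))
    name, validity = der_tlv(0x30, b""), der_tlv(0x30, der_tlv(0x17, b"190328000000Z") * 2)
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
           + alg + name + validity + name + spki)
    return der_tlv(0x30, der_tlv(0x30, tbs) + alg + der_tlv(0x03, bytes(9)))
```

A pin string such as `"1 1 <hex>"` is exactly the tail of a TLSA record, so the same value could be published in DNS or written into ntp.conf.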