NTS Wildcard Certificates

Richard Laager rlaager at wiktel.com
Mon Nov 18 07:57:01 UTC 2019

On 11/18/19 12:59 AM, Hal Murray wrote:
> rlaager at wiktel.com said:
>> Does commit 74308fa20545ae1b34708ec06e38ea244dda7c54 disable the use of
>> wildcard certificates for NTS? If so, why was that done? 
> Looks that way.  No specific reason.  I was just cleaning up and tightning 
> things down.  It seems like it would make things slightly more secure.  The 
> bad guy who wants to play MITM now has to break into your time server.  
> Breaking into one of its friends isn't good enough.
> What did I break?  What's the use case for using wildcards?  How often are 
> they used?

I can't speak to their prevalence.

One possible use case is for a cluster of time servers. For example,
that Internet exchange time cluster I volunteered to help with (which
generated the PPS splitting questions) is time{1,2,3}.example.com for
the three servers individually and time.example.com as a round-robin.
That could be handled with a time*.example.com certificate on each.

I'm not bringing it up because of that particular case, just using that
as an example. In that particular case, my intended plan was to get a
certificate for each server with that server's name and the round-robin
name, like this: {time1,time}, {time2,time}, {time3,time}.

> Do we want to just remove that line, or add a config file option to set or 
> not-set it?

Absent other information on why it should be prohibited, my personal
view would be: wildcard certificates are a normal, not obscure, feature
of TLS and ntpd should not be an outlier by arbitrarily disabling them.


More information about the devel mailing list