NTS Wildcard Certificates
Richard Laager
rlaager at wiktel.com
Mon Nov 18 07:57:01 UTC 2019
On 11/18/19 12:59 AM, Hal Murray wrote:
> rlaager at wiktel.com said:
>> Does commit 74308fa20545ae1b34708ec06e38ea244dda7c54 disable the use of
>> wildcard certificates for NTS? If so, why was that done?
>
> Looks that way. No specific reason. I was just cleaning up and tightning
> things down. It seems like it would make things slightly more secure. The
> bad guy who wants to play MITM now has to break into your time server.
> Breaking into one of its friends isn't good enough.
>
> What did I break? What's the use case for using wildcards? How often are
> they used?
I can't speak to their prevalence.
One possible use case is for a cluster of time servers. For example,
that Internet exchange time cluster I volunteered to help with (which
generated the PPS splitting questions) is time{1,2,3}.example.com for
the three servers individually and time.example.com as a round-robin.
That could be handled with a time*.example.com certificate on each.
I'm not bringing it up because of that particular case, just using that
as an example. In that particular case, my intended plan was to get a
certificate for each server with that server's name and the round-robin
name, like this: {time1,time}, {time2,time}, {time3,time}.
> Do we want to just remove that line, or add a config file option to set or
> not-set it?
Absent other information on why it should be prohibited, my personal
view would be: wildcard certificates are a normal, not obscure, feature
of TLS and ntpd should not be an outlier by arbitrarily disabling them.
--
Richard
More information about the devel
mailing list