NTS Wildcard Certificates

Gary E. Miller gem at rellim.com
Mon Nov 18 20:36:59 UTC 2019


Yo Hal!

On Sun, 17 Nov 2019 22:59:52 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> rlaager at wiktel.com said:
> > Does commit 74308fa20545ae1b34708ec06e38ea244dda7c54 disable the
> > use of wildcard certificates for NTS? If so, why was that done?   
> 
> Looks that way.

Not good.

> What did I break?  What's the use case for using wildcards?  How
> often are they used?

Wildcard certs are pretty common for cloud deployments and large
companies.

If you are running in the cloud then you have no idea what your hostname
and IP will be before you start a cloud instance.  So you use a wildcard.
You do not use a Let's Encrypt cert because "real companies" buy "real"
certs.  Partly because your google rank improves the longer your certi
expiration is.  Partly because updating a large number of certs every
80 days is a PITA.  "real" certs take time to get, and are expensive
per host.  So you plan ahead and get a wild card cert.  Which is also
cheaper if you have a lot of hosts, and easy to deploy.

> Do we want to just remove that line, or add a config file option to
> set or not-set it?

I would say another config option.  Both for client and server.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
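The check the thread is about, as an added example (not NTPsec code and not from Gary's message): how a client decides whether a server certificate's dNSName entries cover the name it dialled, with an allow_wildcards switch standing in for the config option proposed above. The SAN list and hostnames are constructed. Matching follows the RFC 6125 whole-label rule (a single '*' as the entire left-most label, never crossing a dot, never standing for a whole domain); rejecting partial-label wildcards such as pool*.example.com is a stricter policy choice of this example, not a requirement of the RFC.

```python
"""Hostname matching for an NTS-KE server certificate, with and without
wildcard support.  Added example, not NTPsec code."""


def hostname_matches(cert_name, hostname, allow_wildcards=True):
    """Return True if one dNSName from the certificate covers hostname.

    Names are compared case-insensitively and without a trailing dot.
    When allow_wildcards is False, any name containing '*' is treated as
    not matching, which is the behaviour the thread says the commit
    introduced for every peer.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in cert_name:
        return cert_name == hostname

    if not allow_wildcards:
        return False

    labels = cert_name.split(".")
    host_labels = hostname.split(".")

    # Whole-label wildcard only: '*' must be the entire left-most label,
    # no other label may contain '*', and at least two fixed labels must
    # follow it so that '*.com' can never be accepted.
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False
    if len(labels) < 3:
        return False

    # '*' stands for exactly one label: it does not match 'a.b.example.com'
    # against '*.example.com', and it does not match the bare domain.
    if len(host_labels) != len(labels):
        return False
    return host_labels[1:] == labels[1:]


def cert_covers_host(dns_names, hostname, allow_wildcards=True):
    """True if any dNSName in the certificate's SAN list covers hostname."""
    return any(hostname_matches(n, hostname, allow_wildcards) for n in dns_names)


# Constructed SAN list for a fleet certificate: the fixed name of the
# service plus a wildcard for instances whose names are only known at boot.
SAMPLE_SAN = ["ntp.example.com", "*.ntp.example.com"]

# Constructed instance names of the kind a cloud scheduler hands out.
FLEET_HOSTS = [
    "ip-10-0-1-23.ntp.example.com",
    "ip-10-0-7-9.ntp.example.com",
    "ntp.example.com",
]


def hosts_rejected_without_wildcards(dns_names, hosts):
    """Names that verify with wildcards enabled but fail once they are off."""
    return [
        h for h in hosts
        if cert_covers_host(dns_names, h, allow_wildcards=True)
        and not cert_covers_host(dns_names, h, allow_wildcards=False)
    ]


if __name__ == "__main__":
    for h in FLEET_HOSTS:
        print(h, "wildcards on:", cert_covers_host(SAMPLE_SAN, h),
              "wildcards off:", cert_covers_host(SAMPLE_SAN, h, False))
    print("would break:", hosts_rejected_without_wildcards(SAMPLE_SAN, FLEET_HOSTS))
```

With wildcards disabled, only the fixed name ntp.example.com still verifies; every instance that was covered only by *.ntp.example.com fails, which is the breakage the message describes for cloud fleets. The same function also shows what a wildcard does not buy: a.b.ntp.example.com and the bare ntp.example.com are not covered by *.ntp.example.com, so per-instance names must sit exactly one label below the wildcard.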