Hal Murray hmurray at megapathdsl.net
Mon Jan 13 03:52:22 UTC 2020

The current simple setup of something like
  server ntp.example.com nts
depends on the OS root server collection.

Suppose you don't trust all those CAs.  What can you do?

One option is to extract the appropriate certificate from the installed root 
  server ntp.example.com nts ca <cert-file-here>
That means the bad guys have to compromise a particular CA rather than any one 
in the collection.

Does anybody know how to do that?  It's probably slightly different on every 

Is there a better approach?
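
One way to do the extraction asked about above, added here as an example and not part of the original message: try each certificate in a PEM root bundle as the only trust anchor until the server's chain verifies. It assumes the OpenSSL command-line tool; the script name, the bundle path and the saved chain file (for instance the output of `openssl s_client -showcerts`) are assumptions.

```shell
#!/bin/sh
# Added example: find the single root in a PEM bundle that anchors a server's chain.
# Usage: pin-root.sh BUNDLE CHAIN OUT   (script name and all three paths are assumptions)
#   BUNDLE  PEM file holding the OS root collection (location differs per OS)
#   CHAIN   PEM certificates the server presented, leaf first
#   OUT     file to receive the one matching root, for use with the "ca" option

# Write each certificate in PEM file $1 to its own file named $2.NNNN.pem.
split_pem() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s.%04d.pem", p, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { if (f != "") close(f); f = "" }
    ' "$1"
}

pin_root() {
    bundle=$1; chain=$2; out=$3
    work=$(mktemp -d) || return 1
    mkdir "$work/empty"
    split_pem "$bundle" "$work/root"
    split_pem "$chain" "$work/chain"
    leaf="$work/chain.0001.pem"
    rc=1
    for root in "$work"/root.*.pem; do
        [ -f "$root" ] && [ -f "$leaf" ] || break
        # Trust exactly one candidate root per attempt. SSL_CERT_DIR points at an
        # empty directory so OpenSSL's default CA directory cannot satisfy the check.
        if SSL_CERT_DIR="$work/empty" openssl verify -CAfile "$root" \
               -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
            cp "$root" "$out"
            # Show what was pinned so it can be compared with the CA's published fingerprint.
            openssl x509 -noout -subject -fingerprint -sha256 -in "$out"
            rc=0
            break
        fi
    done
    rm -rf "$work"
    return $rc
}

if [ "$#" -eq 3 ]; then
    pin_root "$@"
fi
```

Point the `ca` option at OUT; the file has to be regenerated if the server later moves to a certificate issued under a different root.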

