Certificate pinning

Hal Murray halmurray at sonic.net
Mon Oct 25 03:20:39 UTC 2021


[It's been quiet recently.]

I was thinking about certificates ...

I think we can implement pinning with the current code.

We need a script to fetch the certificate, follow the chain to see which root 
certificate it is using, find that certificate in the local root cert 
collection, and copy it to a safe place.

Then adjust ntp.conf to include ca <safe place>
ntpd will use that cert to verify the chain.

We need another script to verify/update things.  Maybe they are the same 
script with different options.

Does that sound right?

Is anybody familiar enough with the OpenSSL utilities to write that script?



-- 
These are my opinions.  I hate spam.
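
A sketch of the fetch, find, copy and verify steps described in the message above, as an added example that is not part of the original post and not NTPsec code. It assumes OpenSSL 1.1.0 or later (for `-no-CApath`); the paths in `ROOTS` and `PIN`, port 4460 and the `ntske/1` ALPN name are assumed defaults for an NTS-KE server.

```shell
#!/bin/sh
# Added example, not NTPsec code. ROOTS, PIN and port 4460 are assumed defaults.
ROOTS=${ROOTS:-/etc/ssl/certs}      # local root cert collection (assumed path)
PIN=${PIN:-./pinned-root.pem}       # the "safe place" (assumed path)

# fetch_chain HOST PORT OUT: save the chain the server presents, leaf first.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -alpn ntske/1 -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
    [ -s "$3" ]
}

# anchors CHAIN CAFILE: true if CAFILE alone, with no system store, validates CHAIN.
anchors() {
    openssl verify -no-CApath -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# find_root CHAIN DIR: print the first single-certificate file in DIR that anchors CHAIN.
find_root() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        # Skip bundles: pinning a file that holds every root would pin nothing.
        [ "$(grep -c 'BEGIN CERTIFICATE' "$f" 2>/dev/null)" = 1 ] || continue
        if anchors "$1" "$f"; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# pin_root CHAIN DIR PINFILE: copy the anchoring root out of DIR into PINFILE.
pin_root() {
    root=$(find_root "$1" "$2") || { echo "no local root anchors chain" >&2; return 1; }
    openssl x509 -in "$root" -out "$3" || return 1   # plain PEM copy, not a symlink
    openssl x509 -in "$3" -noout -subject -enddate -fingerprint -sha256
}

# Usage: SCRIPT pin|check HOST [PORT]
if [ $# -ge 2 ]; then
    chain=$(mktemp) || exit 1
    trap 'rm -f "$chain"' EXIT
    fetch_chain "$2" "${3:-4460}" "$chain" || { echo "fetch failed" >&2; exit 1; }
    case $1 in
        pin)   pin_root "$chain" "$ROOTS" "$PIN" && echo "add to ntp.conf: ca $PIN" ;;
        check) anchors "$chain" "$PIN" || { echo "pin no longer anchors $2" >&2; exit 1; } ;;
        *)     echo "usage: $0 pin|check HOST [PORT]" >&2; exit 2 ;;
    esac
fi
```

The `check` mode is the verify half: it fails as soon as the server moves to a chain that the pinned root no longer anchors, which is the signal to review the change and re-run `pin`.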




