Getting ready for a release, wildcards

Richard Laager rlaager at wiktel.com
Wed Apr 20 20:47:53 UTC 2022


On 4/19/22 17:01, Hal Murray via devel wrote:
> One is to update the nts cert documentation to say
> that it doesn't do any checking on the certificate.

-  Present the certificate in _file_ as our certificate.
+  Present the certificate (chain) in _file_ as our certificate.
+  +
+  Note that there is no checking on the certificate.
+  In particular, it may have expired or may not cover the host name
+  used to get to this server or may not be signed by a CA that
+  is in the clients root-server collection.
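Review bot: the last added line has a possessive typo and an unusual term: "the clients root-server collection" should be "the client's trust store" (or at least "client's"), since "trust store" is the established name for the CA collection a TLS client validates against. While here, "may not cover the host name used to get to this server" would read more naturally as "may not match the host name the client used to reach this server".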

Sure, that's all true. But, I'm not sure why you felt the need to 
mention this. That is how everything works. In general, it's not even 
guaranteed that a TLS-speaking daemon knows its own (external) hostname. 
It obviously can't know what is in the client's trust store.

The only one of those things it could possibly check is whether the 
certificate is expired. But I recommend against trying to do that. It's 
not an expectation that daemons check that. More importantly, as always 
in the NTP space, that can lead to chicken-and-egg problems. If I have 
an isolated (not connected to the Internet) server with GPS, it might 
not have correct time when ntpd starts, but will get it once the GPS locks.

-- 
Richard
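An added example, not code from this thread or from NTPsec, of the kind of check discussed above, done the way the reply argues for: advisory log lines at startup rather than a refusal to run, with the validity-period check skipped while the clock is not yet trusted. It uses only Go's standard library; the names `certWarnings`, `selfSigned`, the `clockTrusted` flag and the `hostname` parameter are assumptions for the demonstration, and the certificate is a throwaway one generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// certWarnings reports advisory findings about the certificate an NTS-KE server is about to
// present. It is deliberately not a gate: the daemon starts regardless, since its clock may be
// wrong until a reference such as GPS locks, and it cannot know what the client's trust store
// holds. hostname is an operator-supplied name or "" (an assumed parameter, not an ntpd option).
func certWarnings(cert *x509.Certificate, hostname string, clockTrusted bool, now time.Time) (w []string) {
	switch {
	case !clockTrusted:
		w = append(w, "clock not trusted yet; validity period not checked")
	case now.After(cert.NotAfter):
		w = append(w, "certificate expired "+cert.NotAfter.UTC().Format(time.RFC3339))
	case now.Before(cert.NotBefore):
		w = append(w, "certificate not valid before "+cert.NotBefore.UTC().Format(time.RFC3339))
	}
	if hostname != "" && cert.VerifyHostname(hostname) != nil {
		w = append(w, "certificate does not cover host name "+hostname)
	}
	return w
}

// selfSigned generates a throwaway self-signed certificate for the demonstration (constructed input).
func selfSigned(names []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() { // constructed case: expired yesterday, presented under a name it does not cover
	cert, err := selfSigned([]string{"ntp.example.net"}, time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(certWarnings(cert, "time.example.net", true, time.Now()))
}
```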