Certificate geekery
Richard Laager
rlaager at wiktel.com
Mon Dec 4 18:11:45 UTC 2023
On 2023-12-03 03:22, Hal Murray via devel wrote:
> I'm working on devel-TODO-NTS. (mostly deleting things)
>
> Currently, if a bad guy hacks or arm-twists a certificate authority, they can
> sign a certificate that the bad guy can use for a MITM attack.
Yes, that's how the CA ecosystem works. That is absolutely a threat.
Keep in mind that if a CA gets caught doing that, they will get the CA
death penalty, ending their money printing business. CAA records and
Certificate Transparency are also mitigations of this threat.
> We can make that a lot harder if we lookup the current root certificate that a
> server is currently using, find that certificate in a system's root cert
> collection, and add a ca xxx to the server line. That doesn't take any
> changes to ntpd.
If that's a thing you want to do on your system, you can. IMHO, it's not
something that we particularly need to promote, nor would I find it
desirable operationally. If my NTP server changes their CA provider,
then I won't be able to talk to them any more until I take manual action
to adjust the pin.
> Is that called pinning? If not, is there a term for it?
> Wiki has a page for a related proposal:
> https://en.wikipedia.org/wiki/Certificate_pinning
It sounds like pinning to me, at least a form of the general idea.
--
Richard
More information about the devel
mailing list