Yo Hal! On Mon, 04 Mar 2019 01:58:23 -0800 Hal Murray via devel <devel@ntpsec.org> wrote:
> Gary said:
>
>> Otherwise, either do full validation or don't bother with NTS
>> at all. Pinning counts as full validation.
>
> I'd be happy if we had per host pinning instead of "noval".
>
> How is per-host pinning normally implemented?

Well, in Firefox, when the cert fails, you are presented with a dialog
that asks you to temporarily, or permanently, accept the cert.

Also, Firefox does automatic, invisible, key pinning using the HPKP
extension to html.

Here is a page on how the user sees pinning:

https://www.thesslstore.com/blog/an-introduction-to-pinning/

Here is how to get a hash of a remote cert for pinning:

$ openssl x509 -in example.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
writing RSA key
VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=

> We have the option to use a local file of trusted/root certificates.
> Can you easily get one per host to put in there?

I don't see how. I would suspect you would put a hash of the cert in
the ntp.conf file.

Here is how to get a hash of a remote cert for pinning:

$ openssl x509 -in example.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
writing RSA key
VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=

Given the Comodo mess of last week I expect a lot more people will
want to do pinning next month.

Maybe something like this in ntp.conf:

cert example.com VhFYptFYvVRv1KVvcUg3EfHvv15wkBFpRU332RNC2sM=

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
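The openssl pipeline in the mail hashes the SubjectPublicKeyInfo (SPKI) of the certificate, not the whole certificate, so the pin survives a re-issued cert that keeps the same key. Below is an added example (not code from the NTPsec project or from the mail) that builds an RSA SPKI in DER from a constructed, non-real key, derives the same base64(sha256(SPKI)) pin value the openssl command prints, parses hypothetical `cert <host> <pin>` lines in the ntp.conf syntax Gary proposes, and checks a presented key against them. The DER helpers, the config syntax and the `pin_matches` policy (no pin for a host means refuse) are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# --- Minimal DER encoding helpers (constructed for this example) ---
def der_len(n: int) -> bytes:
    """DER length field: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"

def rsa_spki_der(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key, the bytes `openssl rsa -pubin -outform der` emits."""
    rsa_public_key = der_sequence(der_integer(modulus), der_integer(exponent))
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)  # first byte: zero unused bits
    return der_sequence(der_sequence(RSA_ENCRYPTION_OID, DER_NULL), bit_string)

def spki_pin(spki_der: bytes) -> str:
    """base64(sha256(SPKI DER)): the value the openssl pipeline in the mail prints."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pins(conf_text: str) -> dict:
    """Parse hypothetical 'cert <host> <pin>' lines; '#' starts a comment."""
    pins = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0] == "cert":
            pins.setdefault(parts[1], set()).add(parts[2])
    return pins

def pin_matches(host: str, spki_der: bytes, pins: dict) -> bool:
    """True only if the presented key's pin equals one configured for this host."""
    expected = pins.get(host)
    if not expected:
        return False  # assumed policy: no pin configured means refuse, not accept
    got = spki_pin(spki_der)
    return any(hmac.compare_digest(got, p) for p in expected)

# Constructed sample key (a 128-bit modulus is far too small to be real; it is
# only here so the example runs offline) and a config line in the proposed syntax.
SAMPLE_SPKI = rsa_spki_der(0xB7E151628AED2A6ABF7158809CF4F3C7, 65537)
SAMPLE_PIN = spki_pin(SAMPLE_SPKI)
SAMPLE_CONF = f"# constructed ntp.conf fragment\ncert example.com {SAMPLE_PIN}\n"

if __name__ == "__main__":
    pins = parse_pins(SAMPLE_CONF)
    print("pin:", SAMPLE_PIN)
    print("example.com, same key:", pin_matches("example.com", SAMPLE_SPKI, pins))
    print("example.com, other key:",
          pin_matches("example.com", rsa_spki_der(0xC0FFEE, 3), pins))
```

Pinning to the SPKI rather than the certificate fingerprint is what lets an operator rotate the certificate without touching every client's ntp.conf, but it also means a pin must be updated whenever the server key itself changes, which is the operational cost Hal's question about per-host files points at.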