The current simple setup of something like server ntp.example.com nts depends on the OS root server collection.
Suppose you don't trust all those CAs. What can you do? One option is to extract the appropriate certificate from the installed root collection. server ntp.example.com nts ca <cert-file-here> That means the bad guys have to compromise a particular CA rather than any one in the collection. Does anybody know how to do that? It's probably slightly different on every distro. Is there a better approach? -- These are my opinions. I hate spam. _______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
