On 4/19/22 17:01, Hal Murray via devel wrote:
One is to update the nts cert documentation to say
that it doesn't do any checking on the certificate.

-  Present the certificate in _file_ as our certificate.
+  Present the certificate (chain) in _file_ as our certificate.
+  +
+  Note that there is no checking on the certificate.
+  In particular, it may have expired or may not cover the host name
+  used to get to this server or may not be signed by a CA that
+  is in the clients root-server collection.
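Review bot: the last line of the hunk, "is in the clients root-server collection", needs the possessive and the usual term; suggest "is in the client's trust store (root CA set)". The "it may have expired" clause only names notAfter; "it may have expired or not yet be valid" also covers a notBefore in the future, which is exactly the case a server with a wrong clock at startup hits, so it is worth spelling out given that no check is done at all.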

Sure, that's all true. But, I'm not sure why you felt the need to mention this. That is how everything works. In general, it's not even guaranteed that a TLS-speaking daemon knows its own (external) hostname. It obviously can't know what is in the client's trust store.

The only one of those things it could possibly check is whether the certificate is expired. But I recommend against trying to do that. It's not an expectation that daemons check that. More importantly, as always in the NTP space, that can lead to chicken-and-egg problems. If I have an isolated (not connected to the Internet) server with GPS, it might not have correct time when ntpd starts, but will get it once the GPS locks.

--
Richard


_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
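Richard's chicken-and-egg point above, as an added example that is not part of this thread or of NTPsec's code: a server can read the validity window out of its own certificate without any trusted clock, but classifying that window needs one, so an unsynced clock should produce "unknown" rather than "expired". The DER walker, the validity_status() function and the sample_certificate() skeleton (a constructed TBS fragment with a placeholder issuer, no key and no signature, used only so the block runs offline) are all assumptions of this example, not anything from the project.

```python
"""Added example for this thread (not NTPsec code): read the Validity window
straight out of a DER certificate and evaluate it against a clock that the
daemon may or may not trust yet. The sample certificate is a constructed skeleton."""
import datetime as dt

UTC = dt.timezone.utc


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime, kept short for the examples below."""
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=UTC)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """X.509 Time is UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])                   # RFC 5280 4.1.2.5.1: 50..99 -> 19xx, 00..49 -> 20xx
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def certificate_validity(der):
    """Return (notBefore, notAfter) of the first certificate in DER bytes.

    Walks Certificate -> tbsCertificate -> [version] serial signature issuer validity;
    no OpenSSL and no trusted clock is needed just to *read* the window."""
    _, cert_start, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = _read_tlv(der, cert_start)          # tbsCertificate ::= SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                 # [0] EXPLICIT version, optional
        pos = end
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, pos = _read_tlv(der, pos)
    _, pos, _ = _read_tlv(der, pos)                 # validity ::= SEQUENCE { notBefore, notAfter }
    tag1, s1, e1 = _read_tlv(der, pos)
    tag2, s2, e2 = _read_tlv(der, e1)
    return _parse_time(tag1, der[s1:e1]), _parse_time(tag2, der[s2:e2])


def validity_status(not_before, not_after, now, clock_synced):
    """Classify the window against 'now'. Without a synced clock the answer is
    'unknown', not 'expired': refusing to serve on an unsynced clock is the
    chicken-and-egg failure from the thread (GPS box booting with a bad clock)."""
    if not clock_synced:
        return "unknown"
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


# --- constructed sample certificate (DER skeleton, not a real or signed cert) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _time(t):
    if t.year >= 2050:                    # RFC 5280: dates from 2050 on MUST be GeneralizedTime
        return _der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
    return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def sample_certificate(not_before=utc(2022, 4, 1), not_after=utc(2023, 4, 1)):
    """Only the TBS fields up to validity are present; enough for certificate_validity()."""
    sha256_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"      # OID 1.2.840.113549.1.1.11
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                    # version v3
           + _der(0x02, b"\x01")                               # serialNumber 1
           + _der(0x30, _der(0x06, sha256_rsa))               # signature AlgorithmIdentifier
           + _der(0x30, b"")                                   # issuer: empty Name placeholder
           + _der(0x30, _time(not_before) + _time(not_after)))  # validity
    return _der(0x30, _der(0x30, tbs))


if __name__ == "__main__":
    nb, na = certificate_validity(sample_certificate())
    print("validity:", nb.isoformat(), "->", na.isoformat())
    # Same certificate, three clock states a daemon might start with.
    for now, synced in [(utc(2022, 4, 19, 17), True),    # correct time
                        (utc(1970, 1, 1), False),         # unsynced, clock at epoch
                        (utc(1970, 1, 1), True)]:         # same bad clock, wrongly trusted
        print(now.isoformat(), "synced" if synced else "unsynced",
              "->", validity_status(nb, na, now, synced))
```

Loading the file into a TLS context (OpenSSL's SSL_CTX_use_certificate_chain_file, Python's ssl.SSLContext.load_cert_chain) does no date check either, which is the behaviour the proposed documentation text describes; the function above only shows what a daemon would have to decide on if it did, and why "unknown" is the honest answer before the clock is synced.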
