Thanks.

> If that's a thing you want to do on your system, you can. IMHO, it's not
> something that we particularly need to promote, nor would I find it
> desirable operationally. If my NTP server changes their CA provider, then I
> won't be able to talk to them any more until I take manual action to adjust
> the pin.

I was assuming there would be a script that would do the work, say run as a cron job. Probably send you email so you can do the actual edit.

> Yes, that's how the CA ecosystem works. That is absolutely a threat. Keep in
> mind that if a CA gets caught doing that, they will get the CA death
> penalty, ending their money printing business.

Some CAs are run by governments. That area gets messy.

There was a news item recently (month or 3??) about a Russian social media server located in a German cloud provider that got MITM-ed. The bad guys got a Let's Encrypt certificate. They could do that by just stealing the IP address for a few minutes, which only takes one insider at the hosting service.

Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service
https://thehackernews.com/2023/10/researchers-uncover-wiretapping-of-xmpp.html

I can't tell how paranoid to be. It would be nice if we didn't depend on all the root certificates.

-- 
These are my opinions. I hate spam.

_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
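An added example of the cron-driven pin check sketched in this message; it is not code from this thread or from NTPsec. It assumes the NTP server is an NTS-KE server (RFC 8915: TLS on TCP 4460, ALPN `ntske/1`), pins the SubjectPublicKeyInfo hash in the RFC 7469 form rather than the whole certificate (so a CA switch or a renewal with the same key does not trip it), and walks the DER by hand assuming a well-formed certificate; `der_encode` exists only to build constructed test data.

```python
import base64, hashlib, socket, ssl
NTS_KE_PORT = 4460       # RFC 8915: NTS Key Establishment over TLS, TCP 4460
NTS_KE_ALPN = "ntske/1"  # RFC 8915 ALPN protocol identifier

def der_encode(tag, body):
    """Minimal DER TLV encoder, used only to build constructed test certificates."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate (RFC 5280)."""
    _, pos, _ = der_tlv(cert_der, 0)                   # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)                 # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)                 # subjectPublicKeyInfo
    return cert_der[pos:end]

def spki_pin(cert_der):
    """RFC 7469-style pin: base64(SHA-256(SPKI)); only a new server key changes it."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def fetch_nts_ke_cert(host, port=NTS_KE_PORT):
    """TLS-connect to the NTS-KE server and return its leaf certificate in DER form."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols([NTS_KE_ALPN])
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":                   # cron usage: nts_pin_check.py HOST STORED_PIN
    import sys
    observed = spki_pin(fetch_nts_ke_cert(sys.argv[1]))
    if observed != sys.argv[2]:              # cron mails any output, so stay silent otherwise
        print(f"PIN CHANGED for {sys.argv[1]}: now {observed}; update the stored pin")
        sys.exit(1)
```

Run it from cron with MAILTO set; it prints (and so mails) only when the observed SPKI pin differs from the stored one, leaving the actual edit to the operator.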