Maybe not so easy in practice, given the CT issues today:
https://www.reddit.com/r/sysadmin/comments/ugwkh2/all_of_the_sudden_seeing_chrome_error_err/
--
Richard
> On May 3, 2022, at 03:40, Richard Laager wrote:
>
> That seems like low-hanging fruit. We would have to ship an
> application-sp
ther hand, sites that don't use wildcard certificates can use
CAA to prevent issuance of them.
C. A legitimate wildcard certificate from some other server at example.com.
This seems like the most likely scenario.
So this knob gives me a way, as the client, to ensure that a server that
is no
I think I've figured out why I think my knob is interesting.
For the web, there are zillions of clients, most non-technical. A client is
likely to connect to many servers, often new/different ones on different days.
It all has to just work, straight out of the box.
For NTS-KE, an at least som
ng, but I see how some people would need them.
See https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/ section 3 which
says:
A technology MAY disallow the use of the wildcard character in DNS
names. If it does so, then the specification MUST state that
wildcard certificates as defined
Yo Hal!
On Tue, 22 Feb 2022 14:39:21 -0800
Hal Murray via devel wrote:
> They don't work. See https://gitlab.com/NTPsec/ntpsec/-/issues/729
>
> There is a single line of code that disables them.
>
> They are less secure. But is that "less" practical or theoretical?
>
> They are deprecated i
They don't work. See https://gitlab.com/NTPsec/ntpsec/-/issues/729
There is a single line of code that disables them.
They are less secure. But is that "less" practical or theoretical?
They are deprecated in RFC 6125
https://datatracker.ietf.org/doc/html/rfc6125#section-7.2
Should we:
rem
> Is it not possible to use self-signed certificates? Or am I missing some
> steps; is there a recipe that works for machines on private networks?
I use self signed certificates for testing so it should be reasonable for you
to get it working.
I used a recipe I found on the web. It s
ntp/certs/
> for root certificates.
Did you read that? Do so again.
> Is it not possible to use self-signed certificates?
Yes. That "self" creates your own root cert.
> Or am I missing
> some steps;
AFAIK, you forgot to put your new root i
I would like to test NTPsec on an internal network without Internet access.
I have created self-signed certificates on both server and client. But
NTPsec on the server complains
NTS: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert *unknown ca*
and on the client:
2020-05-06T22:38:42 ntpd
WTO without a lot of work.
> That's CA pinning rather than certificate pinning. It only makes sense (to
> me anyway) if you expect to have multiple different certificates that refer
> to that CA, so maybe if you have a local CA that you don't want to advertise
> system-wide
ach system.
> One option is to extract the appropriate certificate from the installed root
> collection.
That's CA pinning rather than certificate pinning. It only makes sense
(to me anyway) if you expect to have multiple different certificates
that refer to that CA, so maybe if you h
The current simple setup of something like
server ntp.example.com nts
depends on the OS root server collection.
Suppose you don't trust all those CAs. What can you do?
One option is to extract the appropriate certificate from the installed root
collection.
server ntp.example.com nts ca
T
Yo Richard!
On Mon, 18 Nov 2019 14:51:30 -0600
Richard Laager via devel wrote:
> On 11/18/19 2:36 PM, Gary E. Miller via devel wrote:
> > I would say another config option. Both for client and server.
>
> I don't see why we would need a config option for the server. If you
> don't want a wil
On 11/18/19 2:36 PM, Gary E. Miller via devel wrote:
> I would say another config option. Both for client and server.
I don't see why we would need a config option for the server. If you
don't want a wildcard cert there, don't use one. If you do, do. No need
to configure.
If someone wants an opt
Yo Hal!
On Sun, 17 Nov 2019 22:59:52 -0800
Hal Murray via devel wrote:
> rlaa...@wiktel.com said:
> > Does commit 74308fa20545ae1b34708ec06e38ea244dda7c54 disable the
> > use of wildcard certificates for NTS? If so, why was that done?
>
> Looks that way.
Not good
On 11/18/19 12:59 AM, Hal Murray wrote:
> rlaa...@wiktel.com said:
>> Does commit 74308fa20545ae1b34708ec06e38ea244dda7c54 disable the use of
>> wildcard certificates for NTS? If so, why was that done?
>
> Looks that way. No specific reason. I was just cleaning up and tig
rlaa...@wiktel.com said:
> Does commit 74308fa20545ae1b34708ec06e38ea244dda7c54 disable the use of
> wildcard certificates for NTS? If so, why was that done?
Looks that way. No specific reason. I was just cleaning up and tightening
things down. It seems like it would make things sl
Does commit 74308fa20545ae1b34708ec06e38ea244dda7c54 disable the use of
wildcard certificates for NTS? If so, why was that done?
--
Richard
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
Hal Murray via devel writes:
> What do I type to find out when my certificate expires? We should make a
> script that can be called from cron.
This will return 0 if the certificate doesn't or 1 if the certificate
does expire within the next 90 days:
openssl x509 -in /path/to/cert -noout -checken
On Wed, Sep 11, 2019 at 7:43 PM Hal Murray via devel
wrote:
>
> Any openssl command line wizards?
>
Probably, not me though.
> What do I type to find out when my certificate expires? We should make a
> script that can be called from cron.
>
generally something like the following works fairly
Any openssl command line wizards?
What do I type to find out when my certificate expires? We should make a
script that can be called from cron.
What do I type to figure out which cert in the root collection for my
OS/distro that a NTS-KE server is using? I'd like some code I can cut-paste
On 3/20/19 2:57 PM, Hal Murray via devel wrote:
>
> I've been testing with self-signed certificates. It's time to shift to real
> certificates. They need a FQDN which I don't have, so it's time to get a
> domain. (I want one for other reasons anyway.) Anybody
Murray via devel
wrote:
>
> I've been testing with self-signed certificates. It's time to shift to
> real
> certificates. They need a FQDN which I don't have, so it's time to get a
> domain. (I want one for other reasons anyway.) Anybody have suggest
I've been testing with self-signed certificates. It's time to shift to real
certificates. They need a FQDN which I don't have, so it's time to get a
domain. (I want one for other reasons anyway.) Anybody have suggestions for
vendors? Low cost is obviously good, but
> You also have to add a few lines on the NTP server to reject requests without
> certificates.
I expect that just that "simple" feature would eliminate most of the trash.
For a while.
--
These are my opinions. I hate spam.
Yo Project Manager via devel!
On Thu, 14 Feb 2019 20:54:06 -0800
"Mark Atwood, Project Manager via devel" wrote:
> How hard would it be to implement, and what does it buy us?
My WAG is under 100 lines of code to implement. The client needs to
send his client cert, and the server needs to chec
> and what does it buy us?
Gary suggested it would allow a server to restrict its clients without having
to know their IP Address.
> How hard would it be to implement
Depends what "it" is.
If the spec is "signed by one of these (root) certs", that's probably only an
evening/weekend. Round
How hard would it be to implement, and what does it buy us?
--
Mark Atwood
http://about.me/markatwood
+1-206-604-2198
On 2/6/19 11:34 AM, Eric S. Raymond wrote:
> Richard Laager via devel :
>> On 2/5/19 7:49 PM, Richard Laager wrote:
>>> I have a specific proposal that I'll hopefully write up tonight, which
>>> may address the needs in this space.
>> I did some brainstorming on this with a colleague. I initially s
--
These are my opinions. I hate spam.
Mark said:
> This sounds somewhat similar to the brilliant hack that is
> https://github.com/ioerror/tlsdate
Brilliant? Maybe if you do it for yourself. Not if you publish it in a way
that encourages others to do it.
https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#Tardis_and_Trinit
This sounds somewhat similar to the brilliant hack that is
https://github.com/ioerror/tlsdate
On Wed, Feb 6, 2019 at 9:34 AM Eric S. Raymond via devel
wrote:
> Richard Laager via devel :
> > On 2/5/19 7:49 PM, Richard Laager wrote:
> > > I have a specific proposal that I'll hopefully write up to
Richard Laager via devel :
> On 2/5/19 7:49 PM, Richard Laager wrote:
> > I have a specific proposal that I'll hopefully write up tonight, which
> > may address the needs in this space.
> I did some brainstorming on this with a colleague. I initially started
> with an approach that would consider t
d && !system_clock_set_once_by_ntpd)
This is suggested in the draft:
Allow the system administrator to specify that certificates should
*always* be strictly validated. Such a configuration is
appropriate on systems which have a battery-backed clock and which
can reaso
On 2/3/19 1:39 PM, Sanjeev Gupta wrote:
> The Google resolver checks for valid DNSSEC, and sets the bit.
and does not return a result if DNSSEC fails.
$ dig dnssec.fail @8.8.8.8 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35621
$ dig dnssec-failed.org @8.8.8.8 | grep status
On Sat, Feb 2, 2019 at 8:57 AM Richard Laager via devel
wrote:
>
> About 19% of the world is doing DNSSEC validation, in large part because
> apparently 15% of the world is using Google's recursive DNS service.
>
Actually, things are much worse.
The Google resolver checks for valid DNSSEC, and s
Hal Murray via devel writes:
> Is it practical to bypass the DNS lookup and use a certificate for the IP
> Address?
You'd have to use a self-signed certificate for that and check that your
library actually recognized the IP as an IP in the cert. So if you can
avoid doing that you'd be better off
On 2/1/19 5:24 PM, Hal Murray via devel wrote:
> If I start with a name, translate that to an IP Address, make a TLS
> connection
> to that system, I expect to get a certificate that matches the name.
Yep.
> But that
> translation step adds another layer of security considerations.
It's actua
Yo Hal!
On Fri, 01 Feb 2019 15:24:09 -0800
Hal Murray via devel wrote:
> If I start with a name, translate that to an IP Address, make a TLS
> connection to that system, I expect to get a certificate that matches
> the name.
Yup, but not always. Some will want to stop on mismatch, some want
to
If I start with a name, translate that to an IP Address, make a TLS connection
to that system, I expect to get a certificate that matches the name. But that
translation step adds another layer of security considerations.
Is it practical to bypass the DNS lookup and use a certificate for the I
[resent, first try was never posted to the list]
Hal Murray via devel writes:
> Could somebody give me a lesson in certificates and keys?
A key is something random or very close to random that is used as a
parameter to a crypt algorithm to either/or encrypt plaintext to
ciphertext and decr
ficate and intermediate bundle are provided in a single file, and
sometimes they are provided in two files.
As an additional complication, right now we seem to be in a transition
away from RSA towards ECDSA, so some daemons will support providing both
types of keys (and thus two separate certificate
Yo Hal!
On Thu, 17 Jan 2019 19:34:48 -0800
Hal Murray via devel wrote:
> Could somebody give me a lesson in certificates and keys?
I'd hate to try to reinvent that wheel. It is, intentionally, just
like https uses.
Here is a fair description:
https://robertheaton.com/2014/03/27/
Hal Murray via devel :
> Could somebody give me a lesson in certificates and keys?
Me, too. This is an area I'm even more ignorant in than Hal describes
himself as being.
--
Eric S. Raymond http://www.catb.org/~esr/
My work is funded by the Internet C
Could somebody give me a lesson in certificates and keys?
I'm somewhat familiar with certificates as used in HTTPS. Are there other
common uses?
What sort of certificates do we need for testing? Where do we get them
I think the NTS-KE-server needs the private key for the certificate(