I'd like to add support for multiple keys to the NTS server to enable virtual hosting as is common with web servers. A use case which I thought it could enable would be servers that run only for a limited time to support different products or versions of the product (like an OS), where each has its own certificate included in the installation and is fully trusted to avoid the issues with wrong or missing RTC and failing time checks in certificate verification. This would allow the server keys to be rotated as the products/versions reach their end-of-line and it would also limit the number of devices that need to be updated/fixed when a key is compromised.
I'm not sure how it should be configured. I see the following options:

1) allow multiple files to be specified in ntsservercert and ntsserverkey directives
   - long lines are not great for inspection and editing
   - maximum number of keys/certs is limited by the maximum line length

2) allow multiple ntsserverkey/ntsservercert directives
   - sensitive to order (few directives in chrony have this property)

3) allow glob patterns in ntsserverkey/ntsservercert directive
   - certs and keys need to have the same naming scheme to pair correctly

I think 1) is just not acceptable. From 2) and 3) I'm not sure what is better.

For example:

    ntsservercert /etc/pki/tls/certs/nts-1.example.net
    ntsserverkey /etc/pki/tls/private/nts-1.example.net
    ntsservercert /etc/pki/tls/certs/nts-2.example.net
    ntsserverkey /etc/pki/tls/private/nts-2.example.net
    ntsservercert /etc/pki/tls/certs/nts-3.example.net
    ntsserverkey /etc/pki/tls/private/nts-3.example.net

vs

    ntsservercert /etc/pki/tls/certs/nts-*.example.net
    ntsserverkey /etc/pki/tls/private/nts-*.example.net

Any suggestions?

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the subject.
Trouble? Email listmas...@chrony.tuxfamily.org.
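The pairing problem behind option 3), worked as an added example that is not part of the message above and not chrony code: given the two glob patterns, pair each certificate with the key whose name matched the same text at the wildcard, report certs or keys left without a partner, and emit the equivalent option-2) directive lines. The `pair_cert_key` and `to_directives` function names and the file lists are assumptions constructed for illustration.

```python
import glob
from typing import List, Optional, Tuple

def _stem(pattern: str, path: str) -> Optional[str]:
    """Text matched by the single '*' in pattern, or None if path does not fit it."""
    if pattern.count("*") != 1:
        raise ValueError("exactly one '*' wildcard is expected in the pattern")
    prefix, suffix = pattern.split("*")
    fits = (path.startswith(prefix) and path.endswith(suffix)
            and len(path) >= len(prefix) + len(suffix))
    return path[len(prefix):len(path) - len(suffix)] if fits else None

def pair_cert_key(cert_pattern: str, key_pattern: str,
                  cert_files: Optional[List[str]] = None,
                  key_files: Optional[List[str]] = None):
    """Pair certs and keys by the wildcard-matched stem (the 'nts-1' part).

    cert_files/key_files default to the glob() expansion of each pattern; they can
    be passed explicitly (as in the test below) to run without touching the filesystem.
    Returns (pairs, certs_without_key, keys_without_cert); the last two are the
    cases a server should refuse to start on rather than silently skip.
    """
    if cert_files is None:
        cert_files = sorted(glob.glob(cert_pattern))
    if key_files is None:
        key_files = sorted(glob.glob(key_pattern))
    certs, keys = {}, {}
    for p in cert_files:
        s = _stem(cert_pattern, p)
        if s is not None:
            certs[s] = p
    for p in key_files:
        s = _stem(key_pattern, p)
        if s is not None:
            keys[s] = p
    pairs: List[Tuple[str, str]] = [(certs[s], keys[s]) for s in sorted(certs.keys() & keys.keys())]
    return pairs, sorted(certs.keys() - keys.keys()), sorted(keys.keys() - certs.keys())

def to_directives(pairs: List[Tuple[str, str]]) -> List[str]:
    """Render pairs as the ordered ntsservercert/ntsserverkey lines of option 2)."""
    lines = []
    for cert, key in pairs:
        lines.append("ntsservercert %s" % cert)
        lines.append("ntsserverkey %s" % key)
    return lines

if __name__ == "__main__":  # constructed example, not real paths on this host
    pairs, no_key, no_cert = pair_cert_key(
        "/etc/pki/tls/certs/nts-*.example.net", "/etc/pki/tls/private/nts-*.example.net",
        ["/etc/pki/tls/certs/nts-1.example.net", "/etc/pki/tls/certs/nts-3.example.net"],
        ["/etc/pki/tls/private/nts-1.example.net", "/etc/pki/tls/private/nts-4.example.net"])
    print("\n".join(to_directives(pairs)), "unpaired:", no_key, no_cert)
```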