Yo Hal!

On Thu, 17 Jan 2019 19:34:48 -0800 Hal Murray via devel <[email protected]> wrote:

> Could somebody give me a lesson in certificates and keys?

I'd hate to try to reinvent that wheel. It is, intentionally, just like
https uses. Here is a fair description:

https://robertheaton.com/2014/03/27/how-does-https-actually-work/

> I'm somewhat familiar with certificates as used in HTTPS. Are there
> other common uses?

smtp, imap, pop, sip, etc.

> What sort of certificates do we need for testing? Where do we get
> them

Let's Encrypt: https://letsencrypt.org/

> I think the NTS-KE-server needs the private key for the
> certificate(s) it supports.

Nope. Only for its own cert.

> Should we put it in a separate process
> so bugs in ntpd can't expose the private key?

Nah, Let's Encrypt puts it in a file with a standard location.

> That also allows us to write NTS-KE-server in a HLL.

Uh, lost me?

> There is an interesting corner case. Telco companies like to put
> spares on the shelf and expect them to work 10 years later. How
> often do root certificates roll over?

Let's Encrypt does this every 90 days. Commercial certs can be up to
five years, but then can be canceled when the CA gets hacked.

> I assume the normal TLS stuff uses a collection of root certificates
> that are distributed via the normal OS/Distro update mechanism.

Mostly. Usually in /etc/ssl/certs

> That
> won't work if the box is sitting on a shelf. Can

Many root certs are for 10 years or more.

I would shoot any admin that put a server live that had been sitting
around for 10 years w/o updates.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
[email protected] Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
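Two points in the exchange above lend themselves to a concrete check: the "spare on the shelf for 10 years" corner case (will the roots in the local trust store still be valid when the box is finally powered on?) and the observation that the NTS-KE server needs only the private key for its own certificate. The following is an added example, not code from this thread or from NTPsec. It uses the `cryptography` package to build two constructed self-signed root certificates in memory, flags any whose notAfter falls before a chosen deployment horizon, and checks that a private key actually belongs to a given certificate. The certificate names, lifetimes and the fixed "now" date are constructed assumptions for the demo; pointing `roots_expiring_before` at the bytes of a real bundle such as the one under /etc/ssl/certs runs the same check for real.

```python
"""Trust-store shelf-life check and key/cert pairing check.

Added example, not code from the thread or from NTPsec. Uses the
`cryptography` package. All certificates, names and dates below are
constructed in memory for illustration.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Matches each PEM-armoured certificate in a concatenated bundle.
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def not_after_utc(cert: x509.Certificate) -> datetime:
    """notAfter as an aware UTC datetime, across cryptography versions."""
    aware = getattr(cert, "not_valid_after_utc", None)
    if aware is not None:
        return aware
    return cert.not_valid_after.replace(tzinfo=timezone.utc)


def load_bundle(pem_bytes: bytes) -> list[x509.Certificate]:
    """Parse every certificate in a PEM bundle, in file order."""
    return [x509.load_pem_x509_certificate(block) for block in PEM_CERT.findall(pem_bytes)]


def roots_expiring_before(pem_bytes: bytes, horizon_days: int, now: datetime | None = None):
    """Return (common_name, days_left) for every cert in the bundle whose
    notAfter falls inside the next `horizon_days`, i.e. roots that would be
    dead by the time a boxed spare is finally powered on."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=horizon_days)
    flagged = []
    for cert in load_bundle(pem_bytes):
        expiry = not_after_utc(cert)
        if expiry < horizon:
            cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
            flagged.append((cn, (expiry - now).days))
    return flagged


def key_matches_cert(key, cert: x509.Certificate) -> bool:
    """True when `key` is the private half of the public key in `cert`.
    A server needs exactly one such pair: the one for its own certificate."""
    return key.public_key().public_numbers() == cert.public_key().public_numbers()


def make_self_signed_ca(common_name: str, lifetime_days: int, now: datetime):
    """Constructed self-signed CA certificate for the demo (not a real root)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=lifetime_days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


# Constructed fixtures: a fixed "now" so results are reproducible, one root
# with a 2-year lifetime and one with 15 years.
NOW = datetime(2019, 1, 18, tzinfo=timezone.utc)
SHORT_KEY, SHORT_CA = make_self_signed_ca("Constructed Root 2yr", 2 * 365, NOW)
LONG_KEY, LONG_CA = make_self_signed_ca("Constructed Root 15yr", 15 * 365, NOW)
BUNDLE = b"".join(c.public_bytes(serialization.Encoding.PEM) for c in (SHORT_CA, LONG_CA))

if __name__ == "__main__":
    ten_years = 10 * 365
    for cn, days in roots_expiring_before(BUNDLE, ten_years, NOW):
        print(f"{cn}: expires in {days} days, inside the {ten_years}-day shelf horizon")
    print("key matches own cert:", key_matches_cert(SHORT_KEY, SHORT_CA))
    print("key matches other cert:", key_matches_cert(SHORT_KEY, LONG_CA))
```

With a ten-year horizon only the two-year root is flagged; the fifteen-year one survives the shelf time. The pairing check compares public numbers rather than raw bytes, so it works for RSA and EC keys alike and catches the common misconfiguration of a key file that belongs to an older certificate.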
_______________________________________________ devel mailing list [email protected] http://lists.ntpsec.org/mailman/listinfo/devel
