Yo Hal!

On Sat, 02 Mar 2019 23:49:14 -0800
Hal Murray via devel <devel@ntpsec.org> wrote:

> devel@ntpsec.org said:
> > Partial validation means you don't follow the cert chain to the
> > root. In the off-net scenario, it means you stop following the chain
> > when you'd have to go outside the network perimeter you're
> > in. ...
>
> > https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
>
> Thanks, but I'm missing something critical.
>
> I thought most systems came with a collection of trusted/root
> certificates. What do I have to go outside-the-network to get?

CRLs: https://en.wikipedia.org/wiki/Certificate_revocation_list

Or, on the flip side, maybe your walled garden is using a private CA for
which your local host has no intermediate/root certs.

> As far as I can tell, there is no good reason for the intermediate
> certificate if you are small or just testing.

Which is not inclusive of all our use cases.

> I tell the NTS-KE server to use a certificate file that contains both
> the server certificate and the intermediate certificate. I assume
> the server sends both to the NTS-KE client. I told the NTS-KE client
> to use/trust the root certificate. It works.

Sort of. You are not checking the CRL.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
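Added example, not from the thread and not NTPsec code: an openssl session that builds the root / intermediate / server setup Hal describes (all names, the P-256 keys and the temp-dir layout are made up for the demo), validates the server cert the way the NTS-KE client does when it is told to trust only the root, shows the "partial validation" Gary refers to (stop at the intermediate instead of following the chain to the root), and then makes his "you are not checking the CRL" concrete: after the intermediate publishes a CRL revoking the server certificate, plain chain validation still reports OK and only a CRL-checking validation rejects it. It needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the thread or from NTPsec). All names and the
# temp-dir layout are made up for the demo; it needs only the openssl CLI.
set -eu

# Extension profiles for the CA certificates and for the server leaf.
ca_ext() {
  printf 'basicConstraints=critical,CA:TRUE\n'
  printf 'keyUsage=critical,keyCertSign,cRLSign\n'
  printf 'subjectKeyIdentifier=hash\n'
}
leaf_ext() {
  printf 'basicConstraints=CA:FALSE\n'
  printf 'keyUsage=critical,digitalSignature\n'
  printf 'extendedKeyUsage=serverAuth\n'
  printf 'subjectAltName=DNS:ntske.example.test\n'
}

# Make a P-256 key and CSR: $1 = file prefix, $2 = CN (hypothetical names)
csr() {
  openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> intermediate -> server in a fresh temp dir and cd into it.
build_pki() {
  cd "$(mktemp -d)"
  csr root "Example Root CA"
  ca_ext > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
  csr intermediate "Example Intermediate CA"
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 30 -sha256 -extfile ca.ext -out intermediate.pem 2>/dev/null
  csr server "ntske.example.test"
  leaf_ext > leaf.ext
  openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
    -CAcreateserial -days 30 -sha256 -extfile leaf.ext -out server.pem 2>/dev/null
  # The file an NTS-KE server would be pointed at: leaf first, then intermediate.
  cat server.pem intermediate.pem > chain.pem

  # Minimal 'openssl ca' setup so the intermediate can issue CRLs.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = int_ca
[ int_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial.txt
certificate      = intermediate.pem
private_key      = intermediate.key
crlnumber        = crlnumber.txt
default_md       = sha256
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > index.txt
  echo 01 > serial.txt
  echo 01 > crlnumber.txt
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # empty CRL so far
}

# Full validation: trust only the root; the intermediate is what the server sent.
verify_full() {
  openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem >/dev/null 2>&1
}
# Partial validation: treat the intermediate as the trust anchor and stop there.
verify_partial() {
  openssl verify -partial_chain -CAfile intermediate.pem server.pem >/dev/null 2>&1
}
# Full validation plus a CRL check on the leaf certificate.
verify_with_crl() {
  openssl verify -crl_check -CRLfile crl.pem -CAfile root.pem \
    -untrusted intermediate.pem server.pem >/dev/null 2>&1
}
# The intermediate revokes the server cert and publishes a fresh CRL.
revoke_server() {
  openssl ca -config ca.cnf -revoke server.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

build_pki
verify_full     && echo "full chain, trusting root:          OK"
verify_partial  && echo "partial chain, trusting intermediate: OK"
verify_with_crl && echo "with CRL, nothing revoked:          OK"
revoke_server
verify_full     && echo "after revocation, no CRL check:     still OK"
verify_with_crl || echo "after revocation, CRL check:        REJECTED (revoked)"
```

The last two lines are the point of the thread: a client that only trusts the root and walks the chain gets "OK" for a certificate its issuer has already revoked, because nothing in chain validation fetches or consults the CRL. Fetching that CRL (or an OCSP response) is the outside-the-network step, and a client on an isolated network that cannot reach it has to decide whether to fail closed, fail open, or rely on short-lived certificates instead.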
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel