Yo Hal!

On Thu, 28 Mar 2019 16:26:55 -0700
Hal Murray via devel <devel@ntpsec.org> wrote:

> Gary said:
> >> There is a downside. Every time it changes, you have to take
> >> a leap of faith when you re-pin it, rather than getting normal
> >> CA validation.
> > You miss the point, this is addition to normal CA validation, not an
> > alternative to it. Just like HPKP.
>
> I'm missing something important. Why would I need additional
> validation? Isn't normal certificate validation good enough?

There have been many cases, some in the last year, where black hats
have tricked CA's into issuing them certs for major domains. Then the
bogus certs used for fraud. That is why HPKP and DANE were invented.

Please note, I am not suggesting this will be a problem for ntpd like
it has become a problem for XMPP, smtp, https, etc. Yet.

One cool thing about HPKP and DANE is that zero user configuration is
required to get the extra security.

Potential extra security is just an added feature that you get for free
once you add certificate pinning to handle the ostfalia case.

Check the pin, but do not check the chain:

    server ostfalie.de noval pin XXXXXXX

Check the pin, and check the chain:

    server rellim.com pin YYYYYY

Now if someone can trick a CA into giving them a valid rellim.com cert
the connection will still be secure.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
    g...@rellim.com Tel:+1 541 382 8588

    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
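The two modes described in the message above ("pin" with chain validation, and "noval pin" without it), as an added Python example that is not code from the message or from NTPsec. It assumes the pin is the hex SHA-256 of the server's whole DER-encoded certificate (the message does not define a pin format); the function names are hypothetical and `validate_chain=False` stands in for the proposed `noval` option.

```python
import hashlib
import hmac
import socket
import ssl


def make_context(validate_chain: bool) -> ssl.SSLContext:
    """Build a client context; validate_chain=False models 'noval'."""
    ctx = ssl.create_default_context()  # CA chain + hostname checks on
    if not validate_chain:
        # Pin-only mode: the pin becomes the sole trust anchor.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pin_matches(cert_der: bytes, pin_hex: str) -> bool:
    """Constant-time compare of SHA-256(DER certificate) with the pin."""
    digest = hashlib.sha256(cert_der).hexdigest().encode()
    return hmac.compare_digest(digest, pin_hex.strip().lower().encode())


def connect_pinned(host, port, pin_hex, validate_chain=True, timeout=5.0):
    """Return a TLS socket, or raise if the chain or the pin check fails."""
    ctx = make_context(validate_chain)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # With validate_chain=True the handshake enforces CA + hostname.
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The binary form is available even when the chain was not validated.
    if not pin_matches(tls.getpeercert(binary_form=True), pin_hex):
        tls.close()
        raise ssl.SSLError("certificate does not match pinned digest")
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for two DER certificates (not real certs).
    pinned_cert = b"constructed: certificate the operator pinned"
    misissued = b"constructed: CA-valid certificate with another key"
    pin = hashlib.sha256(pinned_cert).hexdigest()
    print("pinned cert accepted:", pin_matches(pinned_cert, pin))
    print("mis-issued cert accepted:", pin_matches(misissued, pin))
```

In the chain-validating mode a certificate must pass both checks, so a mis-issued but CA-valid certificate still fails at `pin_matches`.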