Yo Richard! On Sun, 31 Mar 2019 18:47:35 -0500 Richard Laager via devel <devel@ntpsec.org> wrote:
> This option would allow Gary's scenario to validate, without needing > to trust that root system-wide. He would presumably then eliminate > "noval" from that configuration line. Failing to match a root CA in the local cert is only one of many ways that a cert can fail to validate. Before noval can be removed there must be a workaround for all of them. There are also checks for validity dates, certificate revocation, hostname matching, etc. > 2) If we want more, implement some form of pinning. As the intention > of pinning is to further restrict the trust anchors, this would be in > addition to normal validation, not instead of it. Why? Many other protocols use pinning sometimes to suplement a cert chain, sometimes in addition to it. No reason not to support both options. > The pinning options > would be mutually exclusive of "noval" to keep the implementation > straightforward and to help prevent people from shooting themselves in > the foot. We should be so lucky... RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 Veritas liberabit vos. -- Quid est veritas? "If you can’t measure it, you can’t improve it." - Lord Kelvin
pgpXkf3cRtqnB.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel