[ntp:questions] NTP 4.2.4p2-RC3 Released

David Woolley david at djwhome.demon.co.uk
Tue May 29 07:03:45 UTC 2007

In article <slrnf5mnq1.jvc.kostecke at stasis.kostecke.net>,
Steve Kostecke <kostecke at ntp.isc.org> wrote:
> On 2007-05-28, Per Jessen <per at computer.org> wrote:
> > Steve Kostecke wrote:
> >
> >>>> Are you offering to underwrite the cost of an SSL certificate for
> >>>> us?
> >>>
> >>> You could try http://www.cacert.org/
> >> 
> >> I've considered that. However the cacert root certificate is not
> >> preinstalled in MSIE. So you still have the issue of the scary dialog
> >> box and the ensuing confusion.

> Cacert will send anyone a server cert. No verification is performed; all
> you need is an e-mail address in the domain. How, exactly, is that a big
> improvement over a self signed cert?

They have two levels of certificate (this is also an issue with Verisign,
etc. - most people trust all IE's root certificates, whereas some are better
authenticated than others).  Even the basic level verifies email routing.

> They could just as well load the NTP root cert.

The issue with certificates isn't about getting rid of the scary message,
it is about getting rid of the reason for the scary message.  If you are
not able to use a trusted third party or to use alternatively authenticated
means of distributing your certificate, e.g. sending the fingerprint as 
paper mail on headed paper when requested by paper mail, your best option
is not to use SSL, as the real risk of a passive tap is very little more than
that of a man in the middle tap.

The message is scary, because the whole basis of SSL is undermined by
self signed certificates.  Although sold to the public as about 
encryption, SSL is really about authentication.  Without authentication,
you don't need certificates.

CACERT's root certificates are much better publicised than ntp.isc's, and
I believe are now in some browsers, so there is much less chance of 
being given a bogus root certificate.  (The weakest link for most 
certificates is the browser distribution.)

Theoretically, it is also possible to use SSL without a certificate.  That
would be honest, as the certificate is about authentication, not encryption,
but I'm not sure that it is supported by servers, and therefore might not
be supported by all browsers.

More information about the questions mailing list