[ntp:questions] using certificates produced by a third party PKI instead of ntp-keygen

David Mills mills at udel.edu
Thu Apr 23 22:10:52 UTC 2009


Alain,

For simplicity a self-signed certificate is used as a certificate 
request to an ascendent server acting as a certificate signing authority 
to return a signed certificate that can be provided to a descendent 
client. Only the trusted host acting as a certificate authority returns 
a self-signed certificate when asked. Presumably, that certificate can 
be verified by independent means, which is what the IFF group key can be 
used for. The code now requires a self-signed certificate for that 
possibility, but that can easily be changed, as can the certificate 
length limit.

The problem is not who can construct a self-signed trusted root 
certificate, but how it can be verified by independent means. An NTP 
server could in principle obtain a root certificate and ipso facto 
become a trusted host. In the IFF scheme, possession of the IFF private 
key is equivalent to becoming a certificate signing authority, since 
clients can verify the certificate is genuine using the protocol. A 
client having only the IFF public key can't do this.

It is true and you have verified that certificates can be generated and 
parsed using means other than NTP, but I don't know how to interpret the 
results, unless Verisign operates an NTP trusted host.

Dave

Bartholome, Alain wrote:

>Hi,
>I made some preliminary testing, using a third party certificate.
>I am using NTP version 4.2.5p158 on Windows Server 2003.
>
>In the test, there are 2 hosts, no group key, the third party certificate is
>on the client.
>
>First of all I added a filestamp at the beginning of the certificate.
>I start NTP in debug mode on the client.
>
>NTP aborts (Dr Watson) during the scanning of the certificate.
>
>The last lines of the debug execution are:
>cert_parse: X509v3 Basic Constraints
>cert_parse: X509v3 Certificate Policies
>cert_parse: X509v3 CRL Distribution Points
>cert_parse: X509v3 Subject Alternative Name
>cert_parse: X509v3 Key Usage
>cert_parse: X509v3 Subject Key Identifier
>cert_parse: X509v3 Authority Key Identifier
>
>The certificate is not self signed (the issuer name is not the hostname),
>contrary to the NTP specifications. (I cannot have a self-signed certificate
>for now.)
>
>The third party certificate I am using is 2 kb long. In a Meinberg
>documentation, a maximum certificate size of 1024 bytes is specified.
>
>I would like to know if this abort is due to that maximum certificate size.
> 
>Regards,
>
>
>Alain BARTHOLOMÉ
>
>-----Original Message-----
>On behalf of David Mills
>Sent: Wednesday, 22 April 2009 20:09
>To: 'questions at lists.ntp.org'
>Subject: Re: [ntp:questions] using certificates produced by a third party PKI
>instead of ntp-keygen
>
>Alain,
>
>The syntax and semantics for certificates are in an appendix to the 
>Autokey ID now in review. That document also explains some additional 
>assumptions that might not be consistent with other uses. However, the 
>trusted certificate (TC) scheme is most vanilla and should not be a 
>problem. One problem I anticipate is the need to support the case of the 
>certificate for the trusted host itself and the public IFF group key, 
>which require an X509 extension field.
>
>Dave
>
>Bartholome, Alain wrote:
>
>>Hi,
>>
>>I need to do some testing with certificates produced by a third party PKI
>>instead of ntp-keygen.
>>
>>I would like to have the constraints and some guidelines in order to test
>>TC and IFF identity schemes.
>>
>>Regards,
>>
>>_______________________________________________
>>questions mailing list
>>questions at lists.ntp.org
>>https://lists.ntp.org/mailman/listinfo/questions
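As an added example, not code from this thread or from the NTP project: a pure-stdlib Python pre-flight check for the two constraints the thread names, that the certificate be self-signed (issuer equal to subject) and that it fit the 1024-byte maximum Alain cites from the Meinberg documentation. The sample-certificate builder is a constructed, unsigned dummy used only so the check can be run offline; the hostname-match rule Alain's report also touches on is not checked here.

```python
# Pre-flight check of a third-party certificate against the constraints named
# in this thread: self-signed (issuer == subject) and at most 1024 bytes of DER.
def _der(tag, body):                   # encode one DER TLV (lengths < 65536)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _tlv(buf, pos=0):                  # decode TLV at pos -> (tag, value, next)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length: n & 0x7F length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(seq):                    # split a constructed value into elements
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def check_autokey_cert(der_cert, max_len=1024):
    """Report whether der_cert is self-signed and within max_len bytes."""
    _, cert, _ = _tlv(der_cert)        # Certificate ::= SEQUENCE {tbs, alg, sig}
    _, tbs, _ = _tlv(cert)             # first element is the TBSCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:           # optional EXPLICIT [0] version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]   # serial, sigAlg, issuer, validity, subject
    return {"self_signed": issuer == subject,
            "size_ok": len(der_cert) <= max_len, "length": len(der_cert)}

def build_sample_cert(issuer_cn, subject_cn):
    """Constructed sample: structurally valid but unsigned dummy certificate."""
    def name(cn):                      # Name ::= SEQUENCE { SET { SEQUENCE {CN, value} } }
        cn_attr = _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode())
        return _der(0x30, _der(0x31, _der(0x30, cn_attr)))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"090423000000Z") * 2)
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 17))      # placeholder key bits
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(issuer_cn) + validity + name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # placeholder signature
```

Run the real certificate through `check_autokey_cert` after converting it to DER (for example with `ssl.PEM_cert_to_DER_cert`); a 2 KB third-party certificate with a CA issuer fails both checks.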