[ntp:hackers] ntp Authentification support for X.509v3 against a Certificate Authority (CA)

todd glassey todd.glassey at worldnet.att.net
Thu Jun 22 02:14:27 UTC 2006


No David, I do understand that; I have it running here at the shop... The OCSP
functions would need to be added to NTP, was the point.

Todd
----- Original Message ----- 
From: "David L. Mills" <mills at udel.edu>
To: <hackers at support.ntp.org>
Cc: "Laatz, Erek" <laatz at makdata.de>
Sent: Wednesday, June 21, 2006 6:18 PM
Subject: Re: [ntp:hackers] ntp Authentification support for
X.509v3 against a Certificate Authority (CA)


> Todd,
>
> I don't think you understand. The Autokey scheme is specifically
> designed to work with PKIX certificates and authorities, if the user so
> wishes. So, there is no reason why OCSP could not be used. However, I
> intended the scheme to be able to work entirely self-contained and
> without reliance on DNS or external authorities if this is within the
> security envelope. Or, it could be used in conjunction with Autokey, but
> OCSP itself has problems with authoritative time.
>
> An anticipated scenario is a sensor network which must start up from a
> completely dark state and light up protocols that depend on time. So,
> the first thing to do is confirm time is proventic throughout the
> network, then start up the dependent protocols. It must be possible to
> do this without external services. This is not to say this is the only
> scenario, only that it is a possible scenario and happens to be the
> default.
>
> Dave
>
> todd glassey wrote:
>
> > There is nothing like OCSP or otherwise in Autokey so it cannot really
> > do anything to verify the certificate now, Greg.
> >
> > Todd
> >
> > ----- Original Message -----
> > From: "Greg Dowd" <GDowd at symmetricom.com>
> > To: "David L. Mills" <mills at udel.edu>; <hackers at support.ntp.org>
> > Cc: "Laatz, Erek" <laatz at makdata.de>
> > Sent: Wednesday, June 21, 2006 3:24 PM
> > Subject: RE: [ntp:hackers] ntp Authentification support for X.509v3
> > against a Certificate Authority (CA)
> >
> >
> > Is there something in the doc that talks about how to walk a cert trail?
> > I think the openssl list is a good place to start. The Autokey doc
> > mentions more protocol aspect issues such as "distributed via secure
> > means". Where is the "hiking a CA trail" doc? As far as I know, the
> > autokey implementation is still just sending a single cert, which in
> > reality is expected to end in a self-signed cert via proventic check.
> > In the identity schema doc, there is a mention of 5 schemes in the first
> > 4 paras, then it drops to 4 schemes and TC goes away, right?
> >
> > Typical mechanisms for cert validation and CRL distribution are X.500
> > directories or LDAP. This is typically org specific based on whose CA software
> > is installed.
> >
> >
> >
> > Greg Dowd
> > gdowd at symmetricom dot com (antispam format)
> > Symmetricom, Inc.
> > www.symmetricom.com
> > "The current implementation is non-obvious and may need to be improved."
> >
> >
> >
> >
> > -----Original Message-----
> > From: hackers-bounces at support.ntp.org
> > [mailto:hackers-bounces at support.ntp.org] On Behalf Of David L. Mills
> > Sent: Wednesday, June 21, 2006 2:44 PM
> > To: hackers at support.ntp.org
> > Cc: Laatz, Erek
> > Subject: Re: [ntp:hackers] ntp Authentification support for X.509v3
> > against a Certificate Authority (CA)
> >
> > Erek, Danny,
> >
> > A full disclosure about the Autokey public key scheme is in the January
> > technical report on the NTP project page linked from www.ntp.org. The
> > scheme does hike the CA trail to a trusted host acting as a root CA.
> > However, there is a problem. I suppose you need to use a commercial
> > authority. Unless they run NTP with Autokey and have their own trusted
> > NTP source, the period of validity cannot be verified.
> >
> > The distribution does include means to generate x509v3 certificates
> > using the ntp-genkeys routine, which uses the OpenSSL library. In
> > principle, x509v3 certificates generated by the x509 program in that
> > library can be used, and in principle any other means that uses the
> > common names assumed by the Autokey model. As now, the common names must
> > be those provided by the Unix hostname utility, and they must be encoded
> > in PEM with a header giving file name and datestamp.
> >
> > Try running ntp-genkeys, making a host certificate, asking a commercial
> > CA to sign it and using it in your trusted host. Presumably, that would
> > extend the trail to the CA. That wouldn't work with identity schemes, but
> > it would be interesting to try.
> >
> > Dave
> >
> > Danny Mayer wrote:
> >
> >> Laatz, Erek wrote:
> >>
> >>> Dear all,
> >>>
> >>> we want to set up a larger environment for around 60 NTP servers in
> >>> Germany.
> >>> All these hosts will have the ability to use system specific X509v3
> >>> certificates issued by a CA. Our idea is to use these certificates
> >>> also for ntp authentification as we have the requirement to use some
> >>> kind of authentification within the ntp installations.
> >>>
> >>> I've looked in several sources but found no idea how to realize a
> >>> certificate verification against a CA, even found no special hint on
> >>> how to realize it within the autokey protocol.
> >>>
> >>> Is there anyone who has an idea how to realize a X.509v3 certificate
> >>> verification against a CA?
> >>>
> >>> Best regards, Yours
> >>>
> >>> Erek
> >>
> >>
> >> Dave Mills is the best person to answer these questions but he's not
> >> on this list, so I have added him to this reply. Have you looked at
> >> the autokey protocol for details about how it works?
> >>
> >> Danny
> >>
> >
> > _______________________________________________
> > hackers mailing list
> > hackers at support.ntp.org
> > https://support.ntp.org/mailman/listinfo/hackers