[ntp:hackers] ntp Authentication support for X.509v3
against a Certificate Authority (CA)
laatz at makdata.de
Thu Jun 22 14:04:03 UTC 2006
That was a very encouraging discussion last night, thank you for your kind
support! Due to a long meeting in the morning it was impossible for me to
Let me give a short summary of what I've learned in this discussion:
- Dave links to the stime.pdf paper, where the infrastructure model is
referenced. But there's no further description on how to realise the
- In my understanding, I have to do the following:
+ create my own host certificate,
+ have it signed by the public CA,
+ use it in my trusted host.
As Dave wrote, presumably the certificate trail will be extended up
to the CA. Does it mean, it was not tested before?
- Usually a certificate verification against a CA is done using the
OCSP or LDAP protocol, connected to an X.500 directory.
Neither protocol is contained in the NTP sources (4.2.0 at 1.116).
Dave wrote that there's no reason why OCSP could not be used...
That means (IMHO) that OCSP should work. But how? Would that be done
by the linked OpenSSL libraries? What about LDAP access?
- If PKIX was required, very minor modifications have to be made in the
certificate extension fields. I think that might be the URL to the CA,
e.g. ocsp://ca-root.foo.bar. Do you agree?
- Greg wrote that there has to exist a scheme allowing an external
certificate verification. Would that actually be handled by OpenSSL?
- In his last mail Dave relates to the TC scheme but even told us that
public infrastructure procedures and resources are not specified as
Now I'm a little confused... Does it mean that certificate verification
against a CA is even impossible, or not?!
Best regards, yours
David L. Mills wrote:
> The TC scheme is described in the briefing, book and technical report, but
> it was not intended to be secure, as the text says. The public
> infrastructure procedures and resources are not specified as intended.
> If there is serious interest in doing just that, I would be most happy
> if somebody else worked out what needs to be done; I am preoccupied with
> other aspects of the work.
> By the way, I caught in one version of your latest product description
> that the unit supported public key cryptography. Is this true? I got a
> question about this from my BlueCrossBlueShield consulting clients.
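The three steps listed in the mail (create a host certificate, have it signed by a CA, verify the trail up to the CA) in openssl terms, as an added example that is not part of this thread or of the NTP sources. It builds a throwaway CA, issues a host certificate whose PKIX authorityInfoAccess extension carries the OCSP responder URL (the standard place for it, rather than a custom ocsp:// scheme), verifies the chain against the CA, and checks that a certificate not signed by that CA is rejected. All host names, file names and the OCSP URL are hypothetical, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the NTP project. Demonstrates host cert ->
# CA chain verification with openssl. Every name below is hypothetical.
set -e

WORK=$(mktemp -d)

# 1. A self-signed root for the hypothetical CA "ca-root.foo.bar".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=ca-root.foo.bar" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Host key + CSR, then the CA signs it. The extension file adds the
#    PKIX authorityInfoAccess entry pointing at the (hypothetical) OCSP
#    responder; this is where a verifier finds the URL to ask.
make_host_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ntp-host.foo.bar" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  cat > "$WORK/host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
authorityInfoAccess=OCSP;URI:http://ocsp.foo.bar
EOF
  openssl x509 -req -sha256 -days 90 -in "$WORK/host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/host.ext" -out "$WORK/host.crt" >/dev/null 2>&1
}

# 3. Chain check: returns 0 when host.crt chains to ca.crt, 1 otherwise.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/host.crt" >/dev/null 2>&1
}

# Returns 0 when the host cert's AIA extension names our OCSP responder.
has_ocsp_url() {
  openssl x509 -in "$WORK/host.crt" -noout -ocsp_uri \
    | grep -q 'http://ocsp.foo.bar'
}

# Negative case: a self-signed cert from elsewhere must NOT verify.
rejects_foreign_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=rogue.example" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
  ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/rogue.crt" >/dev/null 2>&1
}

make_ca
make_host_cert
verify_chain && echo "chain host -> CA OK"
has_ocsp_url && echo "OCSP responder URL present in AIA"
rejects_foreign_cert && echo "certificate from unknown CA rejected"
```

Note that openssl verify only checks the signature chain and validity dates; revocation (the OCSP question raised in the mail) is a separate lookup against the responder named in the AIA extension, which openssl can perform with its ocsp subcommand given a reachable responder.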