[ntp:hackers] ntp Authentication support for X.509v3 against a Certificate Authority (CA)

Laatz, Erek laatz at makdata.de
Thu Jun 22 14:04:03 UTC 2006


Dear all,

that was a very encouraging discussion last night, thank you for your kind
support! Due to a long meeting in the morning it was impossible for me to
answer earlier :-(

Let me give a short summary of what I've learned in this discussion:
- Dave links to the stime.pdf paper, where the infrastructure model is
  referenced. But there's no further description on how to realise the
  certificate verification.

- In my understanding, I have to do the following:
  + create my own host certificate,
  + have it signed by the public CA,
  + use it in my trusted host.
  As Dave wrote, presumably the certificate trail will be extended up
  to the CA. Does it mean, it was not tested before?

- Usually a certificate verification against a CA will be done using the
  OCSP or LDAP protocol, connected to an X.500 directory.
  Neither protocol is contained in the NTP sources (4.2.0 at 1.116).
  Dave wrote that there's no reason why OCSP could not be used...
  That means (IMHO) that OCSP should work. But how? Would that be done
  by the linked OpenSSL libraries? What about LDAP access?

- If PKIX were required, very minor modifications would have to be made in the
  certificate extension fields. I think that might be the URL to the CA,
  e.g. ocsp://ca-root.foo.bar. Do you agree?

- Greg wrote that there has to be a scheme allowing an external
  certificate verification. Would that actually be handled by OpenSSL?

- In his last mail Dave refers to the TC scheme but also told us that
  public infrastructure procedures and resources are not specified as
  intended.

Now I'm a little confused... Does this mean that certificate verification
against a CA is impossible, or not?!

Best regards, yours

Erek



David L. Mills schrieb:
> Greg,
> 
> The TC scheme is described in the briefing, book and technical report, but
> it was not intended to be secure, as the text says. The public
> infrastructure procedures and resources are not specified as intended.
> If there is serious interest in doing just that, I would be most happy
> if somebody else worked out what needs to be done; I am preoccupied with
> other aspects of the work.
> 
> By the way, I caught in one version of your latest product description
> that the unit supported public key cryptography. Is this true? I got a
> question about this from my BlueCrossBlueShield consulting clients.
> 
> Dave
> 

