[ntp:hackers] ntp Authentication support for X.509v3 against a Certificate Authority (CA)

David L. Mills mills at udel.edu
Wed Jun 21 21:43:56 UTC 2006


Erek, Danny,

A full disclosure about the Autokey public key scheme is in the January 
technical report on the NTP project page linked from www.ntp.org. The 
scheme does hike the CA trail to a trusted host acting as a root CA. 
However, there is a problem. I suppose you need to use a commercial 
authority. Unless they run NTP with Autokey and have their own trusted 
NTP source, the period of validity cannot be verified.

The distribution does include means to generate x509v3 certificates 
using the ntp-genkeys routine, which uses the OpenSSL library. In 
principle, x509v3 certificates generated by the x509 program in that 
library can be used and in principle any other means that uses the 
common names assumed by the Autokey model. As of now, the common names 
must be those provided by the Unix hostname utility, and they must be 
encoded in PEM with a header giving file name and datestamp.

Try running ntp-genkeys, making a host certificate, asking a commercial 
CA to sign it and using it in your trusted host. Presumably, that would 
extend the trail to the CA. That wouldn't work with identity schemes, but 
it would be interesting to try.

Dave

Danny Mayer wrote:

> Laatz, Erek wrote:
>
>> Dear all,
>>
>> we want to set up a larger environment for around 60 NTP servers in 
>> Germany. All these hosts will have the ability to use system-specific 
>> X509v3 certificates issued by a CA. Our idea is to use these 
>> certificates also for ntp authentication, as we have the requirement 
>> to use some kind of authentication within the ntp installations.
>>
>> I've looked in several sources but found no idea how to realize a 
>> certificate verification against a CA, and even found no special hint 
>> on how to realize it within the autokey protocol.
>>
>> Is there anyone who has an idea how to realize an X.509v3 certificate
>> verification against a CA?
>>
>> Best regards, Yours
>>
>> Erek
>
>
> Dave Mills is the best person to answer these questions but he's not on
> this list, so I have added him to this reply. Have you looked at the
> autokey protocol for details about how it works?
>
> Danny
>
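The three conditions Dave's reply above puts on a host certificate (it must chain to the trusted CA, its common name must be what the hostname utility reports, and its validity period can only be judged by a host that already has trusted time) as an added pre-flight check written in plain shell with openssl; this is not code from the thread or from the ntp distribution, it does not call ntp-genkeys, and the certificate path, CA bundle path and optional expected CN are assumptions supplied by the caller.

```shell
#!/bin/sh
# check_autokey_cert CERT.pem CA.pem [EXPECTED_CN]
#
# Pre-flight check for a PEM host certificate before it is handed to an
# Autokey trusted host (added example, not part of ntp). Three checks:
#   1. the certificate must chain to the CA you intend to trust;
#   2. the subject CN must equal the name hostname(1) reports, because
#      that is the common name the Autokey model assumes;
#   3. the validity window only means something once this host has
#      trusted time, so it is printed for the operator rather than judged.
check_autokey_cert() {
    cert=$1
    ca=$2
    want=${3:-$(hostname)}   # default: the hostname utility's answer

    # 1. chain validation against the CA bundle
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca" >&2
        return 1
    fi

    # 2. subject CN must match the expected host name exactly
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$want" ]; then
        echo "FAIL: subject CN '$cn' is not the host name '$want'" >&2
        return 2
    fi

    # 3. show the validity period; a host whose clock is not yet trusted
    #    cannot verify it (the problem with a CA that does not itself run
    #    NTP with Autokey and a trusted source)
    echo "OK: $cert chains to CA and CN matches $want"
    openssl x509 -in "$cert" -noout -dates
    return 0
}
```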