[ntp:hackers] ntp Authentification support for X.509v3 against a Certificate Authority (CA)

David L. Mills mills at udel.edu
Thu Jun 22 01:18:28 UTC 2006


Todd,

I don't think you understand. The Autokey scheme is specifically 
designed to work with PKIX certificates and authorities, if the user so 
wishes. So, there is no reason why OCSP could not be used. However, I 
intended the scheme to be able to work entirely self-contained and 
without reliance on DNS or external authorities if this is within the 
security envelope. Or, it could be used in conjunction with Autokey, but 
OCSP itself has problems with authoritative time.

An anticipated scenario is a sensor network which must start up from a 
completely dark state and light up protocols that depend on time. So, 
the first thing to do is confirm time is proventic throughout the 
network, then start up the dependent protocols. It must be possible to 
do this without external services. This is not to say this is the only 
scenario, only that it is a possible scenario and happens to be the default.

Dave

todd glassey wrote:

> There is nothing like OCSP or otherwise in Autokey so it cannot really do
> anything to verify the certificate now, Greg.
>
> Todd
>
> ----- Original Message -----
> From: "Greg Dowd" <GDowd at symmetricom.com>
> To: "David L. Mills" <mills at udel.edu>; <hackers at support.ntp.org>
> Cc: "Laatz, Erek" <laatz at makdata.de>
> Sent: Wednesday, June 21, 2006 3:24 PM
> Subject: RE: [ntp:hackers] ntp Authentification support for X.509v3
> against a Certificate Authority (CA)
>
>
> Is there something in the doc that talks about how to walk a cert trail?
> I think the openssl list is a good place to start. The Autokey doc
> mentions more protocol aspect issues such as "distributed via secure
> means". Where is the "hiking a CA trail" doc? As far as I know, the
> autokey implementation is still just sending a single cert, which in
> reality is expected to end in a self-signed cert via proventic check.
> In the identity schema doc, there is a mention of 5 schemes in the first
> 4 paras, then it drops to 4 schemes and TC goes away, right?
>
> Typical mechanisms for cert validation and CRL distribution are X.500
> directories or LDAP. This is typically org specific based on whose CA software
> is installed.
>
>
>
> Greg Dowd
> gdowd at symmetricom dot com (antispam format)
> Symmetricom, Inc.
> www.symmetricom.com
> "The current implementation is non-obvious and may need to be improved."
>
>
>
>
> -----Original Message-----
> From: hackers-bounces at support.ntp.org
> [mailto:hackers-bounces at support.ntp.org] On Behalf Of David L. Mills
> Sent: Wednesday, June 21, 2006 2:44 PM
> To: hackers at support.ntp.org
> Cc: Laatz, Erek
> Subject: Re: [ntp:hackers] ntp Authentification support for X.509v3
> againsta Certificate Authority (CA)
>
> Erek, Danny,
>
> A full disclosure about the Autokey public key scheme is in the January
> technical report on the NTP project page linked from www.ntp.org. The
> scheme does hike the CA trail to a trusted host acting as a root CA.
> However, there is a problem. I suppose you need to use a commercial
> authority. Unless they run NTP with Autokey and have their own trusted
> NTP source, the period of validity cannot be verified.
>
> The distribution does include means to generate x509v3 certificates
> using the ntp-genkeys routine, which uses the OpenSSL library. In
> principle, x509v3 certificates generated by the x509 program in that
> library can be used and in principle any other means that uses the
> common names assumed by the Autokey model. As of now, the common names must
> be those provided by the Unix hostname utility, and they must be encoded
> in PEM with a header giving file name and datestamp.
>
> Try running ntp-genkeys, making a host certificate, asking a commercial
> CA to sign it and using it in your trusted host. Presumably, that would
> extend the trail to the CA. That wouldn't work with identity schemes, but
> it would be interesting to try.
>
> Dave
>
> Danny Mayer wrote:
>
>> Laatz, Erek wrote:
>>
>>> Dear all,
>>>
>>> we want to set up a larger environment for around 60 NTP servers in
>>> Germany.
>>> All these hosts will have the ability to use system specific X509v3
>>> certificates issued by a CA. Our idea is to use these certificates
>>> also for ntp authentication as we have the requirement to use some
>>> kind of authentication within the ntp installations.
>>>
>>> I've looked in several sources but found no information on how to realize
>>> certificate verification against a CA, and found no specific hint on
>>> how to realize it within the Autokey protocol.
>>>
>>> Is there anyone who has an idea how to realize X.509v3 certificate
>>> verification against a CA?
>>>
>>> Best regards, Yours
>>>
>>> Erek
>>
>>
>> Dave Mills is the best person to answer these questions but he's not
>> on this list, so I have added him to this reply. Have you looked at
>> the autokey protocol for details about how it works?
>>
>> Danny
>>
>
> _______________________________________________
> hackers mailing list
> hackers at support.ntp.org
> https://support.ntp.org/mailman/listinfo/hackers
>
>
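The thread's point is that Autokey hikes the certificate trail to a trusted root, but the validity period of each certificate can only be judged against time that is itself trusted: a node waking from a dark state with its clock at 1970 would reject every certificate on notBefore alone. The script below is an added illustration of that dependency, not code from the ntp:hackers thread or from the NTP distribution. It builds a two-level X.509v3 chain with the OpenSSL command line (standing in for ntp-genkeys, which the thread says also uses OpenSSL), walks the leaf to the root with `openssl verify`, and judges the validity window at an explicitly supplied time via `-attime` rather than the local clock. It assumes `openssl` is in PATH; the common names `root-ca.example` and `host1.example` and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example: build a root CA + host certificate and verify the chain at a
# chosen time. Assumes the openssl CLI; names and paths below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_chain: self-signed root (10 years) and a host certificate signed by it
# (1 year). Autokey expects hostname-style common names, so both subjects are
# plain hostnames (constructed values).
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=root-ca.example" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=host1.example" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/host.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/host.pem" 2>/dev/null
}

# validity_of FILE: show the notBefore/notAfter window the verifier depends on.
validity_of() {
    openssl x509 -in "$1" -noout -dates
}

# verify_at EPOCH_SECONDS: walk host.pem up to root.pem and evaluate the
# validity period at the given instant instead of the local clock.
# Prints "ok" when the trail and the window check out, "fail" otherwise.
verify_at() {
    if openssl verify -CAfile "$WORK/root.pem" -attime "$1" \
            "$WORK/host.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demonstration: same chain, three different notions of "now".
make_chain
validity_of "$WORK/host.pem"
NOW=$(date +%s)
echo "one hour into the window:          $(verify_at $((NOW + 3600)))"
echo "dark-state clock (epoch 0):        $(verify_at 0)"
echo "long after expiry (2100-01-01):    $(verify_at 4102444800)"
```

The chain walk itself (signature of host.pem by root.pem, root in the trust store) is identical in all three runs; only the time supplied changes the verdict. That is the gap Dave describes: a verifier with a wrong or absent clock cannot tell a fresh certificate from an expired one, which is why a self-contained Autokey deployment establishes proventic time before trusting anything that has a validity period.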