[ntp:hackers] ntp Authentification support for X.509v3 against a Certificate Authority (CA)

todd glassey todd.glassey at worldnet.att.net
Thu Jun 22 04:16:23 UTC 2006


Greg/David
this is the material that we need to turn into USE/PRACTICE Statements so
that we can better plug time maintenance into Auditing. We also need to come
up with several pre-approved topologies for working inside a corporate
network.

Todd
----- Original Message ----- 
From: "David L. Mills" <mills at udel.edu>
To: <hackers at support.ntp.org>
Cc: "Laatz, Erek" <laatz at makdata.de>
Sent: Wednesday, June 21, 2006 7:13 PM
Subject: Re: [ntp:hackers] ntp Authentification support for X.509v3
against a Certificate Authority (CA)


> Greg,
>
> On the NTP project page at www.ntp.org there are three security
> briefings
> http://www.eecis.udel.edu/~mills/database/brief/autokey/autokey.pdf,
> http://www.eecis.udel.edu/~mills/database/brief/secalgor/secalgor.pdf and
> http://www.eecis.udel.edu/~mills/database/brief/secproto/secproto.pdf,
> two (large) HTML pages http://www.eecis.udel.edu/~mills/proto.html and
> http://www.eecis.udel.edu/~mills/ident.html, a 56-page technical report
> http://www.eecis.udel.edu/~mills/database/reports/stime1/stime.pdf, as
> well as two chapters in das Buch. Which document do you have in mind?
> The documents might not all be complete, consistent and may have errors.
> The only thing I truly trust is das Buch. Nobody's perfect. Whatever
> questions you might have should be answered in the documents cited, even
> if they are wordy, intricate and plain boring.
>
> The x509v3 certificates are generated, signed and the trails hiked in
> the same way as PKIX. The trails end on a self-signed trusted
> certificate held by the same dude that generated the (optional) identity
> key. I expect that, if the PKIX infrastructure was required, very minor
> modifications might have to be made in the extension fields. I would
> dearly like a volunteer to actually try generating and signing a
> certificate in the old fashion way and report what breaks in ntpd.
>
> Dave
>
> Greg Dowd wrote:
>
> >Is there something in the doc that talks about how to walk a cert trail?
> >I think the openssl list is a good place to start.  The Autokey doc
> >mentions more protocol aspect issues such as "distributed via secure
> >means".  Where is the "hiking a CA trail" doc?  As far as I know, the
> >autokey implementation is still just sending a single cert, which in
> >reality is expected to end in a self-signed cert via proventic check.
> >In the identity schema doc, there is a mention of 5 schemes in the first
> >4 paras, then it drops to 4 schemes and TC goes away, right?
> >
> >Typical mechanisms for cert validation and crl distribution are x.500
> >dirs or ldap.  This is typically org specific based on whose ca software
> >is installed.
> >
> >Greg Dowd
> >gdowd at symmetricom dot com (antispam format)
> >Symmetricom, Inc.
> >www.symmetricom.com
> >"The current implementation is non-obvious and may need to be improved."
> >
> >-----Original Message-----
> >From: hackers-bounces at support.ntp.org
> >[mailto:hackers-bounces at support.ntp.org] On Behalf Of David L. Mills
> >Sent: Wednesday, June 21, 2006 2:44 PM
> >To: hackers at support.ntp.org
> >Cc: Laatz, Erek
> >Subject: Re: [ntp:hackers] ntp Authentification support for X.509v3
> >against a Certificate Authority (CA)
> >
> >Erek, Danny,
> >
> >A full disclosure about the Autokey public key scheme is in the January
> >technical report on the NTP project page linked from www.ntp.org. The
> >scheme does hike the CA trail to a trusted host acting as a root CA.
> >However, there is a problem. I suppose you need to use a commercial
> >authority. Unless they run NTP with Autokey and have their own trusted
> >NTP source, the period of validity cannot be verified.
> >
> >The distribution does include means to generate x509v3 certificates
> >using the ntp-genkeys routine, which uses the OpenSSL library. In
> >principle, x509v3 certificates generated by the x509 program in that
> >library can be used and in principle any other means that uses the
> >common names assumed by the Autokey model. As now, the common names must
> >be those provided by the Unix hostname utility, and they must be encoded
> >in PEM with a header giving file name and datestamp.
> >
> >Try running ntp-genkeys, making a host certificate, asking a commercial
> >CA to sign it and using it in your trusted host. Presumably, that would
> >extend the trail to the CA. That wouldn't work with identity schemes, but
> >it would be interesting to try.
> >
> >Dave
> >
> >Danny Mayer wrote:
> >
> >>Laatz, Erek wrote:
> >>
> >>>Dear all,
> >>>
> >>>we want to set up a larger environment for around 60 NTP servers in
> >>>Germany.
> >>>All these hosts will have the ability to use system specific X509v3
> >>>certificates issued by a CA. Our idea is to use these certificates
> >>>also for ntp authentification as we have the requirement to use some
> >>>kind of authentification within the ntp installations.
> >>>
> >>>I've looked in several sources but found no idea how to realize a
> >>>certificate verification against a CA, even found no special hint on
> >>>how to realize it within the autokey protocol.
> >>>
> >>>Is there anyone who has an idea how to realize an X.509v3 certificate
> >>>verification against a CA?
> >>>
> >>>Best regards, Yours
> >>>
> >>>Erek
> >>>
> >>
> >>Dave Mills is the best person to answer these questions but he's not
> >>on this list, so I have added him to this reply. Have you looked at
> >>the autokey protocol for details about how it works?
> >>
> >>Danny
> >>
> >
>
> _______________________________________________
> hackers mailing list
> hackers at support.ntp.org
> https://support.ntp.org/mailman/listinfo/hackers
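Greg's question about how to walk a cert trail, and Dave's point that a certificate's period of validity cannot be checked without trusted time, as an added shell example that is not from this thread or the ntp project: it builds a constructed root -> intermediate -> host trail with the openssl CLI (assumed installed, 1.1.1 or later, with its default config) and hikes it with openssl verify, once at the current clock and once with the clock set to 2000-01-01.

```shell
# Added example, not ntp project code: build a three-certificate trail
# (self-signed root CA -> intermediate CA -> NTP host) and hike it with
# openssl verify. Assumes the openssl CLI (1.1.1 or later) with its default
# config; all names below are constructed for the demo.
WORK="${WORK:-$(mktemp -d)}"

# Sign "$1.csr" with CA "$2", giving it the single extension line in $3.
sign_with_ca() {
  printf '%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Generate the trail. The root is self-signed, which is where an Autokey
# trail is expected to end; the host CN is its hostname, as Autokey assumes.
build_trail() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=root-ca.example.test" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=int-ca.example.test" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  sign_with_ca int root "basicConstraints=critical,CA:TRUE"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ntp1.example.test" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  sign_with_ca host int "basicConstraints=critical,CA:FALSE"
}

# Hike the trail host -> int -> root, trusting only the root, as seen from
# the clock time $1 (epoch seconds). Exit status is that of openssl verify.
verify_trail_at() {
  openssl verify -attime "$1" -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/int.pem" "$WORK/host.pem" >/dev/null 2>&1
}

# Print the host certificate's validity window (notBefore= / notAfter=).
host_validity() {
  openssl x509 -in "$WORK/host.pem" -noout -startdate -enddate
}

# The verdict depends on what the verifier believes the time is: a host with
# no trusted time source cannot decide whether the trail is currently valid.
build_trail
host_validity
verify_trail_at "$(date +%s)" && echo "now: trail OK"
verify_trail_at 946684800 || echo "2000-01-01: trail rejected (not yet valid)"
```

The same trail rejected at 2000-01-01 is accepted at the current clock, which is the circularity Dave describes: the check is only as good as the clock doing it.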