[ntp:questions] Re: AutoKey protocol question

David L. Mills mills at udel.edu
Tue Jan 11 03:36:14 UTC 2005


Dori,

The protocol hikes the certificate trail in the standard way; in fact, 
industry standard certificates can in general be used. However, the 
subject and issuer names must at present be the canonical host names (aka 
gethostbyname()).

You hit on one of the most interesting (to me) issues about the protocol 
- how can you trust the valid period if you don't know the time? Well, 
you don't know that for sure until the clock is about to be set as per 
the mitigation algorithms. At this time the truechimers are known from 
the falsetickers and the valid periods can be checked. If somebody has 
an expired certificate, it is disbarred. I unwittingly tested that 
recently when I forgot to renew a certificate and it did expire. 
Everything worked as expected.

That appendix reference could be a typo. There is more info on the 
project page.

Dave

Eldar, Dori wrote:

> Couple of newbie questions:
>  
> 1. How does the server certificate validation performed by NTP clients
> differ from standard PKI certificate validation defined in RFC 2459?
> Specifically, the AutoKey Protocol draft dated Aug 2003 briefly mentions
> the certificate's Validity Period field in Appendix G and refers the
> reader to Appendix E for additional information. I did not find any
> relevant information in this appendix describing the content of this
> field. 
>  
> 2. My main question is the following: If an NTP client has no notion of
> the current time, how can the client validate an NTP server certificate
> validity period? Is the intent to simply ignore this field when
> validating certificates?
>  
> Thanks in advance,
> Dori  
