[ntp:questions] Re: AutoKey protocol question
David L. Mills
mills at udel.edu
Tue Jan 11 03:36:14 UTC 2005
Dori,
The protocol hikes the certificate trail in the standard way; in fact,
industry standard certificates can in general be used. However, the
subject and issuer names must at present be the canonical host names (aka
gethostbyname()).
You hit on one of the most interesting (to me) issues about the protocol
- how can you trust the valid period if you don't know the time? Well,
you don't know that for sure until the clock is about to be set as per
the mitigations algorithms. At this time the truechimers are known from
the falsetickers and the valid periods can be checked. If somebody has
an expired certificate, it is disbarred. I unwittingly tested that
recently when I forgot to renew a certificate and it did expire.
Everything worked as expected.
That appendix reference could be a typo. There is more info on the
project page.
Dave
Eldar, Dori wrote:
> A couple of newbie questions:
>
> 1. How does the server certificate validation performed by NTP clients
> differ from standard PKI certificate validation defined in RFC 2459?
> Specifically, the AutoKey Protocol draft dated Aug 2003 briefly mentions
> the Certificate's Validity Period field in Appendix G and refers the
> reader to Appendix E for additional information; I did not find any
> relevant information in that appendix describing the content of this
> field.
>
> 2. My main question is the following: If an NTP client has no notion of
> the current time, how can the client validate an NTP server certificate
> validity period? Is the intent to simply ignore this field when
> validating certificates?
>
> Thanks In Advance
> Dori
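An added illustration of the ordering Dave describes (this is not ntpd's code and is not part of the original thread): a simplified Marzullo-style selection is run first over constructed candidate servers, the proposed time is derived from the truechimers, and only then is each certificate's validity period judged against that time. Server names, offsets, error bounds and certificate dates are all constructed values.

```python
from dataclasses import dataclass

@dataclass
class Candidate:
    name: str
    offset: float      # estimated (server - local) clock offset, seconds
    max_error: float   # half-width of the correctness interval, seconds
    not_before: float  # certificate notBefore, POSIX seconds
    not_after: float   # certificate notAfter, POSIX seconds

def intersection(cands):
    """Simplified Marzullo-style intersection (not ntpd's exact algorithm):
    the largest set of correctness intervals sharing a common point are the
    truechimers, provided they form a majority; the rest are falsetickers."""
    edges = sorted({c.offset - c.max_error for c in cands}
                   | {c.offset + c.max_error for c in cands})
    best = []
    for lo, hi in zip(edges, edges[1:]):
        mid = (lo + hi) / 2
        inside = [c for c in cands
                  if c.offset - c.max_error <= mid <= c.offset + c.max_error]
        if len(inside) > len(best):
            best = inside
    if len(best) * 2 <= len(cands):
        return [], list(cands)
    return best, [c for c in cands if c not in best]

def select_and_check_certs(local_now, cands):
    """Decide the time first, then judge the certificates' validity periods
    against that candidate time, disbarring expired (or not-yet-valid) ones."""
    true_, false_ = intersection(cands)
    if not true_:
        return {"proposed": None, "accepted": [], "disbarred": [],
                "falsetickers": [c.name for c in false_]}
    lo = max(c.offset - c.max_error for c in true_)   # common overlap region
    hi = min(c.offset + c.max_error for c in true_)
    proposed = local_now + (lo + hi) / 2
    accepted = [c.name for c in true_ if c.not_before <= proposed <= c.not_after]
    disbarred = [c.name for c in true_ if c.name not in accepted]
    return {"proposed": proposed, "accepted": accepted,
            "disbarred": disbarred, "falsetickers": [c.name for c in false_]}

# Constructed sample: the local clock reads the epoch (no notion of time);
# three servers agree on roughly 2005-01-10, one is 500 s off.
T = 1105400000.0                 # constructed "true" time, Jan 2005
CANDIDATES = [
    Candidate("A", T + 0.010, 0.05, 1072915200, 1135987200),
    Candidate("B", T - 0.020, 0.04, 1072915200, 1135987200),
    Candidate("C", T + 0.005, 0.03, 1072915200, 1104537600),  # expired 2005-01-01
    Candidate("D", T + 500.0, 0.10, 1072915200, 1135987200),  # falseticker
]

if __name__ == "__main__":
    print(select_and_check_certs(0.0, CANDIDATES))
```

Server C is a truechimer by the clock-selection step yet is disbarred because the time the truechimers agree on falls after its notAfter; server D never reaches the certificate check at all.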