Re: [Ntp] Antw: [EXT] Re: Wildcards in NTS certificate checking

Daniel Franke <dfoxfranke@gmail.com> Tue, 19 April 2022 17:02 UTC

From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 19 Apr 2022 13:02:29 -0400
Message-ID: <CAJm83bC=t7uM916vRS1brUq-i=LQ0_TRuNxQXLhAFqFC1y0Dqw@mail.gmail.com>
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Cc: mdavids=40forfun.net@dmarc.ietf.org, Hal Murray <halmurray@sonic.net>, "ntp@ietf.org" <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/CXW5KLUtZn9JGtAN_xcdTo4Z3Xw>

On Tue, Apr 19, 2022 at 2:43 AM Ulrich Windl
<Ulrich.Windl@rz.uni-regensburg.de> wrote:
> Well I think the client's security policy actually may decide.
> A related question would be: Is "certificate pinning" allowed for the client?
> The server may think it has the right to change certificates any time.

Absent any specific arrangement with its clients to the contrary, the
server is free to use wildcard certificates and to change certificates
at any time. The client is free to pin certificates or to prohibit
wildcards, but, absent any specific arrangement with the server
operator to the contrary, should anticipate that this will lead to
sudden breakage that it will be incumbent on the user to debug. Having
this as a default does not make for a good user experience.
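The policy choice discussed in this thread, as an added illustration that is not code from the thread or from any NTS implementation: the client's local policy, not the server, decides whether a wildcard SAN matches the NTS-KE host name and whether a rotated key is accepted against a pin. Host names, SAN entries and the SPKI byte strings are constructed placeholders; the wildcard rules follow the usual RFC 6125 restrictions (whole leftmost label only, matches exactly one label, no bare `*.tld`).

```python
# Added example (not from the thread): a client-side server-name and pinning
# check for NTS-KE. Host names, SAN entries and key bytes are constructed.
import hashlib
from dataclasses import dataclass, field

@dataclass
class ClientPolicy:
    allow_wildcards: bool = True                           # accept *.example.net style SANs
    pinned_spki_sha256: set = field(default_factory=set)   # empty set means no pinning

def spki_pin(spki_der: bytes) -> str:
    """SHA-256 hex digest of a SubjectPublicKeyInfo, the usual pin form."""
    return hashlib.sha256(spki_der).hexdigest()

def name_matches(pattern: str, host: str, allow_wildcards: bool) -> bool:
    """Match one dNSName SAN entry against the NTS-KE host name.

    Wildcard handling follows RFC 6125-style rules: the wildcard must be the
    entire leftmost label, it matches exactly one label, and a pattern with
    fewer than three labels (e.g. '*.net') is never accepted.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not allow_wildcards:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_server(host: str, san_names: list, spki_der: bytes, policy: ClientPolicy) -> str:
    """Return 'ok', or a short reason explaining why the client rejected the server."""
    if not any(name_matches(n, host, policy.allow_wildcards) for n in san_names):
        return "no SAN matches host under current wildcard policy"
    if policy.pinned_spki_sha256 and spki_pin(spki_der) not in policy.pinned_spki_sha256:
        return "certificate key changed and does not match pin"
    return "ok"

if __name__ == "__main__":
    host = "nts.example.net"                       # constructed host name
    old_key, new_key = b"constructed-old-spki", b"constructed-new-spki"
    pinned = ClientPolicy(pinned_spki_sha256={spki_pin(old_key)})
    print(check_server(host, ["*.example.net"], old_key, ClientPolicy()))
    print(check_server(host, ["*.example.net"], old_key, ClientPolicy(allow_wildcards=False)))
    print(check_server(host, [host], new_key, pinned))   # server rotated its key: breakage
```

The third call shows the "sudden breakage" the reply warns about: a perfectly valid new certificate is refused purely because the client pinned the old key.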