Re: [Ntp] Wildcards in NTS certificate checking

"Salz, Rich" <rsalz@akamai.com> Sat, 16 April 2022 13:58 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Hal Murray <halmurray+ietf@sonic.net>, "Marco Davids (IETF)" <mdavids=40forfun.net@dmarc.ietf.org>
CC: "ntp@ietf.org" <ntp@ietf.org>
Date: Sat, 16 Apr 2022 13:58:18 +0000
Message-ID: <277EB42F-0583-4FD1-8A92-FA2DAEF691AD@akamai.com>
References: <mdavids=40forfun.net@dmarc.ietf.org> <f7a50921-7c79-f2bb-6d4e-1416b4b86320@sidn.nl> <20220415203242.60DAF28C1D1@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20220415203242.60DAF28C1D1@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/T7jWGi_q_fytCevmNpEeqSRnUx0>
Subject: Re: [Ntp] Wildcards in NTS certificate checking
List-Id: Network Time Protocol <ntp.ietf.org>

>    Do server operators advertise that they do/don't use wildcards?  Do they ever
>    change their minds?

There is no way to find out until the client has the cert and sees a "*" in the SAN field.  I am sure people have changed their minds about whether they use wildcards or not; the Internet is a big place.

>    Another last thing we need is to get a reputation for not being secure.

You will not get a reputation for being insecure if you support wildcards.  I mean, c'mon, Marco has pointed out that the software is inconsistent and I've pointed out that it is really common practice and that your policy decisions seem based on lack of knowledge. I've also suggested other places you could go to (the UTA and TLS working groups).  What more do you want?  I can't imagine how else I can usefully contribute to this conversation.

>    Where are the NTS servers using wildcards?

It's early days.

>    Did something happen recently to trigger this discussion?

I believe it started with Marco's first post on this thread.

>    Is there NTS deployment activity or discussion that I've missed?

Not that I am aware of.  But with any luck, there are organizations planning NTS deployments that will never get mentioned here.
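The check at the centre of this thread is what a client does once it has the server certificate and "sees a '*' in the SAN field". The following is an added example, not code from the thread or from any NTS implementation: it matches a hostname against dNSName SAN entries using the conservative wildcard rules of RFC 6125 section 6.4.3 (the wildcard must be the whole left-most label, it matches exactly one label, and entries with fewer than two labels after the wildcard such as "*.net" are refused), and it exposes an `allow_wildcards` switch so the strict policy discussed above can be compared with the permissive one. The SAN list and function names are constructed for illustration.

```python
"""Hostname matching against certificate SAN dNSName entries, showing the
wildcard rules a TLS (hence NTS-KE) client applies once it sees "*" in the
SAN field. Added example for this thread; not taken from any NTS
implementation. Rules follow RFC 6125 section 6.4.3 conservatively."""

from typing import Iterable, Optional


def _normalise(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is just the
    # fully qualified spelling of the same name.
    return name.lower().rstrip(".")


def san_matches_hostname(san: str, hostname: str) -> bool:
    """Return True if the dNSName SAN entry covers hostname."""
    san = _normalise(san)
    hostname = _normalise(hostname)
    if not san or not hostname:
        return False
    if "*" not in san:
        return san == hostname            # plain entry: exact match only
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire left-most label ("*.example.net");
    # partial ("ti*.example.net") and non-leading wildcards are refused.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    # Refuse overly broad entries such as "*.net": require at least two
    # labels after the wildcard.
    if len(san_labels) < 3:
        return False
    # "*" matches exactly one label: never zero ("example.net") and
    # never several ("a.b.example.net").
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def uses_wildcard(sans: Iterable[str]) -> bool:
    """True if any dNSName entry contains '*' (the first thing a client notices)."""
    return any("*" in san for san in sans)


def verify_hostname(sans: Iterable[str], hostname: str,
                    allow_wildcards: bool = True) -> Optional[str]:
    """Return the SAN entry that matches hostname, or None if none does.

    allow_wildcards=False implements the strict policy debated in the
    thread: wildcard entries are ignored entirely, so a certificate that
    covers the host only via "*.example.net" fails verification.
    """
    for san in sans:
        if "*" in san and not allow_wildcards:
            continue
        if san_matches_hostname(san, hostname):
            return san
    return None


# Constructed sample: the SAN list of a hypothetical NTS-KE server certificate.
SAMPLE_SANS = ["nts.example.net", "*.example.net", "time.example.org"]

if __name__ == "__main__":
    for host in ("nts.example.net", "pool1.example.net", "a.b.example.net"):
        for policy in (True, False):
            print(f"{host:20} allow_wildcards={policy!s:5} -> "
                  f"{verify_hostname(SAMPLE_SANS, host, policy)}")
```

Running the block prints, for each host, which SAN entry (if any) matched under each policy; `pool1.example.net` is covered only by the wildcard entry, so it verifies under the permissive policy and fails under the strict one, while `nts.example.net` verifies under both because it has its own exact entry.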