Re: [Ntp] Antw: [EXT] Re: Wildcards in NTS certificate checking

Doug Arnold <doug.arnold@meinberg-usa.com> Tue, 19 April 2022 21:06 UTC

From: Doug Arnold <doug.arnold@meinberg-usa.com>
To: Hal Murray <halmurray+ietf@sonic.net>, Daniel Franke <dfoxfranke@gmail.com>
CC: "ntp@ietf.org" <ntp@ietf.org>, Hal Murray <halmurray+ietf@sonic.net>
Date: Tue, 19 Apr 2022 21:06:26 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/j8kofvo8T_HA7B-2MLNzoJamLNo>

Organizations that are serious about security run secure versions of protocols even inside their firewall.

Doug

From: ntp <ntp-bounces@ietf.org> on behalf of Hal Murray <halmurray+ietf@sonic.net>
Date: Tuesday, April 19, 2022 at 4:32 PM
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: ntp@ietf.org <ntp@ietf.org>, Hal Murray <halmurray+ietf@sonic.net>
Subject: Re: [Ntp] Antw: [EXT] Re: Wildcards in NTS certificate checking

dfoxfranke@gmail.com said:
> Absent any specific arrangement with its clients to the contrary, the server
> is free to use wildcard certificates and to change certificates at any time.
> The client is free to pin certificates or to prohibit wildcards, but, absent
> any specific arrangement with the server operator to the contrary, should
> anticipate that this will lead to sudden breakage that it will be incumbent
> on the user to debug. Having this as a default does not make for a good user
> experience.

Good point.  But what about people who are willing to work a bit for better
security?  Would they even use NTS, or would they all install a GPS box inside
their firewall?

What is the target audience?  Do we have more than one?

Should we be collecting ideas for a BCP?

What are the units of (in)security?  How do we even discuss how much feature X
adds to security?

Here is one to think about...  You don't want all of your servers using the
same CA.


--
These are my opinions.  I hate spam.
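The two client-side choices in Daniel's paragraph above (refusing wildcard names, pinning the server key) and the "sudden breakage" a pinned client sees when the server rotates its certificate, together with Hal's point about several servers sharing one CA, as an added illustration that is not code from the thread or from any NTS implementation. It works on fields already extracted from a peer's leaf certificate so it runs offline; the hostnames, issuer names and SPKI byte strings are constructed, and the `PeerCert`, `ClientPolicy`, `check_peer` and `shared_issuers` names are this example's own.

```python
"""Client-side NTS-KE certificate policy checks.

Added example, not code from the thread or from any NTS implementation.
It models the two client-side choices discussed above: refusing wildcard
names and pinning the server's public key (SPKI hash). It takes fields
already extracted from the peer's leaf certificate so it runs offline;
a real client would apply these checks after normal chain validation.
"""
import base64
import hashlib
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Leaf-certificate fields a client needs here (all values constructed)."""
    san_dns_names: list
    spki_der: bytes   # DER SubjectPublicKeyInfo; a stand-in byte string below
    issuer: str


@dataclass
class ClientPolicy:
    allow_wildcards: bool = True
    pinned_spki_sha256: set = field(default_factory=set)  # base64 digests


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469-style pin value: base64(sha256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 section 6.4.3 style matching: a lone '*' may stand for
    exactly one leftmost label, never part of a label, never at the
    top two levels, and never for more than one label."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    if plabels[0] != "*" or "*" in p[1:] or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def check_peer(host: str, cert: PeerCert, policy: ClientPolicy):
    """Return (accepted, reason). The reason names the policy that fired so
    an operator can tell a pin rotation from a plain hostname mismatch."""
    matches = [n for n in cert.san_dns_names if name_matches(n, host)]
    if not matches:
        return False, "no SAN entry matches " + host
    if not policy.allow_wildcards and all("*" in n for n in matches):
        return False, "only a wildcard SAN matches and wildcards are disabled"
    if policy.pinned_spki_sha256:
        if spki_pin(cert.spki_der) not in policy.pinned_spki_sha256:
            return False, "SPKI pin mismatch (server key or certificate changed?)"
    return True, "ok"


def shared_issuers(certs_by_server: dict) -> dict:
    """Issuers that sign certificates for more than one configured server,
    mapped to the servers affected. A non-empty result is the situation the
    thread warns against: one CA compromise covers all of those servers."""
    by_issuer = {}
    for server, cert in certs_by_server.items():
        by_issuer.setdefault(cert.issuer, []).append(server)
    return {iss: srvs for iss, srvs in by_issuer.items() if len(srvs) > 1}


# Constructed sample data: a wildcard certificate, the same server after a
# key rotation, and a third server with an exact-name certificate.
WILDCARD_CERT = PeerCert(["*.example.net"], b"constructed-spki-v1", "Example CA")
ROTATED_CERT = PeerCert(["*.example.net"], b"constructed-spki-v2", "Example CA")
EXACT_CERT = PeerCert(["nts.example.org"], b"constructed-spki-org", "Other CA")

if __name__ == "__main__":
    default = ClientPolicy()
    strict = ClientPolicy(allow_wildcards=False)
    pinned = ClientPolicy(pinned_spki_sha256={spki_pin(WILDCARD_CERT.spki_der)})
    for label, host, cert, pol in [
        ("default, wildcard cert", "nts.example.net", WILDCARD_CERT, default),
        ("wildcards off", "nts.example.net", WILDCARD_CERT, strict),
        ("pinned, same key", "nts.example.net", WILDCARD_CERT, pinned),
        ("pinned, after rotation", "nts.example.net", ROTATED_CERT, pinned),
    ]:
        print(f"{label:24s}: {check_peer(host, cert, pol)}")
    print("shared issuers:", shared_issuers({
        "nts1.example.net": WILDCARD_CERT, "nts2.example.net": WILDCARD_CERT,
        "nts.example.org": EXACT_CERT}))
```

The fourth scenario is the failure mode Daniel describes: the client's pin was correct yesterday, the server operator rotated its key, and the client now refuses every connection with a reason string that points at the pin rather than at the network or the certificate chain. That reason string is what makes the breakage debuggable by the user rather than mysterious.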



_______________________________________________
ntp mailing list
ntp@ietf.org
https://www.ietf.org/mailman/listinfo/ntp