Re: [Ntp] Antw: [EXT] Re: Wildcards in NTS certificate checking

"Salz, Rich" <rsalz@akamai.com> Tue, 19 April 2022 17:48 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Daniel Franke <dfoxfranke@gmail.com>, Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
CC: "ntp@ietf.org" <ntp@ietf.org>, Hal Murray <halmurray@sonic.net>, "mdavids=40forfun.net@dmarc.ietf.org" <mdavids=40forfun.net@dmarc.ietf.org>
Thread-Topic: [Ntp] Antw: [EXT] Re: Wildcards in NTS certificate checking
Date: Tue, 19 Apr 2022 17:47:52 +0000
Message-ID: <E2AFFD69-3A11-439A-B5C4-91F787848DFA@akamai.com>
References: <DEBE05CE020000C5FDA5B133@gwsmtp.uni-regensburg.de> <C72B1BFF020000657BE0EBB5@gwsmtp.uni-regensburg.de> <C47F79BB02000008FDA5B133@gwsmtp.uni-regensburg.de> <5865E3950200000D7BE0EBB5@gwsmtp.uni-regensburg.de> <DFB7955F020000B8DC344014@gwsmtp.uni-regensburg.de> <8E9786F3020000E1FDA5B133@gwsmtp.uni-regensburg.de> <625E5A02020000A1000496FA@gwsmtp.uni-regensburg.de> <CAJm83bC=t7uM916vRS1brUq-i=LQ0_TRuNxQXLhAFqFC1y0Dqw@mail.gmail.com>
In-Reply-To: <CAJm83bC=t7uM916vRS1brUq-i=LQ0_TRuNxQXLhAFqFC1y0Dqw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/kSTbOFaHh_0xJP-otbRXRJZNkr0>

+1 many times.  Good points, Daniel.

On 4/19/22, 1:02 PM, "Daniel Franke" <dfoxfranke@gmail.com> wrote:

    On Tue, Apr 19, 2022 at 2:43 AM Ulrich Windl
    <Ulrich.Windl@rz.uni-regensburg.de> wrote:
    > Well I think the client's security policy actually may decide.
    > A related question would be: Is "certificate pinning" allowed for the client?
    > The server may think it has the right to change certificates any time.

    Absent any specific arrangement with its clients to the contrary, the
    server is free to use wildcard certificates and to change certificates
    at any time. The client is free to pin certificates or to prohibit
    wildcards, but, absent any specific arrangement with the server
    operator to the contrary, should anticipate that this will lead to
    sudden breakage that it will be incumbent on the user to debug. Having
    this as a default does not make for a good user experience.

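The thread above argues about policy, not mechanism: a server may present a wildcard certificate and may rotate certificates at will, while a client may refuse wildcards or pin, at the cost of breakage the user then has to debug. The following is an added example, not code from this thread, from any NTS implementation, or from the authors quoted above. It models the client-side decision as data: an RFC 6125 style DNS-ID match in which a wildcard is honoured only as the entire left-most label and matches exactly one label, plus an optional SPKI pin set. The hostname, the SAN list and the SPKI bytes are constructed sample inputs; the rejection of two-label wildcards such as `*.com` is a conservative choice of this example, not a requirement the page states.

```python
"""Client-side name matching and pinning policy for an NTS-KE server certificate.

Added illustrative example; not taken from any NTS implementation or from the
quoted e-mail thread. Names, sample SANs and SPKI bytes are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What the client is willing to accept. Defaults follow the thread's advice:
    honour wildcards and do not pin, so a server-side certificate change does
    not strand the client."""
    allow_wildcards: bool = True
    pinned_spki_sha256: frozenset[str] = frozenset()  # hex SHA-256 of SubjectPublicKeyInfo DER


@dataclass(frozen=True)
class ServerIdentity:
    """The parts of the presented leaf certificate this check looks at."""
    san_dns_names: tuple[str, ...]
    spki_der: bytes


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot denotes the root and is ignored.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str, allow_wildcards: bool) -> bool:
    """RFC 6125 section 6.4.3 style matching of one SAN dNSName against a hostname.

    A wildcard is accepted only when it is the whole left-most label, it matches
    exactly one label (never "a.b" against "*.example"), and it is never accepted
    for a two-label name such as "*.com" (conservative choice made here)."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if pattern.count("*") != 1 or p[0] != "*":
        return False  # "f*o.example" or "*.*.example": not a well-formed wildcard
    if not allow_wildcards or len(p) < 3:
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def spki_fingerprint(spki_der: bytes) -> str:
    return hashlib.sha256(spki_der).hexdigest()


def check_server(hostname: str, ident: ServerIdentity, policy: Policy) -> tuple[bool, str]:
    """Return (accepted, reason). Pins are checked before names so that a key
    rotation on the server shows up as the distinct failure the thread warns about."""
    if policy.pinned_spki_sha256:
        fp = spki_fingerprint(ident.spki_der)
        if fp not in policy.pinned_spki_sha256:
            return False, f"SPKI {fp[:16]}... not in pin set (server key changed?)"
    for san in ident.san_dns_names:
        if dns_name_matches(san, hostname, policy.allow_wildcards):
            return True, f"matched SAN {san}"
    if not policy.allow_wildcards and any("*" in s for s in ident.san_dns_names):
        return False, "server presented only wildcard SANs and policy forbids wildcards"
    return False, "no SAN matches hostname"


# Constructed sample: a server using a wildcard certificate, as the thread permits.
HOSTNAME = "nts.time.example.net"
SERVER = ServerIdentity(
    san_dns_names=("*.time.example.net",),
    spki_der=b"constructed-spki-der-bytes-for-illustration-only",
)


def evaluate_policies() -> dict[str, bool]:
    """Outcome of the same server under four client policies."""
    current_pin = spki_fingerprint(SERVER.spki_der)
    stale_pin = spki_fingerprint(b"previous-key-the-server-has-since-rotated-away")
    return {
        "default": check_server(HOSTNAME, SERVER, Policy())[0],
        "no_wildcards": check_server(HOSTNAME, SERVER, Policy(allow_wildcards=False))[0],
        "pinned_current": check_server(HOSTNAME, SERVER, Policy(pinned_spki_sha256=frozenset({current_pin})))[0],
        "pinned_stale": check_server(HOSTNAME, SERVER, Policy(pinned_spki_sha256=frozenset({stale_pin})))[0],
    }


if __name__ == "__main__":
    for name, ok in evaluate_policies().items():
        print(f"{name:15s} -> {'accept' if ok else 'REJECT'}")
```

The two failing rows (`no_wildcards`, `pinned_stale`) are exactly the "sudden breakage" Daniel describes: nothing is wrong with the server's certificate, the client simply chose a policy the operator never agreed to honour.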