Re: [TICTOC] [ntpwg] security ID submitted for review

Kurt Roeckx <kurt@roeckx.be> Wed, 07 August 2013 15:16 UTC

Date: Wed, 07 Aug 2013 17:16:37 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: NTP Working Group <ntpwg@lists.ntp.org>, "tictoc@ietf.org" <tictoc@ietf.org>
Message-ID: <20130807151637.GA31292@roeckx.be>
References: <51FAC820.3090401@udel.edu> <20130803174008.GA17578@roeckx.be>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20130803174008.GA17578@roeckx.be>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [TICTOC] [ntpwg] security ID submitted for review
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tictoc>

On Sat, Aug 03, 2013 at 07:40:08PM +0200, Kurt Roeckx wrote:
> 
> I really don't understand how such a man in the middle attack
> can work.  Either the certificate + the chain validate, or they
> don't.  It is of course important that you check that the CommonName
> in the certificate matches the server you're trying to reach,
> and that the root CA is in your list of trusted CAs.  But there
> really isn't anything new or hard about this.

So thinking about this some more, I do see one problem with this.  I
would like to be able to use this for the pool for those that wish
to use it.  But if you're verifying the certificate, you're not going
to know which server you're talking to, so there is no way to
check the CommonName.  Does it make sense to just skip this
check in case of the pool?


Kurt
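The name check discussed above, as an added example that is not code from this thread or from any NTP implementation. It models the decision a TLS client makes after the handshake: the chain result is taken as a boolean (assumed to come from the TLS library), the certificate is a constructed dict in the shape Python's ssl.getpeercert() returns, and the hostname matching follows the usual rules (dNSName SANs first, CommonName only as a fallback, a wildcard only as the whole leftmost label). The "pool" case is the one Kurt raises: the client asked for a pool name, the server it reached presents a certificate for its own name, and skipping the check means any certificate that chains to a trusted root is accepted.

```python
"""Post-handshake name check a TLS client applies, with the NTP-pool case.

Added example, not code from the mailing-list thread.  Certificates here are
constructed dicts shaped like ssl.getpeercert(); real code would take them
from a live connection and the chain result from the TLS library.
"""
from typing import List, Optional, Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CommonName pattern against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is honoured only as the entire leftmost label ("*.example.org") and it
    matches exactly one label, so it covers "a.example.org" but neither
    "example.org" nor "a.b.example.org".  Partial wildcards ("f*.example.org")
    are rejected.  Public-suffix rules ("*.co.uk") are out of scope.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in p_labels[1:]:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_names(cert: dict) -> List[str]:
    """Names the certificate claims for itself.

    dNSName SANs take precedence; the CommonName is consulted only when the
    certificate carries no dNSName SAN at all.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (attr, value) in rdn if attr == "commonName"]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate matches the host we set out to reach."""
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))


def verify_peer(cert: dict, chain_ok: bool, expected_host: Optional[str]) -> Tuple[bool, str]:
    """Accept/reject decision after the handshake.

    chain_ok       -- result of chain validation against the trusted roots
                      (assumed to be done by the TLS library; a bool here).
    expected_host  -- the name the client asked for, or None when the client
                      deliberately skips the name check (the pool case).
    """
    if not chain_ok:
        return False, "chain does not validate to a trusted root"
    if expected_host is None:
        return True, "chain ok; name not checked: any certificate from a trusted CA is accepted"
    if not match_hostname(cert, expected_host):
        return False, "chain ok but certificate names %r do not match %r" % (
            cert_names(cert), expected_host)
    return True, "chain ok and name matches %r" % expected_host


# Constructed sample certificates (hypothetical names, not from the thread).
SERVER_CERT = {
    "subject": ((("commonName", "ntp1.example.org"),),),
    "subjectAltName": (("DNS", "ntp1.example.org"), ("DNS", "*.ntp.example.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "time.example.net"),),)}
SAN_WITHOUT_CN_CERT = {
    "subject": ((("commonName", "cn.example.org"),),),
    "subjectAltName": (("DNS", "san.example.org"),),
}

if __name__ == "__main__":
    # Direct connection to a named server: name check succeeds.
    print(verify_peer(SERVER_CERT, True, "ntp1.example.org"))
    # Pool case: the client asked for a pool name and reached some member
    # whose certificate names itself, so the name check cannot succeed.
    print(verify_peer(SERVER_CERT, True, "0.pool.ntp.org"))
    # Skipping the name check for the pool: chain validation is all that is left.
    print(verify_peer(SERVER_CERT, True, None))
    # A chain that does not validate is rejected regardless of the name.
    print(verify_peer(SERVER_CERT, False, "ntp1.example.org"))
```

The third case is the one to keep in mind when deciding whether to skip the check for the pool: with expected_host set to None the only remaining question is whether the chain validates, so the decision rests entirely on the set of trusted roots.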