- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-dev] Multiple NTS keys on server
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Tue, 2 Feb 2021 17:03:56 +0100
I'd like to add support for multiple keys to the NTS server to enable
virtual hosting as is common with web servers. A use case which I
thought it could enable would be servers that run only for a limited
time to support different products or versions of the product (like an
OS), where each has its own certificate included in the installation
and is fully trusted to avoid the issues with wrong or missing RTC and
failing time checks in certificate verification. This would allow the
server keys to be rotated as the products/versions reach their
end-of-line and it would also limit the number of devices that need to
be updated/fixed when a key is compromised.

I'm not sure how it should be configured. I see the following options:

1) allow multiple files to be specified in ntsservercert and
   ntsserverkey directives
   - long lines are not great for inspection and editing
   - maximum number of keys/certs is limited by the maximum line length

2) allow multiple ntsserverkey/ntsservercert directives
   - sensitive to order (few directives in chrony have this property)

3) allow glob patterns in ntsserverkey/ntsservercert directive
   - certs and keys need to have the same naming scheme to pair correctly

I think 1) is just not acceptable. From 2) and 3) I'm not sure what is
better.

For example:

    ntsservercert /etc/pki/tls/certs/nts-1.example.net
    ntsserverkey /etc/pki/tls/private/nts-1.example.net
    ntsservercert /etc/pki/tls/certs/nts-2.example.net
    ntsserverkey /etc/pki/tls/private/nts-2.example.net
    ntsservercert /etc/pki/tls/certs/nts-3.example.net
    ntsserverkey /etc/pki/tls/private/nts-3.example.net

vs

    ntsservercert /etc/pki/tls/certs/nts-*.example.net
    ntsserverkey /etc/pki/tls/private/nts-*.example.net

Any suggestions?
--
Miroslav Lichvar
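An added example (not chrony's code, and not part of the post above) showing how a configuration checker could pair certificates with keys under options 2) and 3): repeated directives pair by order, glob patterns pair by the text the wildcard matched, which is where a mismatched naming scheme would leave a key or certificate unpaired. The directory listing is constructed and the function names are hypothetical.

```python
"""Pair NTS server certs with keys for two candidate chrony config styles.
Hypothetical checker written for this example, not chrony code."""
import re

# Constructed listing standing in for /etc/pki/tls on a server; note the
# key nts-old has no cert and cert nts-3 has no key.
CONSTRUCTED_FILES = [
    "/etc/pki/tls/certs/nts-1.example.net",
    "/etc/pki/tls/certs/nts-2.example.net",
    "/etc/pki/tls/certs/nts-3.example.net",
    "/etc/pki/tls/private/nts-1.example.net",
    "/etc/pki/tls/private/nts-2.example.net",
    "/etc/pki/tls/private/nts-old.example.net",
]

def parse_directives(conf):
    """Collect ntsservercert/ntsserverkey arguments in the order written."""
    certs, keys = [], []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        if parts[0] == "ntsservercert":
            certs.append(parts[1])
        elif parts[0] == "ntsserverkey":
            keys.append(parts[1])
    return certs, keys

def pair_by_order(certs, keys):
    """Option 2): the n-th cert directive belongs to the n-th key directive."""
    if len(certs) != len(keys):
        raise ValueError(f"{len(certs)} certs vs {len(keys)} keys")
    return list(zip(certs, keys))

def capture(pattern, path):
    """Return the text a single '*' in pattern matched, or None on no match."""
    regex = re.escape(pattern).replace(r"\*", "(.*)")
    m = re.fullmatch(regex, path)
    return m.group(1) if m else None

def pair_by_glob(cert_pattern, key_pattern, files=CONSTRUCTED_FILES):
    """Option 3): pair files whose wildcard-matched stems are identical.
    Returns (pairs, unpaired_stems) so misnamed files are reported."""
    certs = {capture(cert_pattern, f): f for f in files}
    keys = {capture(key_pattern, f): f for f in files}
    certs.pop(None, None)
    keys.pop(None, None)
    pairs = [(certs[s], keys[s]) for s in sorted(certs.keys() & keys.keys())]
    return pairs, sorted(certs.keys() ^ keys.keys())
```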