[chrony-dev] Multiple NTS keys on server

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-dev] Multiple NTS keys on server
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Tue, 2 Feb 2021 17:03:56 +0100
Authentication-results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@xxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1612281842; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=IqbqQSDCWBewrOdWG2HoRypGwtICe9TXg2aIbsX/6Ko=; b=de2isVnXBfGI6JlhJ7Ovl0OZkS0WzMNCLI/h6uYKMQBaMdrrAD/qF09qRIMrv66PcrOzfO S/4usqq6T0KhECpXrcs4ElujViGc8Y/Lx/vaUPWZRj2+4pHKlNjQ6/ISIN9ECO6jGQqrmh UU6p0sHI88g9w+vxir685LVr0O9KXZw=

I'd like to add support for multiple keys to the NTS server to enable
virtual hosting as is common with web servers. A use case which I
thought it could enable would be servers that run only for a limited
time to support different products or versions of the product (like an
OS), where each has its own certificate included in the installation
and is fully trusted to avoid the issues with wrong or missing RTC and
failing time checks in certificate verification. This would allow the
server keys to be rotated as the products/versions reach their
end-of-line and it would also limit the number of devices that need to
be updated/fixed when a key is compromised.

I'm not sure how it should be configured. I see the following options:

1) allow multiple files to be specified in ntsservercert and
ntsserverkey directives
- long lines are not great for inspection and editing
- maximum number of keys/certs is limited by the maximum line length
2) allow multiple ntsserverkey/ntsservercert directives
- sensitive to order (few directives in chrony have this property)
3) allow glob patterns in ntsserverkey/ntsservercert directive
- certs and keys need to have the same naming scheme to pair correctly

I think 1) is just not acceptable. From 2) and 3) I'm not sure what is
better.

For example:

ntsservercert /etc/pki/tls/certs/nts-1.example.net
ntsserverkey /etc/pki/tls/private/nts-1.example.net
ntsservercert /etc/pki/tls/certs/nts-2.example.net
ntsserverkey /etc/pki/tls/private/nts-2.example.net
ntsservercert /etc/pki/tls/certs/nts-3.example.net
ntsserverkey /etc/pki/tls/private/nts-3.example.net

ntsservercert /etc/pki/tls/certs/nts-*.example.net
ntsserverkey /etc/pki/tls/private/nts-*.example.net

Any suggestions?

--
Miroslav Lichvar

--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- Re: [chrony-dev] Multiple NTS keys on server
  - From: Christian Ehrhardt

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-dev] Frequency transfer in NTP
Next by Date: Re: [chrony-dev] Multiple NTS keys on server
Previous by thread: Re: [chrony-dev] Frequency transfer in NTP
Next by thread: Re: [chrony-dev] Multiple NTS keys on server

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/