[chrony-dev] Multiple NTS keys on server



I'd like to add support for multiple keys to the NTS server to enable
virtual hosting as is common with web servers. A use case which I
thought it could enable would be servers that run only for a limited
time to support different products or versions of the product (like an
OS), where each has its own certificate included in the installation
and is fully trusted to avoid the issues with wrong or missing RTC and
failing time checks in certificate verification. This would allow the
server keys to be rotated as the products/versions reach their
end-of-line and it would also limit the number of devices that need to
be updated/fixed when a key is compromised.

I'm not sure how it should be configured. I see the following options:

1) allow multiple files to be specified in ntsservercert and
ntsserverkey directives
- long lines are not great for inspection and editing
- maximum number of keys/certs is limited by the maximum line length
2) allow multiple ntsserverkey/ntsservercert directives
- sensitive to order (few directives in chrony have this property)
3) allow glob patterns in ntsserverkey/ntsservercert directive
- certs and keys need to have the same naming scheme to pair correctly

I think 1) is just not acceptable. From 2) and 3) I'm not sure what is
better.

For example:

ntsservercert /etc/pki/tls/certs/nts-1.example.net
ntsserverkey /etc/pki/tls/private/nts-1.example.net
ntsservercert /etc/pki/tls/certs/nts-2.example.net
ntsserverkey /etc/pki/tls/private/nts-2.example.net
ntsservercert /etc/pki/tls/certs/nts-3.example.net
ntsserverkey /etc/pki/tls/private/nts-3.example.net

vs

ntsservercert /etc/pki/tls/certs/nts-*.example.net
ntsserverkey /etc/pki/tls/private/nts-*.example.net

Any suggestions?

-- 
Miroslav Lichvar
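An added example, not part of the post above and not chrony's own configuration parser: a small Python checker for the two configuration styles under discussion. It pairs certificates with keys for option 2 (repeated directives, where a `ntsservercert` line must be followed by its `ntsserverkey` line, so it reports the ordering mistakes that option makes possible) and for option 3 (glob patterns, where it pairs files by the text their wildcards matched and reports certificates or keys that have no counterpart, the naming-scheme pitfall of that option). It also flags private keys that are group- or world-readable, since every key the server loads is one more file whose permissions matter. The directive names are the real ones from the post; the pairing semantics, the helper names and the constructed directory tree in `demo()` are assumptions made for the example.

```python
"""Pair NTS server certificates with private keys for the two styles discussed
on the list (hypothetical helper, not chrony's own parser)."""
import glob
import os
import re
import stat
import tempfile
from pathlib import Path

CERT_DIRECTIVE = "ntsservercert"
KEY_DIRECTIVE = "ntsserverkey"


def wildcard_regex(pattern):
    """Turn a glob pattern into a regex in which every * or ? is a capture
    group, so two patterns can be paired by the text their wildcards matched."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("(.*)")
        elif ch == "?":
            out.append("(.)")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def expand(pattern):
    """Map the wildcard-matched text of each matching file to its path."""
    rx = wildcard_regex(pattern)
    matches = {}
    for path in sorted(glob.glob(pattern)):
        m = rx.match(path)
        if m:
            matches[m.groups()] = path
    return matches


def pair_by_glob(cert_pattern, key_pattern):
    """Option 3: a cert and a key belong together only if their wildcards
    matched the same text; anything unmatched is reported (assumed rule)."""
    certs, keys = expand(cert_pattern), expand(key_pattern)
    pairs = [(certs[k], keys[k]) for k in sorted(certs) if k in keys]
    problems = [f"certificate without key: {certs[k]}" for k in certs if k not in keys]
    problems += [f"key without certificate: {keys[k]}" for k in keys if k not in certs]
    return pairs, problems


def parse_config(text):
    """Option 2: walk the config in order; a cert directive opens a pair and the
    next key directive closes it (assumed semantics).  Any other order is an
    error.  Paths containing * or ? are handed to the glob pairing instead."""
    pairs, problems, pending = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        directive, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if directive == CERT_DIRECTIVE:
            if pending is not None:
                problems.append(f"line {lineno}: {CERT_DIRECTIVE} without a following {KEY_DIRECTIVE}")
            pending = arg
        elif directive == KEY_DIRECTIVE:
            if pending is None:
                problems.append(f"line {lineno}: {KEY_DIRECTIVE} before any {CERT_DIRECTIVE}")
                continue
            if any(c in pending or c in arg for c in "*?"):
                p, errs = pair_by_glob(pending, arg)
                pairs += p
                problems += errs
            else:
                pairs.append((pending, arg))
            pending = None
    if pending is not None:
        problems.append(f"{CERT_DIRECTIVE} {pending} has no {KEY_DIRECTIVE}")
    return pairs, problems


def loose_key_permissions(key_paths):
    """Report private keys readable or writable by group or others."""
    bad = []
    for path in key_paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            bad.append(f"{path}: permissions {mode:04o} allow group/other access")
    return bad


def demo():
    """Constructed tree: three matching pairs, one orphan certificate (nts-4)
    and one key with deliberately loose permissions (nts-2)."""
    root = Path(tempfile.mkdtemp(prefix="nts-demo-"))
    certs, keys = root / "certs", root / "private"
    certs.mkdir()
    keys.mkdir()
    for n in (1, 2, 3, 4):
        (certs / f"nts-{n}.example.net").write_text("constructed cert\n")
    for n in (1, 2, 3):
        k = keys / f"nts-{n}.example.net"
        k.write_text("constructed key\n")
        os.chmod(k, 0o600)
    os.chmod(keys / "nts-2.example.net", 0o644)
    cfg = (f"{CERT_DIRECTIVE} {certs}/nts-*.example.net\n"
           f"{KEY_DIRECTIVE} {keys}/nts-*.example.net\n")
    pairs, problems = parse_config(cfg)
    problems += loose_key_permissions([k for _, k in pairs])
    return [(os.path.basename(c), os.path.basename(k)) for c, k in pairs], problems


if __name__ == "__main__":
    found, issues = demo()
    print("pairs:", found)
    print("problems:", *issues, sep="\n  ")
```

Running `demo()` on the constructed tree yields three pairs and two problems: the orphan `nts-4.example.net` certificate and the `0644` key. Feeding `parse_config()` the six-line repeated-directive example from the post yields the same three pairs without touching the filesystem, while swapping two of those lines produces ordering errors, which is the property the post notes is unusual for chrony directives.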

