[chrony-users] NTS: Limiting |
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-users] NTS: Limiting
- From: Karol Babioch <karol@xxxxxxxxxx>
- Date: Tue, 19 Jan 2021 16:51:39 +0100
Hi all,
first of all let me thank you for being involved with the development
and implementation of NTS. It's great to see NTS support in chrony!
I'm still somewhat new to the topic, but read through the available
documentation.
I'm currently wondering whether it is possible to put more specific
constraints on the certificates that are to be considered valid for
initial contact with NTS servers.
My understanding is that by default any certificate signed by the
system's default trusted CAs will be accepted. This can be narrowed down
by the "ntstrustedcerts". Along with "nosystemcerts" we have some
control over which CAs are to be allowed.
However, in my particular use case I want to have NTS with certificates
signed by Let's Encrypt, but only for specific domains (e.g. the ones
that I control). I don't want to trust any server that has a valid Let's
Encrypt certificate, so specifying the Let's Encrypt root CA won't do.
Is there any way (currently or planned) to put in such constraints based
on common name and/or subject alternative names (along with a specific CA)?
Or can my use case be addressed differently?
Best regards,
Karol Babioch