Re: [chrony-users] NTS: Limiting
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] NTS: Limiting
- From: Karol Babioch <karol@xxxxxxxxxx>
- Date: Tue, 19 Jan 2021 18:50:15 +0100
Hi,
On 19.01.21 at 18:18, Kurt Roeckx wrote:
> Using only the Let's Encrypt root CA is what you want to do.
> The name in the certificate is checked against the hostname you've
> put in the config. So if you only trust Let's Encrypt, you're
> also limiting it to matching hostnames issued by Let's Encrypt.
No, that's not as strict / secure as checking for specific certificates
issued by a given CA.
All security then comes down to what kind of servers I have specified in
my configuration. In case of pools, etc., there might be somewhat of an
attack surface.
Best regards,
Karol Babioch
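
The two checks compared in this message, as an added example that is not part of the original post and is not chrony configuration: a throwaway CA (standing in for the trusted root) issues two certificates for the same placeholder hostname `nts.example.net`, and both pass the CA-plus-hostname check while only one matches a SHA-256 fingerprint pin. It assumes the `openssl` CLI with its default configuration is installed; all names and files are constructed.

```shell
#!/bin/sh
# Constructed demo: a private CA stands in for the trusted root CA.
set -eu
HOST=nts.example.net                 # hypothetical server name
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT       # throwaway keys, removed on exit

# issue <name>: new key and certificate for $HOST, signed by the demo CA
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$demo_dir/$1.key" \
        -subj "/CN=$HOST" -out "$demo_dir/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$demo_dir/san.ext"
    openssl x509 -req -in "$demo_dir/$1.csr" -CA "$demo_dir/ca.pem" \
        -CAkey "$demo_dir/ca.key" -CAcreateserial -days 1 \
        -extfile "$demo_dir/san.ext" -out "$demo_dir/$1.pem" 2>/dev/null
}

# Check 1: certificate chains to the trusted CA and the hostname matches.
ca_and_name_ok() {
    openssl verify -CAfile "$demo_dir/ca.pem" -verify_hostname "$HOST" \
        "$demo_dir/$1.pem" >/dev/null 2>&1
}

fingerprint() {
    openssl x509 -in "$demo_dir/$1.pem" -noout -fingerprint -sha256
}

# Check 2: certificate is exactly the one whose fingerprint was pinned.
pin_ok() { [ "$(fingerprint "$1")" = "$PIN" ]; }

# Demo root CA, then two independent certificates for the same hostname.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo_dir/ca.key" \
    -subj "/CN=Demo Root CA" -days 1 -out "$demo_dir/ca.pem" 2>/dev/null
issue first
issue second
PIN=$(fingerprint first)             # pin the certificate seen first

for c in first second; do
    ca_and_name_ok "$c" && r1=accept || r1=reject
    pin_ok "$c" && r2=accept || r2=reject
    echo "$c: CA+hostname=$r1 pin=$r2"
done
```

A fingerprint pin has to be updated whenever the server renews its certificate, which the CA-plus-hostname check does not require.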