Re: [chrony-users] NTS: Limiting



On Wed, Jan 20, 2021 at 09:25:59AM +0000, FUSTE Emmanuel wrote:
> On 20/01/2021 at 10:15, Miroslav Lichvar wrote:
> > Yes, NTS can work with pools. The servers need to have the same name
> > in their certificates, one that matches the name specified in the
> > chrony config.
> Ok very specific case, but perfectly usable for "private" pool.

Yes, easy to implement if you control all the servers, but it could work
even in a big pool like pool.ntp.org if some automation around
certificates was implemented.

The main problem with the pool.ntp.org pool is different. How much
sense does it make to enable NTS if an attacker can simply join the
pool and get the certificate (or get its name in a signed SRV record
if the pool was relying on SRV protected by DNSSEC)?

BTW, this is a good example why the clients need to check the validity
of certificates and DNS records properly. If the attacker was removed
from the pool (and didn't bother to join again under a different
account), he could still perform a MITM attack on clients that don't
know the current time to be able to reject the old data.

-- 
Miroslav Lichvar
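The two points in the message above, that every member of an NTS pool must carry the pool name in its certificate and that a client which cannot check certificate validity times is open to a MITM by a removed member, can be exercised without any NTP traffic by looking only at the certificate checks an NTS-KE client performs. The Go program below is an added example; it is not code from the thread or from chrony (which is written in C and uses GnuTLS for these checks). The CA, the hostnames ntp1/ntp2/ntp3.example.internal, ex-member.example.internal and the pool name ntp.example.internal are all made up for the illustration, and Go's crypto/x509 stands in for the client's TLS library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PoolName is the hypothetical pool name clients would configure
// ("pool ntp.example.internal iburst nts"); it is not a name from the thread.
const PoolName = "ntp.example.internal"
const year = 365 * 24 * time.Hour // used for the made-up validity periods below

// sign generates a P-256 key for tmpl and has parent sign the certificate;
// with parent == nil the template signs itself (the private CA).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverTemplate describes a server certificate whose subjectAltName lists
// names; a pool member lists its own hostname and PoolName.
func serverTemplate(serial int64, names []string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// clientAccepts performs the checks an NTS-KE client must do on the server's
// certificate: chain to a trusted CA, match the configured name, and check the
// validity period against the time the client *believes* is current.
func clientAccepts(ca, leaf *x509.Certificate, configuredName string, clientClock time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: configuredName, CurrentTime: clientClock,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// RunScenarios issues certificates for two pool members, a host that only has its
// own name, and a former member whose certificate expired 30 days ago, then reports
// which ones a client configured with PoolName accepts under two clock states.
func RunScenarios(now time.Time) (map[string]bool, error) {
	ca, caKey, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example private NTS CA"},
		NotBefore: now.Add(-3 * year), NotAfter: now.Add(10 * year),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	serial, firstErr := int64(2), error(nil)
	mk := func(names []string, notBefore, notAfter time.Time) *x509.Certificate {
		c, _, e := sign(serverTemplate(serial, names, notBefore, notAfter), ca, caKey)
		serial++
		if e != nil && firstErr == nil {
			firstErr = e
		}
		return c
	}
	member1 := mk([]string{"ntp1.example.internal", PoolName}, now.Add(-time.Hour), now.Add(year))
	member2 := mk([]string{"ntp2.example.internal", PoolName}, now.Add(-time.Hour), now.Add(year))
	loner := mk([]string{"ntp3.example.internal"}, now.Add(-time.Hour), now.Add(year))
	stale := mk([]string{"ex-member.example.internal", PoolName}, now.Add(-year), now.Add(-30*24*time.Hour))
	if firstErr != nil {
		return nil, firstErr
	}
	return map[string]bool{
		"member1 via pool name":     clientAccepts(ca, member1, PoolName, now),
		"member2 via pool name":     clientAccepts(ca, member2, PoolName, now),
		"member1 via own name":      clientAccepts(ca, member1, "ntp1.example.internal", now),
		"non-member via pool name":  clientAccepts(ca, loner, PoolName, now),
		"stale cert, correct clock": clientAccepts(ca, stale, PoolName, now),
		// A client whose clock is a year behind cannot see that the ex-member's
		// certificate has expired: this is the MITM window described in the message.
		"stale cert, clock a year behind": clientAccepts(ca, stale, PoolName, now.Add(-year+48*time.Hour)),
	}, nil
}

func main() {
	fmt.Println(RunScenarios(time.Now()))
}
```

Mapped onto chrony: each member would serve its certificate and key through ntsservercert and ntsserverkey, and the client would list the private CA with ntstrustedcerts and name the pool with `pool ntp.example.internal iburst nts`. The last scenario is exactly what the nocerttimecheck directive trades away, since it disables the activation and expiration time checks for a number of clock updates; its default of 0 keeps the checks on, and that default is the safe one unless the boot-without-RTC problem it exists for is actually yours.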

