Re: The future of src:ntp

To: debian-devel@lists.debian.org
Subject: Re: The future of src:ntp
From: Bjørn Mork <bjorn@mork.no>
Date: Thu, 20 Jan 2022 10:13:13 +0100
Message-id: <[🔎] 8735liojme.fsf@miraculix.mork.no>
References: <[🔎] 454d0e14-7448-5cef-ad68-cbdff7467edd@debian.org> <[🔎] bbf31462-c651-54f3-e0ef-320f4ece889c@debian.org> <[🔎] 4ba63521-526c-a523-b69c-ad94abf0fa8e@debian.org> <[🔎] 20220119T203822.blubb.9a7ff.stse@fsing.rootsland.net> <[🔎] cd8a1a2c-3d8e-63cd-8b47-8b25827c7885@debian.org>

Bernhard Schmidt <berni@debian.org> writes:

> - Since NTS leverages X.509, how does it work with a broken clock on
>   boot that is ticking outside of the certificate validity period?

I don't know how it is intended to work, but it seems pretty obvious
that NTS certificate validation must ignore the validity period.

If you have a validating DNS resolver with correct time, then you might
replace it with DANE validation (i.e if the certificate matches the
current DNS TLSA record then it is valid regardless of current
time). But I don't know if you can make that a requirement.

Bjørn

Reply to:

References:
- The future of src:ntp
  - From: Bernhard Schmidt <berni@debian.org>
- Re: The future of src:ntp
  - From: Bernhard Schmidt <berni@debian.org>
- Re: The future of src:ntp
  - From: Richard Laager <rlaager@debian.org>
- Re: The future of src:ntp
  - From: Stephan Seitz <stse+debian@rootsland.net>
- Re: The future of src:ntp
  - From: Bernhard Schmidt <berni@debian.org>

Prev by Date: Re: build-depend on autoconf-archive and rm convenience copy in orig.tar.gz?
Next by Date: Re: The future of src:ntp
Previous by thread: Re: The future of src:ntp
Next by thread: Re: The future of src:ntp
Index(es):
- Date
- Thread