Bernhard Schmidt <be...@debian.org> writes:

> - Since NTS leverages X.509, how does it work with a broken clock on
>   boot that is ticking outside of the certificate validity period?
I don't know how it is intended to work, but it seems pretty obvious that NTS certificate validation must ignore the validity period. If you have a validating DNS resolver with correct time, then you might replace it with DANE validation (i.e. if the certificate matches the current DNS TLSA record then it is valid regardless of current time). But I don't know if you can make that a requirement.

Bjørn
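The two checks contrasted in this exchange, as an added example that is not part of the thread and not code from any NTS implementation: ordinary X.509 path validation, which is only as good as the verifier's clock, next to a DANE-EE comparison (TLSA usage 3, selector 1, matching type 1, i.e. SHA-256 over the SubjectPublicKeyInfo) that never consults a clock. The certificate is a constructed self-signed stand-in for an NTS-KE server's; the name nts.example, the 2024 validity window, and deriving the "TLSA record" from the certificate itself instead of fetching it from DNS are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed name and validity window for the constructed server certificate.
const serverName = "nts.example"

var (
	notBefore = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
)

// makeSelfSignedCert builds the constructed certificate. Self-signed keeps
// the example offline; the clock behaviour is the same for a CA-issued chain.
func makeSelfSignedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAtTime is ordinary X.509 path validation, as a TLS client performs
// it during NTS-KE, with the verifier's clock pinned to now.
func verifyAtTime(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName, CurrentTime: now})
	return err
}

// rejectedForTime reports whether err is specifically a validity-period
// failure; Go reports x509.Expired for both "not yet valid" and "expired".
func rejectedForTime(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

// tlsaSPKISHA256 is the association data of a TLSA 3 1 1 record, in hex.
// A real client gets this from a DNSSEC-validating resolver; here it is
// derived from the certificate so the example needs no network.
func tlsaSPKISHA256(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// daneMatches accepts the presented certificate if its SPKI digest equals
// the TLSA record. No clock is involved anywhere in this path.
func daneMatches(cert *x509.Certificate, tlsa string) bool {
	return tlsaSPKISHA256(cert) == tlsa
}

// Result records what each check says with the clock at the Unix epoch
// (a common "broken clock on boot") and with the clock inside the window.
type Result struct {
	EpochErr    error
	InWindowErr error
	DANEOK      bool
}

func runScenario() (Result, error) {
	cert, err := makeSelfSignedCert()
	if err != nil {
		return Result{}, err
	}
	tlsa := tlsaSPKISHA256(cert) // stands in for the DNS answer
	return Result{
		EpochErr:    verifyAtTime(cert, time.Unix(0, 0)),
		InWindowErr: verifyAtTime(cert, time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)),
		DANEOK:      daneMatches(cert, tlsa),
	}, nil
}

func main() {
	r, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("X.509 at epoch:     ", r.EpochErr)
	fmt.Println("X.509 in window:    ", r.InWindowErr)
	fmt.Println("DANE-EE at any time:", r.DANEOK)
}
```

The epoch run fails with a CertificateInvalidError of reason Expired even though the certificate is perfectly good, which is the failure mode Bernhard asks about; the DANE comparison gives the same answer at any clock setting. The caveat Bjørn's reply already contains applies to the comparison: it only means something if the TLSA record arrived through a DNSSEC-validating resolver, and that resolver needs a correct clock of its own to judge RRSIG validity.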