NTS, Big picture

Hal Murray hmurray at megapathdsl.net
Fri Jun 1 07:30:15 UTC 2018


> IIRC draft 10 didn't specify any certificate signing or out of channel
> distribution. 

I thought I saw something like that, but that was a while ago and I was 
expecting it and I wasn't reading that section carefully.


Plan A is to piggyback on the web certificate structure.  Basically, the 
OS/distro includes a collection of trusted certificates.  On Fedora, it's 
ca-certificates:

Description  : This package contains the set of CA certificates chosen by the
             : Mozilla Foundation for use with the Internet PKI.

Those are roughly equivalent to the root servers in DNS.

The catch is that the web certificates have expiration times and the code 
assumes the clock is reasonable.  It doesn't have to be super good, just 
reasonably close.  Setting the clock from a broken RTC or setting it from the 
file system after the system has been on the shelf for a week/month/year may 
not be good enough.  We could add something to the API to indicate that the 
time checks should be assumed OK.

Anybody can get a web certificate.  It doesn't tell you that the guy isn't a 
crook or knows how to run an NTP server.


Plan B is for each site to set up their own collection of trusted certificates.

That would work OK for the cases where an admin selects servers by hand.  
They would have to find a server's certificate as well as finding convenient 
well run servers like they do now.

If you want your board to sit on the spares shelf for many years, then you 
have to have long expiration times which means the owners have to be very 
careful about keeping their certificates safe.


Plan C would be for something like the pool.  In addition to keeping track of 
the servers and distributing the load and ..., somebody would have to figure 
out which sites are trustworthy.

I haven't thought about the pool case much.



-- 
These are my opinions.  I hate spam.
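The clock dependence the post describes (a certificate chain only validates if the client's clock falls inside every certificate's validity window), as an added example that is not from the post and not NTPsec code. It is a stand-alone Go program using the standard library's crypto/x509: it constructs a site-local CA and a 90-day server certificate (Plan B, a hand-built trust pool rather than the distro bundle), then verifies the chain with a correct clock, with a clock years behind (the shelved-board case), with a hypothetical `assumeTimeOK` flag standing in for the "assume the time checks are OK" API the post suggests, and against a certificate from a CA outside the site's pool. The CA names, the hostname `ntp.example.org`, the dates and the flag are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newChain builds a self-signed CA (valid ten years) and a 90-day, web-PKI style
// server certificate for host signed by it. Constructed test data, not real certs.
func newChain(caName, host string, now time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(9, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(der); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(0, 2, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err = x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(der)
	return ca, leaf, err
}

// VerifyServerCert is the check an NTS client applies to the NTS-KE server's
// certificate. clock is the client's current idea of the time. assumeTimeOK is a
// hypothetical stand-in for the "assume the time checks are OK" flag the post floats:
// when set, the chain is evaluated at a moment inside the leaf's own validity window,
// so only the signature chain, hostname and key usage are actually checked.
func VerifyServerCert(roots *x509.CertPool, leaf *x509.Certificate, dnsName string, clock time.Time, assumeTimeOK bool) error {
	at := clock
	if assumeTimeOK {
		at = leaf.NotBefore.Add(leaf.NotAfter.Sub(leaf.NotBefore) / 2)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which verifications passed (true) in RunScenario.
type Outcome struct {
	GoodClock          bool // correct clock, trusted CA
	StaleClock         bool // clock years behind: dead RTC or old filesystem timestamp
	StaleClockAssumeOK bool // same stale clock, time checks bypassed
	UntrustedCA        bool // well-formed cert, but its CA is not in the site's pool
}

func RunScenario() (Outcome, error) {
	var out Outcome
	now := time.Date(2018, 6, 1, 7, 30, 0, 0, time.UTC)
	host := "ntp.example.org" // assumed NTS-KE server name
	siteCA, leaf, err := newChain("Example Site NTS CA", host, now)
	if err != nil {
		return out, err
	}
	_, otherLeaf, err := newChain("Some Other CA", host, now)
	if err != nil {
		return out, err
	}
	roots := x509.NewCertPool() // Plan B: the site's own anchors, not the distro bundle
	roots.AddCert(siteCA)
	stale := time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC) // board just came off the shelf
	out.GoodClock = VerifyServerCert(roots, leaf, host, now, false) == nil
	out.StaleClock = VerifyServerCert(roots, leaf, host, stale, false) == nil
	out.StaleClockAssumeOK = VerifyServerCert(roots, leaf, host, stale, true) == nil
	out.UntrustedCA = VerifyServerCert(roots, otherLeaf, host, now, false) == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

For Plan A, the pool would come from `x509.SystemCertPool()` instead of being built by hand. The caveat on the bypass: `assumeTimeOK` also disables expiry, so a key from a long-expired certificate keeps working against a client that sets it. It is only defensible as a bootstrap, with the chain re-verified against the real clock once the first NTS-protected time has been accepted.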