NTS, Big picture

James Browning jamesb.fe80 at gmail.com
Thu May 31 18:04:39 UTC 2018


On Wed, May 30, 2018, 1:05 PM Hal Murray via devel <devel at ntpsec.org> wrote:

> One of the key areas that I'm missing is the plans for deployment.  Are we
> intending to use the normal certificate distribution mechanism as used by
> the
> web?  That depends on time.  Is there a way around that?  Do we need our
> own
> certificate distribution mechanism?  Can we copy what DNSSEC does?  ...


IIRC draft 10 didn't specify any certificate signing or out of channel
distribution.

Instead I got the distinct impression that the certificate along with the
s2c & c2s keys were transfered during the initial handshake on tcp123 (or
other port).

I also got the impression that the keys should only be good for 48 hours
and depreceated for half that.

The only thing I was able to notice was that an nts client would have to go
through 8 NTP poll intervals after the keys expire before before starting
another NTS KE session to get new keys.

All of this is based on old information so I'm not sure how much of it is
accurate anymore.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20180531/8007d69d/attachment.html>


More information about the devel mailing list