NTS draft 16 change
Ian Bruene
ianbruene at gmail.com
Fri Feb 8 21:18:59 UTC 2019
Someone wondered what the changes in draft 16 were. Aside from date
update miscellanea the only change is in section 9.3.
This paragraph:
Do not process time packets from servers if the time computed from
them falls outside the validity period of the server's
certificate. However, clients should not perform a new NTS-KE
handshake solely based on the fact that the certificate used by
the NTS-KE server in a previous handshake has expired, if the
client has previously received valid NTS protected NTP replies
that lay within the certificate's validity time.
Was changed to this:
NTP time replies are expected to be consistent with the NTS-KE TLS
certificate validity period, i.e. time replies received
immediately after an NTS-KE handshake are expected to lie within
the certificate validity period. Implementations are recommended
to check that this is the case. Performing a new NTS-KE handshake
based solely on the fact that the certificate used by the NTS-KE
server in a previous handshake has expired is normally not
necessary. Clients that still wish to do this must take care not
to cause an inadvertent denial-of-service attack on the NTS-KE
server, for example by picking a random time in the week preceding
certificate expiry to perform the new handshake.
--
/"In the end; what separates a Man, from a Slave? Money? Power? No. A
Man Chooses, a Slave Obeys."/ -- Andrew Ryan
/"Utopia cannot precede the Utopian. It will exist the moment we are fit
to occupy it."/ -- Sophia Lamb
I work for the Internet Civil Engineering Institute <https://icei.org/>,
help us save the Internet from Entropy!
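The new section 9.3 wording above describes two client-side behaviours: checking that a time reply received right after NTS-KE lies inside the NTS-KE server's certificate validity period, and, for clients that still want to re-handshake around expiry, spreading that re-handshake over the preceding week so the NTS-KE server is not hit by every client at once. The following is an added example written for this post, not code from the draft, from NTPsec or from Ian; the function and class names, the use of Python datetimes for certificate validity bounds, and the fallback that a client which has never seen a valid reply re-handshakes once the certificate has expired (taken from the draft 15 wording quoted above) are all assumptions of the example.

```python
"""Illustrative NTS client policy for draft-16 section 9.3 (not NTPsec code)."""
import random
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)


def reply_within_validity(reply_time, not_before, not_after):
    """True if an NTS-protected time reply lies inside the certificate's
    validity period. A reply received immediately after NTS-KE that fails
    this check is inconsistent with the certificate and should be dropped."""
    return not_before <= reply_time <= not_after


def schedule_rehandshake(not_after, rng=random):
    """Pick a uniformly random instant in the week preceding certificate
    expiry. Spreading re-handshakes over the week avoids every client
    hitting the NTS-KE server at the moment the certificate expires."""
    window_start = not_after - WEEK
    offset = rng.uniform(0.0, WEEK.total_seconds())
    return window_start + timedelta(seconds=offset)


class NtsClientState:
    """Per-server state kept after one NTS-KE handshake (hypothetical)."""

    def __init__(self, not_before, not_after, rng=random):
        # Validity bounds come from the certificate seen in the TLS handshake.
        self.not_before = not_before
        self.not_after = not_after
        self.valid_reply_seen = False
        # Jittered re-handshake time, decided once per handshake.
        self.rehandshake_at = schedule_rehandshake(not_after, rng)

    def on_time_reply(self, reply_time):
        """Apply the section 9.3 check to one NTS-protected NTP reply.
        Returns True if the reply may be processed, False if it must be dropped."""
        if not reply_within_validity(reply_time, self.not_before, self.not_after):
            return False
        self.valid_reply_seen = True
        return True

    def needs_rehandshake(self, now):
        """Expiry alone does not force a new NTS-KE handshake once valid replies
        have been seen; re-handshake at the jittered time instead. A client that
        never got a valid reply has nothing to rely on, so (assumption, following
        the draft 15 wording) it re-handshakes once the certificate has expired."""
        if not self.valid_reply_seen and now > self.not_after:
            return True
        return now >= self.rehandshake_at


if __name__ == "__main__":
    # Constructed sample: a certificate valid for the first quarter of 2019.
    not_before = datetime(2019, 1, 1, tzinfo=timezone.utc)
    not_after = datetime(2019, 4, 1, tzinfo=timezone.utc)
    client = NtsClientState(not_before, not_after, random.Random(7))
    print("reply ok:", client.on_time_reply(datetime(2019, 2, 8, tzinfo=timezone.utc)))
    print("stale reply ok:", client.on_time_reply(datetime(2019, 5, 1, tzinfo=timezone.utc)))
    print("re-handshake scheduled at:", client.rehandshake_at.isoformat())
```

Pass a seeded `random.Random` when you need reproducible scheduling (as in tests); in production the default module-level RNG is fine, since the only property that matters is that different clients land at different points in the week.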