NTS off the ground - time for testing

Hal Murray hmurray at megapathdsl.net
Wed Feb 20 13:26:50 UTC 2019


> If I have a real certifucate, I don't know it.

You have one on any web server that supports https.  I don't know where it 
lives.  Probably someplace in apache land.

Gary says it's easy to get them via Lets Encrypt.  Their web page says you 
need to control the domain. Gary said you only need a FQDN which makes more 
send.

For non public IP Addresses (aka behind a NAT box) you can use self signed 
certificates.  When I suggested a HOWTO, there was back pressure.  If anybody 
wants help along those lines, I'll dig out my notes.


>> If you want to write code, we need to save the current K and I to disk.
>> We also need to rotate keys occasionally.

> When sould the saves occur> After every cookie fetch?

No, only when they get rotated which is ballpark of 24 hours.

Asking that means it's time to read the draft carefully (again).

The idea is that K is used to encrypt stuff in a cookie.  You need to use that 
K to decrypt the cookie when it comes back.  If you restart your ntpd, it 
wants to use the same K so all the cookies in clients out there are still 
valid.

We also need to rotate K occasionally and remember the old one.  The cookie 
tells you which K to use.

For debugging, we can rotate them every hour and save more than one old one.  
Good clients will ramp up to 1024 seconds.  That's a bit over 2 hours, so we 
need 3 old ones.

The disk file needs to save the K/I pairs and the time it was written.

-- 
These are my opinions.  I hate spam.





More information about the devel mailing list