First round of my stupid questions about NTS
James Browning
jamesb.fe80 at gmail.com
Fri Jan 18 02:17:43 UTC 2019
On Thu, Jan 17, 2019, 5:54 PM Hal Murray via devel <devel at ntpsec.org> wrote:
>
> Ian Bruene said:
> > NTS-KE needs cookie generation because it has to render onto the client the
> > initial cookie stock.
>
> Right. But it doesn't actually have to generate them itself. It could also
> get them from the NTP-server.
>
> The idea is to take advantage of a connection to the NTP-server to offload
> as much complexity as possible. What does the NTP-KE-server do with the
> master key? Can we push all that to the NTP-server?
>
You would have to shove all of the complexity into an ntpd thread. OpenSSL
*seems* to be annoyingly non-reentrant which would limit you to switching
between ntp w/ nts and nts-ke. One particular daemon seems to work around
that by generating lots of processes.
>
> I like Gary's suggestion of making most of the NTS-KE-client a library so
> we can package it stand alone or with NTP-client. I think the same applies
> to NTS-KE-server.
>
I tried something not completely unlike that in !842 but it was buggy,
nonfunctional and leaky.
>