First round of my stupid questions about NTS
Gary E. Miller
gem at rellim.com
Fri Jan 18 05:19:06 UTC 2019
Yo Hal!
On Thu, 17 Jan 2019 17:54:28 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> Ian Bruene said:
> > NTS-KE needs cookie generation because it has to render onto the
> > client the initial cookie stock.
>
> Right. But it doesn't actually have to generate them itself. It
> could also get them from the NTP-server.
True.
> The idea is to take advantage of a connection to the NTP-server to
> offload as much complexity as possible.
Seems more complex to me. Now there are a ton of cookies that the
NTS-KE has to store, and yet another connection protocol.
> What does the NTP-KE-server
> do with the master key?
Make cookies.
> Can we push all that to the NTP-server?
Can? Yes. Good idea? No.
> I think what I'm proposing is that NTP-KE-server is minimal. Can we
> make it just a TLS wrapper on an initial connection from NTP-client
> (via NTS-KE-client) to NTP-server?
Minimal, except now a large cookie storage acquisition and storage
problem. This could be tens of thousands of cookies!
> I like Gary's suggestion of making most of the NTS-KE-client a
> library so we can package it stand alone or with NTP-client. I think
> the same applies to NTS-KE-server.
Maybe parts of it, but only the NTS-KE needs to have a TLS server.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
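The trade-off argued in this message (an NTS-KE that mints cookies from a shared master key, versus one that has to fetch and store a stock of cookies from the NTP server) is illustrated by the added example below. It is not code from the thread or from ntpsec; it assumes a ring of master keys indexed by a 32-bit key ID and uses an HMAC-SHA256 keystream plus HMAC tag as a stand-in AEAD, since the stdlib has no AES-SIV. The point is that both sides need only the key ring: the NTS-KE keeps no cookies, and the NTP server keeps no per-client state.

```python
import hashlib
import hmac
import os
import struct

# Constructed layout: cookie = KeyID(4) || nonce(16) || ciphertext || tag(16).
# The plaintext is the C2S key followed by the S2C key (32 bytes each here).
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode over the nonce.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, key_id: int, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under the master key; key_id lets the server pick the key.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    head = struct.pack(">I", key_id) + nonce + ct
    tag = hmac.new(key, head, hashlib.sha256).digest()[:TAG_LEN]
    return head + tag


def unseal(keyring: dict, cookie: bytes):
    # Returns the plaintext, or None for an unknown key ID or a bad tag.
    if len(cookie) < 4 + NONCE_LEN + TAG_LEN:
        return None
    key = keyring.get(struct.unpack(">I", cookie[:4])[0])
    if key is None:
        return None
    head, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, head, hashlib.sha256).digest()[:TAG_LEN], tag):
        return None
    nonce, ct = head[4:4 + NONCE_LEN], head[4 + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def mint_cookies(keyring: dict, key_id: int, c2s: bytes, s2c: bytes, count: int = 8):
    # NTS-KE side: the initial cookie stock for a client, computed on the fly.
    return [seal(keyring[key_id], key_id, c2s + s2c) for _ in range(count)]


def server_unpack(keyring: dict, cookie: bytes):
    # NTP-server side: recover (c2s, s2c) from a cookie using only the key ring.
    pt = unseal(keyring, cookie)
    return None if pt is None else (pt[:KEY_LEN], pt[KEY_LEN:])
```

Rotating the master key means adding a new entry to the ring and retiring the old ID later; cookies sealed under a retired ID simply fail `unseal` and the client falls back to NTS-KE.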