First round of my stupid questions about NTS
Gary E. Miller
gem at rellim.com
Fri Jan 18 05:58:56 UTC 2019
Yo Hal!
On Thu, 17 Jan 2019 17:11:42 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> >> We could restart
> >> NTP-server or NTS-KE-server as long as the other end stayed up and
> >> we arranged to send the keys in both directions.
>
> > well, you sorta need a key to do that, right? Seems circular...
>
> When they are up and running, both the NTP server and the NTS-KE
> server know the master key. If you restart one end, it can ask the
> other for the key.
Assuming they are both up. Everything has to be up before anything
can run. This adds serious delays, and traffic, when a data center
restarts.
> Do both NTP-server and NTS-KE-server have to know the new-cookie
> recipe?
Yes, and they share the same library that does it.
> Does NTS-KE-server need the master key for anything other
> than generating cookies?
Minimally, no. I'm not gonna say never.
> Does it work if only the NTP-server has the
> master key and the NTS-KE-server gets cookies and S2C and C2S from
> the NTP server?
Nope. And storing plaintext S2C and C2S for thousands of clients is
problematic...
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
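The cookie recipe the exchange above turns on, as an added example in Go that is not ntpsec's code: because the NTS-KE server and the NTP server hold the same master key, the NTP server can recover a client's C2S and S2C keys from the cookie the client hands back, instead of keeping plaintext keys on file for every client. The cookie layout, the AES-256-GCM stand-in for the NTS AEAD and the key-ID map used for rotation are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Constructed cookie layout for this example (not ntpsec's real wire format); AES-256-GCM
// stands in for the NTS AEAD: keyID(4) || nonce(12) || AEAD(master, nonce, C2S||S2C, ad=keyID)
const keyLen, idLen, nonceLen = 32, 4, 12

// MasterKey is one of the keys both the NTS-KE server and the NTP server hold.
type MasterKey struct {
	ID  uint32
	Key [keyLen]byte
}
func (mk MasterKey) aead() cipher.AEAD {
	block, _ := aes.NewCipher(mk.Key[:]) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	return g
}
// MakeCookie seals C2S||S2C under the master key; the server keeps no per-client table.
func MakeCookie(mk MasterKey, c2s, s2c [keyLen]byte) ([]byte, error) {
	cookie := make([]byte, idLen+nonceLen, idLen+nonceLen+2*keyLen+16)
	binary.BigEndian.PutUint32(cookie, mk.ID)
	if _, err := rand.Read(cookie[idLen:]); err != nil { // fresh random nonce per cookie
		return nil, err
	}
	plain := append(c2s[:], s2c[:]...)
	return mk.aead().Seal(cookie, cookie[idLen:], plain, cookie[:idLen]), nil // keyID authenticated
}
// OpenCookie recovers (C2S, S2C) with whichever master key the cookie names, so cookies
// minted under the previous key still verify after a key rotation or a server restart.
func OpenCookie(keys map[uint32]MasterKey, cookie []byte) (c2s, s2c []byte, err error) {
	if len(cookie) < idLen+nonceLen {
		return nil, nil, errors.New("cookie too short")
	}
	mk, ok := keys[binary.BigEndian.Uint32(cookie)]
	if !ok {
		return nil, nil, errors.New("unknown master key ID")
	}
	plain, err := mk.aead().Open(nil, cookie[idLen:idLen+nonceLen], cookie[idLen+nonceLen:], cookie[:idLen])
	if err != nil || len(plain) != 2*keyLen {
		return nil, nil, errors.New("cookie rejected") // tampered, truncated or wrong key
	}
	return plain[:keyLen], plain[keyLen:], nil
}
```

Only a holder of the master key can mint or open cookies, which is why both servers need it and why a server coming back after a restart cannot serve NTS until it has the current key. Keeping the retiring key in the map for a grace period lets cookies issued before a rotation keep working.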