First round of my stupid questions about NTS
Gary E. Miller
gem at rellim.com
Fri Jan 18 20:02:05 UTC 2019
Yo Hal!
On Fri, 18 Jan 2019 01:50:21 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> Gary said:
> >> Suppose you want to change the cookie format.
> > Why would you? Without knowing how much it would change
> > you have to assume that the whole thing gets thrown out, and
> > reinvented.
>
> Because you asked:
> > So, how does the NTS-KE and NTPD server know what cookie format(s)
> > are in use? How does the NTS-KE server know which cookie formats
> > to issue for which NTPD servers?
>
> That was tangled up in a discussion of generating cookies on the
> NTS-KE server in parallel with generating them on the NTP server.
No. What is in the cookie is unrelated to where a cookie is generated.
> In
> the normal case, there is only one cookie format wired into both.
Say what? Where is that in the Proposed RFC? Just take a quick
look at the history of SSL and TLS to see how fast the cookies
will evolve.
I'll bet a nice dinner that chrony cookies are not like NTPsec
cookies, but they both interoperate soon after they are deployed.
> The way to make the which-format question interesting would be to
> change the format on the fly, so I described a way to do that.
I musta missed the description of that way. More a handwaving...
> > Yes, as Section 6 of the Proposed RFC suggests:
>
> That's not a detailed spec, just an outline.
Yup, and just a suggestion.
> We might decide to
> change the size of a field. Not likely, but worth thinking about.
Not likely? I bet it happens all the time as support for other brands
of NTS-KE and NTPD are added. Also as the threat models evolve. Once
again, look at the SSL/TLS evolution for how frequent this will be.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin