First round of my stupid questions about NTS

Gary E. Miller gem at rellim.com
Fri Jan 18 20:02:05 UTC 2019 

Yo Hal!

On Fri, 18 Jan 2019 01:50:21 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> >> Suppose you want to change the cookie format.  
> > Why would you?  Without knowing how much it would change
> > your have to assume that the whole thing gets thrown out, and
> > reinvented.  
> 
> Because you asked:
> > So, how does the NTS-KE and NTPD server know what cookie format(s)
> > are in use?  How does the NTS-KE server know which cookie formats
> > to issue for which NTPD servers?   
> 
> That was tangled up in a discussion of generating cookies on the
> NTS-KE server in parallel with generating them on the NTP server.

No.  What is in the cookie is unrelated to where a cookie is generated.

>  In
> the normal case, there is only one cookie format wired into both.

Say what?  Where is that in the Proposed RFC?  Just take a quick
look at the history of SSL and TLS to see how fast the cookies
will evolve.

I'll bet a nice dinner that chrony cookies are not like NTPsec
cookies, but they both interoperate soon after they are deployed.

> The way to make the which-format question interesting would be to
> change the format on the fly, so I described a way to do that.

I musta missed the description of that way.  More a handwaving...

> > Yes, as Section 6 of the Proposed RFC suggests:  
> 
> That's not a detailed spec, just an outline.

Yup, and just a suggestion.

> We might decided to
> change the size of a field.  Not likely, but worth thinking about.

Not likely?  I bet it happens all the time as support for other brands
of NTS-KE and NTPD are added.  Also as the threat models evolve.  Once
again, look at the SSL/TLS evolution for how frequent this will be.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190118/babb4216/attachment.bin>

More information about the devel mailing list