What's left to doo on NTS.

Gary E. Miller gem at rellim.com
Sat Mar 2 00:00:55 UTC 2019

Yo Hal!

On Fri, 01 Mar 2019 15:46:49 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> > What still needs to be done to fully land this feature? Key
> > rotation? Anything else?  
> I've been collecting major items in devel/TODO-NTS

It is missing key rotation.  Also how to share keys between
standalone NTS-KE and NTPD.

Have you tested NTS-KE and NTPD on different hosts, talking to each other?
How about multipls NTS-KE and NTPD in a cluster?

> Mostly, it needs testing and probably an overview level
> documentation. Something high level rather than the details of how to
> configure it.  Maybe a HOWTO too.

That too.

> We have to decide how paranoid we want to be about security.  The
> sort of things that are good for debugging enable operation in
> insecure modes.  For example, the "noval" option on certificates.
> Maybe we should have a configure time option.

Please; no more configure time options!

"noval" is not mostly for debugging.  It is essential for off
network operation.

> I assume your "key rotation" includes saving keys to disk for
> recovery after restart.

Not by my definition.  The master key(s) need to change regularly,
probably ever 24 hours is good.

Also, the cookies need to be retired after X days.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190301/7fac66e9/attachment.bin>

More information about the devel mailing list