What's left to do on NTS.
Gary E. Miller
gem at rellim.com
Sat Mar 2 00:00:55 UTC 2019
Yo Hal!
On Fri, 01 Mar 2019 15:46:49 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> > What still needs to be done to fully land this feature? Key
> > rotation? Anything else?
>
> I've been collecting major items in devel/TODO-NTS
It is missing key rotation. Also how to share keys between
standalone NTS-KE and NTPD.
Have you tested NTS-KE and NTPD on different hosts, talking to each other?
How about multiple NTS-KE and NTPD in a cluster?
> Mostly, it needs testing and probably an overview level
> documentation. Something high level rather than the details of how to
> configure it. Maybe a HOWTO too.
That too.
> We have to decide how paranoid we want to be about security. The
> sort of things that are good for debugging enable operation in
> insecure modes. For example, the "noval" option on certificates.
> Maybe we should have a configure time option.
Please; no more configure time options!
"noval" is not mostly for debugging. It is essential for off
network operation.
> I assume your "key rotation" includes saving keys to disk for
> recovery after restart.
Not by my definition. The master key(s) need to change regularly,
probably every 24 hours is good.
Also, the cookies need to be retired after X days.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin