What's left to do on NTS

Gary E. Miller gem at rellim.com
Sat Mar 2 04:39:24 UTC 2019


Yo Hal!

On Fri, 01 Mar 2019 19:55:15 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> > It is missing key rotation.  Also how to share keys between
> > standalone NTS-KE and NTPD.  
> 
> Why do we need a standalone NTS-KE server?

Because that is the initial use case.  If each ntpd had nts-ke in it
then there would be no need for such a complicated protocol.

The way Mark explained it to me, you want one NTS-KE per aisle, or
per rack.  That limits the number of servers, with keys, that need
to be protected.

> > Gary said: 
> > "noval" is not mostly for debugging.  It is essential for off
> > network operation.   
> 
> I don't understand that use case.  Without checking the certificate,
> you have no real security.

Not complete security, but at least encryption.  And there are
levels of validation.  If you are off net, you can't completely
validate the cert, but you can partially validate it.  Maybe you
would want to pin it.

> > Have you tested NTS-KE and NTPD on different hosts, talking to each
> > other?  
> 
> Yes.  NetBSD and FreeBSD too.

And the NTS-KE and NTPD are NOT on the same host?

> > How about multiple NTS-KE and NTPD in a cluster?   
> 
> Nope.  I've been assuming things like that are stage 2.  I've been
> working on stage 1.

Fair enough.  Just don't confuse people by saying almost done.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
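The "noval" versus pinning point in the message above, as an added example that is not NTPsec code: a Python client that either does full CA chain and hostname validation (on-network) or, for off-network use, skips chain validation but refuses the connection unless the server's leaf certificate matches an operator-configured SHA-256 pin. The pin format, the function names and the `connect_nts_ke` wrapper are my assumptions; the ALPN id `ntske/1` is the one the NTS specification defines.

```python
import hashlib
import socket
import ssl
from typing import Iterable

# Assumed pin format: hex SHA-256 over the server's DER-encoded leaf certificate.
def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lower-case hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def verify_pinned(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Partial validation for off-network use: accept the certificate only if
    its fingerprint is one of the configured pins.  No CA chain or hostname
    check happens here, so the pin is the only thing stopping a MITM."""
    normalised = {p.lower().replace(":", "") for p in pins}
    return cert_fingerprint(der_cert) in normalised

def make_context(mode: str) -> ssl.SSLContext:
    """'full': CA chain + hostname validation (normal on-network operation).
    'pin':  chain validation off; the caller MUST apply verify_pinned() after
            the handshake, otherwise this degrades to plain 'noval'."""
    ctx = ssl.create_default_context()
    if mode == "pin":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode != "full":
        raise ValueError("mode must be 'full' or 'pin'")
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def connect_nts_ke(host: str, port: int, mode: str,
                   pins: Iterable[str] = ()) -> ssl.SSLSocket:
    """Open a TLS connection to an NTS-KE server under the chosen policy.
    In 'pin' mode the socket is closed if the leaf certificate is not pinned."""
    ctx = make_context(mode)
    ctx.set_alpn_protocols(["ntske/1"])
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    if mode == "pin":
        # binary_form=True returns the DER cert even when verify_mode is CERT_NONE.
        der = sock.getpeercert(binary_form=True)
        if not verify_pinned(der, pins):
            sock.close()
            raise ssl.SSLCertVerificationError("leaf certificate matches no pin")
    return sock
```

Pins still have to be distributed and rotated out of band, which is the same key-management problem the message raises for standalone NTS-KE.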