What's left to do on NTS

Eric S. Raymond esr at thyrsus.com
Sat Mar 2 16:36:03 UTC 2019


Gary E. Miller via devel <devel at ntpsec.org>:
> The way Mark explained it to me, you want one NTS-KE per aisle, or
> per rack.  That limits the number of servers, with keys, that need
> to be protected.

I now think this plan is a mistake and that Hal did the right thing by
building key service into ntpd itself.

Trying to change that by breaking out a separate NTS-KE server would
introduce a lot of complexity when we could achieve the same result by
pointing the ntpd instances at a common key on a fileshare.

If you don't trust that your LAN is secured enough to do that, you can't
trust it enough to pass NTS-KE traffic over it either.
-- 
		Eric S. Raymond <http://www.catb.org/~esr/>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.

