What's left to do on NTS

Kurt Roeckx kurt at roeckx.be
Sun Mar 3 20:35:18 UTC 2019


On Sun, Mar 03, 2019 at 08:56:55PM +0100, Achim Gratz via devel wrote:
> Hal Murray via devel writes:
> > There is no security in the pool anyway, so let's put that discussion
> > aside for a while.
> 
> I'd take exception with that statement.  If the pool was upgraded to use
> NTS one way or the other, it _would_ provide some extra security over
> the status quo.  It's a different kind of security than what you get
> from running your own time servers, but if I can be sure that I'm
> talking to the NTP server that the pool has assigned me instead of
> talking to some random IP address that the pool thinks is an NTP server
> but can't be sure of, then that's a lot better than what we have today.

I don't see how it can work with the current pool system. You look
something up like pool.ntp.org and get some IP addresses. But none
of those will have a certificate for pool.ntp.org, so the
verification of the certificate will fail.

ntp.org currently doesn't use dnssec, so that DNS is not even
secure, so there really isn't much changed compared to what we
have now.

I think what we need is a secure way to get a list of hostnames.
One way is to run some https query. This will probably require
more resources to run the pool than what it currently uses.


Kurt
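The certificate problem described above, as an added example that is not part of the thread: a pool member serves a certificate for its own name, and a client that reached it by looking up pool.ntp.org fails hostname verification in the NTS-KE TLS handshake, while a client that learned the member's real hostname passes. The hostname ntp1.example.net is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeServerCert builds a self-signed certificate whose only SAN is hostname,
// standing in for what a pool member would present on its NTS-KE port.
// Constructed test data; no real pool server is involved.
func makeServerCert(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether the presented certificate is valid for the name
// the client used to reach the server (RFC 6125 matching, which is the check
// an NTS-KE client performs after the TLS handshake).
func NameMatches(cert *x509.Certificate, expected string) bool {
	return cert.VerifyHostname(expected) == nil
}

func main() {
	cert, err := makeServerCert("ntp1.example.net") // constructed member hostname
	if err != nil {
		panic(err)
	}
	// Resolved pool.ntp.org to this member's address: name check fails.
	fmt.Println("pool.ntp.org     ->", NameMatches(cert, "pool.ntp.org"))
	// Got the member's own hostname from a trusted list: name check passes.
	fmt.Println("ntp1.example.net ->", NameMatches(cert, "ntp1.example.net"))
}
```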


