What's left to do on NTS

Achim Gratz Stromeko at nexgo.de
Sun Mar 3 21:25:31 UTC 2019


Kurt Roeckx via devel writes:
> I don't see how it can work with the current pool system. You look
> something up like pool.ntp.org and get some IP addresses. But none
> of those will have a certificate for pool.ntp.org, so the
> verification of the certificate will fail.

You will still look up a pool address, just for the NTS-KE of that pool,
which will have a proper certificate by definition.  The NTS-KE will
then give you back a different NTS server to use.  Since this server
needs to agree on the master key and the initial set of cookies with the
NTS-KE, if you can successfully communicate with the NTS, it is indeed
the server that the NTS-KE has assigned to you.  No certificate for that
server is needed.

> ntp.org currently doesn't use dnssec, so that DNS is not even
> secure, so there really isn't much changed compared to what we
> have now.

That is a separate issue.

> I think what we need is a secure way to get a list of hostnames.

No, this is not needed for NTS to work.

> One way is to run some https query. This will probably require
> more resources to run the pool than what it currently uses.

I don't think anyone will invent yet another protocol (or add-on) just
for the NTP pool.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
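The handoff Achim describes above (the client authenticates only the NTS-KE server by certificate; the assigned NTS time server proves itself by holding the same master key that sealed the client's cookies) is modelled below. This is an added, constructed example, not code from the thread or from any NTS implementation: the TLS session is reduced to a shared exporter secret, the AEAD is a labelled HMAC-SHA256 stand-in for AES-SIV, and the class and function names are hypothetical. It shows that a server that was not assigned by the NTS-KE (no shared master key) cannot open the cookie and therefore cannot produce an authenticated response, so no per-server certificate is required.

```python
"""Toy model of the NTS-KE -> NTS time server trust handoff (constructed example).

Assumptions made for this model (not real NTS wire format):
- The NTS-KE server is the one reached under the pool name and is the only
  party whose TLS certificate the client checks; TLS itself is modelled by a
  shared `tls_exporter_secret` from which C2S/S2C keys are derived.
- NTS-KE and the time server it assigns share MASTER_KEY, used to seal cookies.
- seal()/open_() are an HMAC-SHA256 keystream+tag stand-in for AES-SIV.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, n: bytes) -> bytes:
    # HMAC in counter mode; only a toy, used in place of a real AEAD cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, sealed: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_session_keys(tls_exporter_secret: bytes):
    # Real NTS-KE derives C2S/S2C from the TLS exporter; modelled with SHA-256 labels.
    c2s = hashlib.sha256(b"c2s" + tls_exporter_secret).digest()
    s2c = hashlib.sha256(b"s2c" + tls_exporter_secret).digest()
    return c2s, s2c


class NtsKeServer:
    """Reached under the pool name; assigns a time server that shares its master key."""

    def __init__(self, master_key: bytes, assigned_server: "NtsServer"):
        self.master_key = master_key
        self.assigned_server = assigned_server

    def key_establishment(self, tls_exporter_secret: bytes, n_cookies: int = 8):
        c2s, s2c = derive_session_keys(tls_exporter_secret)
        # Cookies carry the session keys, sealed so only the master-key holder can read them.
        cookies = [seal(self.master_key, c2s + s2c) for _ in range(n_cookies)]
        return self.assigned_server, cookies


class NtsServer:
    """NTS time server; no certificate, only (possibly) the shared master key."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def respond(self, cookie: bytes, unique_id: bytes, client_tag: bytes):
        try:
            keys = open_(self.master_key, cookie)
        except ValueError:
            return None  # wrong master key: cannot recover the session keys
        c2s, s2c = keys[:KEY_LEN], keys[KEY_LEN:]
        if not hmac.compare_digest(client_tag, hmac.new(c2s, unique_id, hashlib.sha256).digest()):
            return None
        return seal(s2c, b"time:1551648331", aad=unique_id)


class NtsClient:
    def __init__(self, tls_exporter_secret: bytes):
        self.c2s, self.s2c = derive_session_keys(tls_exporter_secret)
        self.cookies = []

    def bootstrap(self, ke: NtsKeServer, tls_exporter_secret: bytes) -> NtsServer:
        server, self.cookies = ke.key_establishment(tls_exporter_secret)
        return server

    def query(self, server: NtsServer):
        cookie, uid = self.cookies.pop(), os.urandom(32)
        resp = server.respond(cookie, uid, hmac.new(self.c2s, uid, hashlib.sha256).digest())
        if resp is None:
            return None
        try:
            return open_(self.s2c, resp, aad=uid)  # authenticated under S2C
        except ValueError:
            return None


def demo():
    master, tls_secret = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    client = NtsClient(tls_secret)
    assigned = client.bootstrap(NtsKeServer(master, NtsServer(master)), tls_secret)
    genuine = client.query(assigned)          # assigned server: valid time response
    rogue = client.query(NtsServer(os.urandom(KEY_LEN)))  # no shared master key: rejected
    return genuine, rogue


if __name__ == "__main__":
    print(demo())
```

The point the model makes is structural rather than cryptographic: the client's trust anchor is the certificate of the NTS-KE endpoint alone, and the time server's legitimacy follows from its ability to open the cookies, which only a master-key holder assigned by that NTS-KE can do.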
