What's left to do on NTS
Achim Gratz
Stromeko at nexgo.de
Sun Mar 3 21:25:31 UTC 2019
Kurt Roeckx via devel writes:
> I don't see how it can work with the current pool system. You look
> something up like pool.ntp.org and get some IP addresses. But none
> of those will have a certificate for pool.ntp.org, so the
> verification of the certificate will fail.
You will still look up a pool address, just for the NTS-KE of that pool,
which will have a proper certificate by definition. The NTS-KE will
then give you back a different NTS server to use. Since this server
needs to agree on the master key and the initial set of cookies with the
NTS-KE, if you can successfully communicate with the NTS, it is indeed
the server that the NTS-KE has assigned to you. No certificate for that
server is needed.
> ntp.org currently doesn't use dnssec, so that DNS is not even
> secure, so there really isn't much changed compared to what we
> have now.
That is a separate issue.
> I think what we need is a secure way to get a list of hostnames.
No, this is not needed for NTS to work.
> One way is to run some https query. This will probably require
> more resources to run the pool than what it currently uses.
I don't think anyone will invent yet another protocol (or add-on) just
for the NTP pool.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
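
The delegation argued for in the message above, as an added sketch (not part of the original mail and not ntpsec code): the NTS-KE hands the client session keys plus a cookie sealed under a master key it shares with the time server, so only a server holding that master key can produce a reply the client accepts. All function names are hypothetical, the SHA-256 keystream with HMAC is a toy stand-in for the AEAD that NTS uses, and the random C2S/S2C keys stand in for keys exported from the TLS session.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode: toy keystream, stand-in for a real AEAD
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _mac(key, nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, nonce + ct)):
        return None  # not sealed under this key
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def nts_ke_handshake(master_key, assigned_server):
    # NTS-KE side; assumed to run inside the certificate-verified TLS session.
    c2s, s2c = os.urandom(32), os.urandom(32)  # assumption: random, not TLS-exported
    return {"server": assigned_server, "c2s": c2s, "s2c": s2c,
            "cookie": seal(master_key, c2s + s2c)}

def nts_server_reply(master_key, cookie, request, request_tag):
    # Time server: holds no certificate, only the master key shared with the NTS-KE.
    keys = unseal(master_key, cookie)
    if keys is None:
        return None
    c2s, s2c = keys[:32], keys[32:]
    if not hmac.compare_digest(request_tag, _mac(c2s, request)):
        return None
    reply = b"time-reply:" + request
    return reply, _mac(s2c, reply)

def client_query(session, server_master_key):
    # Client: accept the answer only if it verifies under the S2C key from NTS-KE.
    request = os.urandom(8)
    result = nts_server_reply(server_master_key, session["cookie"], request,
                              _mac(session["c2s"], request))
    if result is None:
        return False
    reply, reply_tag = result
    return hmac.compare_digest(reply_tag, _mac(session["s2c"], reply))
```

client_query() returns True when the answering server holds the same master key as the NTS-KE and False when it holds any other key, which is the property that makes a certificate on the time server unnecessary.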