NTS: config and initialization

Gary E. Miller gem at rellim.com
Fri Mar 8 21:03:58 UTC 2019


Yo Richard!

On Fri, 8 Mar 2019 14:50:38 -0600
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 3/8/19 1:42 PM, Gary E. Miller via devel wrote:
> > Is /etc/ssl/certs somewhat standard?  At least for the root certs?
> 
> Somewhat, but I don't know to what extent the contents of it are
> standard.

We are making the standard.

> Here's a proposal off the top of my head:
> 1) server private key = SYSCONFDIR/ntp/nts.key
> 2) server certificate = SYSCONFDIR/ntp/nts.crt
> 3) cookie key file    = LOCALSTATEDIR/lib/ntpkeys

I'd like an extension on #3.  Maybe .conf, but I'm not picky.

Also, the standard never talks of a cookie key, only master key(s).

> Where SYSCONFDIR would be /etc and LOCALSTATEDIR would be /var in a
> distro-package on Linux.

We are sort of in a bind.  If the user is supposed to edit
LOCALSTATEDIR/lib/ntpkeys then it is not supposed to be in the
LOCALSTATEDIR.

So that would be only if the initial master key(s) come from elsewhere.

> LOCALSTATEDIR normally defaults (in GNU [0]) to PREFIX/var and thus
> /usr/local/var. If you want to default it to /var/local for better FHS
> compliance, that would work too.
> 
> [0]
> https://www.gnu.org/prep/standards/html_node/Directory-Variables.html

Interesting, yet another conflict between GNU and FHS.  It looks like
autoconf, which we do not use, follows the GNU convention, not the FHS
one.

My general rule is to follow FHS over GNU if there is a conflict.  But
that inevitably leads to conflicts.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin