NTS: config and initialization

Fri Mar 8 22:30:22 UTC 2019

On 3/8/19 3:03 PM, Gary E. Miller via devel wrote:
>> Here's a proposal off the top of my head:
>> 1) server private key = SYSCONFDIR/ntp/nts.key
>> 2) server certificate = SYSCONFDIR/ntp/nts.crt
>> 3) cookie key file    = LOCALSTATEDIR/lib/ntpkeys
> 
> I'd like an extention on #3.  Maybe .conf, but I'm not picky.

It doesn't really feel like a .conf to me. It's not something the user
edits. I like "ntp.keys", but unfortunately that has a meaning and man
page already. So maybe master.keys?

> Also, the standard never talks of a cookie key, only master key(s).

I don't really care whether we call it a "cookie key file" or "master
key file" or something else.

I was trying to draw a distinction between NTS key/cert and NTP
(master/cookie) key.

>> Where SYSCONFDIR would be /etc and LOCALSTATEDIR would be /var in a
>> distro-package on Linux.
> 
> We are sort of in a bind.  If the users is supposed to edit
> LOCALSTATEDIR/lib/ntpkeys then it is not supposed to be in the
> LOCALSTATEDIR.

The user surely is not (manually) editing the master/cookie keys file.
The keys will be created by ntpd, so LOCALSTATEDIR is correct.

>> LOCALSTATEDIR normally defaults (in GNU [0]) to PREFIX/var and thus
>> /usr/local/var. If you want to default it to /var/local for better FHS
>> compliance, that would work too.
...
> My general rule is to follow FHS over GNU if there is a conflict.

Sure, that's reasonable. We should (and do) use the GNU/autoconf names
for the variables (PREFIX, SYSCONFDIR, etc.) absent a good reason.
NTPsec practice is to all caps them (PREFIX vs prefix). So that's why I
used LOCALSTATEDIR.

-- 
Richard

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190308/43261f03/attachment.bin>