NTS: config and initialization

Gary E. Miller gem at rellim.com
Fri Mar 8 22:44:24 UTC 2019 

Yo Richard!

On Fri, 8 Mar 2019 16:30:22 -0600
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 3/8/19 3:03 PM, Gary E. Miller via devel wrote:
> >> Here's a proposal off the top of my head:
> >> 1) server private key = SYSCONFDIR/ntp/nts.key
> >> 2) server certificate = SYSCONFDIR/ntp/nts.crt
> >> 3) cookie key file    = LOCALSTATEDIR/lib/ntpkeys  
> > 
> > I'd like an extention on #3.  Maybe .conf, but I'm not picky.  
> 
> It doesn't really feel like a .conf to me. It's not something the user
> edits. I like "ntp.keys", but unfortunately that has a meaning and man
> page already. So maybe master.keys?

Works for me.  Hal?

> > Also, the standard never talks of a cookie key, only master
> > key(s).  
> 
> I don't really care whether we call it a "cookie key file" or "master
> key file" or something else.

I care to reduce the vocabulary, and to make the vocabulary match the
Proposed RFC.

> I was trying to draw a distinction between NTS key/cert and NTP
> (master/cookie) key.

master.keys does that.  Right?
> 
> >> Where SYSCONFDIR would be /etc and LOCALSTATEDIR would be /var in a
> >> distro-package on Linux.  
> > 
> > We are sort of in a bind.  If the users is supposed to edit
> > LOCALSTATEDIR/lib/ntpkeys then it is not supposed to be in the
> > LOCALSTATEDIR.  
> 
> The user surely is not (manually) editing the master/cookie keys file.
> The keys will be created by ntpd, so LOCALSTATEDIR is correct.

Uh, say what?  How/when/where does ntpd create the master keys?  I thought
those were an input.  At least the initial master key(s).

> >> LOCALSTATEDIR normally defaults (in GNU [0]) to PREFIX/var and thus
> >> /usr/local/var. If you want to default it to /var/local for better
> >> FHS compliance, that would work too.  
> ...
> > My general rule is to follow FHS over GNU if there is a conflict.  
> 
> Sure, that's reasonable. We should (and do) use the GNU/autoconf names
> for the variables (PREFIX, SYSCONFDIR, etc.) absent a good reason.
> NTPsec practice is to all caps them (PREFIX vs prefix). So that's why
> I used LOCALSTATEDIR.

Works for me.  The default is reasonable, and easy for packagers to 
change to their requirements.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190308/67c8f874/attachment.bin>

More information about the devel mailing list