NTS update
Hal Murray
hmurray at megapathdsl.net
Wed Mar 20 22:22:33 UTC 2019
Gary said:
> Only if you figure out how to not have a huge daily rush to rekey.
Under normal conditions, there is never any need to rekey.
The server holds 2 cookie keys. When it makes a new key, the current key gets
moved to the old key and the previous old key is lost.
Cookies using either the new or old key will work. When the client uses an
old key, it gets back a new key. So as long as the client polling interval is
fast enough, it gets new keys while all its old keys still work.
The keys are saved on disk so you can restart the server without rekey
problems.
If that doesn't make sense, I'll try again.
8*1024 is less than 24 hours. So it will be fine. It's not less than 1 hour
so we get to test things.
--------
> Ah, Gentoo unstable updated to openssl 1.1.0j on March 6th.
> Do I need any change in basic NTPsec build?
It should just build and work.
The server ask, require, expire, cert, and ca options are not implemented.
I wanted the ca option, but it's not simple to implement. I'll have to think
about it.
--
These are my opinions. I hate spam.
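The two-key cookie rotation Hal describes above, modelled as an added example that is not NTPsec code. It assumes a simplified cookie format (an 8-byte key id, the client state, and an HMAC-SHA256 tag) in place of the AEAD-sealed cookie real NTS uses, and a JSON file for the on-disk key store; the rotation rule, the "old key still works and you get a fresh cookie" behaviour, and the restart-without-rekey property are what the mail states.

```python
"""Toy model of the two-key NTS cookie rotation from the mail (not NTPsec code).

Constructed assumptions: cookies are authenticated with HMAC-SHA256 rather
than the AEAD NTS actually uses, the key id is the first 8 bytes of
SHA-256(key), and the key store is a JSON file.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from typing import Optional, Tuple

KID_LEN = 8
TAG_LEN = 32


def key_id(key: bytes) -> bytes:
    # Short identifier so the server can pick the right key without trial decryption.
    return hashlib.sha256(key).digest()[:KID_LEN]


class CookieServer:
    """Holds a current and an old cookie key, as the mail describes."""

    def __init__(self, current: Optional[bytes] = None, old: Optional[bytes] = None):
        self.current = current or secrets.token_bytes(32)
        self.old = old

    def rotate(self) -> None:
        # Current key becomes the old key; the previous old key is lost.
        self.old = self.current
        self.current = secrets.token_bytes(32)

    def mint(self, client_state: bytes) -> bytes:
        # Cookie = key id || client state || tag, always sealed under the current key.
        tag = hmac.new(self.current, client_state, hashlib.sha256).digest()
        return key_id(self.current) + client_state + tag

    def unwrap(self, cookie: bytes) -> Optional[Tuple[bytes, bool]]:
        """Return (client_state, used_old_key), or None if the cookie is unusable."""
        if len(cookie) < KID_LEN + TAG_LEN:
            return None
        kid, body, tag = cookie[:KID_LEN], cookie[KID_LEN:-TAG_LEN], cookie[-TAG_LEN:]
        for key, is_old in ((self.current, False), (self.old, True)):
            if key is None or key_id(key) != kid:
                continue
            expected = hmac.new(key, body, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                return body, is_old
            return None  # right key id but bad tag: corrupted or forged
        return None  # neither key matches: the client polled too slowly

    def handle(self, cookie: bytes) -> Optional[bytes]:
        """One server exchange: accept the cookie, hand back one under the current key."""
        opened = self.unwrap(cookie)
        if opened is None:
            return None
        state, _used_old = opened
        return self.mint(state)

    def save(self, path: str) -> None:
        # Persist both keys so a restart does not force every client to rekey.
        with open(path, "w") as f:
            json.dump({"current": self.current.hex(),
                       "old": self.old.hex() if self.old else None}, f)

    @classmethod
    def load(cls, path: str) -> "CookieServer":
        with open(path) as f:
            d = json.load(f)
        return cls(bytes.fromhex(d["current"]),
                   bytes.fromhex(d["old"]) if d["old"] else None)


def rotation_demo() -> dict:
    """Walk through the lifecycle in the mail; each value is one claim checked."""
    srv = CookieServer()
    state = b"constructed client state (AEAD id + C2S/S2C keys)"
    c1 = srv.mint(state)
    srv.rotate()                       # c1's key is now the old key
    c2 = srv.handle(c1)                # still accepted; fresh cookie comes back
    result = {
        "old_key_cookie_accepted": c2 is not None,
        "refreshed_cookie_uses_current_key": c2 is not None and c2[:KID_LEN] == key_id(srv.current),
    }
    srv.rotate()                       # c1's key is now lost
    result["stale_cookie_rejected"] = srv.handle(c1) is None
    forged = c2[:-1] + bytes([c2[-1] ^ 1])
    result["forged_cookie_rejected"] = srv.handle(forged) is None
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        srv.save(path)
        restarted = CookieServer.load(path)  # "restart the server without rekey problems"
        result["survives_restart"] = restarted.handle(c2) is not None
    finally:
        os.remove(path)
    return result


if __name__ == "__main__":
    for claim, ok in rotation_demo().items():
        print(f"{claim}: {'ok' if ok else 'FAILED'}")
```

The client-side corollary from the mail is visible in `rotation_demo`: a cookie minted before one rotation is still honoured and replaced, a cookie that has sat through two rotations is not, so the client's polling interval has to be shorter than the server's rotation interval.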