Splitting NTS-KE out from ntpd

Gary E. Miller gem at rellim.com
Thu Sep 3 18:19:23 UTC 2020


Yo Hal!

On Thu, 03 Sep 2020 00:14:52 -0700
Hal Murray <hmurray at megapathdsl.net> wrote:

> Thanks.
> 
> Gary said:
> > It is not happening, just a request.  It seems to raise its hand
> > every few weeks.   
> 
> I was trying to ask how/where/what you were hearing/seeing such
> requests? Mailing list?  usenet?  at the local pub?

This mailing list, the IETF NTP WG, and #ntpsec.

> > The idea is that you want NTP on a bunch of servers, but only want
> > your private keys on a very secure server.  Otherwise you have to
> > manage TPM on every server, which is a PITA.  
> 
> Seems like a reasonable request.  If you have a bunch of NTP servers,
> do you want to add a single point of failure?

Uh?  Nothing in the request says that.

> Is anybody seriously interested, or is this just discussing corner
> cases?

They seemed like serious requests, but I'll not take the time to be their
proxy.

> I haven't worked with TPM.  How well does it work with OpenSSL?

Pretty seamless.  It is just another place to store keys and run
crypto algos.  I thought my new Ryzen motherboard would do TPM, but
it is known buggy with Linux.

The Asus TPM module is $12, so when it works, the masses can use TPM.

> Would our code have to change or do they magically cooperate without
> any help from our code?

My guess is no.  When openssl asks the kernel to handle keys, randomness,
and crypto algos, the kernel decides to use TPM, emulate TPM, or just
do the traditional.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin