[Git][NTPsec/ntpsec][master] nts.adoc: Add description of new config file options.

Gary E. Miller gitlab at mg.gitlab.com
Thu Jan 31 23:05:20 UTC 2019


Gary E. Miller pushed to branch master at NTPsec / ntpsec


Commits:
3a26a144 by Gary E. Miller at 2019-01-31T23:04:18Z
nts.adoc: Add description of new config file options.

How to ask for an NTS association.

- - - - -


1 changed file:

- devel/nts.adoc


Changes:

=====================================
devel/nts.adoc
=====================================
@@ -114,15 +114,17 @@ For AEAD, we need libaes_siv.so, RFC 5297
 It's not in OpenSSL yet.
   https://github.com/dfoxfranke/libaes_siv
 
-TODO: Is the NTP client going to initiate NTS for servers by default?
-If so, it SHOULD (MUST?) provide a configuration parameter to disable
-NTS for a given server.
-
-While it is technically permitted (see RFC5280, page 35) to put an
-IP address in a subjectAltName in a certificate, this is essentially
-never done in practice, and certainly not with public CAs.
-Accordingly, the NTP client SHOULD NOT initiate NTS for servers
-specified by IP address (whether IPv4 or IPv6).
+An NTP client SHOULD NOT initiate NTS-KE by default.  Configuration
+parameters from the NTPD config file will tell the NTPD client when and
+how to initiate NTS-KE.
+
+While it is technically permitted (see RFC5280, page 35) to put an IP
+address in a subjectAltName in a certificate, this is essentially never
+done in practice, and rarely with public CAs.  Accordingly, the NTS-KE
+client SHOULD NOT generally initiate NTS for servers specified by IP
+address (whether IPv4 or IPv6).  The NTS-KE client MAY initiate NTS
+for servers specified by IP address (whether IPv4 or IPv6) for testing
+purposes.
 
 Additionally, the NTP client SHOULD NOT initiate NTS for pool
 associations by default.  The most common pool is the public pool at
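Review bot: the new MAY clause ("The NTS-KE client MAY initiate NTS / for servers specified by IP address ... for testing purposes") leaves open which certificate checks apply in that case; since an IP-address server name will normally not match any subjectAltName, the paragraph should state that the testing exception does not relax certificate validation, or that any relaxation is an explicit, non-default configuration option. The replaced text also weakens "certainly not with public CAs" to "rarely with public CAs" without a source; if a public CA issuing IP-SAN certificates is known, name it, otherwise keep the stronger wording. Minor: the paragraph mixes "NTP client", "NTPD client" and "NTS-KE client" for the same role; one term would read better.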
@@ -230,6 +232,30 @@ configure an OpenSSL cipher string for the TLS connection.
 The NTS-KE server SHOULD provide a configuration paramter to
 configure an OpenSSL cipher string for the AEAD algorithms.
 
+== Configuration parameters ==
+
+To specify that an NTPD client should initiate a connection to
+a remote NTS-KE (nts-ke.example.com), and accept the provided
+NTPD server hostname or IP:
+
+....
+nts nts-ke.example.com
+....
+
+Use the optional keyword `ask` to ask for, but not require, a cookie and
+association to a given server (ntpd.example.com).
+
+....
+nts nts-ke.example.com ask ntpd.example.com
+....
+
+Use the optional keyword `require` to require a cookie and association
+to a given server (ntpd.example.com). server (ntpd.example.com).
+
+....
+nts nts-ke.example.com require ntpd.example.com
+....
+
 == Key Generation and Usage ==
 
 NTS makes use of three keys:
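Review bot: duplicated phrase in the `require` paragraph: "to a given server (ntpd.example.com). server (ntpd.example.com)." should read "to a given server (ntpd.example.com)." More substantively, the section does not say what happens when the NTS-KE server does not offer the server named after `ask` or `require`, which is the one case that distinguishes the two keywords; suggest stating that `ask` falls back to the server the NTS-KE response provides while `require` fails the association, or whatever the implementation actually does. The first example would also be clearer if it said whether `nts nts-ke.example.com` with no keyword is equivalent to `ask` for the NTS-KE host itself. Drive-by in the unchanged context line above the hunk: "paramter" should be "parameter".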



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/3a26a1442230faef74d557fae12fa2fd5aea4af3
