> If I have a real certificate, I don't know it.

You have one on any web server that supports https. I don't know where it lives. Probably someplace in apache land.

Gary says it's easy to get them via Let's Encrypt. Their web page says you need to control the domain. Gary said you only need a FQDN, which makes more sense. For non-public IP addresses (aka behind a NAT box) you can use self-signed certificates. When I suggested a HOWTO, there was back pressure. If anybody wants help along those lines, I'll dig out my notes.

>> If you want to write code, we need to save the current K and I to disk.
>> We also need to rotate keys occasionally.

> When should the saves occur? After every cookie fetch?

No, only when they get rotated, which is ballpark of 24 hours.

Asking that means it's time to read the draft carefully (again).

The idea is that K is used to encrypt stuff in a cookie. You need to use that K to decrypt the cookie when it comes back. If you restart your ntpd, it wants to use the same K so all the cookies in clients out there are still valid.

We also need to rotate K occasionally and remember the old one. The cookie tells you which K to use. For debugging, we can rotate them every hour and save more than one old one. Good clients will ramp up to 1024 seconds. That's a bit over 2 hours, so we need 3 old ones.

The disk file needs to save the K/I pairs and the time it was written.

-- 
These are my opinions. I hate spam.

devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
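An added example sketching the K/I ring the message describes (rotation on a timer, a few old keys kept, and the K/I pairs plus write time saved to disk); this is illustration written for this page, not NTPsec's code, and the JSON file layout, the 32-byte key size and the assumption that a client holds 8 cookies while polling at 1024 s (which is how 1024 s stretches to "a bit over 2 hours") are this example's own.

```python
import json
import math
import os
import secrets


class CookieKeyRing:
    """(I, K) ring for NTS cookies, saved to disk so a restarted ntpd still decrypts them."""

    def __init__(self, path, rotate_every=3600, cookie_lifetime=8 * 1024):
        self.path, self.rotate_every = path, rotate_every
        # Old keys must outlive cookies minted under them: a client polling at 1024 s
        # with a supply of 8 cookies (assumed) may return one ~8192 s after issue, so
        # hourly rotation keeps ceil(8192 / 3600) = 3 old keys beside the current one.
        self.keep_old = math.ceil(cookie_lifetime / rotate_every)
        self.ring = []      # newest first; each entry is (I, K)
        self.written = 0.0  # when the ring was last saved
        if os.path.exists(path):
            self.load()

    def load(self):
        with open(self.path) as f:
            state = json.load(f)
        self.ring = [(e["I"], bytes.fromhex(e["K"])) for e in state["keys"]]
        self.written = state["written"]

    def save(self, now):
        self.written = now
        state = {"written": now, "keys": [{"I": i, "K": k.hex()} for i, k in self.ring]}
        fd = os.open(self.path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:  # owner-only file: these are the cookie secrets
            json.dump(state, f)
        os.replace(self.path + ".tmp", self.path)  # atomic rename, never a half file

    def rotate(self, now):
        # Mint a fresh 256-bit K under the next I, drop keys past keep_old, persist.
        new_id = self.ring[0][0] + 1 if self.ring else 1
        self.ring.insert(0, (new_id, secrets.token_bytes(32)))
        del self.ring[self.keep_old + 1:]
        self.save(now)

    def maybe_rotate(self, now):
        """Call on every cookie fetch; rotates only once rotate_every has elapsed."""
        if not self.ring or now - self.written >= self.rotate_every:
            self.rotate(now)
            return True
        return False

    def lookup(self, key_id):
        """Resolve the I carried in a returning cookie; None means it has aged out."""
        return next((k for i, k in self.ring if i == key_id), None)
```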