Yo Hal!

On Fri, 01 Mar 2019 15:46:49 -0800
Hal Murray via devel <devel@ntpsec.org> wrote:

> > What still needs to be done to fully land this feature? Key
> > rotation? Anything else?
>
> I've been collecting major items in devel/TODO-NTS

It is missing key rotation. Also how to share keys between standalone
NTS-KE and NTPD.

Have you tested NTS-KE and NTPD on different hosts, talking to each other?
How about multiple NTS-KE and NTPD in a cluster?

> Mostly, it needs testing and probably an overview level
> documentation. Something high level rather than the details of how to
> configure it. Maybe a HOWTO too.

That too.

> We have to decide how paranoid we want to be about security. The
> sort of things that are good for debugging enable operation in
> insecure modes. For example, the "noval" option on certificates.
> Maybe we should have a configure time option.

Please; no more configure time options!

"noval" is not mostly for debugging. It is essential for off network
operation.

> I assume your "key rotation" includes saving keys to disk for
> recovery after restart.

Not by my definition. The master key(s) need to change regularly,
probably every 24 hours is good. Also, the cookies need to be retired
after X days.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin