Yo Hal!

On Fri, 01 Mar 2019 19:55:15 -0800 Hal Murray via devel <devel@ntpsec.org> wrote:

> Gary said:
> > It is missing key rotation. Also how to share keys between
> > standalone NTS-KE and NTPD.
>
> Why do we need a standalone NTS-KE server?

Because that is the initial use case. If each ntpd had nts-ke in it then there would be no need for such a complicated protocol.

The way Mark explained it to me, you want one NTS-KE per aisle, or per rack. That limits the number of servers, with keys, that need to be protected.

> Gary said:
> > "noval" is not mostly for debugging. It is essential for off
> > network operation.
>
> I don't understand that use case. Without checking the certificate,
> you have no real security.

Not complete security, but at least encryption. And there are levels of validation. If you are off net, you can't completely validate the cert, but you can partially validate it. Maybe you would want to pin it.

> > Have you tested NTS-KE and NTPD on different hosts, talking to each
> > other?
>
> Yes. NetBSD and FreeBSD too.

And the NTS-KE and NTPD are NOT on the same host?

> > How about multiple NTS-KE and NTPD in a cluster?
>
> Nope. I've been assuming things like that are stage 2. I've been
> working on stage 1.

Fair enough. Just don't confuse people by saying almost done.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
pgpJPeArhVjzn.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel