Hal Murray via devel writes:
> They are needed to use old cookies after restarting ntpd.

I'd not go there. If you do a cold restart, you lose the cryptographic state, end of story. Now, doing a warm restart that doesn't lose all state is something that's useful independent of the topics around NTS, but it would likely solve this problem, too.

> A side benefit is that it enables something like a KE server for a pool.

I don't think so either. You will have to have a key per NTS-KE to NTS pairing. You don't want to persist keys to disk, not in unencrypted form anyway… which ends up requiring some sort of an extra layer of key management just for the persisted keys that has to come from somewhere else.

Both ends of that association will need to have TLS certificates anyway, so I still think that the most useful way to create keys is via the TLS session facilities. Persisting TLS sessions is a thing, but again the problem of storing the requisite data (session identifiers or tickets) rears its head. But at least this data is useless on a different machine due to failing the certificate check.

Regards,
Achim.