Andrew,

Thank you for your review of our SNTP documentation. We have considered your request regarding the introductory paragraph in our MS-SNTP documentation. The purpose of the MS-SNTP document is to describe a Microsoft extension to NTP, so it would be inappropriate to make a value statement such as the one suggested. The way in which keying material is used outside of this protocol is up to an implementer. It is assumed that a person implementing a protocol that utilizes cryptographic material is skilled in the use and safety of said material. The paragraph in question has been adjusted to make it clearer that the checksum algorithm and keying material described in MS-SNTP are relevant to Windows domains.

We have adjusted the documentation as follows:

MS-SNTP Introduction (2nd paragraph):

[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide a strong checksum algorithm and use keying material that is readily available to Windows systems joined to a Windows domain.

The original text read:

[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide for better security by using a stronger checksum algorithm, and by using keying material that is more convenient for Windows systems joined to a Windows domain.

Please let us know if you have any additional comments/questions to consider around this issue.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: [EMAIL PROTECTED]
We're hiring <http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted>

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 10, 2008 7:53 PM
To: Richard Guthrie
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: SNTP issues

On Tue, 2008-06-10 at 10:28 -0700, Richard Guthrie wrote:
> Andrew,
>
> I wanted to see if you have had a chance to review the article below to see
> if it addresses your issue. Let me know if it did/did not help your team.

Certainly I know that I should talk to the www.ntp.org community and the NTP working group before blindly deploying the Microsoft protocol, but what I was looking for was a better statement than the opening paragraph:

[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide for better security by using a stronger checksum algorithm, and by using keying material that is more convenient for Windows systems joined to a Windows domain.

Instead, perhaps it should be rewritten as a warning, describing the protocol as a deviation, rather than an improvement (it may not have been that way when the hacks were first added, but it is now):

[RFC1305] Appendix C describes a mechanism similar to the authentication extensions documented here. The extensions documented here provide for better security by using a stronger checksum algorithm, and by using keying material that is more convenient for Windows systems joined to a Windows domain, but should not be used outside this context. Internet standard authentication extensions such as proposed and documented in http://www.ietf.org/internet-drafts/draft-ietf-ntp-autokey-03.txt provide stronger security and serve as a better basis for interoperable implementations.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
