On Wed, May 30, 2018, 1:05 PM Hal Murray via devel <devel@ntpsec.org> wrote:
> One of the key areas that I'm missing is the plans for deployment. Are we
> intending to use the normal certificate distribution mechanism as used by
> the web? That depends on time. Is there a way around that? Do we need our
> own certificate distribution mechanism? Can we copy what DNSSEC does? ...

IIRC draft 10 didn't specify any certificate signing or out of channel distribution. Instead I got the distinct impression that the certificate along with the s2c & c2s keys were transferred during the initial handshake on tcp123 (or other port). I also got the impression that the keys should only be good for 48 hours and deprecated for half that. The only thing I was able to notice was that an NTS client would have to go through 8 NTP poll intervals after the keys expire before starting another NTS KE session to get new keys. All of this is based on old information so I'm not sure how much of it is accurate anymore.