> IIRC draft 10 didn't specify any certificate signing or out of channel
> distribution.
I thought I saw something like that, but that was a while ago and I was expecting it and I wasn't reading that section carefully.

Plan A is to piggyback on the web certificate structure. Basically, the OS/distro includes a collection of trusted certificates. On Fedora, it's ca-certificates:

  Description : This package contains the set of CA certificates chosen by the
              : Mozilla Foundation for use with the Internet PKI.

Those are roughly equivalent to the root servers in DNS.

The catch is that the web certificates have expiration times and the code assumes the clock is reasonable. It doesn't have to be super good, just reasonably close. Setting the clock from a broken RTC, or setting it from the file system after the system has been on the shelf for a week/month/year, may not be good enough. We could add something to the API to indicate that the time checks should be assumed OK.

Anybody can get a web certificate. It doesn't tell you that the guy isn't a crook or knows how to run an NTP server.

Plan B is for each site to set up their own collection of trusted certificates. That would work OK for the cases where an admin selects servers by hand. They would have to find a server's certificate as well as finding convenient, well-run servers like they do now. If you want your board to sit on the spares shelf for many years, then you have to have long expiration times, which means the owners have to be very careful about keeping their certificates safe.

Plan C would be for something like the pool. In addition to keeping track of the servers and distributing the load and ..., somebody would have to figure out which sites are trustworthy. I haven't thought about the pool case much.

-- 
These are my opinions. I hate spam.
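The clock dependence described under Plan A, as an added example that is not part of the original post or of NTPsec's code: a constructed root CA and server certificate (Go standard library; the names BuildChain, VerifyAt and ErrClockProblem are hypothetical) are verified against a plausible clock, a stale clock such as a dead RTC produces, and an untrusted root, so that a clock-caused failure is reported to the operator distinctly from a real trust failure instead of being silently skipped.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// newCert issues a certificate from tmpl; a nil parent means self-signed. All test data is constructed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
// BuildChain returns a long-lived root (as in a distro bundle) and a one-year server cert it signed.
func BuildChain() (*x509.Certificate, *x509.Certificate) {
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: day(2024, 1, 1), NotAfter: day(2034, 1, 1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	server, _ := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ntp.example.test"},
		NotBefore: day(2024, 6, 1), NotAfter: day(2025, 6, 1), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return ca, server
}

// ErrClockProblem: the only failure is a validity window, i.e. what a dead RTC or a board off the shelf produces.
var ErrClockProblem = errors.New("certificate outside validity window: check system clock")
// VerifyAt verifies server against root as if the system clock read now.
func VerifyAt(server, root *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired { // Go reports "not yet valid" and "expired" the same way
		return ErrClockProblem
	}
	return err // nil, or e.g. x509.UnknownAuthorityError when root is not the real issuer
}
```

A caller that sees ErrClockProblem knows the chain itself may be fine and the clock needs attention, which is a different operator action from an unknown-authority failure.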