> IIRC draft 10 didn't specify any certificate signing or out of channel
> distribution.
I thought I saw something like that, but that was a while ago and I was
expecting it and I wasn't reading that section carefully.
Plan A is to piggyback on the web certificate structure. Basically, the
OS/distro includes a collection of trusted certificates. On Fedora, it's
ca-certificates
Description : This package contains the set of CA certificates chosen by the
: Mozilla Foundation for use with the Internet PKI.
Those are roughly equivalent to the root servers in DNS.
The catch is that the web certificates have expiration times and the code
assumes the clock is reasonable. It doesn't have to be super good, just
reasonably close. Setting the clock from a broken RTC or setting it from the
file system after the system has been on the shelf for a week/month/year may
not be good enough. We could add something to the API to indicate that the
time checks should be assumed OK.
Anybody can get a web certificate. It doesn't tell you that the guy isn't a
crook or knows how to run a NTP server.
Plan B is for each site to setup their own collection of trusted certificates.
That would work OK for the cases where an admin selects servers by hand.
They would have to find a server's certificate as well as finding convenient
well run servers like they do now.
If you want your board to sit on the spares shelf for many years, then you
have to have long expiration times which means the owners have to be very
careful about keeping their certificates safe.
Plan C would be for something like the pool. In addition to keeping track of
the servers and distributing the load and ..., somebody would have to figure
out which sites are trustworthy.
I haven't thought about the pool case much.
--
These are my opinions. I hate spam.
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
