Kurt Roeckx via devel writes:
> I don't see how it can work with the current pool system. You look
> something up like pool.ntp.org and get some IP addresses. But none
> of those will have a certificate for pool.ntp.org, so the
> verification of the certificate will fail.

You will still look up a pool address, just for the NTS-KE of that pool, which will have a proper certificate by definition. The NTS-KE will then give you back a different NTS server to use. Since this server needs to agree on the master key and the initial set of cookies with the NTS-KE, if you can successfully communicate with the NTS, it is indeed the server that the NTS-KE has assigned to you. No certificate for that server is needed.

> ntp.org currently doesn't use dnssec, so that DNS is not even
> secure, so there really isn't much changed compared to what we
> have now.

That is a separate issue.

> I think what we need is a secure way to get a list of hostnames.

No, this is not needed for NTS to work.

> One way is to run some https query. This will probably require
> more resources to run the pool than what it currently uses.

I don't think anyone will invent yet another protocol (or add-on) just for the NTP pool.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
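The handoff argued in the message above, as an added, self-contained model (not ntpsec code and not from the thread): the client authenticates only the pool's NTS-KE over TLS, derives c2s/s2c from the TLS exporter with the RFC 8915 label and context, and receives cookies that only NTP servers sharing the KE's cookie master key can open. A host reached under the assigned name that does not hold that master key cannot open the cookie and so cannot produce a reply that verifies under s2c, which is why no certificate is needed for the NTP server itself. The cryptography is a stand-in chosen so the model runs offline with the standard library: HMAC-SHA256 plays the TLS exporter, and a small encrypt-then-MAC construction replaces AEAD_AES_SIV_CMAC_256. Server and pool names, the exporter secret and the cookie count are constructed for the example.

```python
"""Toy model of the NTS-KE -> NTP server handoff (added example, not ntpsec code).
HMAC-SHA256 stands in for the TLS exporter; a home-made encrypt-then-MAC
construction stands in for AEAD_AES_SIV_CMAC_256. Names and secrets are constructed."""
import hashlib
import hmac
import os
import struct

PROTO_ID = 0    # NTPv4 next-protocol id (RFC 8915)
AEAD_ID = 15    # AEAD_AES_SIV_CMAC_256 (IANA id); used here only as derivation context
KEY_LEN = 32


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def export_keys(tls_exporter_secret: bytes):
    """c2s/s2c derived as RFC 8915 does from the TLS exporter: label plus a
    5-octet context (protocol id, AEAD id, direction 0x00/0x01).
    Stand-in: HMAC over the exporter secret instead of the real TLS exporter."""
    label = b"EXPORTER-network-time-security"
    c2s = prf(tls_exporter_secret, label + struct.pack(">HHB", PROTO_ID, AEAD_ID, 0))
    s2c = prf(tls_exporter_secret, label + struct.pack(">HHB", PROTO_ID, AEAD_ID, 1))
    return c2s, s2c


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(prf(key, b"ks" + nonce + struct.pack(">I", i)) for i in range(blocks))[:n]


def aead_seal(key, nonce, aad, plaintext):
    """Toy AEAD (encrypt-then-MAC), stand-in for AES-SIV in this model."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct, prf(key, b"tag" + nonce + aad + ct)


def aead_open(key, nonce, aad, ct, tag):
    if not hmac.compare_digest(prf(key, b"tag" + nonce + aad + ct), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_cookie(master_key: bytes, c2s: bytes, s2c: bytes) -> bytes:
    """cookie = nonce || AEAD(master_key, aead_id || c2s || s2c): only a server
    holding master_key can recover the session keys from it."""
    nonce = os.urandom(16)
    ct, tag = aead_seal(master_key, nonce, b"cookie", struct.pack(">H", AEAD_ID) + c2s + s2c)
    return nonce + ct + tag


def open_cookie(master_key: bytes, cookie: bytes):
    nonce, ct, tag = cookie[:16], cookie[16:-32], cookie[-32:]
    pt = aead_open(master_key, nonce, b"cookie", ct, tag)
    if pt is None:
        return None
    return pt[2:2 + KEY_LEN], pt[2 + KEY_LEN:2 + 2 * KEY_LEN]


class NtsKe:
    """The pool's NTS-KE: the only party whose TLS certificate the client checks."""
    def __init__(self, assigned_server: str, master_key: bytes):
        self.assigned_server, self.master_key = assigned_server, master_key

    def handshake(self, tls_exporter_secret: bytes):
        c2s, s2c = export_keys(tls_exporter_secret)
        cookies = [make_cookie(self.master_key, c2s, s2c) for _ in range(8)]
        return self.assigned_server, cookies      # "Server Negotiation" record + cookies


class NtpServer:
    """An NTP server; legitimate only if it shares the KE's cookie master key."""
    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def respond(self, request):
        keys = open_cookie(self.master_key, request["cookie"])
        if keys is None:
            return None                           # cannot open the cookie: not the KE's server
        c2s, s2c = keys
        if not hmac.compare_digest(prf(c2s, request["uid"] + request["cookie"]), request["tag"]):
            return None                           # request not authenticated under c2s
        reply = {"uid": request["uid"], "body": b"transmit-timestamp-placeholder",
                 "cookie": make_cookie(self.master_key, c2s, s2c)}
        reply["tag"] = prf(s2c, reply["uid"] + reply["body"] + reply["cookie"])
        return reply


def client_exchange(ke: NtsKe, servers: dict, tls_exporter_secret: bytes) -> bool:
    """KE handshake, then one NTS-protected NTP exchange with the named server.
    True only if the reply verifies under s2c; no certificate for the server is used."""
    c2s, s2c = export_keys(tls_exporter_secret)  # same exporter output as the KE side
    server_name, cookies = ke.handshake(tls_exporter_secret)
    uid = os.urandom(32)
    request = {"uid": uid, "cookie": cookies.pop()}
    request["tag"] = prf(c2s, uid + request["cookie"])
    reply = servers[server_name].respond(request)
    if reply is None or reply["uid"] != uid:
        return False
    return hmac.compare_digest(prf(s2c, reply["uid"] + reply["body"] + reply["cookie"]), reply["tag"])


def run(rogue: bool) -> bool:
    """rogue=True: the assigned name resolves (e.g. via spoofed DNS) to a host
    without the KE's master key. It cannot authenticate and the client rejects it."""
    master = os.urandom(32)
    ke = NtsKe("ntp1.pool.example", master)
    servers = {"ntp1.pool.example": NtpServer(os.urandom(32) if rogue else master)}
    return client_exchange(ke, servers, os.urandom(32))
```

`run(False)` returns True and `run(True)` returns False: the rogue host fails at the cookie, before it can even see c2s, which is the property the reply above relies on. The model deliberately leaves out what real NTS adds on top (AES-SIV, the NTP packet layout, cookie rotation and the uniqueness check on the Unique Identifier field).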