> I had the same problem, just change this
> ntpd/nts_client.c: const char *label = "EXPORTER-nts/1";
> To this:
> ntpd/nts_client.c: char *label = "EXPORTER-network-time-security/1";
> Then it worked for me.
OK. I just pushed a fix. That will break things until everybody gets updated.
I assume this is a known problem, but just in case...
I'm getting things like this:
Job #183070318 ( https://gitlab.com/NTPsec/ntpsec/-/jobs/183070318 )
Stage: build
Name: openSUSE-leap-basic
Trace: to unblock using this file on your own risk. Empty input will discard
the file.
Unblock or
zoo.weinigel.se:4447 works
I think it's using the default port 123 since I don't see a message announcing
a different port.
zoo.weinigel.se:4446 gets through NTS-KE but no response to NTP
nts-test.strangled.net:443 gets through NTS-KE, but no response to NTP
--
These are my opinions. I
> The port assignment thing is much more important.
Yes, but not going to happen this weekend.
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
> Wireshark not happy with the NTPsec NTP out packets:
Probably some sort of confusion with NTP extension type assignments. We are
using some numerical values that somebody pulled out of the air.
On the other hand, Wireshark seems to think it knows something about some of
them.
> File
The server response wasn't setting up the right length for the encrypted part.
The client receive side didn't use that field but computed the length another
way so it didn't discover the bug.
> I'm even happier if waf autodetects too old openssl. We can't just support
> the latest/coolest/shiniest
It works with all the old systems I have access to. That includes some that
are older than yours. (where age == version number rather than calendar)
I don't have access to Solaris or
> > > 2019-03-22T12:55:52 ntpd[10362]: DNS: Server skipping:
> > > 2001:470:e815::23
> Looking at this again, when kong connects to pi3, there is no duplicate
> connection.
Then where did that skipping come from? Either there is some other server
slot that has that IP Address, or the NTS
> Uh, oh. You mean I can't have both an NTS and a non-NTS connection to the
> same address? I want that to compare latency and jitter. That needs a very
> clear error message.
Nope. It might be possible to change, but I doubt if it's worth the effort.
You can compare -4 with -6.
I've
>> I have 1.1.0j (Debian) talking to 1.0.2o (FreeBSD)
>> Works.
> And vice-versa?
Yes.
>> 2. A way to see both the NTS name/IP and matching NTPD name/IP
2019-03-22T12:55:52 ntpd[10362]: NTSc: nts_probe connecting to
pi3.rellim.com:123 => [2001:470:e815::23]:123
Is that enough?
> I don't care if it is ntpq, ntpmon, log files, whatever. Right now I don't
> know how to get the info any way.
I still don't know what you want.
I've tried hard to make sure that everything interesting is in the log files
while at the same time not making things too verbose. Please look
>>> Gentoo unstable is on 1.1.0j. Stable is on 1.0.2r.
>> I'd expect that case to work.
> Me too.
I have 1.1.0j (Debian) talking to 1.0.2o (FreeBSD)
Works.
>> Do you get an interesting error message?
> Nope. The client gets the 8 cookies, but the NTPD fails, silently.
Does the 8 count
> What's your environment? I'm passing "ntp" to getaddrinfo.
> Ah, that's the bug. Don't do that. There is no official tcp/ntp port
> assigned. So trying to look it up is not going to work well...
For "not going to work", it took a long time to fail.
Fix pushed.
> Feature requests:
> 1. selectable TCP ports for NTSc and NTSs.
The client side already works. Use
server ntp.example.com:1234 nts
The server side should be easy to add.
> 2. A way to see both the NTS name/IP and matching NTPD name/IP
I'm not sure what you are asking for. It sounds like
You can see a bunch of counters with:
ntpq -c nts
I hope the names are good enough.
> No rest for the helpful: How do I check if I am an NTS server?
The real check is that somebody can connect to your server.
Other maybe helpful sources of info:
netstat -tl
Should show:
tcp0 0 0.0.0.0:ntp 0.0.0.0:* LISTEN
tcp6 0 0
> Been running for a few hours now. ntpq -pn output:
...
> And the log is here: https://pastebin.com/fM9uDwVi
Thanks.
> 2019-03-22T03:56:32 ntpd[21039]: NTSc: nts_probe: DNS error trying to contact
> pi3.rellim.com: -8, Servname not supported for ai_socktype
What's your environment? I'm
> I found why my pi3 can NTS connect to my kong, but not vice versa.
> My pi3 is running OpenSSL 1.0.2r
> My kong is running 1.1.0j
> Gentoo unstable is on 1.1.0j. Stable is on 1.0.2r.
I'd expect that case to work. Do you get an interesting error message?
[I think I can setup something
>> It was a big/long gpsd log file. Was there something in particular I
>> was supposed to look for?
> Yeah, the munged IPv6 logs that do not tell me the remote IPv6 address.
It's a gpsd log file, not from ntpd.
[IPv6 truncated printout]
> I'll go scan the NTS code.
> Thanks. Funny what
>> Try -n
> Doesn't that just log in the foreground instead of to the log?
> Any other benefit?
The -n was for ntpq/ntpmon to get IP Addresses rather than names.
> Then I forget which, but there are services I run that need matching forward
> and reverse.
I'm rough on this area. I think
> True, but I need something to help me debug NTS.
Try -n
>> You might be able to get what you want if the reverse DNS
>> has a 4/6 in the name. I'm not a wizard in this area.
> Which breaks Lets Encrypt. Not gonna do that.
I setup Lets Encrypt last night without reverse DNS.
> Sort of.
>> No, it's the far end IP address and the local interface you use to
>> get there.
> Look again:
> 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from [2001:470:e815::%3=
> =3D 589492224]:50860
> What IPv6 address do you think that is?
Maybe it's truncated?
I haven't figured out what's
> So it is the near end network, not the far end IP? I'd really like to know
> the far end IP.
No, it's the far end IP address and the local interface you use to get there.
> And what is the equal sign and the thing after it?
=3D is mail escape stuff. 3D is hex for =. = is the escape
> Hmm, I've got issues. Would be nice if ntpmon showed the IPv4/ipv6 status.
That's not a NTS issue. (Yes, it would be nice if we could improve it, but
not high on my list.)
You might be able to get what you want if the reverse DNS has a 4/6 in the
name. I'm not a wizard in this area.
>
It was easy to find where the DNS code got it, but I didn't trust/understand
what was going on. It was an interesting adventure to trace -4 and -6 through
the parser and configuration code.
> 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from [2001:470:e815::%3=
> 589492224]:50860
> Wow, that is one wacky IPv6 address! Bad format string?
The % stuff is telling you which network interface it is associated with. At
the ping level, you can use things like xx%eth0 to
> I added nts-ke to: pi3.rellim.com, see how that works for you.
Works.
[-4, -6]
> Ah, there it is right on the man page. I can't try it until the crash bug is
> gone.
It doesn't work yet. That's why I needed testers. Thanks for finding it.
> Odd, I tried it yet again, and this time it
> Uh, no. You can get easily get the FQDN from the IP.
That adds DNS to the security chain. Doesn't sound good to me. It might work
if you are using DNSSEC. Complicated.
> Also, since there is no way to specify IPv4 or IPv6, the only way I can make
> this work is by IP.
> You need to add a
> server 204.17.205.8 nts maxpoll 5 # spidey
> Now the server starts as before, then, silently dies...
Usually it logs a useful message before it exits. If you can't find one,
please try gdb.
It doesn't make sense to use "nts" with an IP Address if you expect to do
certificate checking.
>> As long as the old cookies on the client are used in NTP packets soon
>> enough and hence traded in for new cookies, there is no need for a
>> NTS-KE type rekey.
> Yeah, I had missed that. So I agree your concept looks good so far.
Not my concept. Straight out of the book. (draft?)
> I added this to my ntp.conf:
> nts enable
> cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
> key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
> Fail.
You need "nts" in front of the cert and key. Or else one loong line. There
is no "cert" top level command.
If
Gary said:
>>> Only if you figure out how to not have a huge daily rush to rekey.
>> Under normal conditions, there is never any need to rekey.
> We've gone around on that many times before. We disagree.
> Using the same master key (with a ratchet) will eventually give the attacker
> enough
Gary said:
> Only if you figure out how to not have a huge daily rush to rekey.
Under normal conditions, there is never any need to rekey.
The server holds 2 cookie keys. When it makes a new key, the current key gets
moved to the old key and the previous old key is lost.
Cookies using either
I've been testing with self-signed certificates. It's time to shift to real
certificates. They need a FQDN which I don't have, so it's time to get a
domain. (I want one for other reasons anyway.) Anybody have suggestions for
vendors? Low cost is obviously good, but so is low hassle and
Gary said:
> I'm waiting for Gentoo to have the required openssl version.
It should work -- unless Gentoo is using something really pre-historic. There
are a handful of #ifdef-s to handle old versions. NetBSD 8 ships with 1.0.2k.
I test that. It builds on 1.0.1, but I'd have to check to
Is anybody else testing things?
I just fixed the cookie-key timer so that it actually rotates cookies. You
need to delete your current cookie file at /var/lib/ntp/nts-keys
The timer is set to an hour rather than a day. So if your clients poll
interval gets up to 1024, it will use some old
Is that the right thing to do? Most of our stuff gets installed in
/usr/local/ and similar where it doesn't overwrite any system files.
ntpd.service is the only exception I know of.
---
If we are going to install it, can we bypass the install if the currently
installed file is
There is another big worm in that can.
libntp/lib_strbuf allocates strings for temporary use. It's simple,
round-robin from an array. There is no garbage collection. That works if the
array is big enough.
Actually, "big enough" only works in the single threaded case.
It's used for things
Eric: Add this discussion to your background info for the great REFCLOCK
cleanup.
There is an optional control slot in the refclock dispatch vector. It's used
for both reading and writing driver specific variables including fudging. The
outer layer handles most fudging.
Should strings be copied over?
case T_Cert:
my_node->ctl.nts_cfg.cert = option->value.s;
break;
case T_Cert:
ntsconfig.cert = estrdup(nts->value.s);
break;
Should we free up
> Can you check if it happens in: 41427efeec and 1ac4406fb5 ?
I don't have any DCF77 gear. You can probably test it as easily as I can.
Try setting one up with a serial port that isn't connected to anything.
> clock_var_list="name,timecode,poll,noreply,badformat,baddata,fudgetime1,fudget
> ime2,stratum,refid,flags,device,clock_var_list,refclock_ppsskew,refclock_ppsti
> me,refclock_time,ref clock_status,refclock_format,refclock_states,,\x0c\x0c\x0
> 1,\x01",
refclock_ppsskew is only in
> I thought that you, Gary, and I were in favor of random keys (as opposed to
> ratchet), nobody was speaking against that, and nobody was in favor of
> ratcheting (at least in a non-pool case).
Ahh... I haven't written the ratchet code. It's not high on my list, But
I'm trying to keep the
Gary said:
>>> Is /etc/ssl/certs somewhat standard? at least for the root certs?
>> Somewhat, but I don't know to what extent the contents of it are
>> standard.
> We are making the standard.
No we aren't. We are using whatever OpenSSL and the distro support.
Looks messy. We'll have to
> Here's a proposal off the top of my head:
> 1) server private key = SYSCONFDIR/ntp/nts.key
> 2) server certificate = SYSCONFDIR/ntp/nts.crt
> 3) cookie key file= LOCALSTATEDIR/lib/ntpkeys
We would have to add things like SYSCONFDIR to config.h.
The certificate and private key should
man trust may be interesting.
> Is /etc/ssl/certs somewhat standard? at least for the root certs?
That's where they are on Debian - lots of stuff.
It looks like the directory format that libssl is expecting - a hash links to
a sensible name. Example:
67495436.0 ->
rlaa...@wiktel.com said:
>> The draft suggests a way to derive the next key from the current key.
> I thought there was a rough consensus here to avoid that, using
> fully-random keys each time.
I don't remember that. Any chance you can find it in the archives?
Gary said:
>> So maybe master.keys?
> Works for me. Hal?
Seems misleading to me. There is nothing master-ish about it. It only lets
you unlock a subset of the cookies associated with a single system.
> I care to reduce the vocabulary, and to make the vocabulary match the
> Proposed RFC.
Gary said:
>>> Let us not call it the "cookie key", let's use the terminology of
>>> the RFC.
>> Please suggest a file name.
> Just for grins: /usr/local/etc/ntp/keys.conf
Why the "etc"?
"conf" suggests a manually edited configuration file.
"keys" doesn't distinguish it from the certificate key.
> Let us not call it the "cookie key", let's use the terminology of the RFC.
Please suggest a file name.
>> I'm assuming that the system defaults will cover 99+% of the normal
>> cases. I don't have to do anything special for my browser to work.
> Because your browser includes its own cert
> I can't find that in the Proposed RFC. Got a citation?
Bottom of page 21. Last paragraph of section 5.
> And what is the point of storing cookies and K/I pair together? The client
> has no K/I pair. A server is to regenerate the cookies from K/I pairs.
> Mixing the roles is bad.
I didn't
Gary said:
> Why do you need a cookie file? I would think those should never be stored.
> Ever.
The cookies are sent from client to server in the clear.
It's the "cookie key" file, not a cookie file. Do you have suggestions for a
better name?
It holds the K/I used to decode cookies -- but
The client side is easy: just add "nts" to the server line. There are no
parameters needed so the initialization for the client side just works.
That assumes the certificates for the servers you want to use are covered by
the default root certificates on your system.
For the server
> If the cookie key file is unexpectedly removed, what other useful option is
> there? If the file was permanently deleted, there's really nothing to be done
> but re-create it anyway.
The question is does the admin know something happened.
> Also, by the way, the cookie key file is storing
Eric said:
> This raises an interesting point. ntpd can now tell when its on first
> startup (absence of this file). I'm not a fan of this kind of statefulness -
> worked hard at avoiding it in GPSD - but since NTS's requirements stick us
> with it there's a question: what else should trigger
e...@thyrsus.com said:
>> Can we and/or should we make the default file names OS dependent?
> I recommend trying to avoid that. Follow the Filesystem Hierarchy Standard
> and let other OSes be their local packagers' problem.
That seems reasonable, but only if you provide an easy way for the
Gary said:
> Remember, user installed codes should NEVER use /usr or /var.
> I do realize this is a rule frequently violated, but given how often users
> install both the distro ntpd/gpsd and the source ntpd/gpsd it is good to keep
> their files in different places.
Interesting. But this is
> Documentation isn't a problem. The docs can and should get the same waf subst
> behavior anyway. So the docs should always mention the paths that match how I
> built my ntpd.
That gets interesting. Many copies of documentation end up on the web. Can
we arrange things so the default says
Gary said:
>> Or, we could fix SHM so the client side is read-only.
> As Eric has said: Changing the SHM protocol is not an option.
I believe there is a reasonable way to do it.
GPSD writes to both old and new forms.
ntpd supports two drivers (or a mode bit)
If you want to add SHM via
Gary said:
> My idiosyncratic read of the FHS would, by default, put the master keys in
> /usr/local/var/lib:
Is that a typo? There is no /usr/local/var/ or /usr/var/ on Fedora or Debian.
> We can pick a default, but no default would be fine for most linux.
> It needs to be configurable for
Gary said:
>> What would ntpd need root for?
> SHM(0) and SHM(1).
That would mean that you would have to restart ntpd to add SHM drivers.
Or, we could fix SHM so the client side is read-only.
The comments in ntpd.c
#ifdef ENABLE_EARLY_DROPROOT
/* drop root privileges */
/* This
>> Where should we put the file used to store the key used to make cookies?
It
>> gets read at startup and updated daily.
> Nowhere. Those keys are ephemeral and shouldn't be stored at all, except
> maybe for debugging.
They are needed to use old cookies after restarting ntpd.
A side
> One problem that just occurred to me is that any actual restart will have to
> be done with dropped privileges already. The PID shouldn't change during
> restart anyway, so maybe that's taken care of already.
Currently, one of the privs it drops is being able to change privs so there is
no
Where should we put the file used to store the key used to make cookies? It
gets read at startup and updated daily.
Fedora and Debian put things like that in /var/lib/ntp/
NetBSD and FreeBSD put them in /var/db/ntp/
There used to be a man/web page with a list of the default file names. I
Interesting, but...
Why isn't refclock_gpsd a good example?
Is there a good package for working with JSON?
I'm not convinced that NTP is a good example. Sure, in hindsight, we can see
some problems, but it's not obvious to me that JSON is the answer. Are there
any interesting alternatives?
Achim said:
> In a nutshell, SIGHUP is already taken, but USR1 and USR2 are still
> available. The idea is that one of these does the equivalent of
> re-configuring via ntpq or a restart without loss of internal state (as far
> as possible).
USR1 and USR2 are already used to bump the debug
James Browning said:
> It would pave the way to be rid of the symmetric signing mess though.
What symmetric signing mess?
dfoxfra...@gmail.com said:
> The intended design for running NTS with pool servers is that only the pool
> operator runs an NTS-KE server. The NTS-KE server then picks an NTS-enabled
> NTP server out of the pool and serves you an appropriate NTPv4 Server
> Negotiation Record. Individual server
Eric said:
>> I don't want the UI side of HTTP in ntpd.
> I'd like to understand better what you mean by "the UI side" and
> what your objection is.
Web stuff is complicated. We'll get into UI wars.
You can't easily script things.
If you want a web UI, we should build that on top of Mode 6
dfoxfra...@gmail.com said:
[using ALPN]
> I've never tried it myself, but I think Nginx can handle this. Use
> ngx_stream_ssl_preread_module to check ALPN, then based on what's there
> either terminate TLS locally or forward traffic at the TCP layer to some
> other port on ::1. AFAIK Apache
> Maybe this isn't a good path to go down after all.
This has been requested for a long time. I think it's worth the effort. We
just have to find the right person (team?) and the right time.
It may involve cleaning up that area, but that's not bad. Or maybe just
rearranging, or maybe just a
wscript says MacOS doesn't have it.
timer_create seems pretty basic. Is that still accurate? Or perhaps leftover
from an old version that is no longer supported?
Gary said:
> But I would like something like SIGHUP to get ntpd to re-read the config file
> and yet keep state.
I think something like that is possible. It's not simple, but not horrible.
The HUP logic is there. It works for a new leap file and new log file when it
gets rotated.
The
> The spec already mandates that ALPN always be used and allocates a tag with
> IANA.
My call to
SSL_CTX_set_alpn_protos(client_ctx, alpn, sizeof(alpn));
is inside
#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
> tcp/123 is already a new firewall hole. If you want to work around
>
Eric said:
> You yourself advocated that Mode 6 ought to be replaced by an HTTP service on
> TCP port 123. I think that's a good idea, if we can do it. The problem is
> than NTS-KE *also* wants to have TCP 123.
I don't want the UI side of HTTP in ntpd.
> What that says to me is that whatever
> There is one interesting area that it doesn't cover. The kernel (on most
> OSes) has an optional PLL that locks on to a PPS source. ntpd acts as a
> sanity check and turns that on and off. If we want to use that mode, we need
> a back channel, or an ugly wart in ntpd. We can probably get
> The intended design for running NTS with pool servers is that only the pool
> operator runs an NTS-KE server. The NTS-KE server then picks an NTS-enabled
> NTP server out of the pool and serves you an appropriate NTPv4 Server
> Negotiation Record. Individual server operators, on a one-time
e...@thyrsus.com said:
>> Do you have an example of where we need to change a
>> driver variable on the fly?
> No, I'm bothered because I'm (a) not sure we'll never need to do it, and (b)
> pretty sure what the Dread God Finagle will arrange if I assume we won't. :-)
I just looked at the code.
e...@thyrsus.com said:
> The two most obvious pain points here are the fudgetime variables. Some
> refclocks set their own custom clock variables, as well; the generic driver
> in particular, I think one other as well.
The fudgetime variables can remain in ntpd.
If the problem is the driver
dfoxfra...@gmail.com said:
> If you try to measure the cost of the authentication code using log messages
> you're going to get total noise, because the cost of logging a message is
> higher than the cost of doing the authentication. Each invocation of AES-SIV
> should take, in round numbers,
dfoxfra...@gmail.com said:
> One thing to keep in mind is that if the client is using SO_TIMESTAMP but the
> server isn't, or vice versa, you're going to introduce a persistent
> inaccuracy on the order of a microsecond, due to the resulting asymmetry in
> the point at which the timestamp is
rlaa...@wiktel.com said:
> CNAMEs don't really help. Certificate validation uses the original name
> anyway.
I was assuming we could intercept the CNAME and use that for certificate
validation. Maybe I should have said SRV or TXT or ???
The normal getaddrinfo and friends automatically
Gary said:
>> I would assume that critical infrastructure would be run in a less
>> insecure environment.
> Bad assumption. Just look at any data center. There is no way to secure
> customer machines. Unless you get rid of the customers.
Right. But why would you run your NTS-KE server on a
e...@thyrsus.com said:
>> You need it to verify that you don't need it.
> Interesting point. How do you account for the fact that nobody noticed when
> it was accidentally disabled for six months, though? Definitely the kind of
> thing I'd expect either you or Gary to pick up on, if it made an
Eric said:
>> I don't understand. All I was trying to say is that splitting
>> out the refclock drivers to another process shouldn't make
>> any difference that is easily visible.
> Maybe. The devil is in the details.
> I expect some issues around Mode 6. We'd still need to exchange control
>
Gary said:
> Think data center. The data center controls the LAN, but the customers
> control what is in the containers. Or the hacker that used the latest
> Wordpress bug to take over the container. And breaking out of a container
> to infect the motherboard is not that hard.
I would
Eric said:
> Trying to change that by breaking out a separate NTS-KE server would
> introduce a lot of complexity when we could achieve the same result by
> pointing the ntpd instances at a common key on a fileshare.
That adds the fileshare to the security tangle and probably complicates the
Gary said:
>> Otherwise, either do full validation or don't bother with NTS
>> at all. Pinning counts as full validation.
> I'd be happy if we had per host pinning instead of "noval".
How is per-host pinning normally implemented?
We have the option to use a local file of trusted/root
>> There is no security in the pool anyway, so let's put that discussion
>> aside for a while.
> I'd take exception with that statement. If the pool was upgraded to use NTS
> one way or the other, it _would_ provide some extra security over the status
> quo. It's a different kind of security
> We've established not so long ago that a single NTP server can serve a lot of
> clients. The number of servers is driven by the network topology more
> likely, i.e. say you want one NTP server per network span or subnet, so the
> server has low latency to each of its clients and doesn't send
e...@thyrsus.com said:
>> My strawman for REFCLOCKD is something like the Turing test.
>> You can't tell the difference by poking around with ntpq. (Maybe
>> you don't get to poke too deep.)
> It'd need its own UDP port.
I don't understand. All I was trying to say is that splitting out the
I will be seriously disappointed if you drop that code.
You need it to verify that you don't need it.
Some of us are interested in that level of detail. If you start removing
things like that, I will probably spend less time here.
Your comments in the tour document are biased. (I'm
My strawman for REFCLOCKD is something like the Turing test. You can't tell
the difference by poking around with ntpq. (Maybe you don't get to poke too
deep.)
There are two parts to the refclock code.
The first operates on the second time scale. The main thread calls the
refclock
Eric said:
> I meant to mention that there are actually *two* big benefits in prospect
> from a Go port. The obvious one is being able to junk a lot of fiddly,
> error-prone C memory-management stuff.
I'm actually surprised that you haven't simplified a lot of that yet.
There are several
k...@roeckx.be said:
> If this is something you're worried about, this can be solved with the
> interleave mode, which was removed.
How well does it work?
Is there an option to get a kernel timestamp on transmit packets?
> Let me take a different tack: can we move the auth computation off path?
Nope. The auth includes the whole packet. Can't do the auth until you know
the time that you are going to put in the packet.
We can measure how long it takes and advance the time to compensate.
devel@ntpsec.org said:
> Partial validation means you don't follow the cert chain to the root. In the
> off-net scenario, it means you stop following the chain when you'd have to go
> outside the network perimeter you're in. ...
>
Achim Gratz said:
>> Why do we need a standalone NTS-KE server?
> Because you only want one NTS-KE per any number of ntpd on a large fleet of
> hardware (think a warehouse full of compute racks) and of course the NTP pool
> servers will not work with NTS any other way.
There is no security in
Gary said:
>> Which ones do you intend to relax? And in any case you don't need a
>> whole CA, you can pin a self-signed cert and still do full validation
>> on it.
> Except we can't. The current NTPsec code does not support any cert
> fanciness.
For some value of "any" or "fancy".
You can
e...@thyrsus.com said:
>> My big concern is that nobody else seems to be testing it. There may be
>> dragons that I haven't poked.
> Understood. Unfortunately I myself can't be much help here - my outside view
> of NTP is still weak, I have only limited ability to recognize what normal
>