* Henning Brauer <hb-openbsdt...@ml.bsws.de> [2015-02-10 13:21]:
> * Kevin Chadwick <ma1l1i...@yahoo.co.uk> [2015-02-10 13:14]:
> > On Tue, 10 Feb 2015 10:55:53 +0100
> > Reyk Floeter wrote:
> > > The standardized attempts to add authentication to NTP are a) fairly
> > > horrible (ASN.1 etc.) and b) rarely deployed.
> > When ntpd acts as a server, could the package signing code be of use
> > with ntpd keys?
> getting the signature into the ntp packets in a way that doesn't break
> compatibility is the challenge.

let me elaborate slightly: even if we came up with an überauth mechanism
that doesn't suck and doesn't break compat, it wouldn't be of much use
unless the servers you sync from support it - one of the pools for most.
even if you could completely trust them and whatever model of key
distribution, for them to support this, you have to get it standardized.
and even if we managed to get it pushed through the standards
corpses^Wbodies, it would take ages until it gets deployed, IF it ever
gets widely deployed.

That's a lot of ifs, I leave the judgement on likeliness to you.

constraints from https, however - that works today.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/