On Thu, Mar 12, 2020 at 02:23:54AM -0700, Hal Murray wrote:
> If all goes well, the NTS-KE step is very rare. The client gets 8 cookies.
> Each NTP exchange uses a cookie and gets back a new cookie. If an occasional
> packet is lost, the client can ask for extras. The NTP side just keeps
> running if the server's certificate expires.
If that's the case, I suggest that the draft should get changed so that the client takes the expiration date into account, and that the client does the NTS-KE at least every few days to check that the certificate is still the same/valid.

I also expect the client to do OCSP, and would urge the server to do OCSP stapling. The time to do a new NTS-KE could then depend on how long the OCSP response is valid.

Kurt

_______________________________________________
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool
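The re-keying policy argued for in this thread, written out as an added example (it is not code from the thread or from any NTS implementation): the client treats the cookie pool running low, the server certificate's notAfter, the stapled OCSP response's nextUpdate and a maximum interval of a few days as deadlines, and re-runs NTS-KE at the earliest of them. The interval, cookie threshold and safety margin are assumed values, and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed policy constants (not from the thread): re-key at least every
# few days, re-key before the cookie pool is empty, and stay clear of the
# exact expiry instants so that clock skew cannot leave a stale session.
MAX_KE_INTERVAL = timedelta(days=3)
MIN_COOKIES = 2
SAFETY_MARGIN = timedelta(hours=1)


@dataclass
class NtsKeState:
    last_ke: datetime                     # when the last NTS-KE completed
    cert_not_after: datetime              # server certificate expiry seen at that NTS-KE
    ocsp_next_update: Optional[datetime]  # nextUpdate of the stapled OCSP response, if any
    cookies: int                          # unused cookies on hand (8 after a fresh NTS-KE)


def next_ke_due(state: NtsKeState) -> datetime:
    """Earliest of: maximum interval, certificate expiry, OCSP response validity."""
    deadlines = [
        state.last_ke + MAX_KE_INTERVAL,
        state.cert_not_after - SAFETY_MARGIN,
    ]
    if state.ocsp_next_update is not None:
        deadlines.append(state.ocsp_next_update - SAFETY_MARGIN)
    return min(deadlines)


def ke_needed(state: NtsKeState, now: datetime) -> Tuple[bool, str]:
    """Decide whether the client should run NTS-KE now, and report why."""
    if state.cookies < MIN_COOKIES:
        return True, "cookie pool nearly empty"
    if now >= state.cert_not_after:
        return True, "server certificate expired"
    if now >= next_ke_due(state):
        return True, "scheduled re-key (interval, cert or OCSP window)"
    return False, "no NTS-KE needed"


if __name__ == "__main__":
    # Constructed sample: NTS-KE done on 2020-03-12, certificate valid for
    # 30 more days, stapled OCSP response good for 7 days, 8 cookies on hand.
    ke = datetime(2020, 3, 12, tzinfo=timezone.utc)
    st = NtsKeState(ke, ke + timedelta(days=30), ke + timedelta(days=7), cookies=8)
    print(next_ke_due(st))                      # the 3-day interval is the earliest deadline
    print(ke_needed(st, ke + timedelta(days=4)))
```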