On 01/06/2019 02:55 PM, Gary E. Miller via devel wrote:
Seems to me that Section 6 of the proposed RFC defines this pretty well.
Once you can figure out who Charlie (NTPD) and Delta (NTS-KE) are.

Partially. It gives an example of a way to do it, but no protocol or message scheme; just what the cookies could look like. It is missing the primary piece that you want in that section of the design.

Hardly qualifies as a transaction as there is no reciprocity (See the
dictionary).  In the dark past, either the NTPD told the NTS-KE what
keys to use, or vice versa.  Not even a need for an ACK.

Fair enough, I'm not versed in the terminology here.

"It's whatever is needed to verify the cookie from Alpha."
Yes, the blob as defined in Section 6.

Whatever needs to be communicated on that channel it can't be
verifying cookies and also be "only an occasional ???". Verifying
cookies means every single ntp packet that comes in to Charlie has to
be checked with Delta.
Nope.  Reread the Proposed RFC.  NTS-KE and NTP agree beforehand on
some long lived keys to use.  They actually don't need to 'agree'.
Either the NTS-KE tells the NTP, or vice versa.  Maybe no need for any
negotiation.  Then use them for hours, days, weeks or months.

Section 6 proposes a simple means to keep generating new short term
keys from old keys, so no need for further communication between the
NTS-KE and NTPD.  Just once is enough.

Not to say that it can't, or shouldn't, get a bit more complicated, but
it is not required.

Verifying /cookies/ would be NTPD asking NTS-KE for the data the cookie represents. The only reason to do that would be if NTPD never handles key storage / creation / ratcheting / etc itself and offloads all of that to NTS-KE.

That is the one option that has been universally shot down as bad. I've pushed an update to nts.adoc.

--
/"In the end; what separates a Man, from a Slave? Money? Power? No. A Man Chooses, a Slave Obeys."/ -- Andrew Ryan

/"Utopia cannot precede the Utopian. It will exist the moment we are fit to occupy it."/ -- Sophia Lamb

I work for the Internet Civil Engineering Institute <https://icei.org/>, help us save the Internet from Entropy!

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
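As an added illustration of the "agree on a key once, then ratchet" idea argued above (example code, not from the draft RFC, NTPsec, or either poster): NTS-KE and NTPD start from one shared master key, each derives the same chain of short-term keys on its own, and the cookie carries its key generation so NTPD can verify it without ever asking NTS-KE. The ratchet label, the cookie layout, and the HMAC keystream-plus-tag used in place of a real AEAD are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import struct

RATCHET_LABEL = b"nts-example-ratchet"  # assumed label, not from the draft

def ratchet(key: bytes) -> bytes:
    """One-way step: derive the next master key from the previous one."""
    return hmac.new(key, RATCHET_LABEL, hashlib.sha256).digest()

def key_chain(k0: bytes, generations: int) -> list:
    """Keys for generations 0..n-1; each side computes this on its own."""
    keys = [k0]
    for _ in range(generations - 1):
        keys.append(ratchet(keys[-1]))
    return keys

def seal_cookie(key: bytes, key_id: int, c2s: bytes, s2c: bytes) -> bytes:
    """NTS-KE side: cookie = key_id || nonce || enc(c2s || s2c) || tag.
    HMAC keystream XOR plus HMAC tag stands in for a real AEAD (assumed)."""
    if len(c2s) != 16 or len(s2c) != 16:
        raise ValueError("example uses 16-byte C2S and S2C keys")
    nonce = os.urandom(16)
    ks = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(c2s + s2c, ks))
    head = struct.pack(">I", key_id) + nonce + ct
    return head + hmac.new(key, b"mac" + head, hashlib.sha256).digest()

def open_cookie(keys: list, cookie: bytes):
    """NTPD side: select the key by generation, check the tag, recover
    (c2s, s2c). Returns None for unknown generation or bad tag."""
    if len(cookie) != 4 + 16 + 32 + 32:
        return None
    key_id = struct.unpack(">I", cookie[:4])[0]
    if key_id >= len(keys):
        return None
    key, head, tag = keys[key_id], cookie[:52], cookie[52:]
    expected = hmac.new(key, b"mac" + head, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = hmac.new(key, b"enc" + head[4:20], hashlib.sha256).digest()
    pt = bytes(c ^ k for c, k in zip(head[20:], ks))
    return pt[:16], pt[16:]

if __name__ == "__main__":
    k0 = os.urandom(32)                    # agreed once, out of band
    ke_keys, ntpd_keys = key_chain(k0, 4), key_chain(k0, 4)
    cookie = seal_cookie(ke_keys[3], 3, b"C" * 16, b"S" * 16)
    print(open_cookie(ntpd_keys, cookie) == (b"C" * 16, b"S" * 16))  # True
```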
