On Tuesday, 10.02.2015, at 12:35 +0000, Kevin Chadwick wrote:
> On Tue, 10 Feb 2015 10:55:53 +0100
> Reyk Floeter wrote:
> 
> > The standardized attempts to add authentication to NTP are a) fairly
> > horrible (ASN.1 etc.) and b) rarely deployed.
> 
> When ntpd acts as a server, could the package signing code be of use
> with ntpd keys?

How exactly? You cannot use signing for PSK, Private Cert GK as they
require peer-to-peer shared secrets. The rest of the autokey protocols
do not provide any usable identity checks anyway. Nice read:
http://zero-entropy.de/autokey_analysis.pdf

The HTTPS-based scheme is at least able to link a rough time constraint
to a PKI (which autokey is not even able to do) and it follows the
general design approach of OpenNTPd: Being simple and good enough for
most use cases.

-- 
David Dahlberg     

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
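
The following is an added example, not part of the original message and not OpenNTPD's code: a sketch of how a rough time constraint tied to a PKI can bound NTP replies. It assumes the constraint comes from the Date header of an HTTPS response fetched over a certificate-validated TLS connection. The function names, the 30-second margin and the sample peers are hypothetical.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

MARGIN = 30.0  # assumed tolerance in seconds; the constraint is only "rough"


def offset_bounds(date_header, t_sent, t_recv):
    """Bound (true time - local clock) from an HTTP Date header.

    t_sent / t_recv are local-clock timestamps taken just before the request
    and just after the response. The header has 1 s resolution, so the server
    clock read somewhere in [D, D+1) at a local instant in [t_sent, t_recv].
    """
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:          # "-0000" parses as naive; HTTP dates are UTC
        dt = dt.replace(tzinfo=timezone.utc)
    d = dt.timestamp()
    return d - t_recv, d + 1.0 - t_sent


def filter_ntp_offsets(samples, bounds, margin=MARGIN):
    """Split (peer, offset) samples into those inside and outside the bounds."""
    lo, hi = bounds
    accepted, rejected = [], []
    for peer, offset in samples:
        ok = lo - margin <= offset <= hi + margin
        (accepted if ok else rejected).append(peer)
    return accepted, rejected


# Constructed sample data: unauthenticated NTP offsets in seconds.
SAMPLES = [
    ("ntp-a.example", 120.4),
    ("ntp-b.example", 120.9),
    ("ntp-c.example", -86400.0),   # reply that would set the clock back a day
]

if __name__ == "__main__":
    header = "Tue, 10 Feb 2015 12:35:00 GMT"             # constructed response
    d = parsedate_to_datetime(header).timestamp()
    bounds = offset_bounds(header, d - 120.2, d - 119.9)  # local clock ~2 min slow
    print(bounds, filter_ntp_offsets(SAMPLES, bounds))
```

The NTP replies themselves remain unauthenticated; the TLS-derived bounds only limit how far a forged reply can move the clock.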
