On Tue, 10 Feb 2015 13:03:27 +0000 David Dahlberg wrote:
> > > The standardized attempts to add authentication to NTP are a) fairly
> > > horrible (ASN.1 etc.) and b) rarely deployed.
> >
> > When ntpd acts as a server, could the package signing code be of use
> > with ntpd keys?
>
> How exactly? You cannot use signing for PSK, Private Cert GK as they
> require peer-to-peer shared secrets. The rest of the autokey protocols
> do not provide any usable identity checks anyway. Nice read:
> http://zero-entropy.de/autokey_analysis.pdf
>
> The HTTPS-based scheme is at least able to link a rough time constraint
> to a PKI (which autokey is not even able to do) and it follows the
> general design approach of OpenNTPd: Being simple and good enough for
> most use cases.
I was meaning just for internal OpenBSD use between ntpds really (you would still need a trusted or checked source with a decent crystal) without resorting to handing axes out, outside the standards meeting with the time_t pdf link inscribed in the handle ;-).
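The "rough time constraint linked to a PKI" that the quoted message refers to works like this: an HTTPS response can only be obtained after the server's certificate has been validated, and the response carries a Date header, so that date becomes an upper/lower sanity bound for any time learned over unauthenticated NTP. The following is an added example written for this thread, not OpenNTPd's own code. It parses constructed Date headers from several hypothetical constraint hosts, takes their median, and rejects an NTP-derived time that falls outside an assumed tolerance (the 15-second margin is an illustrative assumption, not a value taken from the thread).

```python
"""Illustrative HTTPS-date constraint check for NTP responses (added example)."""
import statistics
from email.utils import parsedate_to_datetime

# Assumed tolerance, in seconds, between the constraint median and an NTP
# sample before the sample is treated as implausible. Illustrative value only.
CONSTRAINT_MARGIN = 15


def parse_http_date(header: str) -> float:
    """Turn an RFC 1123 Date header value into seconds since the Unix epoch.

    The header is only meaningful if it came from a TLS connection whose
    certificate chain validated; that is what ties the date to the PKI.
    """
    return parsedate_to_datetime(header).timestamp()


def constraint_median(date_headers: list[str]) -> float:
    """Median of several constraint sources, so one odd host cannot dominate."""
    if not date_headers:
        raise ValueError("at least one constraint source is required")
    return statistics.median(parse_http_date(h) for h in date_headers)


def ntp_time_acceptable(ntp_time: float, date_headers: list[str],
                        margin: float = CONSTRAINT_MARGIN) -> bool:
    """Accept an NTP-derived absolute time only if it lies within `margin`
    seconds of the HTTPS-derived median; otherwise the sample is discarded.
    """
    return abs(ntp_time - constraint_median(date_headers)) <= margin


# Constructed sample Date headers, as if returned by three constraint hosts.
SAMPLE_HEADERS = [
    "Tue, 10 Feb 2015 13:03:27 GMT",
    "Tue, 10 Feb 2015 13:03:25 GMT",
    "Tue, 10 Feb 2015 13:03:31 GMT",
]

if __name__ == "__main__":
    median = constraint_median(SAMPLE_HEADERS)
    # An NTP reply a few seconds off is plausible; one an hour off is not.
    print("median constraint:", median)
    print("5s off accepted:  ", ntp_time_acceptable(median + 5, SAMPLE_HEADERS))
    print("1h off accepted:  ", ntp_time_acceptable(median + 3600, SAMPLE_HEADERS))
```

Note that this only bounds the time coarsely: HTTP dates have one-second resolution and include network latency, which is why the thread calls the constraint "rough" and why it supplements rather than replaces the NTP exchange itself.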