[ntp:questions] Problem using ntp autokey with the trusted certificate identity scheme
David Mills
mills at udel.edu
Tue Feb 17 15:41:54 UTC 2009
Alain,
The stime.pdf has been updated as an Internet Draft and has been in
the pipeline for some years, but has not yet appeared as an RFC. There
are some minor differences, but they probably do not affect you. I don't
know what you mean by indirect client; you probably mean a client with
a certificate trail to a trusted host. No problem with that.
My best advice is to use the development version and the documentation
included. The release version is all mixed up with file versions that
well might be incompatible. The development version documentation has
been substantially rewritten and the configuration is much simpler.
There are examples involving multiple nested trust groups that probably
apply to your design.
Dave
Bartholome, Alain wrote:
>In my opinion, a trust group consists of direct and indirect clients.
>
>I would like to get the correct definition.
>
>Let met give you the two arguments on which I base my understanding:
>
>In the ntp-keygen documentation, I read this sentence:
>
>1)
>--Trusted Hosts and Secure Groups
>--As described on the Authentication Options page, an NTP secure group
>--consists of one or more low-stratum THs as the root from which all other
>--group hosts derive synchronization directly or indirectly.
>
>2)
>In the stime.pdf documentation, the Figure 13: Trusted certificate (TC)
>scheme on page 42 and the Appendix E3 would let me think that indirect
>clients are permitted.
>
>I would like to have your understanding.
>
>Cordially
>
>Alain BARTHOLOMÉ
>
>
>
>-----Original Message-----
>From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On behalf
>of Steve Kostecke
>Sent: Friday 13 February 2009 03:58
>To: questions at lists.ntp.org
>Subject: Re: [ntp:questions] Problem using ntp autokey with the trusted
>certificate identity scheme
>
>On 2009-02-11, Bartholome, Alain <alain.bartholome at eads.com> wrote:
>
>>I have 3 systems, serverT1 which is trusted, server2 not trusted
>>connected to serverT1 and server3 not trusted connected to server2.
>>
>>I want to have one group with one trusted host serverT1.
>
>A trust group consists of one server and its direct clients. So for you
>to have one trust group server2 and server3 must be clients of serverT1.
>
>>Can you tell me what makes "the OP to set up a chain of 2 trust groups"?
>
>Your current NTP architecture is two trust groups.
>
>The first trust group has serverT1 as its server and server2 as its only
>client member.
>
>The second trust group has server2 as its server and server3 as its only
>client member.
>
>>As I read in the release documentation, a secure group in a subnet in which
>>the non trusted hosts derive synchronization directly or indirectly.
>>It seems that with the release version, with the trusted certificate the non
>>trusted hosts derive synchronization directly only. Is that right?
>
>Not as I understand NTP Authentication (based on my reading of
>stime.pdf).
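The three-host chain discussed in this thread (serverT1 trusted, server2 synchronizing to serverT1, server3 synchronizing to server2), written out as an added configuration example. It is not taken from the thread or from the NTP documentation and assumes an NTP 4.2.x Autokey build using the trusted certificate (TC) identity scheme, the hostnames used above, and the same crypto passphrase on all three hosts; the passphrase `example-pw` is a placeholder.

```conf
# ---- serverT1 (the trusted host, TH) ----
# Generate a host key and a self-signed certificate marked trusted:
#   ntp-keygen -T -p example-pw
# ntp.conf (upstream reference clock or servers for serverT1 omitted here):
crypto pw example-pw

# ---- server2 (not trusted, direct client of serverT1) ----
# Generate a host key and an ordinary self-signed certificate:
#   ntp-keygen -p example-pw
# ntp.conf:
crypto pw example-pw
server serverT1 autokey

# ---- server3 (not trusted, client of server2, indirect client of serverT1) ----
#   ntp-keygen -p example-pw
# ntp.conf:
crypto pw example-pw
server server2 autokey
```

Under TC, server3 does not need its own copy of serverT1's certificate: it obtains server2's certificate over the protocol, server2 in turn has serverT1's, and the trail is accepted once it ends at a certificate flagged trusted. On each client, `ntpq -c as` shows whether the association has completed authentication. Because the key file naming differs between the release and development versions, as Dave Mills notes above, all three hosts should run the same build.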