[ntp:questions] Problem using ntp autokey with the trusted certificate identity scheme

David Mills mills at udel.edu
Tue Feb 17 15:41:54 UTC 2009


Alain,

The stime.pdf has been updated as an Internet Draft and has been in 
the pipeline for some years, but has not yet appeared as an RFC. There 
are some minor differences, but probably do not affect you. I don't 
know what you mean by indirect client; you probably mean a client with 
a certificate trail to a trusted host. No problem with that.

My best advice is to use the development version and the documentation 
included. The release version is all mixed up with file versions that 
well might be incompatible. The development version documentation has 
been substantially rewritten and the configuration is much simpler. 
There are examples involving multiple nested trust groups that probably 
apply to your design.

Dave

Bartholome, Alain wrote:

>In my opinion, a trust group consists of direct and indirect clients.
>
>I would like to get the correct definition.
>
>Let me give you the two arguments on which I base my understanding:
>
>In the ntp-keygen documentation, I read this sentence:
>
>1)
>--Trusted Hosts and Secure Groups
>--As described on the Authentication Options page, an NTP secure group
>--consists of one or more low-stratum THs as the root from which all other
>--group hosts derive synchronization directly or indirectly.
> 
>2)
>In the stime.pdf documentation, the Figure 13: Trusted certificate (TC)
>scheme on page 42 and the Appendix E3 would let me think that indirect
>clients are permitted.
>
>I would like to have your understanding.
>
>Cordially
>
>Alain BARTHOLOMÉ
>
> 
>
>-----Original Message-----
>From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On behalf
>of Steve Kostecke
>Sent: Friday 13 February 2009 03:58
>To: questions at lists.ntp.org
>Subject: Re: [ntp:questions] Problem using ntp autokey with the trusted
>certificate identity scheme
>
>On 2009-02-11, Bartholome, Alain <alain.bartholome at eads.com> wrote:
>
>>I have 3 systems, serverT1 which is trusted, server2 not trusted
>>connected to serverT1 and server3 not trusted connected to server2.
>>
>>I want to have one group with one trusted host serverT1.
>
>A trust group consists of one server and its direct clients. So for you
>to have one trust group server2 and server3 must be clients of serverT1.
>
>>Can you tell me what makes "the OP to set up a chain of 2 trust groups"?
>
>Your current NTP architecture is two trust groups.
>
>The first trust group has serverT1 as its server and server2 as its only
>client member.
>
>The second trust group has server2 as its server and server3 as its only
>client member.
>
>>As I read in the release documentation, a secure group in a subnet in
>>which the non trusted hosts derive synchronization directly or indirectly.
>>It seems that with the release version, with the trusted certificate the
>>non trusted hosts derive synchronization directly only. Is that right?
>
>Not as I understand NTP Authentication (based on my reading of
>stime.pdf).
>
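Steve's per-server trust groups and Dave's "certificate trail to a trusted host" describe the same structure from two sides. The Python model below is added here as an illustration; it is not code from the thread, from ntpd or from ntp-keygen. The host names serverT1, server2 and server3 come from the question; the HMAC "signatures", the `trusted` flag on a certificate, and every function name are constructed stand-ins for the Autokey mechanisms, not their real formats. It walks the trail from each host up to the trusted host, so an indirect client such as server3 validates through server2, while a trail that ends at an untrusted self-signed certificate, a missing sign exchange or a tampered link does not.

```python
"""Toy model of the Autokey trusted-certificate (TC) trail. Constructed
illustration, not ntpd or ntp-keygen code: HMAC "signatures" stand in for the
public-key certificate signatures Autokey uses, and an issuer's key doubles as
its public key so the verifier can check a link."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    trusted: bool            # set only on a trusted host's self-signed certificate
    signature: bytes = b""

    def body(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{int(self.trusted)}".encode()

@dataclass
class Host:
    name: str
    server: Optional[str]    # the host this one synchronizes to (None at the root)
    key: bytes = field(default_factory=lambda: os.urandom(32))
    certs: Dict[str, Cert] = field(default_factory=dict)   # issuer name -> Cert

def sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def valid(cert: Cert, issuer: Host) -> bool:
    return hmac.compare_digest(cert.signature, sign(issuer.key, cert.body()))

def make_host(name: str, server: Optional[str] = None, trusted: bool = False) -> Host:
    """Every host starts with a self-signed certificate; only a trusted host
    (ntp-keygen -T) marks that certificate trusted."""
    host = Host(name, server)
    cert = Cert(name, name, trusted)
    cert.signature = sign(host.key, cert.body())
    host.certs[name] = cert
    return host

def sign_exchange(client: Host, server: Host) -> None:
    """Autokey sign exchange: the server signs the client's certificate, adding
    one link to the client's trail. The issued certificate is never trusted."""
    cert = Cert(client.name, server.name, False)
    cert.signature = sign(server.key, cert.body())
    client.certs[server.name] = cert

def verify_trail(name: str, hosts: Dict[str, Host]) -> Optional[List[str]]:
    """Follow the trail from `name` toward the root. Succeeds at a valid
    self-signed certificate marked trusted, however many hops away; fails on a
    bad signature, a missing sign exchange, or an untrusted self-signed root."""
    trail: List[str] = []
    current, seen = name, set()
    while current not in seen:
        seen.add(current)
        host = hosts[current]
        trail.append(current)
        own = host.certs[current]
        if own.trusted and valid(own, host):
            return trail                       # anchored at a trusted host
        if host.server is None:
            return None                        # untrusted root: no anchor
        issued = host.certs.get(host.server)
        if issued is None or not valid(issued, hosts[host.server]):
            return None                        # no sign exchange yet, or forged link
        current = host.server
    return None                                # cycle: no anchor reachable

def trust_groups(hosts: Dict[str, Host]) -> Dict[str, List[str]]:
    """Each server with its direct clients: the per-server view of the same trail."""
    groups: Dict[str, List[str]] = {}
    for host in hosts.values():
        if host.server is not None:
            groups.setdefault(host.server, []).append(host.name)
    return groups

def build_thread_topology() -> Dict[str, Host]:
    """serverT1 (trusted) <- server2 <- server3, the topology in the question."""
    t1 = make_host("serverT1", trusted=True)
    s2 = make_host("server2", server="serverT1")
    s3 = make_host("server3", server="server2")
    sign_exchange(s2, t1)
    sign_exchange(s3, s2)
    return {h.name: h for h in (t1, s2, s3)}

def build_unanchored_topology() -> Dict[str, Host]:
    """Same shape, but the root was never made trusted: the trail has no anchor."""
    root = make_host("root")
    client = make_host("client", server="root")
    sign_exchange(client, root)
    return {h.name: h for h in (root, client)}
```

Calling `verify_trail("server3", build_thread_topology())` returns the three-hop trail ending at serverT1, and `trust_groups` on the same hosts gives the two server/client pairs Steve lists; both views hold at once. Note what the model checks and what it does not: the TC scheme verifies the signature on every link of the trail, but it takes the trusted host's self-signed certificate as the anchor without proving who presented it; that proof is what the identity schemes described alongside the TC scheme in stime.pdf add.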