[ntp:hackers] A stop-gap authenticated time service
terje at tmsw.no
Mon Nov 16 00:45:36 UTC 2015
Poul-Henning Kamp wrote:
> Here is a summary of the very crude proof-of-concept experiment
> I left simmering the last week:
To me this seems like an invitation to advocate bare-bones HTTPS service
on as many pool servers as possible; the cheapest way to achieve this
would be to make the pool a CA, i.e. avoiding the cost of normal
Verisign etc. certificates.
This ntp CA would of course be compiled in to our code so that it would
be valid for this special form of sanity checking.
OTOH, what's wrong with just doing the same thing for authenticating
normal ntp requests?
If we limit the certificates we issue to hosts that have been part of
the pool for at least N months and behaved well during that period, it
would make it extremely hard to take over a plurality of the selected
(This obviously requires pool.ntp.org to support DNSSEC!)
- <Terje at tmsw.no>
"almost all programming can be viewed as an exercise in caching"