[ntp:questions] IFF autokey issue

David L. Mills mills at udel.edu
Fri May 11 01:29:56 UTC 2007


Garrett,

That's why the identity schemes are provided. See the Autokey protocol 
on the NTP project page and links from there. See 
http://www.eecis.udel.edu/~mills/proto.html.

While it is assumed the trusted host has both the trusted (self-signed) 
certificate and identity keys and a secure way to retrieve the encrypted 
keys, it is possible in principle, just like a conventional CA, to 
infiltrate a legitimate CA and assume its identity.

Dave

Garrett Wollman wrote:
> In article <slrnf41h14.te9.kostecke at stasis.kostecke.net>,
> Steve Kostecke  <kostecke at ntp.isc.org> wrote:
> 
> 
>>There is no Central Scrutinizer who decrees whether or not a server is
>>"authentic" or "trusted".
>>
>>The entity generating the host parameters marks them as trusted by using
>>the '-T' switch during the generation process.
> 
> 
> It is not up to the server operator whether clients should believe
> some random self-signed "certificate" proffered by a server (or
> someone masquerading as a server).
> 
> -GAWollman
> 



