[ntp:questions] Private certificate authentication

David L. Mills mills at udel.edu
Sun Sep 9 20:56:39 UTC 2007


Steve & Co.,

I'm uneasy about the usefulness of PC in its current form. It probably 
should be avoided in favor of ordinary symmetric keys. The problem is, 
once you distribute certificates it is really hard to update them 
throughout the network. Also, the MV scheme should be considered a work 
in progress; there is no good way to take advantage of the revocation 
property that this scheme provides. The ntp-keygen program needs new 
work for that.

I'm putting final touches on changes that should make the Autokey puppy 
much easier to configure and maintain, as well as providing multiple 
group hierarchies and multiple IFF/GQ schemes in the same host. The 
documentation has been revised, but the paint ain't completely dry.

Dave

Steve Kostecke wrote:
> On 2007-09-08, David L. Mills <mills at udel.edu> wrote:
> 
> 
>>Mike Toler wrote:
>>
>>
>>>Does anyone know where I can find an example of using Private
>>>Certificates for authentication of NTP servers (or can write a quick
>>>example of how to set it up)?
>>
>>Use -P -T options with the ntp-keygen program to generate parameters,
>>keys and a private certificate.
> 
> 
> On the trust group server, correct?
> 
> 
>>But, remember that the PC scheme is essentially a symmetric key
>>scheme.
> 
> 
> So the ntpkey_RSA-MD5cert_... file from the server then distributed to
> the clients.
> 



