[ntp:questions] Private certificate authentication
David L. Mills
mills at udel.edu
Sun Sep 9 20:56:39 UTC 2007
Steve & Co.,

I'm uneasy about the usefulness of PC in its current form. It probably
should be avoided in favor of ordinary symmetric keys. The problem is,
once you distribute certificates it is really hard to update them
throughout the network. Also, the MV scheme should be considered a work
in progress; there is no good way to take advantage of the revocation
property that this scheme provides. The ntp-keygen program needs new
work for that.

I'm putting final touches on changes that should make the Autokey puppy
much easier to configure and maintain, as well as providing multiple
group hierarchies and multiple IFF/GQ schemes in the same host. The
documentation has been revised, but the paint ain't completely dry.

Dave

Steve Kostecke wrote:
> On 2007-09-08, David L. Mills <mills at udel.edu> wrote:
>
>
>>Mike Toler wrote:
>>
>>
>>>Does anyone know where I can find an example of using Private
>>>Certificates for authentication of NTP servers (or can write a quick
>>>example of how to set it up)?
>>
>>Use -P -T options with the ntp-keygen program to generate parameters,
>>keys and a private certificate.
>
>
> On the trust group server, correct?
>
>
>>But, remember that the PC scheme is essentially a symmetric key
>>scheme.
>
>
> So the ntpkey_RSA-MD5cert_... file from the server then distributed to
> the clients.
>