[ntp:questions] All the members of a network are trusted ho sts

Bartholome, Alain alain.bartholome at eads.com
Mon Feb 16 09:58:32 UTC 2009

I have a network of about 200 servers which must be time synchronized with
I project to use Autokey with Trusted Certificate identity scheme.

I need to divide the network in trusted groups.

I lack arguments in order to decide how to define or select  trusted hosts
and groups among the network.

The definition of trusted host I found in the documentation is:

A trusted host has the lowest stratum in the group and has trusted
certificates (in my understanding, if ntp-keygen is used,  ntp-keygen -T was

Could you give a list of characteristics a trusted host should comply with?

-secured system (example the physical access to the system is controlled  ..
-The   server is a reliable source of time (even though it does not have the
lowest stratum of the network)

The documentation shows groups composed of 2 to 4 systems with a maximum of
3 levels (the trusted server connected to a non trusted server itself
connected to an other non trusted system.)
I plan to follow these rules.



-----Message d'origine-----
De : Danny Mayer [mailto:mayer at ntp.org] 
Envoyé : dimanche 15 février 2009 16:33
À : Bartholome, Alain
Cc : 'questions at lists.ntp.org'
Objet : Re: [ntp:questions] All the members of a network are trusted hosts

Bartholome, Alain wrote:
> Hi,
> Could you tell me what are the consequences especially from the  security
> point of view , if  all the members of the network which must be
> synchronized are trusted hosts, have trusted generated certificates.

Well you can rely on them when using the autokey protocol to provide you
with a reliable source of time.

> Does this make any  sense?
> Does this makes sense for  trusted certificate only?

It's a little hard to interpret since you haven't defined what you mean
by trusted hosts and trusted generated certificates. Are the trust hosts
trusted because you've used DNSSEC to find them, or some other method?
What is trusted about them? With certificates, who and what generated
the certificates and how were they distributed to other nodes?

Maybe a little more explanation of your needs would help so we can
answer the question.

> Thanks for your answer.
> _______________________________________________
> questions mailing list
> questions at lists.ntp.org
> https://lists.ntp.org/mailman/listinfo/questions

More information about the questions mailing list