[ntp:questions] IFF identity scheme on an intermediate server

Steve Kostecke kostecke at ntp.org
Mon May 11 17:40:43 UTC 2009

"Bartholome, Alain" said:

>I am confused with your client/server definition.
>(I copied the iffpar file to the "intermediate server", it is OK).
>I would like to have an example of use of the iff server key file.

The IFF Identity Scheme uses two files. For the NTP Development releases
these files are:

IFFkey - this is the server's private key. It _never_ leaves the server

IFFpar - this is the server's public key. It is distributed to all
members of this server's Trust Group

Each member of a Trust Group based on the IFF Identity Scheme needs to
have the Trust Group server's IFFpar file in addition to its own host
parameters (e.g. RSA-MD5cert and RSAkey).

You have two Trust Groups:

1. Server: "TH" Members: "intermediate"

2. Server: "intermediate" Members: "client"

In your case the intermediate server is both a member of the upstream
Trust Group (the TH is that Trust Group's server) _and_ it is the server
for the Trust Group which includes the client.

So, the intermediate system will have:

1. Its own host parameters:

2. Its own IFFkey: ntpkey_IFFkey_intermediate.nonce

3. The IFFpar file from the "TH" : ntpkey_IFFpar_trustedhost.nonce

Plus the usual sym-links.

The intermediate system gives its ntpkey_IFFkey_intermediate.nonce file
to the client.

Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project http://support.ntp.org/
Public Key at http://support.ntp.org/Users/SteveKostecke
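Added example, not part of this thread or of the NTP code base: a toy Python model of the IFF challenge/response math behind the two files, showing why the private IFFkey (b) stays on the group server while members only need the public IFFpar (v), with the intermediate host playing member upstream and server downstream. The group parameters, file/role names and function names are constructed assumptions.

```python
import secrets

# Toy group (constructed for this example; real Autokey IFF parameters
# come from ntp-keygen and are far larger). P = 2*Q + 1, G has order Q.
P = 2039
Q = 1019
G = 4


def iff_keygen():
    """Group server: private IFFkey b, public IFFpar v = g^(q-b) mod p."""
    b = secrets.randbelow(Q - 1) + 1
    v = pow(G, Q - b, P)
    return b, v            # b never leaves the server; v goes to members


def iff_challenge():
    """Group member: random nonce r sent to the server."""
    return secrets.randbelow(Q - 1) + 1


def iff_response(b, r):
    """Server: prove knowledge of b without revealing it (x sent in clear here)."""
    k = secrets.randbelow(Q - 1) + 1
    y = (k + b * r) % Q
    x = pow(G, k, P)
    return y, x


def iff_verify(v, r, y, x):
    """Member: g^y * v^r = g^(k + b*r - b*r) = g^k = x mod p only if b matches v."""
    return (pow(G, y, P) * pow(v, r, P)) % P == x


def two_level_demo():
    th_key, th_par = iff_keygen()          # TH: IFFkey stays, IFFpar distributed
    mid_key, mid_par = iff_keygen()        # intermediate: its own pair
    while mid_key == th_key:               # distinct groups for the demo
        mid_key, mid_par = iff_keygen()
    # intermediate as MEMBER of the TH group: holds th_par, challenges the TH
    r1 = iff_challenge()
    upstream_ok = iff_verify(th_par, r1, *iff_response(th_key, r1))
    # intermediate as SERVER of the client's group: client holds mid_par
    r2 = iff_challenge()
    downstream_ok = iff_verify(mid_par, r2, *iff_response(mid_key, r2))
    # a client holding the TH's IFFpar cannot verify the intermediate's key
    r3 = iff_challenge()
    cross_group = iff_verify(th_par, r3, *iff_response(mid_key, r3))
    return upstream_ok, downstream_ok, cross_group
```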