Re: [Ntp] NTS Pools

Watson Ladd <> Wed, 17 April 2024 18:11 UTC

From: Watson Ladd <>
Date: Wed, 17 Apr 2024 11:10:53 -0700
Message-ID: <>
To: "Salz, Rich" <>
Cc: Luke Valenta <>, "" <>

On Wed, Apr 17, 2024 at 11:06 AM Salz, Rich
<> wrote:
> Luke’s note spurred me to throw in my late feedback as well.
> > My primary goal currently is to work towards a pool or pool-like solution that
> > 1) Is drop in for end-users. I.e. if you have a working NTS client,
> > the pool can be used without any changes to software.
> Which software?  Can you accept recent additions to the TLS library?  If so, look at RFC 9345, Delegated Credentials. In this situation, the pool “owner” (or team) has a certificate, and they issue periodic short-term signed data to the pool members, which the members use like the TLS key. Adoption isn’t widespread; for example it’s not supported by OpenSSL, but it has some very nice security and admin properties.

The effort involved seems considerably more than the SRV approach.
With SRV we don't need to muck about with issuing any sort of
credential: what you have now works, it's just signing up with a domain,
not an IP. To integrate with the DC approach means getting the DC
requests signed by volunteers and authenticated and put on the
responding machines.

Watson Ladd

Astra mortemque praestare gradatim
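The SRV-based pool flow the reply contrasts with delegated credentials, as an added example that is not code from this thread or from any pool project. It assumes a hypothetical SRV owner name `_ntske._tcp.<pool>` (no RFC defines one) and constructed SRV records; the RFC 2782 selection rule and the NTS-KE parameters from RFC 8915 (TCP 4460, ALPN `ntske/1`, TLS 1.3) are real. The point it makes concrete is the one in the reply: the pool name is only a lookup key, the TLS certificate is checked against the volunteer's own hostname (the SRV target), so a volunteer's existing certificate works without any pool-issued credential, and sign-up therefore has to take a domain rather than an IP literal.

```python
"""SRV-style NTS pool client pieces (constructed example, not project code)."""
import ipaddress
import random
import socket
import ssl
from dataclasses import dataclass

NTSKE_PORT = 4460          # RFC 8915 default NTS-KE port
NTSKE_ALPN = "ntske/1"     # RFC 8915 ALPN protocol identifier
SRV_LABEL = "_ntske._tcp"  # assumption: hypothetical label, not standardised


@dataclass(frozen=True)
class Srv:
    """One SRV record; target is the volunteer's own hostname."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed records for pool.example (not real DNS data).
CONSTRUCTED_SRV = [
    Srv(10, 60, NTSKE_PORT, "a.example.net."),
    Srv(10, 40, NTSKE_PORT, "b.example.net."),
    Srv(20, 0, NTSKE_PORT, "backup.example.org."),   # only used if prio 10 is empty
]


def is_acceptable_target(target: str) -> bool:
    """Sign-up rule from the reply: a hostname, never a bare IP literal.

    The client validates the certificate against the name it dials, so an
    IP-literal target would leave nothing for the certificate check to match.
    """
    name = target.rstrip(".")
    if not name:
        return False
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        return True


def select_srv(records, rng=random.random):
    """RFC 2782 selection: lowest priority group, weighted random within it.

    Simplification: a weight-0 record is never picked while siblings carry
    weight (RFC 2782 only makes it very unlikely).
    """
    if not records:
        raise LookupError("no SRV records")
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    total = sum(r.weight for r in group)
    if total == 0:
        return group[int(rng() * len(group))]
    pick = rng() * total
    acc = 0
    for r in group:
        acc += r.weight
        if pick < acc:
            return r
    return group[-1]


def pool_tls_context() -> ssl.SSLContext:
    """Default verifying context, pinned to what RFC 8915 requires."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_alpn_protocols([NTSKE_ALPN])
    return ctx


def connect_ntske(record: Srv, ctx=None, timeout=5.0) -> ssl.SSLSocket:
    """Open the NTS-KE TLS session to the selected SRV target.

    server_hostname is the SRV target, not the pool name: certificate name
    checking is done against the volunteer's own hostname, which is why no
    delegated credential has to be issued by the pool.
    """
    if not is_acceptable_target(record.target):
        raise ValueError("SRV target must be a hostname: %r" % record.target)
    ctx = ctx or pool_tls_context()
    host = record.target.rstrip(".")
    raw = socket.create_connection((host, record.port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if tls.selected_alpn_protocol() != NTSKE_ALPN:
        tls.close()
        raise ssl.SSLError("server did not negotiate " + NTSKE_ALPN)
    return tls


if __name__ == "__main__":
    chosen = select_srv(CONSTRUCTED_SRV)
    print("would dial %s:%d with SNI %s" % (chosen.target, chosen.port, chosen.target))
```

A real client would replace `CONSTRUCTED_SRV` with a live lookup of `SRV_LABEL + "." + pool` and retry the next record on failure; the part that matters for the thread is that nothing in `connect_ntske` knows or needs a pool-level certificate.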