< draft-ietf-ntp-autokey-07.txt   draft-ietf-ntp-autokey-08.txt >
Network Working Group B. Haberman, Ed. Network Working Group B. Haberman, Ed.
Internet-Draft JHU/APL Internet-Draft JHU/APL
Intended status: Informational D. Mills Intended status: Informational D. Mills
Expires: May 15, 2010 U. Delaware Expires: September 6, 2010 U. Delaware
November 11, 2009 March 5, 2010
Network Time Protocol Version 4 Autokey Specification Network Time Protocol Version 4 Autokey Specification
draft-ietf-ntp-autokey-07 draft-ietf-ntp-autokey-08
Abstract Abstract
This memo describes the Autokey security model for authenticating This memo describes the Autokey security model for authenticating
servers to clients using the Network Time Protocol (NTP) and public servers to clients using the Network Time Protocol (NTP) and public
key cryptography. Its design is based on the premise that IPsec key cryptography. Its design is based on the premise that IPsec
schemes cannot be adopted intact, since that would preclude stateless schemes cannot be adopted intact, since that would preclude stateless
servers and severely compromise timekeeping accuracy. In addition, servers and severely compromise timekeeping accuracy. In addition,
PKI schemes presume authenticated time values are always available to PKI schemes presume authenticated time values are always available to
enforce certificate lifetimes; however, cryptographically verified enforce certificate lifetimes; however, cryptographically verified
skipping to change at page 2, line 8 skipping to change at page 2, line 8
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 15, 2010. This Internet-Draft will expire on September 6, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 53, line 28 skipping to change at page 53, line 28
For trusted host certificates the subject and issuer HostName is the For trusted host certificates the subject and issuer HostName is the
NTP name of the group, while for all other host certificates the NTP name of the group, while for all other host certificates the
subject and issuer HostName is the NTP name of the host. In the subject and issuer HostName is the NTP name of the host. In the
reference implementation if these names are not explicitly specified, reference implementation if these names are not explicitly specified,
they default to the string returned by the Unix gethostname() routine they default to the string returned by the Unix gethostname() routine
(trailing NUL removed). For other than self-signed certificates, the (trailing NUL removed). For other than self-signed certificates, the
issuer HostName is the unique DNS name of the host signing the issuer HostName is the unique DNS name of the host signing the
certificate. certificate.
It should be noted that the Autokey protocol itself has no provisions
to revoke certificates. The reference implementation is purposely
restarted about once a week, leading to the regeneration of the
certificate and a restart of the Auokey protocol. This restart is
not enforced for the Autokey protocol but rather for NTP
functionality reasons.
Each group host operates with only one certificate at a time and
constructs a trail by induction. Since the group configuration must
form an acyclic graph, with roots at the trusted hosts, it does not
matter which, of possibly several, signed certificates is used. The
reference implementation chooses a single certificate and operates
with only that certificate until the protocol is restarted.
Authors' Addresses Authors' Addresses
Brian Haberman (editor) Brian Haberman (editor)
The Johns Hopkins University Applied Physics Laboratory The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Road 11100 Johns Hopkins Road
Laurel, MD 20723-6099 Laurel, MD 20723-6099
US US
Phone: +1 443 778 1319 Phone: +1 443 778 1319
Email: brian@innovationslab.net Email: brian@innovationslab.net
 End of changes. 5 change blocks. 
5 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/