FRESH

Hacker News

An effort to secure the Network Time Protocol

12 points by voxadam

by westurner

0 subcomment

Building on these ideas for replacing DNS and PKI from the other day, https://news.ycombinator.com/item?id=47212280 ; why not NTP too?
From "Decentralized DNS/PKI Enhances NTP Security" https://gemini.google.com/share/686f916c97cb :
> Securing NTP at scale requires moving away from fragile, centralized, trustful X.509 infrastructure. By assigning Decentralized Identifiers (like did:tdw or SSH-key DIDs) to individual time servers and managing their state with Key Event Receipt Infrastructure (KERI), we can completely bypass the TLS chicken-and-egg problem where a client needs the correct time to validate a server's certificate.
> To future-proof such a protocol, we can replace heavy certificate chains with stateless hash-based signatures (SPHINCS+, XMSS^MT) paired with lightweight zkSNARKs. If a node is compromised, its identity can be instantly revoked and globally broadcast via Merkle Tree Certificates and DID micro-ledgers, entirely removing DNS from the security dependency chain.

by westurner

1 subcomments

> Despite NTS becoming an IETF standard in 2020, uptake has been slow. There's been some success: Canonical, which maintains its own time servers, switched to NTS in 25.10. But the NTP reference implementation, ntpd, does not support NTS. A number of clients, such as NTPsec, chrony, and ntpd-rs, do support NTS. They are not, however, widely adopted.
> [...]
> To help spur wider adoption of NTS on Linux distributions, other Trifecta staff are also working on a patch for systemd-timesyncd.
"NTS support for systemd-timesyncd" https://github.com/systemd/systemd/pull/39010
"RFC 8915: Network Time Security for the Network Time Protocol" (2020) https://www.rfc-editor.org/rfc/rfc8915.html

0 subcomment