[cifs-protocol] RE: SNTP issues
Andrew Bartlett
abartlet at samba.org
Wed Jun 11 00:53:26 GMT 2008
On Tue, 2008-06-10 at 10:28 -0700, Richard Guthrie wrote:
> Andrew,
>
> I wanted to see if you have had a chance to review the article below to see if it addresses your issue. Let me know if it did/did not help your team.
Certainly I know that I should talk to the www.ntp.org community and the
NTP working group before blindly deploying the Microsoft protocol, but
what I was looking for was a better statement then the opening
paragraph:
[RFC1305] Appendix C describes a mechanism similar to the authentication
extensions documented
here. The extensions documented here provide for better security by
using a stronger checksum
algorithm, and by using keying material that is more convenient for
Windows systems joined to a
Windows domain.
Instead, perhaps it should be rewritten as a warning, describing the
protocol as a deviation, rather than an improvement (it may not have
been that way when the hacks were first added, but it is now):
[RFC1305] Appendix C describes a mechanism similar to the authentication
extensions documented here. The extensions documented here provide for
better security by using a stronger checksum
algorithm, and by using keying material that is more convenient for
Windows systems joined to a
Windows domain, but should not be used outside this context. Internet
standard authentication extensions such as as proposed and documented in
http://www.ietf.org/internet-drafts/draft-ietf-ntp-autokey-03.txt
provide stronger security and serve as a better basis for interoperable
implementations.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080611/56b93529/attachment.bin
More information about the cifs-protocol
mailing list