[cifs-protocol] RE: SNTP issues

[Andrew Bartlett]

On Tue, 2008-06-10 at 10:28 -0700, Richard Guthrie wrote:
> Andrew,
> 
> I wanted to see if you have had a chance to review the article below to see if it addresses your issue.  Let me know if it did/did not help your team.

Certainly I know that I should talk to the www.ntp.org community and the
NTP working group before blindly deploying the Microsoft protocol, but
what I was looking for was a better statement then the opening
paragraph:


[RFC1305] Appendix C describes a mechanism similar to the authentication
extensions documented
here. The extensions documented here provide for better security by
using a stronger checksum
algorithm, and by using keying material that is more convenient for
Windows systems joined to a
Windows domain.


Instead, perhaps it should be rewritten as a warning, describing the
protocol as a deviation, rather than an improvement (it may not have
been that way when the hacks were first added, but it is now):


[RFC1305] Appendix C describes a mechanism similar to the authentication
extensions documented here. The extensions documented here provide for
better security by using a stronger checksum
algorithm, and by using keying material that is more convenient for
Windows systems joined to a
Windows domain, but should not be used outside this context.  Internet
standard authentication extensions such as as proposed and documented in
http://www.ietf.org/internet-drafts/draft-ietf-ntp-autokey-03.txt
provide stronger security and serve as a better basis for interoperable
implementations.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080611/56b93529/attachment.bin