It is an interesting article, thank you.
I do run NTS servers using chrony and noticed that, once it’s established a secure connection to another NTS server, it would reject non-NTS servers.
However, upon start, it might not validate its NTS servers, because its time was too far off to validate their certificates, so it might linger unsynchronized. Then, it’s necessary for there to be non-NTS servers to set the initial time accurately in order to validate the NTS servers. That’s when it’s vulnerable to attacks, as any NTP server, which might be used even to establish an impostor NTS server.
I use Ubuntu’s NTS bootstrap service to prevent that. It uses certificates that have an extremely long validity so that even devices without RTC, whose clock may be off as far as the Unix epoch, will accept them, and set initial time off of those servers before transitioning to use the other NTS servers as well.
That works only with Ubuntu out of the box, which comes with a special certificate pre-installed.
Yes, on other systems, it requires manual configuration. I have a tar file that I can just extract on new hosts. Ultimately, I guess it depends on how badly one wants to prevent the issue you describe, and how much effort one is willing to spend. The infrastructure and the means are there. YMMV.
It does not work on other systems without Ubuntu’s certificate file installed. AFAIK, this certificate is not officially publicly available.
Yes, that is what I meant by “manual configuration”: Get the certificate, and two configuration snippets needed to make use of the certificate, and put them in their proper places.
Not sure what exactly you consider “not officially publicly”. It is available through different publicly accessible means that one could consider “official” in the sense that they are run by Ubuntu. To my knowledge, it is not explicitly presented for download on a dedicated page like a CA such as Let’s Encrypt would publish their root certificates.
Not sure whether there is some sort of license needed to “officially” be allowed to make use of it once obtained, or permission to “officially” be allowed to access the server (which Ubuntu users might both be granted automatically).
Which way one gets the certificate depends on the way one wants to establish the chain of trust for the certificate, and how important this topic is, i.e., how much effort to spend.
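For readers who want to see what the “two configuration snippets” from the post above amount to in chrony terms, here is an added illustration (not the commenter’s files and not Ubuntu’s shipped configuration). It assumes chrony 4.x, a hypothetical bootstrap trust anchor stored at /etc/chrony/bootstrap-ca.pem, and a placeholder bootstrap host name; the directives themselves (ntstrustedcerts, certset, authselectmode, makestep, rtcsync, nocerttimecheck) are real chrony.conf directives.

```conf
# /etc/chrony/conf.d/nts-bootstrap.conf  (added example, not from the thread)

# Trust anchor for the bootstrap servers only.  Its validity window must
# enclose any clock value a freshly booted, RTC-less device may start with
# (as far back as the Unix epoch), otherwise validation fails before the
# clock has been set.  Certset 1 is used only by the bootstrap source.
ntstrustedcerts 1 /etc/chrony/bootstrap-ca.pem

# Bootstrap source (placeholder host name), validated against certset 1.
# iburst speeds up the initial measurement so the first step happens early.
server nts-bootstrap.example.invalid nts certset 1 iburst

# Regular NTS servers, validated against the system CA store (default certset).
server time.cloudflare.com nts iburst

# Only authenticated (NTS) sources take part in selection; plain NTP sources,
# if any were listed, could not become the synchronization source.
authselectmode require

# Allow the clock to be stepped (not slewed) at any time while the offset is
# above 1 s, so a clock starting at the epoch is corrected in one step.
makestep 1 -1

# Keep the RTC in sync once we have time, so later boots start close enough
# to validate the regular NTS certificates without the bootstrap path.
rtcsync

# Alternative to a long-lived bootstrap certificate: skip certificate time
# checks for the first clock update.  This accepts expired or not-yet-valid
# certificates during that window, so it widens the attack surface the thread
# discusses; prefer the bootstrap anchor approach and leave this disabled.
# nocerttimecheck 1
```

The point of the separate certset is containment: the long-lived bootstrap anchor is trusted for exactly one configured server and not for every NTS peer, and once chrony has stepped the clock, the regular servers are validated against the ordinary system CA store as usual.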
You are suggesting a weak chain of trust that defeats the purpose of NTS.
It’s better to configure a plain NTP server than the illusion of a trusted NTS server.
You pointed out that there may be an issue. I pointed to a potential solution. Whether that suits your needs is up to you.
On the chain of trust, as I re-iterated several times, some aspect of this depends on how important this issue is, and how much effort one is willing to spend. If it is important, and one is willing to spend a little effort, one can achieve the exact same level of trust as an Ubuntu user would when they install the certificate via their package manager.
Also, again up to you obviously whether it is sufficient for your purposes, simply downloading from a trusted source may also be sufficient.
On the other hand, one can also exaggerate things and put requirements on this step that by far outsize the security guarantees that other steps/aspects of the whole construct of using NTS provide. When one assumes that the server from which one downloads the certificate has been hacked, and the protections afforded by the certificate that “protect” that server have been broken, what makes you assume that the same thing cannot happen with the NTS server itself? And why do you trust the root certificates that some vendor has placed on your system and that are the basis for trusting other NTS servers such as Cloudflare’s, SIDN’s, or pretty much any other out there? Have you ensured every step from their generation and them ending up on your system was trustworthy, when you probably simply downloaded the packages for your OS from some source on the Internet?
Anyway, as said, I just provided information I considered relevant, what you do with it is up to you. If it is not helpful to you and does not meet your requirements, sorry to hear. But maybe it helps other people that have similar expectations as myself, which I believe to be reasonable: Get a similar level of trust as an Ubuntu user who installed the certificate via their package manager. Nothing more, nothing less.