28 Mar 2012 16:03
Comments to draf
Dr. Dieter Sibold <dieter.sibold <at> ptb.de>
2012-03-28 14:03:47 GMT
All,

Karen has urgently requested comments on draft-mizrahi-tictoc-security-requirements. So here are my comments. They are based on version 01 from March 12, 2012. This draft is meant to be for PTP and NTP. Yet please note that I'm not very familiar with PTP. So my comments are formulated with NTP in mind.

(i) Section 1, question (3). I don't understand this question. Please express it more clearly.

(ii) Section 4.1.2 (Proventication of Masters). This requirement might be natural in PTP. However, in NTP - as far as I understand it - the root of the time synchronization tree and the authentication tree can be different. To illustrate this: consider the case in which a stratum 2 server is connected to two stratum 1 servers: let the first be the end of the authority tree, the so-called trusted authority (TA), and let us assume the second one does not provide authentication at all. If we further assume that the first stratum 1 server has the better clock, then eventually the stratum 2 server will choose the first stratum 1 server as system peer because NTP's selection algorithm does not consider authentication. Now we end up in a situation that for an NTP client that is connected to the stratum 2 server the time synchronization tree ends at the second stratum 1 server whereas his authorization tree ends at the first stratum 1 server. This requirement therefore would conflict with the current specification of autokey. So, an alternative formulation could be: Proventication of the authentication root. So the authentication root and time sync root can, but do not have to, be on the same clock. Furthermore, I think this requirement is somewhat redundant to 4.9.1/2.

(iii) Section 4.3. In your discussion of this requirement you claim that authentication of clocks is sufficient to achieve this goal. This presumes that all authenticated clocks behave well, which you can only assure if you have