Implementing NTS options

Eric S. Raymond esr at thyrsus.com
Sat Feb 2 05:30:07 UTC 2019


>From nts.adoc
>*tlsport XXX* Contact the NTS-KE server on TCP port XXX.
>
>*ntpport YYY* Request an NTPD server on UDP port YYY.

These are easy. If I don't do them before I sleep they'll be in place
some time tomorrow.

>*ask [address]* Request a particular NTPD server, but do not require
>it. [address] is an ASCII-encoded [ANSI.X3-4.1986] string conforming to
>the syntax of the Host subcomponent of a URI (Section 3.2.2 of RFC3986).
>*address* may be a hostname, a FQDN, an IPv4 numeric address, an IPv6
>numeric address (in square brackets).
>
>*require [address]* Require a particular NTPD server, fail if it is not
>the NTPD server address returned.  Otherwise same as *ask*.

Done, as previously noted.

>*noval* do not validate the server certificate

Done and pushed.

>*cert [file]*  Present the certificate in *file* as our client certificate
>
>*ca [location]*  Use the file, or directory, specified by *location* to
>validate the NTS-KE server certificate.  Do not use any other CA.

Easy.  Will do tomorrow.

>*tls1.2* Allow TLS1.2 connection.
>
>*tls1.3* Allow TLS1.3 connection.

They'd be easy, but I have two issues with these. First, I want
embedded punctuation out of the names - I don't want that
defect-attractor/complexity-escalator in the scanner.  I don't care
what they're named otherwise.

Second, why would you ever want one of these allow bits off?  I want
to hear a good story here not just to convince me that they're worth
the complexity but so it can go in the documentation.

If nobody has a convincing story, they stay out until we get an RFE
from a real user.  KISS principle.

>*tls1.2ciphers [list]*  List of TLS 1.2 ciphers to negotiate, in preferred
>order.  The list is one or more cipher names, separated by colons.
>
>*tls1.3ciphers [list]*  List of TLS 1.3 ciphers to negotiate, in preferred
>order.  TLS 1.2 and 1.3 ciphers are different and must be specified
>separately as OpenSSL needs them separately.

Again. The barrier to entry for these is higher because they
would need a non-trivial grammar modification. Tell me a real use
case; explain why we should pay the complexity cost before we get
an RFE from a real user.

>*ntpciphers [list]* List of ciphers to negotiate, in preferred order for
>the NTPD connection.  The server must support AEAD_AES_SIV_CMAC_256.

And again.  OK name this time, but still looks like gingerbread and
chrome to me.

>*expire [seconds]*  How long to use an NTPD association before rekeying
>with the NTS-KE server.

Done, not yet pushed.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

"What, then, is law [government]? It is the collective organization of
the individual right to lawful defense."
	-- Frederic Bastiat, "The Law"
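The option set quoted from nts.adoc above, parsed and checked end to end, as an added example that is not part of this message and is not NTPsec's configuration parser. It reads a whitespace-separated option list, validates `[address]` arguments the way the draft text describes (hostname, IPv4, or IPv6 in square brackets, ASCII only), splits the colon-separated cipher lists, and then applies the `ask`/`require` rule to the NTPD server address the NTS-KE server hands back. Assumptions: the names `tls12`/`tls13`, `tls12ciphers`/`tls13ciphers` are placeholders with the embedded punctuation stripped, as the reply asks (the thread settles no names); defaults of 4460 for `tlsport` and 123 for `ntpport`; the fallback to the NTS-KE host when no NTPD server address is returned follows the NTS draft, not anything said here; `NtsOptions`, `parse_host`, `parse_nts_options`, `accept_ntpd_server` and the sample lines are all hypothetical.

```python
"""Toy parser for the NTS server-line options quoted above (nts.adoc draft),
plus the ask/require check.  Illustrative code, not NTPsec's config parser."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Option names with the embedded punctuation removed, as the reply asks;
# "tls12"/"tls13" are placeholders, the real names were not settled here.
FLAG_OPTIONS = {"noval", "tls12", "tls13"}
VALUE_OPTIONS = {"tlsport", "ntpport", "ask", "require", "cert", "ca",
                 "tls12ciphers", "tls13ciphers", "ntpciphers", "expire"}

# Conservative DNS-label grammar for the reg-name case of an RFC 3986 host.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*\.?$")


@dataclass
class NtsOptions:
    tlsport: int = 4460            # assumed default: NTS-KE port
    ntpport: int = 123             # assumed default: NTP port
    ask: Optional[str] = None
    require: Optional[str] = None
    noval: bool = False
    cert: Optional[str] = None
    ca: Optional[str] = None
    tls12: bool = False
    tls13: bool = False
    tls12ciphers: List[str] = field(default_factory=list)
    tls13ciphers: List[str] = field(default_factory=list)
    ntpciphers: List[str] = field(default_factory=list)
    expire: Optional[int] = None


def parse_host(text: str) -> str:
    """Normalise an [address] argument: bracketed IPv6, dotted IPv4, or hostname.
    Bare IPv6, non-ASCII and anything else is rejected with ValueError."""
    if not text.isascii():
        raise ValueError(f"host must be ASCII: {text!r}")
    if text.startswith("[") and text.endswith("]"):
        return str(ipaddress.IPv6Address(text[1:-1]))    # canonical form
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        pass
    if HOSTNAME_RE.match(text):
        return text.lower().rstrip(".")
    raise ValueError(f"not a valid host: {text!r}")


def _port(name: str, value: str) -> int:
    port = int(value)                                    # ValueError on junk
    if not 1 <= port <= 65535:
        raise ValueError(f"{name} {value}: port out of range")
    return port


def parse_nts_options(line: str) -> NtsOptions:
    """Parse the whitespace-separated option list that follows 'nts'."""
    tokens = line.split()
    opts = NtsOptions()
    i = 0
    while i < len(tokens):
        name = tokens[i]
        if name in FLAG_OPTIONS:                 # bare keywords, no argument
            setattr(opts, name, True)
            i += 1
            continue
        if name not in VALUE_OPTIONS:
            raise ValueError(f"unknown NTS option {name!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"{name} needs an argument")
        value = tokens[i + 1]
        i += 2
        if name in ("tlsport", "ntpport"):
            setattr(opts, name, _port(name, value))
        elif name in ("ask", "require"):
            setattr(opts, name, parse_host(value))
        elif name == "expire":
            if int(value) <= 0:
                raise ValueError("expire must be a positive number of seconds")
            opts.expire = int(value)
        elif name.endswith("ciphers"):           # colon-separated, ordered
            ciphers = [c for c in value.split(":") if c]
            if not ciphers:
                raise ValueError(f"{name}: empty cipher list")
            setattr(opts, name, ciphers)
        else:                                    # cert / ca: a path
            setattr(opts, name, value)
    return opts


def accept_ntpd_server(opts: NtsOptions, ke_host: str,
                       returned_host: Optional[str]) -> str:
    """Pick the NTPD server once NTS-KE has answered.  returned_host is the
    address the KE server sent back, or None if it sent none (then the KE
    host itself is used, per the NTS draft; assumption, not from this thread).
    'require' makes a mismatch fatal; 'ask' only expresses a preference."""
    got = parse_host(returned_host) if returned_host else parse_host(ke_host)
    if opts.require is not None and got != opts.require:
        raise ValueError(f"NTS-KE offered {got!r}, require demands {opts.require!r}")
    return got


if __name__ == "__main__":
    # Constructed sample line, not taken from any real configuration.
    o = parse_nts_options("tlsport 4460 require [2001:db8::1] ca /etc/ssl/certs "
                          "tls12ciphers ECDHE-ECDSA-AES256-GCM-SHA384:"
                          "ECDHE-RSA-AES256-GCM-SHA384 expire 86400")
    print(o)
    print(accept_ntpd_server(o, "ke.example", "[2001:db8::1]"))
```

The `require` path is the security-relevant one: a KE server that redirects the client to an NTPD address other than the one the operator pinned is refused outright, while `ask` accepts whatever comes back. Keeping the option names free of embedded punctuation is what lets the tokenizer stay a plain `split()` with a set lookup.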

