NTS client configuration support has landed
Eric S. Raymond
esr at thyrsus.com
Sat Feb 2 08:49:01 UTC 2019
Hal Murray <hmurray at megapathdsl.net>:
> What's wrong with MAC authentication when used with a good algorithm?
Nothing much. I wrote that when I thought MD5 and SHA-1 were still
all we had.
I do like removing features when they've been functionally superseded.
I lean heavily on reduction of complexity and attack surface because
that's the only kind of security-hardening I know how to do really
well.
That said, I know the point at which it's all NTS all the time and we
can ditch MAC authentication is years out from now.
> Actually, we should move it to an extension so we can phase out the old mode.
I like that thought.
> I'd be happy to reject MD5 and SHA1. The current code supports any algorithm
> that libcrypto supports. attic/digest-find will list a bunch of them.
Oh jeez. I had no idea. Would you please update
docs/authentication.adoc so it comes somewhere close to reflecting
reality?
--
Eric S. Raymond, http://www.catb.org/~esr/
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.