NTS client configuration support has landed

Eric S. Raymond esr at thyrsus.com
Sat Feb 2 12:14:23 UTC 2019


Hal Murray <hmurray at megapathdsl.net>:
> I believe that
>   server ntp.example.com nts
> should work in many/most cases.

That was my design goal, yes.

> We'll have to provide sensible defaults for all of the options.
> 
> We need to setup a mechanism to review the defaults occasionally.  Maybe with 
> each release.  Maybe on Mark's birthday.  The idea is to track progress in the 
> crypto community.  If the default today is to allow TLS 1.2, sometime we 
> should bump the min up to 1.3.  Yes, that means breaking backwards 
> compatibility.  Lots of warning...

I think it's easier than that.

We have a min option.

We pay attention when the crypto guys declare an emergency.  When that
happens we need to bump min to disallow the busted version. Unless the
busted version is current, in which case No Policy Will Help.

Otherwise we just link the default TLS library when we build. Let the
normal upgrade cycle do the work.

The difference between my policy and yours is that we never time out
old versions - min is failure-driven.

Can you think of a scenario where this fails and yours doesn't?
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
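The policy argued for above (the minimum TLS version moves only when a version is declared broken, and if the newest version is the broken one, no floor helps), written out as an added illustration. This is not code from the thread or from NTPsec; the function names `failure_driven_min` and `make_client_context`, the sample version list and the sample "broken" sets are all constructed here, and the version ordering is taken from Python's `ssl.TLSVersion` enum rather than from any NTPsec option.

```python
"""Failure-driven TLS minimum-version policy (added illustration, not NTPsec code)."""
import ssl

# Versions the build's TLS library offers, oldest to newest (constructed list;
# a real build would take this from the linked library, as the post suggests).
LIBRARY_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def failure_driven_min(broken_names, versions=LIBRARY_VERSIONS):
    """Return the lowest version to accept, or None if nothing usable remains.

    broken_names: names of ssl.TLSVersion members that have been declared
    broken (e.g. ["TLSv1", "TLSv1_1"]).  The floor is the oldest offered
    version that is newer than every broken one; unbroken old versions are
    never retired on a calendar.  If the newest offered version is itself
    broken, no floor can help and None is returned.
    """
    broken = {ssl.TLSVersion[name] for name in broken_names}
    usable = [v for v in versions if all(v > b for b in broken)]
    return usable[0] if usable else None


def make_client_context(min_version):
    """Build a client TLS context that enforces the computed floor.

    Hypothetical helper: shows where the policy result would be applied;
    the server-auth context is the stdlib default, nothing NTS-specific.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version
    return ctx


if __name__ == "__main__":
    # Constructed scenarios, oldest "emergency" to worst case.
    for broken in ([], ["TLSv1"], ["TLSv1", "TLSv1_1"], ["TLSv1_3"]):
        floor = failure_driven_min(broken)
        if floor is None:
            print(f"broken={broken}: newest version is broken, no policy will help")
        else:
            print(f"broken={broken}: minimum becomes {floor.name}")
            make_client_context(floor)
```

Only the policy function is pure; `make_client_context` touches the system's OpenSSL, which is exactly the point of "link the default TLS library when we build": the library decides what the ceiling is, and the policy only ever raises the floor in response to a declared failure.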