Implementing NTS options

Eric S. Raymond esr at thyrsus.com
Sat Feb 2 21:52:45 UTC 2019


Gary E. Miller via devel <devel at ntpsec.org>:
> Yo Eric!
> 
> On Sat, 2 Feb 2019 05:11:54 -0500
> "Eric S. Raymond via devel" <devel at ntpsec.org> wrote:
> 
> > Hal Murray <hmurray at megapathdsl.net>:
> > > Implementations MUST NOT negotiate TLS versions earlier than 1.2,
> > > SHOULD negotiate TLS 1.3 [RFC8446] or later when possible, and MAY
> > > refuse to negotiate any TLS version which has been superseded by a
> > > later supported version.  
> > 
> > I'm not seeing anything in that 'graph which would ever *require* you
> > to disable down-version TLS.  The last normative is a MAY, not a MUST.
> 
> But years of crypto experience show us this happens every few years.

That's a different claim from "the RFC requires it". The RFC does not.

Yes, I know we need a mintls option to deal with crypto emergencies.  That's
in nts.adoc; I have not implemented it yet.

I probably will soon, but it's not a requirement for first ship.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
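The mintls option under discussion amounts to a configurable floor on the negotiated TLS version that can never drop below the RFC's 1.2 minimum. As an added illustration (not NTPsec's code, which lives in C on OpenSSL), here is how such an option maps onto Python's standard ssl module; the option name "mintls" and its accepted values "1.2"/"1.3" are assumptions for this example.

```python
import ssl

# The floor quoted from the RFC in this thread: versions earlier than
# TLS 1.2 MUST NOT be negotiated, whatever the operator configures.
RFC_FLOOR = ssl.TLSVersion.TLSv1_2

# Assumed spelling of the mintls option values (hypothetical, for illustration).
_MINTLS_VALUES = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def resolve_mintls(mintls=None):
    """Return the minimum TLS version to enforce for NTS-KE.

    mintls is the operator-supplied option string, or None when unset.
    Unset means "no override" and still yields the RFC floor (1.2).
    Raising the floor to 1.3 is how an operator would retire 1.2 in a
    crypto emergency (the RFC's MAY). Values below the floor are refused
    rather than silently clamped, so a typo cannot weaken the setting.
    """
    if mintls is None:
        return RFC_FLOOR
    try:
        version = _MINTLS_VALUES[mintls]
    except KeyError:
        raise ValueError(
            f"mintls {mintls!r}: only 1.2 or 1.3 are permitted "
            f"(RFC floor is TLS 1.2)"
        )
    return version


def make_nts_ke_context(mintls=None, purpose=ssl.Purpose.SERVER_AUTH):
    """Build a TLS context for the NTS-KE connection honouring mintls."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = resolve_mintls(mintls)
    # Leave the ceiling at the library maximum so 1.3 (or later) is
    # negotiated when the peer supports it, as the RFC's SHOULD asks.
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def effective_floor(mintls=None):
    """Convenience: the minimum_version actually set on a built context."""
    return make_nts_ke_context(mintls).minimum_version
```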

