Implementing NTS options

Gary E. Miller gem at rellim.com
Sat Feb 2 22:01:30 UTC 2019


Yo Achim!

On Sat, 02 Feb 2019 10:08:17 +0100
Achim Gratz via devel <devel at ntpsec.org> wrote:

> Gary E. Miller via devel writes:
> >> >*tls1.3ciphers [list]*  List of TLS 1.3 ciphers to negotiate, in
> >> >preferred order.  TLS 1.2 and 1.3 ciphers are different and must be
> >> >specified separately as OpenSSL needs them separately.    
> >> 
> >> Again. The barrier to entry for these is higher because they
> >> would need a non-trivial grammar modification. Tell me a real use
> >> case; explain why we should pay the complexity cost before we get
> >> an RFE from a real user.  
> >
> > Real use case?  Because they are required by multiple RFCs.  We
> > are supposed to be implementing the RFCs.  Right?  
> 
> Changing the OpenSSL ciphersuites is typically done on system-level,
> application-level is not unheard of, but I haven't personally seen a
> per-server configuration.

Very common in the Apache, nginx, postfix and sendmail communities.

For example, you set one virtual server for cell phone clients, using
less strong ciphers, and another for admin clients with the strongest
ciphers.  So the cell phones are fast, and the admin is safe.



> >> And again.  OK name this time, but still looks like  gingerbread
> >> and chrome to me.  
> >
> > As required in the Proposed RFC.  
> 
> The RFC says the client needs to tell the NTS-KE all supported
> ciphers. It doesn't say it must support different ciphers for
> different servers.

True, but it makes testing a LOT harder.  Making test easy is important.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
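The two-profile setup Gary describes (a permissive cipher list for one class of clients, a strict one for another) can be reproduced against OpenSSL from Python's ssl module. This is an added example, not code from the NTPsec project or from this thread; the profile names "mobile" and "admin" and the cipher strings are my choices for illustration. It also shows the separation Gary's option text refers to: set_ciphers() only rewrites the pre-TLS-1.3 list, and the TLS 1.3 suites that get_ciphers() reports come back untouched, because OpenSSL keeps them in a separate list (which the Python standard library does not expose a setter for).

```python
import ssl

# Constructed cipher strings for two server profiles.  "mobile" accepts a
# broad set of non-anonymous, non-MD5 suites; "admin" accepts only ECDHE
# key exchange with AES-GCM.  Both are assumptions for this example.
PROFILES = {
    "mobile": "HIGH:!aNULL:!MD5",
    "admin": "ECDHE+AESGCM",
}


def build_context(cipher_list):
    """Return a server-side SSLContext restricted to cipher_list.

    set_ciphers() takes an OpenSSL cipher string and applies it to the
    TLS 1.2-and-earlier list only; raises ssl.SSLError if nothing matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)
    return ctx


def ciphers_by_protocol(ctx):
    """Group the suites a context will offer by the protocol they belong to.

    get_ciphers() reports TLS 1.3 suites with protocol 'TLSv1.3' and the
    legacy suites with 'TLSv1.2' (or 'SSLv3' for very old ones).
    """
    grouped = {}
    for entry in ctx.get_ciphers():
        grouped.setdefault(entry["protocol"], []).append(entry["name"])
    return grouped


def legacy_suites(grouped):
    """Every suite that is not a TLS 1.3 suite, in preference order."""
    return [name for proto, names in grouped.items()
            if proto != "TLSv1.3" for name in names]


def tls13_suites(grouped):
    return grouped.get("TLSv1.3", [])


def profile_suites(profile):
    """Build the context for a profile and return (legacy, tls13) lists."""
    grouped = ciphers_by_protocol(build_context(PROFILES[profile]))
    return legacy_suites(grouped), tls13_suites(grouped)


def admin_is_strict():
    """True if every legacy suite in the admin profile is ECDHE + AES-GCM."""
    legacy, _ = profile_suites("admin")
    return bool(legacy) and all(
        n.startswith("ECDHE-") and "-GCM-" in n for n in legacy)


def tls13_lists_are_shared():
    """True if both profiles offer the same TLS 1.3 suites: set_ciphers()
    never touched them, which is why a separate option is needed."""
    _, mobile13 = profile_suites("mobile")
    _, admin13 = profile_suites("admin")
    return mobile13 == admin13


if __name__ == "__main__":
    for profile in PROFILES:
        legacy, tls13 = profile_suites(profile)
        print(f"{profile}: {len(legacy)} legacy suites, "
              f"{len(tls13)} TLS 1.3 suites")
        for name in legacy:
            print("   ", name)
    print("admin strict:", admin_is_strict())
    print("TLS 1.3 lists identical:", tls13_lists_are_shared())
```

Running it prints the legacy suites each profile would negotiate and confirms that the strict profile offers only ECDHE/AES-GCM suites while the TLS 1.3 list is the same for both. Per-server selection in a daemon is then just a matter of picking the context for the listening socket, which is the per-virtual-server pattern Gary cites from the web and mail server world.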