Are we thrashing?

Richard Laager rlaager at wiktel.com
Sun Feb 3 00:17:17 UTC 2019


On 2/2/19 5:45 PM, Hal Murray via devel wrote:
> Another thing that might help is to keep the time scale in mind.  What do we 
> need for first ship?  What can wait?  How much do we need to think about 
> issues that can wait to make sure we don't paint ourselves into a corner?

For first ship on the client, you need:

nts <host>
or
server <host> nts

You do need to pick which one, though, for first ship, keeping in mind
that there will be several per-host options in the future.

NTP server negotiation (the "ask" and "require" options discussed) is
optional, so not required for first ship.

Handling a pool is not required for first ship, especially since there
is no pool yet and there are still questions about how it would work.

You can accept all of the TLS defaults for first ship, so no minver, no
ciphers/ciphersuite strings, or root certificate option. Though those
are all pretty straightforward to implement.

There is a required algorithm for NTP crypto, so you can implement only
that one for first ship, so no need for an ntpciphers option.

You can require that all testing be done with valid certs (e.g. from
Let's Encrypt), so you can skip "noval" for first ship. Though that one
is trivial to implement.

Likewise for the above on the TLS of the NTS-KE server first ship. You
obviously do need to specify the server key, certificate, and
intermediate certificate, though if you want to go full minimal, those
could be hard-coded file paths, not config options.

-- 
Richard
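To make the "which syntax" question concrete, here is an added example (not NTPsec's own config parser) that accepts both candidate forms, `nts <host>` and `server <host> nts [options]`, and shows why the second form extends naturally to the per-host options the thread lists. The option names (ask, require, noval, minver, ciphers) are taken from the discussion above; `ca` for the root-certificate option, the exact spellings, and the secure-by-default values (require on, validation on, library TLS defaults) are assumptions of this example, not ntpd's actual behaviour.

```python
"""Toy parser for the NTS client directives discussed in the thread.

Added example, not NTPsec's parser. Option names follow the discussion;
'ca' and the defaults chosen here are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional
import shlex


@dataclass
class NtsServer:
    host: str
    require: bool = True        # default: never fall back to unauthenticated NTP
    validate: bool = True       # default: validate the NTS-KE server cert ('noval' disables)
    minver: Optional[str] = None    # None = accept the TLS library's default minimum
    ciphers: Optional[str] = None   # None = library default cipher string
    ca: Optional[str] = None        # None = system root store


FLAG_OPTIONS = {"ask", "require", "noval"}
VALUED_OPTIONS = {"minver", "ciphers", "ca"}


class ConfigError(ValueError):
    """Raised for a malformed or contradictory directive."""


def parse_line(line: str) -> Optional[NtsServer]:
    """Parse one directive. Returns an NtsServer, or None for lines that are
    not NTS directives (comments, blanks, plain 'server' lines)."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None

    # Candidate syntax 1: 'nts <host>' with no room for per-host options.
    if tokens[0] == "nts":
        if len(tokens) != 2:
            raise ConfigError("'nts' takes exactly one host: %r" % line)
        return NtsServer(host=tokens[1])

    # Candidate syntax 2: 'server <host> nts [option ...]'.
    if tokens[0] != "server" or len(tokens) < 3 or tokens[2] != "nts":
        return None
    srv = NtsServer(host=tokens[1])
    seen_flags = set()
    rest = tokens[3:]
    i = 0
    while i < len(rest):
        opt = rest[i]
        if opt in FLAG_OPTIONS:
            seen_flags.add(opt)
            if opt == "ask":
                srv.require = False     # try NTS, but tolerate failure
            elif opt == "require":
                srv.require = True
            elif opt == "noval":
                srv.validate = False    # testing only; disables cert validation
            i += 1
        elif opt in VALUED_OPTIONS:
            if i + 1 >= len(rest):
                raise ConfigError("option %r needs a value: %r" % (opt, line))
            setattr(srv, opt, rest[i + 1])
            i += 2
        else:
            raise ConfigError("unknown option %r: %r" % (opt, line))
    if {"ask", "require"} <= seen_flags:
        raise ConfigError("'ask' and 'require' are mutually exclusive: %r" % line)
    return srv


def parse_config(text: str) -> List[NtsServer]:
    """Parse a whole config and return only the NTS server entries."""
    servers = []
    for line in text.splitlines():
        srv = parse_line(line)
        if srv is not None:
            servers.append(srv)
    return servers


if __name__ == "__main__":
    # Constructed sample config using example hostnames.
    sample = """
    # first-ship minimal forms
    nts time1.example.net
    server time2.example.net nts
    # per-host options the thread says can wait
    server time3.example.net nts ask minver TLS1.3 ca /etc/ssl/example-root.pem
    server pool.example.net                # plain NTP, ignored here
    """
    for s in parse_config(sample):
        print(s)
```

The design point the example makes is the one in the message: `nts <host>` is enough for first ship, but every later per-host option (ask/require, noval, minver, ciphers, root cert) has an obvious home on a `server ... nts` line, so picking that form avoids a syntax change later. Defaults err toward the secure setting so that a bare directive is never weaker than an explicit one.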

