Are we thrashing?
Gary E. Miller
gem at rellim.com
Sun Feb 3 00:21:46 UTC 2019
Yo Richard!
On Sat, 2 Feb 2019 18:17:17 -0600
Richard Laager via devel <devel at ntpsec.org> wrote:
> On 2/2/19 5:45 PM, Hal Murray via devel wrote:
> > Another thing that might help is to keep the time scale in mind.
> > What do we need for first ship? What can wait? How much do we
> > need to think about issues that can wait to make sure we don't
> > paint ourselves into a corner?
>
> For first ship on the client, you need:
>
> nts <host>
> or
> server <host> nts
>
> You do need to pick which one, though, for first ship, keeping in mind
> that there will be several per-host options in the future.
>
> NTP server negotiation (the "ask" and "require" options discussed) are
> optional, so not required for first ship.
>
> Handling a pool is not required for first ship, especially since there
> is no pool yet and there are still questions about how it would work.
>
> You can accept all of the TLS defaults for first ship, so no minver,
> no ciphers/ciphersuite strings, or root certificate option. Though
> those are all pretty straightforward to implement.
>
> There is a required algorithm for NTP crypto, so you can implement
> only that one for first ship, so no need for an ntpciphers option.
>
> You can require that all testing be done with valid certs (e.g. from
> Let's Encrypt), so you can skip "noval" for first ship. Though that
> one is trivial to implement.
>
> Likewise for the above on the TLS of the NTS-KE server first ship. You
> obviously do need to specify the server key, certificate, and
> intermediate certificate, though if you want to go full minimal, those
> could be hard-coded file paths, not config options.
Absolutely agree, for first ship. But that is not what got 'decided'.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin