What's left to do on NTS

Gary E. Miller gem at rellim.com
Sat Mar 2 17:36:33 UTC 2019


Yo Daniel!

On Sat, 2 Mar 2019 09:40:30 -0500
Daniel Franke <dfoxfranke at gmail.com> wrote:

> On Fri, Mar 1, 2019 at 11:39 PM Gary E. Miller via devel
> <devel at ntpsec.org> wrote:
> > Not complete security, but at least encryption.  And there are
> > levels of validation.  If you are off net, you can't completely
> > validate the cert, but you can partially validate it.  Maybe you
> > would want to pin it.  
> 
> Encryption doesn't work without authentication; a MitM can cause you
> to negotiate keys with *him* instead of the endpoint you think you're
> communicating with.

Yes, but you seriously reduce the attack time window.  Instead of
a possible MitM every few seconds, you need to grab the one time the
cookies are shared.

> You can skip the notBefore/notAfter constraints under the
> circumstances described in the RFC.

Which should be a config option.

> Otherwise, either do full
> validation or don't bother with NTS at all. Pinning counts as full
> validation.

I'd be happy if we had per host pinning instead of "noval".

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
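The two validation modes argued over above (per-host pinning counting as full validation, and a config option to skip the notBefore/notAfter check while the local clock is still untrusted) can be sketched as a verifier for the certificate an NTS-KE server presents. The following is an added example written for this page, not code from NTPsec or from either poster; PinStore, VerifyNTSKEPeer, the trustClock flag and the host name nts.example.test are constructed names for illustration, and the self-signed certificate is generated in-process so the whole thing runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// PinStore maps an NTS-KE server name to the set of SPKI pins accepted for it
// (hypothetical type). A pin is the base64 SHA-256 of the certificate's DER
// SubjectPublicKeyInfo, the encoding curl's --pinnedpubkey and HPKP use.
type PinStore map[string]map[string]bool

// SPKIPin computes the pin for a certificate.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyNTSKEPeer decides whether the leaf certificate presented by the NTS-KE
// server "host" is acceptable (hypothetical function, not NTPsec's).
//   - If pins exist for host, the leaf's key must match one of them. A match is
//     treated as full validation; a mismatch is fatal even if the chain would
//     otherwise verify, which is what defeats a MitM holding some other valid cert.
//   - Otherwise the chain is verified against roots for the host name. When
//     trustClock is false (no trusted time yet), validity is evaluated at the
//     leaf's own notBefore instant: Go has no switch to ignore validity periods,
//     so this is the way to drop only that check while keeping signature, name
//     and chain checks intact.
func VerifyNTSKEPeer(host string, leafDER []byte, intermediatesDER [][]byte,
	pins PinStore, roots *x509.CertPool, trustClock bool) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	if accepted, ok := pins[host]; ok {
		if accepted[SPKIPin(leaf)] {
			return nil
		}
		return fmt.Errorf("%s: server key does not match any pinned key", host)
	}
	inter := x509.NewCertPool()
	for _, der := range intermediatesDER {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("parse intermediate: %w", err)
		}
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter}
	if !trustClock {
		opts.CurrentTime = leaf.NotBefore
	}
	_, err = leaf.Verify(opts)
	return err
}

// NewSelfSignedCert builds a constructed self-signed certificate for host with
// the given validity window; it exists only to exercise VerifyNTSKEPeer offline.
func NewSelfSignedCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "nts.example.test" // constructed name, not a real server
	now := time.Now()
	// A certificate that expired a year ago, as a clock-less client might see it.
	expired, err := NewSelfSignedCert(host, now.Add(-2*365*24*time.Hour), now.Add(-365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(expired)
	fmt.Println("clock trusted, expired cert  :", VerifyNTSKEPeer(host, expired.Raw, nil, nil, roots, true))
	fmt.Println("clock untrusted, expired cert:", VerifyNTSKEPeer(host, expired.Raw, nil, nil, roots, false))
	pins := PinStore{host: {SPKIPin(expired): true}}
	fmt.Println("pinned, no chain needed      :", VerifyNTSKEPeer(host, expired.Raw, nil, pins, nil, true))
}
```

Note that the pinned path never consults roots or the clock, so a pinned server key can be rotated only by shipping a new pin; an operator who wants both would keep the pin store as an allow-list in front of ordinary chain validation rather than as a replacement for it.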