Usefulness of noval

Gary E. Miller gem at rellim.com
Wed Mar 27 23:07:44 UTC 2019


Yo Hal!

On Wed, 27 Mar 2019 15:57:16 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> Richard Laager  said:
> > Does NTS with noval actually buy us anything over plain NTP?  
> 
> It's handy for debugging.

Yes.  Otherwise NTPsec could not have reached 100% at the hackathon.
That would have been bad...

> It breaks security if the bad guy can do a MITM.

Only if the cert is not pinned.  Pretty much everything else I do with
certs eventually requires pinning.  NTPsec will be no different.

> I was thinking along the same lines.  Should we have a command line
> switch, say "--secure", that requires nts (without noval) or shared
> key on all servers?  Or make that the default, and require --insecure
> for testing.

I could see the use for --insecure.  --secure does not need an option, it
should be the default.

The problem with command line options is that systemd makes them harder
to change than before.  It should prolly be an ntp.conf option.  But
then it just duplicates "noval".

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin