Usefuleness of noval
Gary E. Miller
gem at rellim.com
Thu Mar 28 21:26:51 UTC 2019
Yo Hal!
On Thu, 28 Mar 2019 14:20:39 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:
> Gary said:
> > I don't think anyone suggest blocking non NTS servers, yet.
>
> I think we should be thinking about it. Seems like a good check-box
> for an auditor.
>
> It's what I had in mind with something like a "secure yes" option.
> (I included shared-key authentication as secure)
As we learned earlier, OpenSSL has levels of security. Maybe something
like this:
# anything goes (current default):
securelevel 0
# must use NTS or shared key, but noval OK
securelevel 1
# must use NTS or shared key, noval only with cert pinning
securelevel 2
But, in the same vein, you'd like a global option to limit TLS versions...
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190328/432adae0/attachment-0001.bin>
More information about the devel
mailing list