Usefulness of noval

Gary E. Miller gem at rellim.com
Thu Mar 28 21:26:51 UTC 2019


Yo Hal!

On Thu, 28 Mar 2019 14:20:39 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> > I don't think anyone suggest blocking non NTS servers, yet.  
> 
> I think we should be thinking about it.  Seems like a good check-box
> for an auditor.
> 
> It's what I had in mind with something like a "secure yes" option.
> (I included shared-key authentication as secure)


As we learned earlier, OpenSSL has levels of security.  Maybe something
like this:

# anything goes (current default):
securelevel 0

# must use NTS or shared key, but noval OK
securelevel 1

# must use NTS or shared key, noval only with cert pinning
securelevel 2

But, in the same vein, you'd like a global option to limit TLS versions...


RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin