Big picture half-baked thoughts
Hal Murray
halmurray at sonic.net
Mon Apr 25 09:04:09 UTC 2022
What's the right way to think about how security fits into our priorities?
How should we use that to prioritize our work?
Should we split this discussion into NTP and TLS/KE?
Eric wants to convert our current code base to Go. In terms of security, how
does that compare with getting our code running on Windows? How do we think
about that sort of trade off?
There is another feature we need. The current code wakes up every second.
That's evil if you want to save battery power. How important are laptops?
Our code doesn't do OCSP. How important is that? Alternatives?
[One example I looked at cached the answer for a week. How does that fit into
security?]
One of the attack modes with TLS is that one of the CAs on a distro's root
cert list gets compromised, either due to company incompetence or state level
arm twisting. How important is it to restrict the root CAs? Do we need
features/code on the NTP package for that? [We have a ca option on the server
command. I think we need a script to tell somebody which root CA a site is
using.]
--
These are my opinions. I hate spam.
More information about the devel
mailing list