Wildcards on NTS certificates -- security
Gary E. Miller
gem at rellim.com
Fri Feb 25 20:02:34 UTC 2022
Yo Hal!
On Tue, 22 Feb 2022 14:39:21 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> They don't work. See https://gitlab.com/NTPsec/ntpsec/-/issues/729
>
> There is a single line of code that disables them.
>
> They are less secure. But is that "less" practical or theoretical?
>
> They are deprecated in RFC 6125
> https://datatracker.ietf.org/doc/html/rfc6125#section-7.2
>
> Should we:
> remove or comment out that line of code
> add an option to the server line to allow wildcards
> reject the bug report
> ...
I'd go with making it optional, not the default.
> Anybody have any opinions? How strong?
Not strong, but I see how some people would need them.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
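As an added illustration of the "optional, not the default" approach (this is example code, not NTPsec's own or either poster's): a hostname check that rejects wildcard names unless a per-server `allow_wildcards` flag is set, and even then only honours them within the RFC 6125 constraints (whole left-most label only, never spanning a dot, never at the public-suffix level). The function names and the flag are assumptions.

```python
"""Match a certificate's dNSName entries against a configured NTS server name.

Wildcards are an opt-in policy (allow_wildcards=False by default), mirroring
the "option on the server line" idea from the thread. When enabled, a wildcard
is accepted only if it is the entire left-most label, at least two labels
follow it, and it matches exactly one label of the reference name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MatchResult:
    matched: bool
    reason: str


def _labels(name: str) -> list[str]:
    # Case-insensitive, trailing root dot ignored.
    return name.lower().rstrip(".").split(".")


def match_dns_name(presented: str, reference: str,
                   allow_wildcards: bool = False) -> MatchResult:
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return MatchResult(p == r, "exact" if p == r else "mismatch")
    if not allow_wildcards:
        return MatchResult(False, "wildcard rejected by policy")
    # "*.example.org" is acceptable; "n*.example.org", "*.*.org" and "*.org" are not.
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return MatchResult(False, "malformed wildcard")
    # The wildcard stands for exactly one label: "*.example.org" must not
    # match "a.b.example.org" or the bare "example.org".
    if len(r) != len(p):
        return MatchResult(False, "wildcard may not span labels")
    if p[1:] != r[1:] or r[0] == "":
        return MatchResult(False, "mismatch")
    return MatchResult(True, "wildcard")


def verify_san_list(san_dns_names: list[str], reference: str,
                    allow_wildcards: bool = False) -> bool:
    """True if any dNSName SAN entry matches the configured server name."""
    return any(match_dns_name(n, reference, allow_wildcards).matched
               for n in san_dns_names)


# Constructed sample SAN list, as a CA might issue it (not a real certificate).
SAMPLE_SANS = ["*.example.org", "time.example.net"]
```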