Big picture half-baked thoughts
What's the right way to think about how security fits into our priorities? How should we use that to prioritize our work? Should we split this discussion into NTP and TLS/KE? Eric wants to convert our current code base to Go. In terms of security, how does that compare with getting our code running on Windows? How do we think about that sort of trade off? There is another feature we need. The current code wakes up every second. That's evil if you want to save battery power. How important are laptops? Our code doesn't do OCSP. How important is that? Alternatives? [One example I looked at cached the answer for a week. How does that fit into security?] One of the attack modes with TLS is that one of the CAs on a distro's root cert list gets compromised, either due to company incompetence or state level arm twisting. How important is it to restrict the root CAs? Do we need features/code on the NTP package for that? [We have a ca option on the server command. I think we need a script to tell somebody which root CA a site is using.] -- These are my opinions. I hate spam. ___ devel mailing list devel@ntpsec.org https://lists.ntpsec.org/mailman/listinfo/devel
Re: Getting ready for a release, wildcards
Thanks again for your helpful comments. On the cert documentation ... What is our target audience? Admins who already know about certificates or newbies who are getting a certificate for the first time? (This was my first.) Is there a certificates-for-newbies document we can reference? If not, should we write one? On my knobs... What is our role in this corner of the security world? Should we explore the edges where convenient, or blindly follow what everybody else is doing? Is there a document discussing the big picture security of TLS? I'm looking for something that describes what "everybody else" is doing and the risks of various options, things to think about, ... --- Thanks for the wildcard link: https://gist.github.com/joepie91/7e5cad8c0726fd6a5e90360a754fc568 Should we add that to our documentation? Where? I like your "science fair project" tag. Science fairs can be educational. What is the tradeoff between clutter and education? How should we decide? -- These are my opinions. I hate spam. ___ devel mailing list devel@ntpsec.org https://lists.ntpsec.org/mailman/listinfo/devel