On 2/2/19 5:45 PM, Hal Murray via devel wrote:
> Another thing that might help is to keep the time scale in mind. What do we
> need for first ship? What can wait? How much do we need to think about
> issues that can wait to make sure we don't paint ourselves into a corner?

For first ship on the client, you need:
    nts <host>
or
    server <host> nts

You do need to pick which one, though, for first ship, keeping in mind that there will be several per-host options in the future.

NTP server negotiation (the "ask" and "require" options discussed) is optional, so not required for first ship.

Handling a pool is not required for first ship, especially since there is no pool yet and there are still questions about how it would work.

You can accept all of the TLS defaults for first ship, so no minver, no ciphers/ciphersuite strings, or root certificate option. Though those are all pretty straightforward to implement.

There is a required algorithm for NTP crypto, so you can implement only that one for first ship, so no need for an ntpciphers option.

You can require that all testing be done with valid certs (e.g. from Let's Encrypt), so you can skip "noval" for first ship. Though that one is trivial to implement.

Likewise for the above on the TLS of the NTS-KE server first ship. You do obviously need to specify the server key, certificate, and intermediate certificate, though if you want to go full minimal, those could be hard-coded file paths, not config options.

-- 
Richard
