Yo Richard!

On Sat, 2 Feb 2019 18:17:17 -0600 Richard Laager via devel <[email protected]> wrote:
> On 2/2/19 5:45 PM, Hal Murray via devel wrote:
> > Another thing that might help is to keep the time scale in mind.
> > What do we need for first ship? What can wait? How much do we
> > need to think about issues that can wait to make sure we don't
> > paint ourselves into a corner?
>
> For first ship on the client, you need:
>
> nts <host>
> or
> server <host> nts
>
> You do need to pick which one, though, for first ship, keeping in mind
> that there will be several per-host options in the future.
>
> NTP server negotiation (the "ask" and "require" options discussed) are
> optional, so not required for first ship.
>
> Handling a pool is not required for first ship, especially since there
> is no pool yet and there are still questions about how it would work.
>
> You can accept all of the TLS defaults for first ship, so no minver,
> no ciphers/ciphersuite strings, or root certificate option. Though
> those are all pretty straightforward to implement.
>
> There is a required algorithm for NTP crypto, so you can implement
> only that one for first ship, so no need for an ntpciphers option.
>
> You can require that all testing be done with valid certs (e.g. from
> Let's Encrypt), so you can skip "noval" for first ship. Though that
> one is trivial to implement.
>
> Likewise for the above on the TLS of the NTS-KE server first ship. You
> do obviously need to specify the server key, certificate, and
> intermediate certificate, though if you want to go full minimal, those
> could be hard-coded file paths, not config options.

Absolutely agree, for first ship. But that is not what got 'decided'.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
[email protected] Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
