Yo Eric!

On Fri, 1 Feb 2019 23:13:53 -0500
"Eric S. Raymond" <e...@thyrsus.com> wrote:

> Gary E. Miller via devel <devel@ntpsec.org>:
> > Well, it was in nts.adoc, after consensus had been reached, before
> > Eric removed it.
>
> Everything I removed I removed because I implemented it and described
> the new options in docs/includes.assoc-options.adoc

Sorry, don't agree.

> From now on, you can assume that if I remove stuff from that section
> without discussion, another part of the commit has moved it to
> docs/includes.assoc-options.adoc

OK. But can we hold off until we are all agreed?

> > *require [address]* Require a particular NTPD server, fail if it is
> > not the NTPD server address returned. Otherwise same as *ask*.
>
> These are already implemented, but they currently stash the raw
> string rather than parsing it for the address and port element. I
> don't think it makes a lot of difference whether this is done at
> parse time or at peer initialization time.

Has to be before peer initialization. One: for good error messages.
Two: we need to do the NTS-KE dance before peering.

> I just copied the address-argument description to the official docs
> for the NTS options.

Which were not done yet.

> I thought the minimum TLS level was supposed to be 1.3. Why are we
> supporting 1.2 options?

Not according to the Proposed RFC. And, as a practical matter, TLS 1.3
does not exist yet in practice. Yeah, I know about all the PR, but it
does not really work yet.

> Would somebody dig me up lists of the cipher names?

    openssl ciphers -v | fgrep TLS

Which is incomplete since Gentoo, like almost all distros, does not
implement TLS 1.3. Also incomplete as I have not looked up the AEAD
ciphers which are also different.

These ciphers are very dynamic. In time, by distro, by install options,
and by user configuration. They should not be hard coded.

We can punt and just feed the lists to OpenSSL and have that tell us
which are valid at this exact moment and place.

> I'd prefer not to have option names with embedded punctuation - I
> think that might force unpleasant complications in the scanner. Try
> again?

Roger and I have already gone around on this. These are WIP. Not
remotely close to final. Suggestions welcome.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
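
Added example, not part of the message above and not NTPsec code: one way to "feed the lists to OpenSSL" at configuration-parse time, so that a bad cipher name is reported before any peer is set up. It uses Python's ssl module as a stand-in for direct OpenSSL calls; the function names and the sample cipher strings are assumptions made for illustration.

```python
import ssl


def check_cipher_names(names):
    """Split operator-supplied cipher strings into (usable, rejected).

    Each string is handed to the local OpenSSL on its own, so the answer
    reflects this build and its configuration, not a hard-coded table.
    """
    usable, rejected = {}, []
    for name in names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
            # set_ciphers() only governs TLS 1.2 and older. TLS 1.3 suites
            # stay enabled whatever the string says, so they are not
            # counted as a match for it.
            matched = [c["name"] for c in ctx.get_ciphers()
                       if c["protocol"] != "TLSv1.3"]
        except ssl.SSLError:
            # OpenSSL could not select any cipher for this string.
            matched = []
        if matched:
            usable[name] = matched
        else:
            rejected.append(name)
    return usable, rejected


def tls13_suites():
    """TLS 1.3 suites this build offers; empty if it has no TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] == "TLSv1.3"]


if __name__ == "__main__":
    # Constructed sample input, as it might arrive from a config line.
    sample = ["ECDHE-RSA-AES256-GCM-SHA384", "HIGH", "NOT-A-REAL-CIPHER"]
    usable, rejected = check_cipher_names(sample)
    for name, suites in usable.items():
        print(f"ok      {name}: {len(suites)} suite(s)")
    for name in rejected:
        print(f"reject  {name}: not selectable with {ssl.OPENSSL_VERSION}")
    print("TLS 1.3 suites in this build:", tls13_suites() or "none")
```

The output differs from host to host, which is the point made in the message: the set of valid names depends on the OpenSSL build, the distro and the local configuration.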