On Fri, Mar 1, 2019 at 11:39 PM Gary E. Miller via devel <devel@ntpsec.org> wrote:
> Not complete security, but at least encryption. And there are
> levels of validation. If you are off net, you can't completely
> validate the cert, but you can partially validate it. Maybe you
> would want to pin it.
Encryption doesn't work without authentication; a MitM can cause you to negotiate keys with *him* instead of the endpoint you think you're communicating with. You can skip the notBefore/notAfter constraints under the circumstances described in the RFC. Otherwise, either do full validation or don't bother with NTS at all. Pinning counts as full validation.

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
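As an added example (not code from this thread or from NTPsec), the acceptance policy the reply describes, written in Go against the standard library: a pinned key counts as full validation; otherwise the chain and the server name must validate, and only the notBefore/notAfter check is relaxed while the local clock is unsynchronised (treating an unsynchronised clock as the circumstance the reply refers to is an assumption here, as are the function names and the throwaway self-signed certificate used as input).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// spkiPin: base64 SHA-256 of the SubjectPublicKeyInfo, the usual pin format.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyNTSKEPeer: proceed only if the leaf matches the pinned key (pinning counts
// as full validation) or its chain validates for host against roots. Only the
// notBefore/notAfter check is relaxed, and only while the clock is unsynchronised.
func verifyNTSKEPeer(leaf *x509.Certificate, roots *x509.CertPool, host, pin string,
	now time.Time, clockSynced bool) error {
	if pin != "" && pin == spkiPin(leaf) {
		return nil
	}
	opts := x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now}
	if !clockSynced {
		// No trustworthy "now": judge the dates at the leaf's own notBefore.
		opts.CurrentTime = leaf.NotBefore
	}
	_, err := leaf.Verify(opts) // chain, name and (possibly relaxed) dates
	return err
}

// makeSelfSigned builds a throwaway self-signed server cert for host
// (constructed test data, not a real CA).
func makeSelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate that is neither pinned nor chained to a trusted root is refused for the same name, which is the MitM case the reply warns about.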