Yo Daniel! On Sat, 2 Mar 2019 09:40:30 -0500 Daniel Franke <dfoxfra...@gmail.com> wrote:
> On Fri, Mar 1, 2019 at 11:39 PM Gary E. Miller via devel
> <devel@ntpsec.org> wrote:
> > Not complete security, but at least encryption. And there are
> > levels of validation. If you are off net, you can't completely
> > validate the cert, but you can partially validate it. Maybe you
> > would want to pin it.
>
> Encryption doesn't work without authentication; a MitM can cause you
> to negotiate keys with *him* instead of the endpoint you think you're
> communicating with.

Yes, but you seriously reduce the attack time window. Instead of a
possible MitM every few seconds, you need to grab the one time the
cookies are shared.

> You can skip the notBefore/notAfter constraints under the
> circumstances described in the RFC.

Which should be a config option.

> Otherwise, either do full
> validation or don't bother with NTS at all. Pinning counts as full
> validation.

I'd be happy if we had per host pinning instead of "noval".

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
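The three policies argued over above (a per-host pin accepted as full validation, a full chain check, and skipping notBefore/notAfter as a config option), as an added example in Go against the standard library; this is not code from the thread or from ntpsec. validateNTSServerCert, spkiPin and newSelfSignedCert are assumed names, and the constructed self-signed certificate stands in for a real server chain. Go's verifier has no switch to ignore validity dates, so the skipTime path evaluates the chain at an instant inside the leaf's own window, an approximation rather than the RFC's procedure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin: base64(SHA-256(SubjectPublicKeyInfo)); pins the key, not the cert.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// validateNTSServerCert: a per-host pin is accepted as full validation; otherwise
// a full chain check against roots, ignoring the leaf's validity window if skipTime.
func validateNTSServerCert(cert *x509.Certificate, host string, roots *x509.CertPool,
	pins map[string]string, now time.Time, skipTime bool) error {
	if pin, ok := pins[host]; ok {
		if spkiPin(cert) != pin {
			return errors.New("SPKI pin mismatch for " + host)
		}
		return nil
	}
	if roots == nil { // nil Roots would mean "use system roots" to Verify; refuse instead
		return errors.New("no trust store and no pin for " + host)
	}
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now}
	if skipTime { // Go has no "ignore validity" switch: evaluate inside the leaf's window
		opts.CurrentTime = cert.NotBefore.Add(time.Second)
	}
	_, err := cert.Verify(opts)
	return err
}
// newSelfSignedCert builds a constructed server cert that doubles as its own root
// (assumed test helper, not how a real NTS-KE server is provisioned).
func newSelfSignedCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```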
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel