Yo Hal!

On Wed, 27 Mar 2019 15:57:16 -0700
Hal Murray via devel <devel@ntpsec.org> wrote:

> Richard Laager said:
> > Does NTS with noval actually buy us anything over plain NTP?
>
> It's handy for debugging.

Yes. Otherwise NTPsec could not have reached 100% at the hackathon. That would have been bad...

> It breaks security if the bad guy can do a MITM.

Only if the cert is not pinned. Pretty much everything else I do with certs eventually requires pinning. NTPsec will be no different.

> I was thinking along the same lines. Should we have a command line
> switch, say "--secure", that requires nts (without noval) or shared
> key on all servers? Or make that the default, and require --insecure
> for testing.

I could see the use for --insecure. --secure does not need an option, it should be the default.

The problem with command line options is that systemd makes them harder to change than before. It should prolly be an ntp.conf option. But then it just duplicates "noval".

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin