What's the right way to think about how security fits into our priorities? How should we use that to prioritize our work?
Should we split this discussion into NTP and TLS/KE?

Eric wants to convert our current code base to Go. In terms of security, how does that compare with getting our code running on Windows? How do we think about that sort of trade off?

There is another feature we need. The current code wakes up every second. That's evil if you want to save battery power. How important are laptops?

Our code doesn't do OCSP. How important is that? Alternatives? [One example I looked at cached the answer for a week. How does that fit into security?]

One of the attack modes with TLS is that one of the CAs on a distro's root cert list gets compromised, either due to company incompetence or state level arm twisting. How important is it to restrict the root CAs? Do we need features/code on the NTP package for that? [We have a ca option on the server command. I think we need a script to tell somebody which root CA a site is using.]

--
These are my opinions. I hate spam.