I think I've figured out why I think my knob is interesting. For the web, there are zillions of clients, most non-technical. A client is likely to connect to many servers, often new/different ones on different days. It all has to just work, straight out of the box.
For NTS-KE, an at least somewhat technical admin sets things up. A client will only ever contact the few servers that are explicitly configured by the admin.

The S in NTS-KE is security. It seems reasonable to me for the admin setting things up, or at least some of them, to be willing to spend a bit of time making things more secure. My knob is a tiny step in that direction.

I think we need a man/web page to cover this area. What can an admin do to make things more secure?

I'm far from a security wizard. The biggest risk that I can see is the root server collection that comes packaged with most distros. We should be able to write a script that figures out what cert in the root collection each server needs. I've poked a bit in that area, but don't have a recipe yet.

---------

Note that NTS doesn't tell you anything about the quality of the time you will get, just that you will get it (probably) from the site you expect to get it from rather than from a bad guy doing some sort of MITM attack.

--
These are my opinions. I hate spam.
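
One way to do the root lookup described in the message above, added here as an example (not part of the original post and not NTPsec code): for each root certificate file in a directory, check whether that root alone validates the server's chain. The function names, the one-root-per-file directory layout and the generated test certificates are assumptions constructed for the example.

```shell
#!/bin/sh
# find_root CHAIN_PEM ROOT_DIR
# CHAIN_PEM: the server's certificate chain, leaf first, as saved from the
#            NTS-KE TLS handshake.
# ROOT_DIR:  directory holding one root certificate per *.pem file (assumed layout).
# Prints the file name of every root that validates the leaf on its own.
find_root() {
    chain=$1; rootdir=$2
    empty=$(mktemp -d)
    for root in "$rootdir"/*.pem; do
        # Point the default trust locations at an empty directory so that
        # only $root is trusted; -untrusted supplies any intermediates
        # that the server sent along with its leaf certificate.
        if SSL_CERT_DIR=$empty SSL_CERT_FILE=$empty/none \
           openssl verify -CAfile "$root" -untrusted "$chain" "$chain" \
               >/dev/null 2>&1; then
            basename "$root"
        fi
    done
    rmdir "$empty"
}

# make_demo DIR
# Builds constructed test data: two throwaway roots and a server
# certificate signed by the second one. Nothing here is a real CA.
make_demo() {
    d=$1; mkdir -p "$d/roots"
    for ca in rootA rootB; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed $ca" \
            -keyout "$d/$ca.key" -out "$d/roots/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nts.example.invalid" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -days 2 \
        -CA "$d/roots/rootB.pem" -CAkey "$d/rootB.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo"
echo "server.pem needs: $(find_root "$demo/server.pem" "$demo/roots")"
```

The root file this reports for a server is the one an admin would keep trusted for that server instead of the whole packaged collection.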