Yo Richard!

On Thu, 28 Mar 2019 18:43:15 -0500 Richard Laager via devel <devel@ntpsec.org> wrote:

> You've mentioned DANE a couple of times. I've been mostly ignoring
> that, as I was discussing manually pinning in ntp.conf.

Bad idea. We are both discussing manual pinning in ntp.conf.

> Do we want to support DANE? If so, instead of or in addition to manual
> pinning in ntp.conf?

Nope. At least not for a long time.

I bring up DANE because it is very well documented, well understood, and well deployed. Even ntpsec.org uses it.

The DANE people thought of all the different ways you might want to do the hash and what gets hashed. That hash, with its options of hash type and what is hashed, can go in DNS, or just in the ntp.conf file. So 90% of the RFC can be the template for what goes in ntp.conf.

Oh, just to make this fraudulent cert thing real, I'll remind everyone of when someone got a valid *.google.com cert:

https://www.esecurityplanet.com/browser-security/fraudulent-ssl-cert-for-google-revoked.html

A simple google will bring up many other serious events.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
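The message above leans on DANE (RFC 6698) for the "what gets hashed, and with which hash" choices of a certificate pin. The following is an added illustration, not code from the NTPsec project or this thread: it parses a TLSA-style pin string (usage, selector, matching type, hex data), computes the certificate association data the way RFC 6698 defines it, and checks a presented certificate against the pin. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER, and the pin-string syntax is RFC 6698 presentation format, not any ntp.conf syntax.

```python
"""Added example: RFC 6698 TLSA selector / matching-type semantics applied
to a pinned certificate. Not code from NTPsec or the mailing-list thread.
The certificate and SPKI byte strings below are constructed placeholders."""
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 selector values: what part of the certificate is matched
SELECTOR_FULL_CERT = 0   # the entire DER-encoded certificate
SELECTOR_SPKI = 1        # only the DER SubjectPublicKeyInfo

# RFC 6698 matching type values: how the selected bytes are compared
MATCH_EXACT = 0          # association data is the raw selected bytes
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TlsaRecord:
    usage: int           # 0..3; 3 = DANE-EE, a direct end-entity pin
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(text: str) -> TlsaRecord:
    """Parse presentation format: '<usage> <selector> <mtype> <hex-data>'."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields: usage selector mtype data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown usage, selector or matching type")
    return TlsaRecord(usage, selector, mtype, bytes.fromhex(fields[3]))


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, mtype: int) -> bytes:
    """Compute the 'certificate association data' for the given options."""
    presented = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if mtype == MATCH_EXACT:
        return presented
    if mtype == MATCH_SHA256:
        return hashlib.sha256(presented).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(presented).digest()
    raise ValueError("unsupported matching type")


def matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the presented certificate satisfies the pin (constant-time compare)."""
    expected = association_data(cert_der, spki_der, record.selector, record.matching_type)
    return hmac.compare_digest(expected, record.data)


def make_record(usage: int, selector: int, mtype: int,
                cert_der: bytes, spki_der: bytes) -> str:
    """Produce the presentation string an operator would paste into a pin."""
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex()}"


def check(pin_text: str, cert_der: bytes, spki_der: bytes) -> bool:
    return matches(parse_tlsa(pin_text), cert_der, spki_der)


# Constructed sample inputs (placeholders, not real DER structures)
GOOD_SPKI = b"constructed-spki-of-legitimate-server-key"
GOOD_CERT = b"constructed-der-cert-containing:" + GOOD_SPKI
RENEWED_CERT = b"constructed-renewed-der-cert-same-key:" + GOOD_SPKI
ROGUE_SPKI = b"constructed-spki-of-misissued-cert"
ROGUE_CERT = b"constructed-der-cert-containing:" + ROGUE_SPKI

# A DANE-EE pin on the SPKI hash: survives certificate renewal with the same key
SPKI_PIN = make_record(3, SELECTOR_SPKI, MATCH_SHA256, GOOD_CERT, GOOD_SPKI)
# A DANE-EE pin on the full certificate: breaks on renewal, even with the same key
CERT_PIN = make_record(3, SELECTOR_FULL_CERT, MATCH_SHA256, GOOD_CERT, GOOD_SPKI)

if __name__ == "__main__":
    print("spki pin:", SPKI_PIN)
    print("legitimate cert:", check(SPKI_PIN, GOOD_CERT, GOOD_SPKI))
    print("renewed cert, same key:", check(SPKI_PIN, RENEWED_CERT, GOOD_SPKI))
    print("misissued cert, other key:", check(SPKI_PIN, ROGUE_CERT, ROGUE_SPKI))
    print("full-cert pin after renewal:", check(CERT_PIN, RENEWED_CERT, GOOD_SPKI))
```

The two pins show why the selector choice matters for an operator: a SPKI pin (selector 1) keeps working when a server renews its certificate with the same key, while a full-certificate pin (selector 0) must be updated at every renewal; in both cases a certificate issued for a different key, such as a misissued one, fails the check.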