On 12/13/2011 11:56 PM, Dave Hart wrote: > Again you seem to be ignoring the point that a generic policy to avoid > MD5, or SHA1, is probably not applicable to NTP's use of those > algorithms. Fine, I'm not going to beat that drum anymore.
No, you are ignoring the point that when the government says don't use MD5 or some other hashing algorithm in any software provided to the government, you can't use it and you have to find a replacement for it. Worse still some governments may say that you cannot use algorithm X. Saying that it is probably not applicable is like sticking your head in the sand; it doesn't solve the underlying problem. > > You are mistaken in assuming ntpd detects the algorithm based on the > digest size. The algorithm is configured into both sides and not > communicated on the wire at all for symmetric authed NTP. > That assumes a lot, including the fact that each server communicating with an single host may want to use different algorithms. Not signalling which one is being used is a really bad idea and a very poor design. Danny _______________________________________________ TICTOC mailing list [email protected] https://www.ietf.org/mailman/listinfo/tictoc
