Re: [Dtls-iot] Secure Time (again)

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 11 August 2015 10:34 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4E481A802A for <dtls-iot@ietfa.amsl.com>; Tue, 11 Aug 2015 03:34:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qWJVAF2gadME for <dtls-iot@ietfa.amsl.com>; Tue, 11 Aug 2015 03:34:32 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8CCD1A8028 for <dtls-iot@ietf.org>; Tue, 11 Aug 2015 03:34:31 -0700 (PDT)
Received: from [192.168.131.134] ([80.92.114.74]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0MEFIm-1Za9Ur0wLw-00FV9g; Tue, 11 Aug 2015 12:34:29 +0200
Message-ID: <55C9CFB4.5070702@gmx.net>
Date: Tue, 11 Aug 2015 12:34:28 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Michael StJohns <msj@nthpermutation.com>, dtls-iot@ietf.org
References: <55C4D1CE.6010802@gmx.net> <55C79A90.5070900@nthpermutation.com>
In-Reply-To: <55C79A90.5070900@nthpermutation.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="mx9fmVtWbxWj7tKjLXX9FwoOp5aWORdFP"
X-Provags-ID: V03:K0:EY/OvBlB1QWjiZFpBkkvdpivMIMGQ91n7SRo2FOwdTR3/MVrGOe Gsa+Q+ChO4un7lgjGK+FFzEaqjYF5LmA25CmtUwJtL09KDDBsul5DVHDqMFk0lIQ6E2AZ34 RM5zyprPmx1ctzlJAPzeC7p0hoG8XMd8qtarlOvbDXZ1euTDnGeV2OxFNxAuBuQ54wFZKQS 6zKLkll2HIK3M8P55cIoA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:NRkUc4EG4KY=:quPu+jVkWkldcsIkrF/tJw 5vESwbRP18khNfEpxr13fvKGkUtys6/UeLNDgE+6YxQLgS6oXBcp42Ylf0l3j8IdOdg+2nOcM ORERREUiLUo98RKIvrYy96VW2nfdsrQ6VNBZsvOhC6RvjzP4P5Kv11+MYNPWa/BaDkOA5S1zU /GnZicStpY7VjNb1vKbZru9G3Tda4naxVNXhUBGITPk57xwTnyqJ14kpxOPO396CYOs5nUVOB t/lC7QT/MFx/u6av8RpolYiTrsv65EmgmK/IM9wkLQN4elWvDPqtRfU+NcpPRYWiaCscybfsl ToK7rodCKQmxhgSDoEf8mmZl8qf/wzSx++7YnMjBWBVX9h19wI8CgPkB7Bfb8VXHZANehWzft oF2QyvObG7yPA8pxJHR9gGqv372r2KbCqeGvA93QG1+h17p5Od/3FmG8kfAVUAZf/k2oSbx+g EDDBoQrDYFF3UWdCdQViEkVK1OItNiSlSHyiGpULUuytZPbTMp8YlvtgR6DqGvTLSsrt53ydF qKWIj9f9BR70cLQX5d1N4otGGbvkgdZXZi5OvPF+RJcx3MW4O+IR6fmogUx5+JBNN2LfJW/DD W1R/16uElfYzJ/5YqECn4696VWBuQvMFiI1qLZj+Cif3GxiFeTk1YqULTChcvqznE79uldWWq r2zKgPpKQELwQ/de3nvzSSoNDihnuBBUFpnFndPAbnrS+/O4Q8IO3iTPVNtMRc7UNYv7637GH gdrrnGIbW09h4pMJ
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/GsQou8PMDfZ64WfFr5NFeet0Trs>
Subject: Re: [Dtls-iot] Secure Time (again)
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 10:34:33 -0000

Hi Mike,

yes, there have been discussions about removing this server-provided
time information in TLS 1.3.

Although the current profiles focus on TLS 1.2 this might cause some
problems in the future.

Ciao
Hannes


On 08/09/2015 08:23 PM, Michael StJohns wrote:
> On 8/7/2015 11:42 AM, Hannes Tschofenig wrote:
>> It turns out that TLS has a way to communicate time information from the
>> server to the client as part of the ServerHello message. Of course, it
>> is not a good idea to trust every server when they return time
>> information since this allows an adversary to trick the client into
>> accepting an expired certificate.
> 
> I think this has been deprecated and removed for TLS1.3?
> 
> Mike
> 
> _______________________________________________
> dtls-iot mailing list
> dtls-iot@ietf.org
> https://www.ietf.org/mailman/listinfo/dtls-iot