Re: [Ntp] Antw: Re: [EXT] Danny's Review (was Re: draft‑ietf‑ntp‑roughtime‑05: tag change makes implementation more complex)

Watson Ladd <> Thu, 07 October 2021 02:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DC10C3A0965 for <>; Wed, 6 Oct 2021 19:43:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Rmw-AQrov84B for <>; Wed, 6 Oct 2021 19:43:35 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9322E3A0938 for <>; Wed, 6 Oct 2021 19:43:35 -0700 (PDT)
Received: by with SMTP id d8so17191885edx.9 for <>; Wed, 06 Oct 2021 19:43:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ep8biGgyC7GVt1JRhC+lRD+S0STMHIoIEhflPyAfZYg=; b=lxyQiOGRv6QN/2/maIwNnwR3FYW/q81atVm8mFdr773D23ygkcr+v2nPg+GD7ZLAF7 HAtGRQNgoi0yQoQi/VkR0Z/Sm7QaUuQhFn5BFnDUJVLxIrOxCZDfyrVTjXH3NMmyneP/ poM2Odnf31beMQ2+lWYuAEXBvOCcG1ZMl8k0x8koTmn3QAyLiiuwkPG944rpXxXlPNw/ GII8TQsfDmr4nj1fih4DG3SIO36PvSjlSr6ZGdUrlypmCkgYrB7lVJSqSgI5PiqKVHjy U8wn3mr7xLKLLeluo1yX59Cugz6xajw+ytSVDcRWE9CoFx7lwbaFRzXarFqMK/Pjd3Po uE2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ep8biGgyC7GVt1JRhC+lRD+S0STMHIoIEhflPyAfZYg=; b=UALBIBvN44LqkYbgdyeeCvroJiy5hiU57eaJWMOVUhO6U/uBhDL7qIRYXts4QSB/R4 6qf++2z3HpiQFrFa5Q1hRViOTsEWGRIMMZ4YBGApndZJjEUxVn15tL+hyNVQgsgq9+Se 3n2cTRHHyIGAXBQg+Z06zgoxIXR5Fbnr1Z69m9bEe/U/5xppsexlsz61wOgrgQhMN5vG cnKeCwt8z49J21iaNIr7LSy5l/9S3Vye8q9fAYyFp63B/J42KrctEtCWfjmD6UGVl5NG uX/ne+TbRilPZpbyav9PmXI1qrXy/vgHAZHvhHgmoHWGOtasWJsmNlCetV5PxQuQZJxi W3Wg==
X-Gm-Message-State: AOAM533W1ILhEOWWoVbjI5rdmapdhzQ0z+tQtQ6Fd5x705nIUX0dJuWJ pKBPBEZPqToUWIrEvP0exuGBgyU4kbDMvr978GA=
X-Google-Smtp-Source: ABdhPJyM9osbl8I/pXdjYaSLYOsgdGnMKyXi2jIsNf/74M/TniW7WpNBjV5x0FVWYna/Z1iLfvXTgin3NbnD8SEzXuw=
X-Received: by 2002:a50:cf0d:: with SMTP id c13mr2518192edk.269.1633574613537; Wed, 06 Oct 2021 19:43:33 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Watson Ladd <>
Date: Wed, 6 Oct 2021 19:43:21 -0700
Message-ID: <>
To: "Salz, Rich" <>
Cc: Danny Mayer <>, Ulrich Windl <>, "" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Ntp] =?utf-8?q?Antw=3A_Re=3A_=5BEXT=5D_Danny=27s_Review_=28was_?= =?utf-8?b?UmU6IGRyYWZ04oCRaWV0ZuKAkW50cOKAkXJvdWdodGltZeKAkTA1OiB0YWcg?= =?utf-8?q?change_makes_implementation_more_complex=29?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Oct 2021 02:43:40 -0000

On Tue, Oct 5, 2021 at 9:10 AM Salz, Rich <> wrote:
> >    That was my point. You can put an ID into the protocol to reference the
>     hashing algorithm used which references an ID maintained by IANA. That
>     way the protocol doesn't change if you need to replace the protocol.
>     It's okay to reference a minimum required protocol in the document
>     provided that can be updated if the algorithm becomes compromised. I'm
>     sure you can find a list of supported hashing algorithms on IANA.

I think it's important to understand the reality of negotiation. We
have to have roughtime 1 and roughtime 2: Clients that support both
can discover what a server supports and use the highest supported

Now if we say that we must have Hash X and Hash Y we must then have
another negotiation mechanism. But why? If hash X is broken, define
roughtime 2, exactly the same as roughtime 1 but with X replaced by Y.
In TLS we've found that it is very difficult to make negotiation work,
and that using a single well-trod mechanism is better than a wide
variety. Why do we need both Hash X and Hash Y? We don't. If a signer
is signing data hashed with hash X and hash Y is that secure? It's not
usually considered! Now, if there is a good reason SHA-256 would be
preferable we can use it.

While TLS supports a lot of junk, in practice people would like to
support very few ciphersuites, and only 3 signature algorithms are
permitted for the Web PKI. For Roughtime it's essential to maximize
compatibility between servers, clients, and auditors and having
versioning is necessary. Additional extension points for the core of
signing and verifying time correctness run the risk of fragmentaton.
Furthermore what we've seen with TLS is that configurable, pickable
suites lead to persistence of bad choices, and aren't understood.

Watson Ladd

Astra mortemque praestare gradatim