Re: [Ntp] Of Roughtime's algorithm agility, and host attestation

Robert Nagy <rob@deepdivenetworking.com> Sat, 27 July 2019 03:05 UTC

From: Robert Nagy <rob@deepdivenetworking.com>
Message-Id: <3C2EBBE8-3970-4B8C-BFE4-BB7F247EF7C3@deepdivenetworking.com>
Date: Fri, 26 Jul 2019 22:05:31 -0500
References: <07725d0b-74ec-ec92-70fe-e27f0c4eee8c@gmail.com> <1564190434519110001_8FF0F819-5F81-41B3-A7F1-B4E97E22E0F7@akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
In-Reply-To: <1564190434519110001_8FF0F819-5F81-41B3-A7F1-B4E97E22E0F7@akamai.com>
Cc: Thomas Peterson <nosretep.samoht@gmail.com>, "ntp@ietf.org" <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/8xH99kaJh3TJN44jCMmG348u4R0>

This seems within the use case of the already existing TLSA records in DNS. Unless I missed something. 

Robert Nagy
CEO/ Senior Dive Master
DeepDive Networking, Inc
C: 408.480.5133
www.deepdivenetworking.com


Sent from my iPhone

> On Jul 26, 2019, at 8:20 PM, Salz, Rich <rsalz@akamai.com> wrote:
> 
> 
>> To answer the first point, one suggestion by Erik Klein[0] is to create
>> a new DNS RR type that includes the long term certificate of the
>> Roughtime server.
> 
> Look at https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-00 which attempts to provide various useful information. One possibility is a "cert digest" field.  Certs are generally too big for DNS, only keys appear.
> 
> For crypto types, re-use an existing registry and profile it to make things MUST NOT.  There are various options, including TLS, JOSE, etc. 
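As an added illustration of the TLSA suggestion in Robert's reply (this is not code from the thread), the following shows the RFC 6698 record layout: how a publisher derives the association data for a key, and how a client checks a certificate and its SubjectPublicKeyInfo against a TLSA RRset. The DER inputs are constructed stand-ins; a real client would take them from the TLS handshake.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample inputs: stand-ins for a server's DER certificate and its
# SubjectPublicKeyInfo; a real client would take both from the TLS handshake.
SAMPLE_CERT_DER = b"constructed-certificate-der"
SAMPLE_SPKI_DER = b"constructed-subjectpublickeyinfo-der"

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo only
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data

def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse 'usage selector mtype hex...' (RFC 6698 section 2.2); whitespace may split the hex."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        raise ValueError("TLSA field out of range")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what the record's data field must equal for this certificate/key."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 0:
        return selected
    algo = "sha256" if rec.matching_type == 1 else "sha512"
    return hashlib.new(algo, selected).digest()

def tlsa_for(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Publisher side: emit the presentation form of a record for this cert/key."""
    rec = TLSARecord(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(rec, cert_der, spki_der).hex()}"

def matches_rrset(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: accept if any record in the TLSA RRset matches (RFC 6698 section 2.1)."""
    return any(association_data(r, cert_der, spki_der) == r.data
               for r in map(parse_tlsa, rrset))

# Usage: a DANE-EE / SPKI / SHA-256 record ("3 1 1") pins only the key, so it stays
# valid across certificate re-issuance as long as the key itself is unchanged.
RRSET = [tlsa_for(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)]
```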