[Ntp] Getting started using NTS -- clock accuracy vs certificates
Hal Murray <halmurray@sonic.net> Fri, 29 July 2022 18:11 UTC
Return-Path: <halmurray@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9035BC157B3A for <ntp@ietfa.amsl.com>; Fri, 29 Jul 2022 11:11:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UXzs7vgG6X_C for <ntp@ietfa.amsl.com>; Fri, 29 Jul 2022 11:11:21 -0700 (PDT)
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41F54C14CF1D for <ntp@ietf.org>; Fri, 29 Jul 2022 11:11:21 -0700 (PDT)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (107-137-68-211.lightspeed.sntcca.sbcglobal.net [107.137.68.211]) (authenticated bits=0) by c.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 26TIBJmB010786 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Fri, 29 Jul 2022 11:11:20 -0700
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id A49C928C1CA; Fri, 29 Jul 2022 11:11:19 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7.1
To: ntp@ietf.org
cc: Hal Murray <halmurray@sonic.net>
From: Hal Murray <halmurray@sonic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 29 Jul 2022 11:11:19 -0700
Message-Id: <20220729181119.A49C928C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVaz8dvN5sa3IrO1A2ZkNnio3/fHMLiLumhGn+9gAHOs4U/Ki7+Ks00yVj48y1jvBjmWFoIRqPQuuLfryRRoO3umT0Vp7nuXKj8=
X-Sonic-ID: C;4BOe2GkP7RGgN/U2He8XJw== M;0vfH2GkP7RGgN/U2He8XJw==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/9FfL38g7tFz5GAB_cV65yteavmA>
Subject: [Ntp] Getting started using NTS -- clock accuracy vs certificates
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2022 18:11:25 -0000
Checking certificates requires that the clock be close enough. How close is that? Assume you have an embedded system without a battery backed clock. Assume it has something like fake-hwclock that stores the time in a file and restores it on booting. So the clock is within an hour of the last time the system was running. https://manpages.debian.org/stretch/fake-hwclock/fake-hwclock.8.en.html What happens if the system sits on the shelf for a month? The system will try to verify certificate chains with a clock that is a month out of date. Do certificate geeks consider that case? When they setup a new certificate, do they back-date the starting time or just use "now"? If not, then the max clock error is the time since the certificate was issued. Has this issue come up in other contexts? Is there a good description of the problem that I can refer to? Should we consider things like coordinating certificate updates so that the update times are staggered? Lets-encrypt certificates are only good for 90 days. So there is a 1/3 chance one of their certificates will be too-new if a system has been sitting on the shelf for 30 days. (Probably a bit more since the operator won't wait until the last minute to renew the certificate.) ------- There is also DNSSEC. -- These are my opinions. I hate spam.
- [Ntp] Getting started using NTS -- clock accuracy… Hal Murray
- [Ntp] Antw: [EXT] Getting started using NTS ‑‑ cl… Ulrich Windl
- Re: [Ntp] Getting started using NTS -- clock accu… Miroslav Lichvar
- Re: [Ntp] Getting started using NTS -- clock accu… Hal Murray
- Re: [Ntp] Getting started using NTS -- clock accu… Miroslav Lichvar
- Re: [Ntp] Getting started using NTS -- clock accu… Salz, Rich
- Re: [Ntp] Getting started using NTS -- clock accu… Marcus Dansarie
- Re: [Ntp] Getting started using NTS -- clock accu… Danny Mayer
- Re: [Ntp] Getting started using NTS -- clock accu… Salz, Rich
- Re: [Ntp] Getting started using NTS -- clock accu… Danny Mayer
- Re: [Ntp] Getting started using NTS -- clock accu… Miroslav Lichvar