[Ntp] Google Roughtime Comments
Ben Laurie <benl@google.com> Wed, 30 November 2022 16:08 UTC
Return-Path: <benl@google.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28439C152710 for <ntp@ietfa.amsl.com>; Wed, 30 Nov 2022 08:08:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.597
X-Spam-Level:
X-Spam-Status: No, score=-22.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nJvMrnMLQF3w for <ntp@ietfa.amsl.com>; Wed, 30 Nov 2022 08:07:59 -0800 (PST)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B8E8C1522BC for <ntp@ietf.org>; Wed, 30 Nov 2022 08:07:59 -0800 (PST)
Received: by mail-yb1-xb35.google.com with SMTP id 7so22135057ybp.13 for <ntp@ietf.org>; Wed, 30 Nov 2022 08:07:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=/5U1vr6qS+EX4Co9kKVp1ulI6KVyPkA3Ji4itPwGLsg=; b=Sbs9iEdp+FQ8KpH4F+601CnyQmWy7Zq3i5EjAJKaG0jDnnq4FJWT/TkO8wHkrDY48k TTr6tp06K5ccEjcEH2PAgdfYO8Px3CHqTkB+6qzVoc91ih8kYbyGdoggdGs3Tg3RZfmd o56jZm+UpzgjvWeBzSS/Ur/oxEmgsug3aR7qBF1IYo80BlhASzUDorhmQ+i5HkFnv+1e t0ccPea9HKw3KFU88SI/HzIZRFx6V2Jdrd1knLoiQyXMJVj/QL9gPYDXIs3a8/XkZ0oT G/oK4smjFWTapVlvxC0JUUNKwdBRay6k/zncp6+MQjWRvBWhcvD+jc65mMLf75Sxr/ZL YB0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=/5U1vr6qS+EX4Co9kKVp1ulI6KVyPkA3Ji4itPwGLsg=; b=iVZ7mjyGSYIb+6CFb4198gM3Rv6Q9FLByMUmhKSuWC1CW2CNyfLaWrtIWA7DSkiWm8 OXLadWeJOmtx5vALgm67G3CaxUwUbFeIZBkvzMJs7SX8ha3xyyZ38JGk/G2qYUl+iuKC RB1Au9fBn/0ehIm7/zIZwdQ/UFQR8izitPmSSJhbGjWPR0ndZo4vMjMgxQOw/hTJGrqM dIQ+z18zDFZwoEUr4rSpNCxR3PCf/5dJs7rEHMXsHeyCrWg7i6YHhRnoIjuQCQrEVKjk /bRcu2g/ouS0cVIUi9jPKKpvK53Nw0h1m2umEjxIpkqApg9hpeLzn3x1OqedcevGMghP t9Vw==
X-Gm-Message-State: ANoB5pnJNbPW2QBqvMLYicbcyzOFqImTH35DcHvIUxpkfwis3Lw8Wb4l LOMY8ugwow1LX27CEz86TDQF+5PrEILXGOMzrwomtgSOwd+G1tZJ
X-Google-Smtp-Source: AA0mqf4p94eIQxDIrkWwskfTDlmIgAiIE7fjnJm2RTtLBKp8GFVbOHjxg8Zj2P0CCtmDO/Sx6Pc+skey7jkkTHMHDQM=
X-Received: by 2002:a25:8e0f:0:b0:6f8:2968:b6a5 with SMTP id p15-20020a258e0f000000b006f82968b6a5mr11515887ybl.492.1669824477507; Wed, 30 Nov 2022 08:07:57 -0800 (PST)
MIME-Version: 1.0
From: Ben Laurie <benl@google.com>
Date: Wed, 30 Nov 2022 16:07:45 +0000
Message-ID: <CABrd9SRr=Dka9y6mRdefOrt0mEm-j99=TKoRZ+rdKX=W1MKA-g@mail.gmail.com>
To: ntp@ietf.org, Ceri Coghlan <cdriskill@google.com>, Hayden Blauzvern <hblauzvern@google.com>, Asra Ali <asraa@google.com>, Razieh Behjati <razieh@google.com>, Sarah de Haas <dehaass@google.com>
Content-Type: multipart/alternative; boundary="000000000000d21c3905eeb24e17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Ofe0blVqpcz2ZMj_7q6QgsLLc1E>
Subject: [Ntp] Google Roughtime Comments
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2022 16:08:03 -0000
At the meeting in London I said I'd send our comments on the Roughtime I-D. Apologies for the delay, but here they are - the original authors are copied in case of discussion. By way of introduction, we represent several security focused teams in google who are particularly interested in the Roughtime draft: https://datatracker.ietf.org/doc/html/draft-ietf-ntp-roughtime. Time is important to security protocols in general, and Roughtime potentially provides a system of accountability that would be very interesting for us. In particular the properties of verifiability and diversification of trust are key for our use cases. We have a few bits of feedback on the current draft and are keen to progress to the draft to RFC: [Ceri] The introduction states that “the Roughtime protocol provides cryptographic proof of malfeasance, enabling clients to detect and prove to a third party a server's attempts to influence the time a client computes” but the mechanism by which clients detect this malfeasance, chaining Roughtime requests/responses, is not described in this paper. To prove the thesis of the paper, a description of how clients accomplish chaining and how they can detect malfeasance within the chain should be included since those are essential parts of the protocol’s usage. Examples of what clients do once they detect malfeasance would then fit well into the separate Roughtime ecosystem paper. [Hayden] Section 6.3 describes the use of a Merkle tree in the response. Merkle trees are used to allow the server to batch requests while providing an efficient format for clients that consume the request. This is not clear from the description in 6.3 however, and I would propose adding in more details from blogposts such as https://int08h.com/post/to-catch-a-lying-timeserver and https://blog.cloudflare.com/roughtime. [Hayden] The I-D mandates the use of Ed25519 due to the signature size and efficiency in computation of the signature. Roughtime server operators may have other requirements on key usage however, and may prefer to use different signature schemes. I would propose making the signature algorithm configurable by the server. This will also be beneficial when considering post-quantum, as we can simply update the list of recommended algorithms. [Ben] Requiring the signing certificate to be sent in every packet means that some algorithms will not be usable, since their certificates won’t fit, and probably also means it won’t be possible to fit more than one signature in the same packet (though I am not sure there’s a need for this). It might be sensible to instead send a hash of the certificate and have a separate way to request certificates which can then be cached. [Ben] The language around versioning is confusing. The I-D says “The VER tag MUST include at least one Roughtime version supported by the client.” This obviously allows the client to send versions it does not support. Why would a client ever want to do that? I feel like I’m missing something. Also, “The client MUST ensure that the version numbers and tags included in the request are not incompatible with each other or the packet contents.” would seem to require authors of client code to do some deep thinking, possibly incorrectly, to decide whether they will meet these criteria. Given that there is currently only one version defined, perhaps language around what can and can’t be done with versions should be a) more explicit and b) in relation to particular versions - and hence not needed until there actually is more than one version. [Asra] Section 7 describes integrations into NTP and starts to mention applications such as X.509 verification, for example, for short-lived certificates. Like RFC 3161 support in X.509 verification (for proof of signature creation time), it would be interesting to get alignment and/or propose augmenting X.509 verification with Roughtime timestamps. Some considerations would be length of responses and configuration of out of band client trust for Roughtime server public keys, but the benefits would extend for systems already using X.509 PKI.
- [Ntp] Google Roughtime Comments Ben Laurie
- Re: [Ntp] Google Roughtime Comments Watson Ladd