Re: [Ntp] Antw: Re: [EXT] Danny's Review (was Re: draft‑ietf‑ntp‑roughtime‑05: tag change makes implementation more complex)

"Salz, Rich" <> Thu, 07 October 2021 12:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E5F4D3A101B for <>; Thu, 7 Oct 2021 05:56:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KwiR8ubvLJod for <>; Thu, 7 Oct 2021 05:56:32 -0700 (PDT)
Received: from ( [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A3A953A101F for <>; Thu, 7 Oct 2021 05:56:32 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id 197CI4st032684; Thu, 7 Oct 2021 13:56:29 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=w8rueGTBDcVU5Bohd1FNO2N8NJmo9Y07Y5e5F7vNqG0=; b=DBnQySjgRuRA2ZBLnMxlBAaxwnUZf+9wd49tTF94Sln/VtJCbpmGDOEfv2+jyltQgPT8 T2rszI+Io9FvKhVSMHCXB+WCEPi+fdm9YxUEr/Y7lsH5U69FYAPPPVPrpqCepJeoq7qI ozPzvknRflo82VDH5fYKsFd2wvelAFv6gipKRicibVLV7vez0LLgJ7kVi62aZsIWV4qF tMmLhVtIplEpdSdEyTFnO8xANctx9uZOwxk2X2xZj69KjIPy4dilpvAV0DBI8ZyOYjTo urdQanIUfk5q58eq/ydV9tRCl43a4Fw6mOXHoPFt+cwoFpvtf989LrwSMMqbavsGBI0e RA==
Received: from prod-mail-ppoint1 ( [] (may be forged)) by with ESMTP id 3bhjht51nt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 07 Oct 2021 13:56:28 +0100
Received: from pps.filterd ( []) by ( with SMTP id 197CokUQ025831; Thu, 7 Oct 2021 08:56:27 -0400
Received: from ([]) by with ESMTP id 3bgv6tavsh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 07 Oct 2021 08:56:27 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.23; Thu, 7 Oct 2021 08:56:27 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.23; Thu, 7 Oct 2021 08:56:26 -0400
Received: from ([]) by ([]) with mapi id 15.00.1497.023; Thu, 7 Oct 2021 08:56:26 -0400
From: "Salz, Rich" <>
To: Watson Ladd <>
CC: Danny Mayer <>, Ulrich Windl <>, "" <>
Thread-Topic: =?utf-8?B?W050cF0gQW50dzogUmU6IFtFWFRdIERhbm55J3MgUmV2aWV3ICh3YXMgUmU6?= =?utf-8?B?IGRyYWZ04oCRaWV0ZuKAkW50cOKAkXJvdWdodGltZeKAkTA1OiB0YWcgY2hh?= =?utf-8?Q?nge_makes_implementation_more_complex)?=
Thread-Index: AQHXuyUhdUKErBJYbE+4dyeiafIRnavHfy8A
Date: Thu, 7 Oct 2021 12:56:25 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/16.54.21092901
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-10-07_02:2021-10-07, 2021-10-07 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 bulkscore=0 mlxlogscore=999 malwarescore=0 adultscore=0 mlxscore=0 spamscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001 definitions=main-2110070087
X-Proofpoint-GUID: 5ofFMJB2zQB0QSZJx5cUqXlt0U1eL8X2
X-Proofpoint-ORIG-GUID: 5ofFMJB2zQB0QSZJx5cUqXlt0U1eL8X2
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-10-07_01,2021-10-07_02,2020-04-07_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 priorityscore=1501 adultscore=0 impostorscore=0 clxscore=1015 mlxscore=0 bulkscore=0 phishscore=0 lowpriorityscore=0 malwarescore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001 definitions=main-2110070087
Archived-At: <>
Subject: Re: [Ntp] =?utf-8?q?Antw=3A_Re=3A_=5BEXT=5D_Danny=27s_Review_=28was_?= =?utf-8?b?UmU6IGRyYWZ04oCRaWV0ZuKAkW50cOKAkXJvdWdodGltZeKAkTA1OiB0YWcg?= =?utf-8?q?change_makes_implementation_more_complex=29?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Oct 2021 12:56:38 -0000

I think that if you are going to make that argument, you need to make it very clearly and explain why "algorithm agility" does not apply.

At a minimum, why not include the digest identifier in the messages?

On 10/6/21, 10:43 PM, "Watson Ladd" <> wrote:

    On Tue, Oct 5, 2021 at 9:10 AM Salz, Rich <> wrote:
    > >    That was my point. You can put an ID into the protocol to reference the
    >     hashing algorithm used which references an ID maintained by IANA. That
    >     way the protocol doesn't change if you need to replace the protocol.
    >     It's okay to reference a minimum required protocol in the document
    >     provided that can be updated if the algorithm becomes compromised. I'm
    >     sure you can find a list of supported hashing algorithms on IANA.

    I think it's important to understand the reality of negotiation. We
    have to have roughtime 1 and roughtime 2: Clients that support both
    can discover what a server supports and use the highest supported

    Now if we say that we must have Hash X and Hash Y we must then have
    another negotiation mechanism. But why? If hash X is broken, define
    roughtime 2, exactly the same as roughtime 1 but with X replaced by Y.
    In TLS we've found that it is very difficult to make negotiation work,
    and that using a single well-trod mechanism is better than a wide
    variety. Why do we need both Hash X and Hash Y? We don't. If a signer
    is signing data hashed with hash X and hash Y is that secure? It's not
    usually considered! Now, if there is a good reason SHA-256 would be
    preferable we can use it.

    While TLS supports a lot of junk, in practice people would like to
    support very few ciphersuites, and only 3 signature algorithms are
    permitted for the Web PKI. For Roughtime it's essential to maximize
    compatibility between servers, clients, and auditors and having
    versioning is necessary. Additional extension points for the core of
    signing and verifying time correctness run the risk of fragmentaton.
    Furthermore what we've seen with TLS is that configurable, pickable
    suites lead to persistence of bad choices, and aren't understood.

    Watson Ladd

    Astra mortemque praestare gradatim