Re: [openpgp] Dealing with clock skew
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 19 December 2019 14:36 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDE4312083B for <openpgp@ietfa.amsl.com>; Thu, 19 Dec 2019 06:36:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6_dF8rKdS6JK for <openpgp@ietfa.amsl.com>; Thu, 19 Dec 2019 06:36:38 -0800 (PST)
Received: from mail-oi1-f181.google.com (mail-oi1-f181.google.com [209.85.167.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE72B1201CE for <openpgp@ietf.org>; Thu, 19 Dec 2019 06:36:38 -0800 (PST)
Received: by mail-oi1-f181.google.com with SMTP id i1so2848686oie.8 for <openpgp@ietf.org>; Thu, 19 Dec 2019 06:36:38 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K6UK7ZX1UFp9jgJL9yQYwa8FIz44ziUKo6q8w7h3CO4=; b=ZQT+gigdLb3iOdWd9XmosTOzSh+7O30FpXuV/6xB7aZ0+Qd+OEYdQkW0JLRqZ1Wv8Q +OvYoW3Lcpn4Nu2APNd99Fgx7CspnHkBYOcdIXTP12fsGf2Xda+0AVqK/AufhPjy+hAo qahHewkvY7byxzrX1hf+n6dcJQ9z7wNHIoAKxmOjfZJkG3VNJ8t/B6sxTNYdouIQW3Bw dWDyOgDin5hGLfyGq1KPDGusQwSY54X7z9TVDY94kDR1xrfGYvvS+hKFTBw7rHTQ0saK /Qy9GgPO4YWrrT/BCY1K3zIgTygXafB1GrxcGysINhfwCEHCnDZMa2TI12G6cLobTQXs 7qPQ==
X-Gm-Message-State: APjAAAUYItCt7GwQzfccteogDqmKsgUgYzXF836hKsJVauymJ9+VNwn1 i2BXlyHZzSNo6JPnCdr2rGhzDwzycMRtel5jqPQ=
X-Google-Smtp-Source: APXvYqxpeRgevFtgNFWvsN5EwP8Bx6a8vF8GozDVACpDs1di7ZTMxv/M/uIBwYfy1M2V1wXmm52CQoXj+vEIwAisO2U=
X-Received: by 2002:aca:cdd6:: with SMTP id d205mr2200300oig.90.1576766197872; Thu, 19 Dec 2019 06:36:37 -0800 (PST)
MIME-Version: 1.0
References: <87zhgxo0bm.wl-neal@walfield.org> <e91c2197-e7f4-b17a-7c6e-81c6e03a3966@pep.foundation> <E1285219-4AF1-4C92-89D1-38B0D57FBC47@icloud.com> <20191118095001.GM32847@mit.edu>
In-Reply-To: <20191118095001.GM32847@mit.edu>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 19 Dec 2019 09:36:26 -0500
Message-ID: <CAMm+LwjmZw7XP_HSLzMuWU-f4ym=iZLQEsuwaoHeFWO7=EPTKQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Jon Callas <joncallas=40icloud.com@dmarc.ietf.org>, Claudio Luck <claudio.luck@pep.foundation>, IETF OpenPGP <openpgp@ietf.org>, Jon Callas <joncallas@icloud.com>
Content-Type: multipart/alternative; boundary="0000000000001e3dac059a0f7dbf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/8Kyy1xt4WnLyRA2n9jv7FxQHdyE>
Subject: Re: [openpgp] Dealing with clock skew
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2019 14:36:40 -0000
Getting back to the original question, why reject a signature because it claims to be signed in the future in the first place? One of the things that held back use of S/MIME was idiot MUAs which would shout WARNING THIS MESSAGE IS DIGITALLY SIGNED. Use of TLS with self signed certificates resulted in warnings when visiting sites without TLS did not. It is highly unlikely that the time value in the document is relevant at all. So forget 5 minute windows. Applications SHOULD NOT reject messages unless they have a really good reason. The fact that a document is signed tells us nothing about the truth value of the claims made inside the document. So while I have a really hard time believing that the purported time stamp value actually matters, it is in any case the wrong technology to use in the case that it actually does. The only circumstances where a signing time is likely to matter in a protocol is when it is necessary to determine whether event A happened before or after event B. And for the reasons outlined by Jon, the only tool that is going to be able to provide that assurance reliably is some form of notary agent. There is no a priori ordering of events. It is always necessary to specify the frame of reference. OpenPGP provides a cryptographic message syntax. It is not designed to provide a security assertion capability. If people want that capability, they should use SAML (or something like it) which was built on a framework originally designed to support transactional applications. That is what the conditions and advice slots were originally designed to support in the TAXI (Trust Assertion XML Infrastructure) scheme. So just stop checking the timestamps at all. Best case is it provides no value. On Mon, Nov 18, 2019 at 4:50 AM Benjamin Kaduk <kaduk@mit.edu> wrote: > On Sat, Nov 16, 2019 at 03:06:13PM -0800, Jon Callas wrote: > > > > > > In the general case, you can't consider a time measurement to be a > scalar, it has to be at the very least a complex number of the form [time, > skew]. As Derek noted, Kerberos used a skew of five minutes. While Neal > Walfield noted in his original post that he's seen skew of 20min, I concur > that that seems a bit long. My naive home set-up commonly has alarms across > devices being ±2s or less, but that's because they're all getting time from > some combination of NTP and cellular network time, which is ultimately GPS > time (and of course, skew). I think five minutes is likely reasonable, but > *some* skew is unavoidable. Moreover, anyone who's on satellite networks is > seeing latency of over a second and once you throw in normal exponential > backoff, five minutes seems about as short as is reasonable. > > I believe that if Kerberos was starting over now, the 5 minutes would be > seen as excessively long, FWIW. > > -Ben > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp >
- [openpgp] Dealing with clock skew Neal H. Walfield
- Re: [openpgp] Dealing with clock skew Derek Atkins
- Re: [openpgp] Dealing with clock skew Bill Frantz
- Re: [openpgp] Dealing with clock skew Claudio Luck
- Re: [openpgp] Dealing with clock skew Jon Callas
- Re: [openpgp] Dealing with clock skew Benjamin Kaduk
- Re: [openpgp] Dealing with clock skew Phillip Hallam-Baker