Re: [pkix] Validating Certs w/out reliable source of Time

Rob Stradling <rob@comodoca.com> Thu, 04 October 2018 17:02 UTC

Return-Path: <rob@comodoca.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4498B130E78 for <pkix@ietfa.amsl.com>; Thu, 4 Oct 2018 10:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=comodoca.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sl_FAYGX1YMq for <pkix@ietfa.amsl.com>; Thu, 4 Oct 2018 10:02:32 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0080.outbound.protection.outlook.com [104.47.33.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7E27130DD3 for <pkix@ietf.org>; Thu, 4 Oct 2018 10:02:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comodoca.onmicrosoft.com; s=selector1-comodoca-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rvAeNyu2FBb8G/7OlGfgZq9nCPxk5RC7YRixOLlLeos=; b=r3k3ZKNMvXN8psnX6xqgPyCp+ktFHOFoD2D+i1hQoY8Z2gJIwtf9Z3Mk6Wp5vhcPO8fcDIKB9ZI8Bz6flV9UQhnimd6s/0xB8nPEyjnkFu+1MvhpJimg1htI/9pDK/5EEB9YbmwWTPieCekfuXWQ9GO0QxuC+Xo3Tf/5ZWVWnL4=
Received: from CY1PR17MB0490.namprd17.prod.outlook.com (10.163.254.140) by CY1PR17MB0581.namprd17.prod.outlook.com (10.164.216.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1164.25; Thu, 4 Oct 2018 17:02:28 +0000
Received: from CY1PR17MB0490.namprd17.prod.outlook.com ([fe80::e4a4:7649:252d:5bf5]) by CY1PR17MB0490.namprd17.prod.outlook.com ([fe80::e4a4:7649:252d:5bf5%3]) with mapi id 15.20.1185.027; Thu, 4 Oct 2018 17:02:28 +0000
From: Rob Stradling <rob@comodoca.com>
To: "Dr. Pala" <director@openca.org>
CC: PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Validating Certs w/out reliable source of Time
Thread-Index: AQHUW+2lIBJiKYT5c0uiCFepxyerqKUPUBcA
Date: Thu, 4 Oct 2018 17:02:28 +0000
Message-ID: <678c4912-d9bc-8d37-ffb3-4e797a37099e@ComodoCA.com>
References: <f1d0a721-96e4-5d1b-4dd3-7b041e3c4379@openca.org>
In-Reply-To: <f1d0a721-96e4-5d1b-4dd3-7b041e3c4379@openca.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: VI1PR0701CA0053.eurprd07.prod.outlook.com (2603:10a6:800:5f::15) To CY1PR17MB0490.namprd17.prod.outlook.com (2a01:111:e400:c444::12)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rob@comodoca.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [51.6.167.73]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY1PR17MB0581; 6:RNMfN2EtKX6gWLb4fGOeaX7xsrRGS4ghJjX68w9dC76YUbDW0uYPC/AgczFzcetcLeB0/ody2LEMuxw1nR/gyhjGcp4TgMcBNFeGIDubIQd2sGvB/Kycz0C7haxc3DKjmltVWIe5mnL0InGI/DqvpVLjsXasuqG1gLZjPitkBkg6xipomH1PJyIDuyCQrtKs3raS6Zufniwi4EntJxs4tbEzEeTVcV8xMrVcr71oALzvFT8QKLhU5IhkFc60cIQRe7tQxTvzlq8bvvt5oxY4hNp+d4XC+/q6hMWgyEe8VRWYfVq6scR9Hzac98kP0+3ubiDIa1ZuDVhUPVwQT6SZv8rZ4LhFQrYEOAV1d8VC1XzReSCVupdH32phfJdaTSK2+wy/R4xd5A5ctnQQ124nf9ndGyHwsnEcbPsA05ASJv/Z3aFTQkfEaS+7o7MzZCBa7gdVWkocDkqADna/DFxk2w==; 5:TD4jDKsDUe4pQ1zwDwLHMNAhGwmJKjBCVL1Sbr5WMdsbdnN9ZQZ0kFXfv30fuunqsZqy5HpZ8K1lb2gZMSNNKiLrjvQGWd4NsEuuKht87dWnC3bXGBxGvXY968B+rg9rkhKM4R4ZCncgJ96RSnJLs7qm0OMVHGVm1eYbrN5Wa0A=; 7:nrUsdCGMhY2b5iCiKaf4C+5NBk8i4i+Cixug4ruZ8nad/ye45syXoVVrW8J8J/ixmzvCm2V5iM4a2udh9+oMDV/n4xxIInPS+XidgtnOOoItg1xoDhNavIIN/7+0S6YMez1K6IR+zbLV8OlAEQGrGLZ5IkqxpBFLFCQ+CQmVHxSHsaQ1sdGooV/FNZVVci2/p65gpYOZ0d/XEEe9NKmBTRA6UrljWztHY4IGhPaaydsruiE6Ye6CGOxJY6gzuN4u
x-ms-office365-filtering-correlation-id: f4d603e0-869b-43ba-0094-08d62a1b2a27
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:CY1PR17MB0581;
x-ms-traffictypediagnostic: CY1PR17MB0581:
x-microsoft-antispam-prvs: <CY1PR17MB058117ABB107771D95DB2628CDEA0@CY1PR17MB0581.namprd17.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(21532816269658);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(3231355)(944501410)(52105095)(10201501046)(3002001)(93006095)(93001095)(149066)(150057)(6041310)(20161123558120)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(201708071742011)(7699051); SRVR:CY1PR17MB0581; BCL:0; PCL:0; RULEID:; SRVR:CY1PR17MB0581;
x-forefront-prvs: 0815F8251E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39850400004)(136003)(396003)(346002)(376002)(189003)(199004)(252514010)(53754006)(81156014)(6486002)(6436002)(316002)(86362001)(8676002)(14454004)(4326008)(26005)(6306002)(31696002)(3846002)(6512007)(6116002)(105586002)(68736007)(6916009)(486006)(7736002)(106356001)(186003)(305945005)(36756003)(97736004)(81166006)(71190400001)(102836004)(71200400001)(256004)(2900100001)(5250100002)(2616005)(446003)(478600001)(53936002)(11346002)(31686004)(14444005)(8936002)(66066001)(25786009)(966005)(99286004)(6246003)(386003)(5660300001)(76176011)(2906002)(6506007)(53546011)(229853002)(52116002)(476003)(12269545002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR17MB0581; H:CY1PR17MB0490.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: comodoca.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 0+znTX/r1pH10wNKtIlcfqJDEg85AN/KQJWm6vlpMF5PZ6WlwVudTCbj+84SWvPx1Uc38Xn7VTaxoI/FQp5x73ti3261Ad+BXgdlUPYA9Z6gOXbx+n7VtBAmu4ziPIDBmNYXxqrRmfJmnukRVgnRckku6MjTiHV44h/cE7afzcfZ/dimA9/D/w+Zx4CMmdUWX+QNwJwRMLf3glRtv6w1m9cqAfK8cC0GSbUdvbj9a+qVhY6LVQXJnlfoltBk5i1v6wb7xz1vmxNZy8nvZwN6Vv4ghCLsb2OeLoKmwE3odzDEghxF7Fxj6CgLB3Dh44u1it79ZmYrsH1Ip2l0aQSr9wyJ3KBybaEt5ntrNOOw6Ec=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <E253A17F20CB9B489FBA68D7BF14975A@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: comodoca.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f4d603e0-869b-43ba-0094-08d62a1b2a27
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Oct 2018 17:02:28.4343 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR17MB0581
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/PZKB0nTEcwilt3CJ5WvLvp4zi3M>
Subject: Re: [pkix] Validating Certs w/out reliable source of Time
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Oct 2018 17:02:35 -0000

Hi Max.  The most promising solution I've seen to this problem is 
Google's Roughtime protocol.

Adam Langley's blog post:
https://www.imperialviolet.org/2016/09/19/roughtime.html

Protocol description:
https://roughtime.googlesource.com/roughtime/+/HEAD/PROTOCOL.md

Open-source implementation:
https://roughtime.googlesource.com/roughtime

Cloudflare's Roughtime service:
https://blog.cloudflare.com/roughtime/

On 04/10/18 15:21, Dr. Pala wrote:
> Hi all,
> 
> I am struggling with one issue that we have been seeing more and more 
> often with the introduction of small IoT devices that connect to clouds 
> and need to validate the other party's certificate chain.
> 
> In particular, the problem is that without a reliable (or trusted) 
> source of Time information, devices can not really validate certificates 
> (i.e., is the certificate even valid... ? is it expired ? is the 
> revocation info fresh enough ?) and my question for the list is about 
> best practices in the space.
> 
> Do you know if there are indications / best practices from ITU or from 
> IETF (or other organizations) on how to deal with this issue ?
> 
> Cheers,
> Max
> 
> -- 
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
> OpenCA Logo

-- 
Rob Stradling
Senior Research & Development Scientist
Email: Rob@ComodoCA.com