[pkix] Validating Certs w/out reliable source of Time

"Dr. Pala" <director@openca.org> Thu, 04 October 2018 14:22 UTC

Return-Path: <director@openca.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id CA2A012DD85 for <pkix@ietfa.amsl.com>; Thu, 4 Oct 2018 07:22:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.798
X-Spam-Status: No, score=-0.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_16=1.092, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id NEWgFiU5fzBm for <pkix@ietfa.amsl.com>; Thu, 4 Oct 2018 07:22:00 -0700 (PDT)
Received: from mail.katezarealty.com (mail.katezarealty.com []) by ietfa.amsl.com (Postfix) with ESMTP id 0B06E128CE4 for <pkix@ietf.org>; Thu, 4 Oct 2018 07:21:59 -0700 (PDT)
Received: from localhost (unknown []) by mail.katezarealty.com (Postfix) with ESMTP id CCCAE3740FE1 for <pkix@ietf.org>; Thu, 4 Oct 2018 14:21:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([]) by localhost (mail.katezarealty.com []) (amavisd-new, port 10024) with LMTP id LGA7k2XH6Gc8 for <pkix@ietf.org>; Thu, 4 Oct 2018 10:21:59 -0400 (EDT)
Received: from Maxs-MBP.cablelabs.com (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id E569237402AF for <pkix@ietf.org>; Thu, 4 Oct 2018 10:21:58 -0400 (EDT)
To: PKIX <pkix@ietf.org>
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <f1d0a721-96e4-5d1b-4dd3-7b041e3c4379@openca.org>
Date: Thu, 4 Oct 2018 08:21:58 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000806070401050507060701"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/nj0Fk9GzWjY2mpLDq64DmpN0OZ8>
Subject: [pkix] Validating Certs w/out reliable source of Time
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Oct 2018 14:22:02 -0000

Hi all,

I am struggling with one issue that we have been seeing more and more 
often with the introduction of small IoT devices that connect to clouds 
and need to validate the other party's certificate chain.

In particular, the problem is that without a reliable (or trusted) 
source of Time information, devices can not really validate certificates 
(i.e., is the certificate even valid... ? is it expired ? is the 
revocation info fresh enough ?) and my question for the list is about 
best practices in the space.

Do you know if there are indications / best practices from ITU or from 
IETF (or other organizations) on how to deal with this issue ?


Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo