Re: [TLS] Server time

Adam Caudill <adam@adamcaudill.com> Mon, 06 April 2015 23:20 UTC

In-Reply-To: <CAH8yC8=f6+04GAzaQMqshzPRNszdm9idSDkES=ug6iWBnPFZMQ@mail.gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFDB9EC@uxcn10-tdc05.UoA.auckland.ac.nz> <CABkgnnW=WPfySOwZYRFr-heuUToow+vQXDMSuAkWoffJ6A9uXw@mail.gmail.com> <CAH8yC8=f6+04GAzaQMqshzPRNszdm9idSDkES=ug6iWBnPFZMQ@mail.gmail.com>
From: Adam Caudill <adam@adamcaudill.com>
Date: Mon, 06 Apr 2015 19:19:58 -0400
Message-ID: <CAFJuDmN02wr+T+YfV54zOEdosw+exU=tVtWvy7RcOS5eJmRLHQ@mail.gmail.com>
To: noloader@gmail.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1dXXFScysHFF4hTR0f1leaahbu0>
Cc: "<tls@ietf.org>" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Mon, Apr 6, 2015 at 12:30 PM, Jeffrey Walton <noloader@gmail.com> wrote:

> On Mon, Apr 6, 2015 at 12:13 PM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
> > On 6 April 2015 at 05:45, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> >> Using TLS as a pseudo-NTP source makes about as much sense as using
> >> HTTP as a pseudo-NTP source, which has happened a number of times in
> >> the past. TLS is a means of building a secure tunnel from A to B, not
> >> a kludgy way of avoiding use of NTP.
> >
> > Yes, this is right.  There's nothing inherently wrong with using a
> > HTTP server that you trust to have good time for a little sanity
> > checking.  That said, it doesn't make any sense to use arbitrary
> > servers.
> +1. That was the exact use case I was envisioning - an LG refrigerator
> abandons the browser security model and pins to LG's CA. In this case,
> it trusts its own organization's PKI and servers (but no others).
>
> Jeff
>

In certain circumstances, using an HTTPS server as a time source isn't a
horrible idea, but why change TLS for such an edge case? To me, this seems
like a clear case of trying to address the issue at the wrong level - this
adds no security, introduces privacy issues, and introduces further changes
for an edge case that could easily be addressed in many other ways.

If there are use cases where it is important that time be acquired from an
HTTPS server, have the server return the timestamp at whatever precision
desired as the body of the response to the GET request - it's still simple to
work with, and doesn't impact all TLS users as this would.
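The approach the last paragraph proposes, as an added example that is not from this thread or from any IETF document: a device fetches a timestamp as the body of a GET to its own organisation's HTTPS endpoint, trusts only that organisation's CA (the pinning Jeff describes above), and sanity-checks the result against its local clock. The `/time` path, the decimal Unix-seconds body format, the `BUILD_TIME` floor and the round-trip limit are assumptions for illustration, not anything the thread specifies.

```python
"""Client-side sanity check of the local clock against an organisation-run
HTTPS time endpoint.  Added example; the /time path, the body format (ASCII
decimal Unix seconds, optional fraction), BUILD_TIME and MAX_RTT_S are
assumptions for illustration."""

import ssl
import time
import urllib.request
from dataclasses import dataclass

MAX_RTT_S = 2.0          # discard samples whose round trip is too long to trust
MAX_BODY_BYTES = 64      # a timestamp never needs more than this
# Assumed firmware build time (2015-04-06T00:00:00Z, constructed): no honest
# server can report a time earlier than the software was built.
BUILD_TIME = 1428278400


@dataclass(frozen=True)
class TimeSample:
    server_time: float   # server's reading, projected forward by half the RTT
    offset: float        # server_time minus the local clock at receipt
    rtt: float           # measured round trip in seconds


def pinned_context(ca_bundle_path: str) -> ssl.SSLContext:
    """TLS context trusting ONLY the organisation's own CA, not the system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def parse_time_body(body: bytes) -> float:
    """Parse the response body as Unix seconds; reject anything else."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("time body too long")
    text = body.decode("ascii", errors="strict").strip()
    if not text or text.count(".") > 1 or not all(c.isdigit() or c == "." for c in text):
        raise ValueError(f"malformed time body: {text!r}")
    value = float(text)
    if value < BUILD_TIME:
        raise ValueError("server time precedes build time; rejecting sample")
    return value


def evaluate_sample(server_time: float, t_sent: float, t_recv: float) -> TimeSample:
    """Bound the round trip and estimate the offset assuming symmetric delay."""
    rtt = t_recv - t_sent
    if rtt < 0 or rtt > MAX_RTT_S:
        raise ValueError(f"round trip {rtt:.3f}s outside accepted range")
    # The server read its clock roughly mid-flight, so project it forward by rtt/2.
    est_server_now = server_time + rtt / 2
    return TimeSample(server_time=est_server_now, offset=est_server_now - t_recv, rtt=rtt)


def fetch_time(url: str, ca_bundle_path: str) -> TimeSample:
    """GET the timestamp over the pinned TLS connection (does network I/O)."""
    ctx = pinned_context(ca_bundle_path)
    t_sent = time.time()
    with urllib.request.urlopen(url, context=ctx, timeout=MAX_RTT_S) as resp:
        body = resp.read(MAX_BODY_BYTES + 1)   # one extra byte so oversize is detected
    t_recv = time.time()
    return evaluate_sample(parse_time_body(body), t_sent, t_recv)


if __name__ == "__main__":
    # Assumed endpoint and CA bundle path; both are illustrative.
    sample = fetch_time("https://time.example.internal/time", "/etc/device/org-ca.pem")
    print(f"offset {sample.offset:+.3f}s over rtt {sample.rtt:.3f}s")
```

Two caveats a practitioner should keep in mind. Validating the endpoint's certificate already requires a roughly correct clock (notBefore/notAfter are checked against it), so a device whose clock is wildly wrong cannot bootstrap from this alone; the check is a bounded sanity test of the kind Martin describes, not a replacement for NTP. And the offset estimate assumes the forward and return paths take equal time, which is why samples with long round trips are discarded rather than trusted.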