IETF Logo Mail Archive

Re: [TLS] Getting started, clock not set yet

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 15 August 2022 15:13 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F51FC1524C6 for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 08:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hozRtO40GJ7A for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 08:13:22 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.21.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EA50C14CF11 for <tls@ietf.org>; Mon, 15 Aug 2022 08:12:41 -0700 (PDT)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com (mail-me3aus01lp2235.outbound.protection.outlook.com [104.47.71.235]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id au-mta-21-EsSxjZgsMR2oet9xKZp92g-1; Tue, 16 Aug 2022 01:12:35 +1000
X-MC-Unique: EsSxjZgsMR2oet9xKZp92g-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10) by ME3PR01MB7047.ausprd01.prod.outlook.com (2603:10c6:220:16c::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5504.16; Mon, 15 Aug 2022 15:12:34 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::9ce9:9bf2:308b:8a40]) by SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::9ce9:9bf2:308b:8a40%4]) with mapi id 15.20.5504.028; Mon, 15 Aug 2022 15:12:33 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Kyle Rose <krose@krose.org>
CC: "tls@ietf.org" <tls@ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [TLS] Getting started, clock not set yet
Thread-Index: AQHYq6pFXIHKkuDZkEWAUyh0UYDrO62m1XyAgAFZWpKAAa+zgIAGO3YX
Date: Mon, 15 Aug 2022 15:12:33 +0000
Message-ID: <SY4PR01MB6251DFA737BA61A5E4459D6DEE689@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <CAJU8_nX5_8qCQMNhX15oH-2=cEa8roxczc3xe9Q=8nOYfKPxdQ@mail.gmail.com> <SY4PR01MB625105043B703E672776835AEE659@SY4PR01MB6251.ausprd01.prod.outlook.com> <CAJU8_nXTmvw6YJCeGy1P+O7S2ATJ3ACoP5Y0_k7GWzwf8Y2BUA@mail.gmail.com>
In-Reply-To: <CAJU8_nXTmvw6YJCeGy1P+O7S2ATJ3ACoP5Y0_k7GWzwf8Y2BUA@mail.gmail.com>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1c62f283-b30b-4bad-4ada-08da7ed094b7
x-ms-traffictypediagnostic: ME3PR01MB7047:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: 2QMjYngbatR0DwNdJ90VfEU4CmOcHPvHF/RhqNggMIxe+n+k/V2+E22iNV+1FrwMYDLfMg1mlivHiayD+5NU5yWOs3XeLcTwuoWtKOklqsx+VwvvtxHU5m9knBPsA8I0YdNYk8cGRY6ojmh5lhSwI4rAxaBa875dMZe41Zp3HuK9Sfp19f7lSZ4VlzrOQC6KHOsJBleoIHWecyAGPCvfXpgRFwLnOOQr749bDWMGFm9vACikayaVn0L4VcbUQaUrXgL9ZnFHg92Aigsp64J9XlwYQKgYM5I6fM9uJqlPYqqaPMjKEUQ1aYPf2/pCsayKpSQn8yklY4ohGf1jp1GtJaU7au+sqCcNA/BAq+72oiL0jO+lIN6N1jkAUjLzhlxKdepU5e0RmczXwVMSlc3085IwTa4Yz7GDwTqhLggby6qO37nEX5GaDBwDEdA7c7lXMboCGz+Onz0jAvA0AdpGFlQcKlAUHtpCx5g8RPhL32pER7urCzJwXeE/k4tHoKNlaShJAkGvfAS33G2K3+hFSL2AvF0LybeNjN1NXr4Fb7RNZZkkZgeXGXmsKwjhJ18ped/l7LSDZx8ptjE6Di2WLdirwNS494IAX+UMNFBxDcopykAkuKCNK8L02hDzLQHXo6w4TtRGk9gpzIeusEDTQiTFX0r6w6EKPaa6Qedh2hwC9ohqTCSn0q2UoRhJQDGCtDzIdnB2373PT4AAcIgdmAt1KR93TPFDNEY5SqlGIPqcO5hxCZa9tsfCQ/S+g/JuZ9n00Feo5Q7QWue8UcKWrdttUrc0TniKv3HXd8ER0zX2UNjJs63aaFLdUa+ka4xm6dXe86loyfdCq90hOjOp8w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(376002)(366004)(396003)(136003)(39860400002)(346002)(316002)(786003)(54906003)(26005)(6506007)(41300700001)(9686003)(7696005)(71200400001)(478600001)(2906002)(86362001)(33656002)(107886003)(55016003)(6916009)(66446008)(64756008)(8676002)(66556008)(66946007)(4326008)(76116006)(66476007)(8936002)(122000001)(5660300002)(52536014)(83380400001)(38070700005)(38100700002)(66574015)(186003)(134034003); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Xk6uPaW4jbJzErwqZjsnjXOjmSU3K51RSdUEHP+pTYI2/Zu8dRQb6zFuxG7YMOMRUH8+FOvYcFCBlAjGpWHILCQyczsIqAnn0QPBzoo0n5RVUSrIe0RwOMTPTY4KtUH8Z9Vt1U5f7sAd3zbhBhsHj6h/exBWM3LTfguN3YjP6/VH84ZNaEiYntqWhgNlHFpMGOeocrO1sLjkm8UaFFbT+IkDaUihptO4Ac97rdZ384iOqZB+rhUkbJohRC8gWB6XfU2bflS+gaASRZ+8UA3h/VVCWly2DJ1RYKDPth0ss5gMCiiFJy0RvcKwqj/PerGcWKIFtu7FRCBjREx9SMV+wV3WBxU8//oJ5qHObeIwGgcpZ97+OSlW/8oxo0D/09/T99ZOy258Dls+wHBWZsF2lqKKEzabc8HIsZu1ChCrUBrOkeNAKTtf3FQOQBwDRnBrPXKRI6Zs4fQWC3yKVCCK9n+vNwHsBPbV++ETA4gW0WK5EQGHucfOnS13Te1R6/hBS3MIFuOWW/Hkch3fDzOLuoSUOOhfddTjP02g/AAKCMyoki/W/Hn2QICFGehzs+ufVv5hiL7V9MkvspuRfM3kRGEbaD7OP0wOUac+LV7HUWisVF0z5BRToaLwXETnep2pJDSzSqiV6IUNlidQ43E9KaKs1iAdQdQ22YXc4moLBo7+eZeUjwaDHGb+jYPR1dZoKZWQmfktJJSd43WcU6Hdd1yGePxhFOTmulG/ocDDeTD2DcF73ev1rkzBLIiXLpYJ5xMrRMJ8ujD4vGCIsGhNAX67pkqoHi6TwPIDcryCBuXMAu3PbEL/zLTJnUC+RJ6T3vY3l0y5IfRcLInunnEw5t1ym10JWWUW09VqEkQ4w79mIRzO0JGSAixYP21c38h3JfjUd3mRlKBfmrV/mKjNdCNgYN/7vS5txCvWDgJWbOA6JXp5rK+hpoOfCV7JoJ9MNrXMpBrCW/jfyCQgCGZdQSkKt3GS/lk1ECsrDLXBd4AUKGf0zg2IGDhXcKS4lqPSfWKPyQVAc04QM+58m/Qfn0fHuCQ/ziBCngtzf6+dDUPeKw6VJ44BWUqoB85dgjUYfeBejb0x/9b5xVket+SiT17aIzLW4z1ctzOsgO7Wd4jOs38KDsJ/kbaRVzkt304E6od3B6PSWYn5vu+AxUKWIYRSAlZTjvRHZoNX733/fHZnV29AlTSzd7awWeEMr4UJF2ZJp5+fWjaCul/f4oxWNchNwxX7MEBCrRNFgoZMkTrZlRDB3rmHAm6oLZuyqsHp6re1Qpaj3zp1LzXXRt1C3c5C8/EOYVsv79qe2Jv6zuQXMrF8YWGdauz8wh8+VcFUwESKkFoZ++UO9NpFEs+t43kZBuoAtcM0KLKwjilZNr0M1+V7FffUs3/hKsnq4wjVuql6oBptgrWeRtRP8GL4qwu6sj6JjPQXlbDVmSIKdrpivLs85yT2Wh1TSfrnUlZkxmWSoE6rQq9yN/wsLPD299G7L0UFuke9ZoDVZ/hwZu2z/Q7wCSB27ot6S2WB7DVfuvH49kuj3YlABBim0AFAcPslC72mt7XPqVUvTSaJA8MX310XtffGgIqJOOdeAGd5
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1c62f283-b30b-4bad-4ada-08da7ed094b7
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Aug 2022 15:12:33.9371 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2AROP5W7yvl9UPbLJ1WHvnfYLjpsjDT+z6IRrDr2zty6fFX11KJgoZz9/tJVJnHjp7iikH2y9b6Hieb2wE8MDgT4qFbEsPdP9INCZAwLANo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME3PR01MB7047
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/540V1fTMzbC4GTV_-dYy4ajbIzk>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 15:13:24 -0000

Kyle Rose <krose@krose.org> writes:

>Expired CAs are definitely a problem for PKI participation after such a
>delay, but probably one that is dwarfed by the near certain existence of
>known vulnerabilities in firmware that hasn't been updated in 10 years. So
>it's probably best they remain air-gapped and don't participate in active
>networked systems until they've been updated, which would then include new CA
>certificates.

Getting a bit off-track, but the ones I've encountered won't be updated,
typically because there's no way to do so and/or because the software is
written to a higher standard than the usual Internet-facing stuff.  One common
defence, although it's not really intended as such, is that there's nothing
there to attack, everything is hardcoded and fixed and does just barely enough
to communicate with the other side, so there's very little attack surface.

>Consequently, I would not recommend any device interact with the web without
>being able to establish that server certificates have not expired.

Sure, but that's web use.  For SCADA use you don't care (or check) whether the
certificates have expired or not because that's the difference between "things
work" and "things don't work": "When PLCs’ certificates expire, they just
disappear off the network.  Plus, 99 percent of the industrial world has no
idea what a certificate is, so how do they troubleshoot the problem at 2am?"
(from "Control Systems Security from the Front Lines").

I would assume this extends to lots of non-SCADA cases as well: If you want
things to work, you don't check for cert expiry.  Or revocation.

>>Ignoring CA billing-cycle^H^H^Hexpiry dates
>
>You repeatedly bring up this point, but you do realize that one of the people
>you're arguing with was instrumental in the establishment of a mechanism for
>provisioning *free* web PKI certificates, right? The cost of procuring signed
>certificates is no longer an obstacle to participating in the web PKI.

Sure, and I pointed out that it was a thing for commercial CAs.  In any case
though I wasn't commenting on that but on why a 1-year expiration period is
used, because the alternative was to point out that tying a supposed security
parameter to the earth's (approximate) orbital period seems a bit paleolithic
[0].  And in that case I think we should take a less geocentric view of
certificate expiry and instead use the orbital period of the largest planet in
the solar system, Jupiter, over 300 times the size of the earth so it's got to
be more significant.  Giving certificates an expiry time of 12 years to match
Jupiter's orbital period should be enough to cover most use cases (extending
this to Pluto, and whether it should actually be Pluto or stop at full planets
like Neptune, is left as an open discussion point).

Peter.

[0] Based on nature-worship dating back to the Old Stone Age, I don't know
    whether they knew the earth's orbital period back then or not but I
    believe it was well known by the Bronze Age.

v2.23.0 | Report a Bug | By Email