Re: [TLS] Server time

Dave Garrett <davemgarrett@gmail.com> Sat, 04 April 2015 21:57 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Sat, 04 Apr 2015 17:57:05 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-73-generic-pae; KDE/4.4.5; i686; ; )
References: <201504041352.12431.davemgarrett@gmail.com> <CAKC-DJj0rKNVXc1XJ4W2yiGY2bXYsXtAfubGEmO8JsoBu2kfvA@mail.gmail.com>
In-Reply-To: <CAKC-DJj0rKNVXc1XJ4W2yiGY2bXYsXtAfubGEmO8JsoBu2kfvA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201504041757.05854.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6GktJN5yYdmyRzdCLyNnnjp-9kw>
Cc: Erik Nygren <erik@nygren.org>
Subject: Re: [TLS] Server time

On Saturday, April 04, 2015 03:53:31 pm Erik Nygren wrote:
> It does seem like a useful server hello extension, however, as long as
> clients wait for a complete and authenticated handshake before using it.

Just sticking in an extra ServerHello field for the time is the quick and simple replacement for the old standardized hack. If we want more, it wouldn't be difficult to write a simple time/ping protocol to build into the spec. Do a ping with a time request after authentication and it would be protected, measure latency, and easily provide precise remote time adjusted for response time. Might be overkill, though it'd be simple enough to add.


Dave
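A sketch of the post-handshake time/ping exchange Dave describes, added here as an example that is not from the thread or from any TLS implementation: the two-message wire layout, the function names and the symmetric-path-delay assumption are mine. It measures latency, derives the remote time adjusted for response time, and refuses to use the value until the authenticated handshake has completed, as Erik's reply requires.

```python
import struct

# Assumed wire layout (illustration only, not a real TLS message):
#   request : !I   4-byte client nonce
#   response: !Iq  echoed nonce, then server time as signed 64-bit ms since epoch
REQ = struct.Struct("!I")
RESP = struct.Struct("!Iq")


def build_request(nonce: int) -> bytes:
    """Client side: a time request carrying a fresh nonce to bind the reply."""
    return REQ.pack(nonce)


def build_response(request: bytes, server_now_ms: int) -> bytes:
    """Server side: echo the nonce and attach the server's current clock."""
    (nonce,) = REQ.unpack(request)
    return RESP.pack(nonce, server_now_ms)


def estimate_server_time(response: bytes, nonce: int, t_sent_ms: int, t_recv_ms: int,
                         handshake_complete: bool, max_rtt_ms: int = 2000) -> dict:
    """Client side: derive RTT, clock offset and adjusted server time.

    Refuses the value unless the authenticated handshake has finished, the
    nonce matches the request, and the measured RTT is plausible."""
    if not handshake_complete:
        raise RuntimeError("time reply used before authenticated handshake completed")
    echoed, server_ms = RESP.unpack(response)
    if echoed != nonce:
        raise ValueError("response nonce does not match request")
    rtt = t_recv_ms - t_sent_ms
    if rtt < 0 or rtt > max_rtt_ms:
        raise ValueError(f"implausible round-trip time {rtt} ms")
    # Assume symmetric path delay: the server stamped its clock about half an
    # RTT after we sent, so compare it against the midpoint of the exchange.
    offset = server_ms - (t_sent_ms + rtt // 2)
    return {"rtt_ms": rtt, "offset_ms": offset, "server_now_ms": server_ms + rtt // 2}


def run_exchange(nonce: int, t_sent_ms: int, server_now_ms: int, t_recv_ms: int,
                 handshake_complete: bool = True) -> dict:
    """Drive both sides with explicit, constructed clock readings."""
    req = build_request(nonce)
    resp = build_response(req, server_now_ms)
    return estimate_server_time(resp, nonce, t_sent_ms, t_recv_ms, handshake_complete)


if __name__ == "__main__":
    # Constructed readings: sent at local 1000 ms, server stamped 5100 ms, received at 1200 ms
    print(run_exchange(nonce=7, t_sent_ms=1000, server_now_ms=5100, t_recv_ms=1200))
```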