Re: [TLS] Server time
Jeffrey Walton <noloader@gmail.com> Mon, 06 April 2015 23:49 UTC
Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0DB01B2AC7 for <tls@ietfa.amsl.com>; Mon, 6 Apr 2015 16:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RaKbRuXFHCXP for <tls@ietfa.amsl.com>; Mon, 6 Apr 2015 16:49:40 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4545F1B2AC5 for <tls@ietf.org>; Mon, 6 Apr 2015 16:49:40 -0700 (PDT)
Received: by ignm3 with SMTP id m3so3154038ign.0 for <tls@ietf.org>; Mon, 06 Apr 2015 16:49:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=chma8RLsbxzharaHoDChA5Xw90qym+ZSVR0D1/kb354=; b=KWFQydBAOUagyKiQbqXlo33ZFcHwYFovYbERCasFGH90hTHGuat+PTBR8LH+5ww/8N QDlN/6b0PF9i7+RK9UIcy2ZM4oS0ITaOWWxSswRoTByP8hF5h5XnbJowGfgow3KG60Jv mZ0FDgsAE7d2Q1rIP82S5b9JAy321PsbZG+DWMYHSLr0VcNme3m7K2UMuk8+3VENJhVu n3sgUvnFYMzypTBcM61qV4ogNfiqkXHF0BJ00mVtsLJBmYz2Rqa41DWWOuOWarzjuTai F3oKQJUYrS+uxdRh6Z3D/W0z4AnDmArgdxtl0nhEaPnfVJiaPa/qblT7SASLb5UXkJmm Ov/Q==
MIME-Version: 1.0
X-Received: by 10.107.29.21 with SMTP id d21mr26633723iod.11.1428364179740; Mon, 06 Apr 2015 16:49:39 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Mon, 6 Apr 2015 16:49:39 -0700 (PDT)
In-Reply-To: <CAFJuDmN02wr+T+YfV54zOEdosw+exU=tVtWvy7RcOS5eJmRLHQ@mail.gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFDB9EC@uxcn10-tdc05.UoA.auckland.ac.nz> <CABkgnnW=WPfySOwZYRFr-heuUToow+vQXDMSuAkWoffJ6A9uXw@mail.gmail.com> <CAH8yC8=f6+04GAzaQMqshzPRNszdm9idSDkES=ug6iWBnPFZMQ@mail.gmail.com> <CAFJuDmN02wr+T+YfV54zOEdosw+exU=tVtWvy7RcOS5eJmRLHQ@mail.gmail.com>
Date: Mon, 06 Apr 2015 19:49:39 -0400
Message-ID: <CAH8yC8kMga-Sfa1=0tP9PYc_Gx5bhbs-CWg5=e_zWzTARemBTw@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Adam Caudill <adam@adamcaudill.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/9UYQjcHkfrwwGblG2iZ3Qbr4-lU>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Server time
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2015 23:49:41 -0000
> In certain circumstances, using a HTTPS server as a time source isn't a > horrible idea, but why change TLS for such an edge case? Well, that edge case is going to inundate us in years to come. There will be hundreds of millions of PC sales in a year; hundreds of millions to billions of smartphones sales in a year, and billions of IoT gadget sales in a year. Not to mention all the SmartCard applications that may need it. Is SSL_VERIFY_NONE really the only choice for resource constrained and low end devices? > If there are use cases where it is important that time be acquired from an > HTTPS, have the server return the timestamp at whatever precision desired as > the body of the response to the GET request - it's still simple to work > with, and doesn't impact all TLS users as this would. > Doesn't that set-up the chicken-and-the-egg problem? Channel setup will never occur because of the failed certificate validation due to the time skew at the client. Or maybe it won't matter because the folks programming the system will helpfully add SSL_VERIFY_NONE. Anyway, I'm not arguing either way. I just know what I've experienced in the past, and I expect it to happen again in the future.
- [TLS] Server time Dave Garrett
- Re: [TLS] Server time Erik Nygren
- Re: [TLS] Server time Jeffrey Walton
- Re: [TLS] Server time Dave Garrett
- Re: [TLS] Server time Dave Garrett
- Re: [TLS] Server time Jeffrey Walton
- Re: [TLS] Server time Hauke Mehrtens
- Re: [TLS] Server time Brian Smith
- Re: [TLS] Server time Jeffrey Walton
- Re: [TLS] Server time Eric Rescorla
- Re: [TLS] Server time Dave Garrett
- Re: [TLS] Server time Peter Gutmann
- Re: [TLS] Server time Tom Ritter
- Re: [TLS] Server time Kurt Roeckx
- Re: [TLS] Server time Peter Gutmann
- Re: [TLS] Server time Martin Thomson
- Re: [TLS] Server time Jeffrey Walton
- Re: [TLS] Server time Adam Caudill
- Re: [TLS] Server time Jeffrey Walton
- Re: [TLS] Server time Ben Laurie
- Re: [TLS] Server time Florian Weimer
- Re: [TLS] Server time Peter Gutmann
- Re: [TLS] Server time Florian Weimer
- Re: [TLS] Server time Kurt Roeckx
- Re: [TLS] Server time Florian Weimer
- Re: [TLS] Server time Kurt Roeckx
- Re: [TLS] Server time Jeffrey Walton