Re: [TLS] Getting started, clock not set yet

Christian Huitema <huitema@huitema.net> Thu, 11 August 2022 19:35 UTC

Message-ID: <e4ed5b91-d3b7-0fe0-21ba-41fd337ffe87@huitema.net>
Date: Thu, 11 Aug 2022 12:35:23 -0700
To: Kyle Rose <krose@krose.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <CAJU8_nX5_8qCQMNhX15oH-2=cEa8roxczc3xe9Q=8nOYfKPxdQ@mail.gmail.com> <SY4PR01MB625105043B703E672776835AEE659@SY4PR01MB6251.ausprd01.prod.outlook.com> <CAJU8_nXTmvw6YJCeGy1P+O7S2ATJ3ACoP5Y0_k7GWzwf8Y2BUA@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <CAJU8_nXTmvw6YJCeGy1P+O7S2ATJ3ACoP5Y0_k7GWzwf8Y2BUA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BuQxsv3mnWieENkcJPzOoj99sDE>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 8/11/2022 8:56 AM, Kyle Rose wrote:
> On Wed, Aug 10, 2022 at 10:13 AM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
>> So we're down to mostly non-web-PKI devices and/or the ten-year problem, of
>> which I've encountered the latter several times with gear that sits on a shelf
>> for years and then when it's time to provision it all the certificates have
>> long since expired, which is another reason why you ignore expiry dates (or at
>> least you ignore them after you get hit by the first major outage caused by
>> this because until then no-one realised that it was an issue, a ticking
>> time-bomb that may take years to detonate).
>>
> Expired CAs are definitely a problem for PKI participation after such a
> delay, but probably one that is dwarfed by the near certain existence of
> known vulnerabilities in firmware that hasn't been updated in 10 years. So
> it's probably best they remain air-gapped and don't participate in active
> networked systems until they've been updated, which would then include new
> CA certificates.

Isn't the ANIMA WG working on these scenarios? If there is a formal 
"enrollment" process for adding a device to a network, that process 
could include setting the time, and possibly performing updates. I say 
"possibly" here, because in scenarios like "disaster recovery", the 
local network may not have global connectivity. But even so, setting the 
time during enrollment seems logical.

-- Christian Huitema
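The situation the thread describes, a device whose clock is not set when it first has to check certificate dates and which only learns the time at enrollment, can be modelled in a few lines. The block below is an added example, not code from any of the posters, from the ANIMA working group, or from any IETF document. It assumes a firmware build timestamp is available as a lower bound on plausible time (a common but not universal practice), a constructed device certificate with a one-year validity window, and an enrollment message that carries an authenticated time; the three-way result and the refusal to accept an enrollment time earlier than the build time are design choices of this example, not something the thread specifies.

```python
"""Certificate date check for a device whose clock may not be set yet.

Added example, not code from the thread. The certificate record, the
firmware build time and the enrollment times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Validity(Enum):
    VALID = "valid"                # inside notBefore..notAfter under a trusted clock
    EXPIRED = "expired"            # outside that window under a trusted clock
    TIME_UNKNOWN = "time_unknown"  # clock untrusted: the date check was not decided


@dataclass(frozen=True)
class CertValidity:
    """The only certificate fields this example needs (constructed, not parsed)."""
    subject: str
    not_before: datetime
    not_after: datetime


# Assumption: the firmware image records the UTC time it was built. A clock
# reading earlier than that cannot be right, so it is treated as unset.
FIRMWARE_BUILD_TIME = datetime(2022, 8, 1, tzinfo=timezone.utc)


def clock_is_plausible(now: datetime, build_time: datetime = FIRMWARE_BUILD_TIME) -> bool:
    """A time earlier than the firmware build time is never plausible."""
    return now >= build_time


def check_validity(cert: CertValidity, now: datetime, clock_trusted: bool) -> Validity:
    """Return a verdict only when the clock can be trusted; otherwise TIME_UNKNOWN."""
    if not clock_trusted:
        return Validity.TIME_UNKNOWN
    if cert.not_before <= now <= cert.not_after:
        return Validity.VALID
    return Validity.EXPIRED


class Device:
    """Minimal model: boot with whatever the clock says, then get the time at enrollment."""

    def __init__(self, boot_clock: datetime):
        self.clock = boot_clock
        # Trust the boot reading only if it is plausible; otherwise wait for enrollment.
        self.clock_trusted = clock_is_plausible(boot_clock)

    def enroll(self, enrollment_time: datetime) -> bool:
        """Set the clock from the (assumed authenticated) enrollment message.

        An enrollment time before the firmware build is rejected: accepting it
        would let a replayed old message make an expired certificate look valid.
        Returns False when rejected, leaving the clock untrusted.
        """
        if not clock_is_plausible(enrollment_time):
            return False
        self.clock = enrollment_time
        self.clock_trusted = True
        return True

    def validate(self, cert: CertValidity) -> Validity:
        return check_validity(cert, self.clock, self.clock_trusted)


# Constructed sample: a device certificate issued the day the firmware was built.
DEVICE_CERT = CertValidity(
    subject="CN=device-0001",
    not_before=datetime(2022, 8, 1, tzinfo=timezone.utc),
    not_after=datetime(2023, 8, 1, tzinfo=timezone.utc),
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # what an unset clock typically reads


def run_scenarios() -> dict:
    """Boot with an unset clock, enroll and re-check; then the ten-years-on-a-shelf case."""
    results = {}
    # 1. Clock reads the epoch at boot: no verdict until the time is set.
    dev = Device(boot_clock=EPOCH)
    results["before_enrollment"] = dev.validate(DEVICE_CERT)
    # 2. Enrollment supplies the time; the same certificate now checks out.
    dev.enroll(datetime(2022, 8, 11, tzinfo=timezone.utc))
    results["after_enrollment"] = dev.validate(DEVICE_CERT)
    # 3. Same firmware provisioned after ten years on a shelf: the date check fails.
    shelf = Device(boot_clock=EPOCH)
    shelf.enroll(datetime(2032, 8, 11, tzinfo=timezone.utc))
    results["ten_year_shelf"] = shelf.validate(DEVICE_CERT)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict.value}")
```

The point of the three-way result is that a date comparison made against an untrusted clock is not a verdict either way: the caller can defer the check until enrollment has set the time rather than treating the certificate as expired (or silently valid) at boot. What to do when the clock is trusted and the certificate really has expired, as in the shelf scenario, is the policy question the thread is debating; the example only reports it.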