IETF Logo Mail Archive

Re: [TLS] Server time

Kurt Roeckx <kurt@roeckx.be> Mon, 06 April 2015 11:44 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9BF61A87CC for <tls@ietfa.amsl.com>; Mon, 6 Apr 2015 04:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.501
X-Spam-Level:
X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eaBhbJqX6_nE for <tls@ietfa.amsl.com>; Mon, 6 Apr 2015 04:44:39 -0700 (PDT)
Received: from defiant.e-webshops.eu (defiant.e-webshops.eu [82.146.122.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DF581A87CA for <tls@ietf.org>; Mon, 6 Apr 2015 04:44:39 -0700 (PDT)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by defiant.e-webshops.eu (Postfix) with ESMTP id AD38E1C20F4; Mon, 6 Apr 2015 13:44:36 +0200 (CEST)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 77EDD1FE0241; Mon, 6 Apr 2015 13:44:36 +0200 (CEST)
Date: Mon, 06 Apr 2015 13:44:36 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <20150406114436.GA5162@roeckx.be>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFDB939@uxcn10-tdc05.UoA.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AAFDB939@uxcn10-tdc05.UoA.auckland.ac.nz>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/CRdElZWmN96en7NMGF1dPEB78C8>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Server time
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2015 11:44:41 -0000

On Mon, Apr 06, 2015 at 11:15:44AM +0000, Peter Gutmann wrote:
> >The ability of a client to sanity check or sync its time seems like something
> >worth having, especially for only a 4 byte cost.
> 
> Given that there's already a globally-deployed dedicated infrastructure that
> requires nothing more complicated than sending a single UDP packet to port 123
> and checking the response, turning your TLS server into a sort of proxy time
> server that may or may not have the correct time in the first place seems like
> a bad idea.

There is work being done to make NTP more secure.  But if you
don't know what time it is there is no way that we know how to
get the correct time in a secure way.  About the best you can do
is assume that not everybody is compromised.


Kurt

v2.23.0 | Report a Bug | By Email