Re: [TLS] Getting started, clock not set yet

Robert Relyea <rrelyea@redhat.com> Fri, 12 August 2022 15:51 UTC

Message-ID: <c0509a06-3f86-af50-506e-5b6ac289c711@redhat.com>
Date: Fri, 12 Aug 2022 08:51:39 -0700
To: tls@ietf.org
References: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <SY4PR01MB6251F7EDC97E18A897BC3E6CEE629@SY4PR01MB6251.ausprd01.prod.outlook.com> <CABcZeBM7Xo=yT4GDSAzRNfZYBDAyaT9yNahOuNY8YDvx1SH+Rw@mail.gmail.com> <CAChr6Sy0oLDM=HLPCVtZEZracoD0GamAzGEg0fesrXAMzpEiLA@mail.gmail.com> <CABcZeBNZxUdNTeFCEPgGwtfehV-5LgV86QOXBi+Nqn2A0d6WUA@mail.gmail.com> <CAChr6SyJ=5bcEtMZXpfM=0UsixR0P7111nV0onksYeedSVF_KA@mail.gmail.com> <CABcZeBPvJx1G5da8ceyYBxuxHv6NYFSD_L0Y=cLCf-1cFwweww@mail.gmail.com> <20220809230826.GW3579@akamai.com> <CABcZeBMELWTRC9Ox9zjNRJ+bcy=rFV7zWi-skZKs81ncTcKG0g@mail.gmail.com>
From: Robert Relyea <rrelyea@redhat.com>
In-Reply-To: <CABcZeBMELWTRC9Ox9zjNRJ+bcy=rFV7zWi-skZKs81ncTcKG0g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/L2vJnQVt-994bAcaUuTrfZOGulA>
Subject: Re: [TLS] Getting started, clock not set yet

On 8/9/22 4:12 PM, Eric Rescorla wrote:
> On Tue, Aug 9, 2022 at 4:08 PM Benjamin Kaduk <bkaduk@akamai.com> wrote:
>
>     On Tue, Aug 09, 2022 at 03:59:01PM -0700, Eric Rescorla wrote:
>     > 
>
>
> 3. Are you aware of some other set of rules for certificate issuance 
> that require
> revocation after the certificate has expired?

Removing certs from revocation lists after the certificate has expired 
is pretty much required in any scalable deployment which has a 
non-trivial time horizon (basically any commercial CA). That is because 
the list would grow without bounds.

It's not necessary to solve the 'Getting started, clock not set yet' 
feature, however. For that case you only need to ignore 'not Before' 
when validating a TLS cert associated with an NTS call. You can always 
arrange for the unset clock to be older than the current time, so if the 
cert is expired based on the unset clock, the cert is expired for real.

bob

>
> -Ekr
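The two points in Bob's reply, pruning expired certificates from a revocation list and skipping only the notBefore check while the clock is still unset, as an added worked example that is not code from the thread, from NSS, or from any NTS implementation. The `BUILD_TIME` constant standing in for the unset clock, the `fetch_time` callback standing in for the NTS exchange, and all certificate windows and serial numbers are constructed for the example.

```python
"""Constructed example: certificate validity checks around an unset clock."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Optional, Tuple


class Verdict(Enum):
    VALID = "valid"
    NOT_YET_VALID = "not-yet-valid"
    EXPIRED = "expired"


@dataclass(frozen=True)
class CertValidity:
    """The notBefore/notAfter window of an X.509 certificate (UTC datetimes)."""
    serial: int
    not_before: datetime
    not_after: datetime


# Hypothetical 'unset clock' value: the firmware build time. Picking a value that
# is guaranteed to lie in the past is what keeps the notAfter check meaningful.
BUILD_TIME = datetime(2022, 1, 1, tzinfo=timezone.utc)


def check_validity_window(cert: CertValidity, now: datetime,
                          clock_is_set: bool) -> Verdict:
    """Check `cert` against `now`.

    With an unsynchronised clock (clock_is_set=False) the notBefore check is
    skipped: the clock reads earlier than reality, so 'not yet valid' would be
    a false alarm. notAfter is always enforced: a cert that is expired against
    a clock that is behind the truth is expired for real.
    """
    if now > cert.not_after:
        return Verdict.EXPIRED
    if clock_is_set and now < cert.not_before:
        return Verdict.NOT_YET_VALID
    return Verdict.VALID


def bootstrap_nts(cert: CertValidity, unset_clock: datetime,
                  fetch_time: Callable[[], datetime]
                  ) -> Tuple[Verdict, Optional[datetime]]:
    """Simulated bootstrap: validate the NTS server cert with relaxed rules,
    obtain time, sanity-check it, then re-validate with full rules.

    Returns (initial_verdict, synced_time_or_None). `fetch_time` stands in for
    the NTS-KE/NTP exchange and is an assumption of this example.
    """
    initial = check_validity_window(cert, unset_clock, clock_is_set=False)
    if initial is not Verdict.VALID:
        return initial, None
    synced = fetch_time()
    # The unset clock is a known lower bound on real time, so a fetched time
    # earlier than it cannot be correct; refuse to set the clock from it.
    if synced < unset_clock:
        return initial, None
    # With a clock in hand, the full check (notBefore included) must pass.
    if check_validity_window(cert, synced, clock_is_set=True) is not Verdict.VALID:
        return initial, None
    return initial, synced


def prune_crl(revoked: list, now: datetime) -> list:
    """Drop revocation entries whose certificate has already expired.

    An expired cert fails validation regardless of revocation status, so the
    entry adds nothing, and keeping such entries grows the list without bound.
    """
    return [c for c in revoked if c.not_after >= now]


# Constructed sample data.
NTS_SERVER_CERT = CertValidity(
    serial=0x1001,
    not_before=datetime(2022, 6, 1, tzinfo=timezone.utc),
    not_after=datetime(2023, 6, 1, tzinfo=timezone.utc),
)
OLD_CERT = CertValidity(
    serial=0x1002,
    not_before=datetime(2020, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2021, 12, 1, tzinfo=timezone.utc),
)
REAL_NOW = datetime(2022, 8, 12, tzinfo=timezone.utc)    # what NTS would return
BOGUS_TIME = datetime(2021, 1, 1, tzinfo=timezone.utc)   # earlier than BUILD_TIME

if __name__ == "__main__":
    print(check_validity_window(NTS_SERVER_CERT, BUILD_TIME, clock_is_set=True))
    print(check_validity_window(NTS_SERVER_CERT, BUILD_TIME, clock_is_set=False))
    print(check_validity_window(OLD_CERT, BUILD_TIME, clock_is_set=False))
    print(bootstrap_nts(NTS_SERVER_CERT, BUILD_TIME, lambda: REAL_NOW))
    print([c.serial for c in prune_crl([NTS_SERVER_CERT, OLD_CERT], REAL_NOW)])
```

Against the build-time clock the server certificate is "not yet valid" under full rules but passes once notBefore is ignored, while a genuinely expired certificate still fails even with the clock unset. Re-running the full check after time is obtained, and rejecting a fetched time earlier than the known lower bound, are the two defensive additions a practitioner would normally pair with the relaxed bootstrap check.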