IETF Logo Mail Archive

Re: [TLS] Getting started, clock not set yet

"Salz, Rich" <rsalz@akamai.com> Mon, 15 August 2022 13:04 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4D56C14F725 for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 06:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.674
X-Spam-Level:
X-Spam-Status: No, score=-2.674 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FfjN_DGuT5Cp for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 06:04:03 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BD88C1524AA for <tls@ietf.org>; Mon, 15 Aug 2022 06:04:03 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.17.1.5/8.17.1.5) with ESMTP id 27FB3c6B013236; Mon, 15 Aug 2022 14:04:02 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=ko7jQ8jaZvhJp80ahGQSSK5Il7obC5DfGLCuhLYyVpY=; b=m9B9DvW6Dwkbnl2Kv9i3lxEwGnLHKKPopCeF4YA6ur90kVNoBSQIm3a9qMjqOmcWbKKE BbyC3SBLVkyj4wSfhCXVpkiXfme0j7q64fa4JD4wH9F9q3BB67eo0T2y4U/V8jKGbcyw n0gSGNNorg2kqHgVW0ZCEkiUh8Y/8UylQicTzbaDDC48YYrEvjA1iOpnc/egwnutKSnI Y6e9BnerZKg7e9EnEzjKb5UmTczr4HTeGm00LZmdmCgemJ7yJoc0k1HThE15IG6wQjBL iH99pZtYyM2X3I215ArLFiWsaA513uyibAz00SoBmqR860Lj3PGP4oV9dXpDcXugTlUT TA==
Received: from prod-mail-ppoint7 (a72-247-45-33.deploy.static.akamaitechnologies.com [72.247.45.33] (may be forged)) by m0050093.ppops.net-00190b01. (PPS) with ESMTPS id 3hx37u9r6x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 15 Aug 2022 14:04:02 +0100
Received: from pps.filterd (prod-mail-ppoint7.akamai.com [127.0.0.1]) by prod-mail-ppoint7.akamai.com (8.17.1.5/8.17.1.5) with ESMTP id 27FCaOYi013746; Mon, 15 Aug 2022 09:04:01 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.203]) by prod-mail-ppoint7.akamai.com (PPS) with ESMTPS id 3hx79wafr5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 15 Aug 2022 09:03:59 -0400
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com (172.27.50.203) by ustx2ex-dag4mb3.msg.corp.akamai.com (172.27.50.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.9; Mon, 15 Aug 2022 06:03:18 -0700
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) by ustx2ex-dag4mb4.msg.corp.akamai.com ([172.27.50.203]) with mapi id 15.02.1118.009; Mon, 15 Aug 2022 06:03:18 -0700
From: "Salz, Rich" <rsalz@akamai.com>
To: Kyle Rose <krose@krose.org>, Hal Murray <halmurray@sonic.net>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Getting started, clock not set yet
Thread-Index: AQHYr4wxQhJxOFsCHkKD5+IbA7Sfja2u264AgAFGSYA=
Date: Mon, 15 Aug 2022 13:03:18 +0000
Message-ID: <AE7FBBE6-6112-402D-9D55-824EFF45F98E@akamai.com>
References: <krose@krose.org> <CAJU8_nX5_8qCQMNhX15oH-2=cEa8roxczc3xe9Q=8nOYfKPxdQ@mail.gmail.com> <20220814031607.7C6CD28C1EF@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <CAJU8_nWC+GRZFm02trAgB_bmUfkNF9bMfUHenVRNojydzi1NNw@mail.gmail.com>
In-Reply-To: <CAJU8_nWC+GRZFm02trAgB_bmUfkNF9bMfUHenVRNojydzi1NNw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
x-originating-ip: [172.27.118.139]
Content-Type: multipart/alternative; boundary="_000_AE7FBBE66112402D9D55824EFF45F98Eakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-15_08,2022-08-15_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 mlxscore=0 malwarescore=0 mlxlogscore=919 bulkscore=0 adultscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208150051
X-Proofpoint-GUID: v0ra1kscDGqApSS7eYHpuJmDknr7NLNR
X-Proofpoint-ORIG-GUID: v0ra1kscDGqApSS7eYHpuJmDknr7NLNR
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-15_08,2022-08-15_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 bulkscore=0 phishscore=0 clxscore=1015 spamscore=0 mlxscore=0 malwarescore=0 impostorscore=0 mlxlogscore=901 lowpriorityscore=0 adultscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208150051
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XR2n4a2SIY3f7Ey7KLBFKPNvlR4>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 13:04:07 -0000

If I can distribute valid long-term keys, I can use them to sign the
certificates for NTS-KE servers and don't need Roughtime to get started.

Kyle’s right.  Roughtime increases the amount of work the attacker has to do by saying they must compromise multiple machines. That’s different from a single long-term key.

v2.23.0 | Report a Bug | By Email