Re: [TLS] Getting started, clock not set yet
Kyle Rose <krose@krose.org> Sun, 14 August 2022 13:35 UTC
Return-Path: <krose@krose.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 527BEC15258C for <tls@ietfa.amsl.com>; Sun, 14 Aug 2022 06:35:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pqEFIRG4Xaur for <tls@ietfa.amsl.com>; Sun, 14 Aug 2022 06:35:41 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23707C152588 for <tls@ietf.org>; Sun, 14 Aug 2022 06:35:40 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id fy5so9532503ejc.3 for <tls@ietf.org>; Sun, 14 Aug 2022 06:35:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=vqTYspvCQH1v/j1IvxO6/EAA55ztv651oIUiMnPYvw8=; b=QDu83AhGco0u1QfTXpaThyBNup1nk91Z+OsWpefGDbTuVze0Pah05k8aWhwL48Dsib EWIXeZQtsF233IJWBcWKigL7Iui3mR4U2wEmFqPyQzkcGidu8O5BDZ0EC+aV803cDFHp C0ghoXav2U1EkyDkADZGAsD6SauZr/qucLZZ0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=vqTYspvCQH1v/j1IvxO6/EAA55ztv651oIUiMnPYvw8=; b=C2ImE8K3mm/ju76DapxgUF57Ux6qZg3akP4lMywhEAi7Vksr+SJInc2p+K6m1LQZZ2 IYg2NwOPHfZdvU3Gz9MKySlC/Qib1eMzc0hkvxZWRM8Pm8p8czHHi/BaAWg4cwtAbVXa 0b+7oXRnP8jJLtaIni992T9UItoIgcpTWntbj3RqVUEUgycujBfBxYNJgQqhq9rFykAz jRb7dJppTfFUZl/vhuMOH75ZeCW7mquDeVDgwQwDXtr+tXbUUSpe4zSSd3kGm7reGeGN cV9quFwRNSLHD5TTtgxsgeTe8CPeoBYKE5m1aPuI05ihn28OcG0CagFeYcBmVLYqecrX yf+A==
X-Gm-Message-State: ACgBeo0N69lZ3AnxaxuVn9GvYbovGVcX8Wvo881PLjVO5SCSSxl11ZWp gLhpC/ytuaPd2IWybSScQ5tHrq2u46GEigG6xAQJcw==
X-Google-Smtp-Source: AA6agR6/khCKcwRkveD9EfNrPIdFgVQcVqDFc6PZSp6B1pxFnV6uz4LDbnrDKeS53nQYdKu1xW5BR4zf8VMBfgpAlMk=
X-Received: by 2002:a17:906:9c82:b0:6df:c5f0:d456 with SMTP id fj2-20020a1709069c8200b006dfc5f0d456mr8187452ejc.287.1660484139458; Sun, 14 Aug 2022 06:35:39 -0700 (PDT)
MIME-Version: 1.0
References: <krose@krose.org> <CAJU8_nX5_8qCQMNhX15oH-2=cEa8roxczc3xe9Q=8nOYfKPxdQ@mail.gmail.com> <20220814031607.7C6CD28C1EF@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20220814031607.7C6CD28C1EF@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: Kyle Rose <krose@krose.org>
Date: Sun, 14 Aug 2022 09:35:28 -0400
Message-ID: <CAJU8_nWC+GRZFm02trAgB_bmUfkNF9bMfUHenVRNojydzi1NNw@mail.gmail.com>
To: Hal Murray <halmurray@sonic.net>
Cc: Hal Murray <halmurray+tls@sonic.net>, tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000049b91c05e6339701"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YQDhoa63EmyITmZtQdmuVhZUrxY>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Aug 2022 13:35:45 -0000
On Sat, Aug 13, 2022 at 11:16 PM Hal Murray <halmurray@sonic.net> wrote: > > IIRC, this is one of the main arguments for advancing Roughtime: > > I took a look at draft 06. I don't see how it helps. Am I missing > something? > > Here is the key section: > > 6.4 Validity of Response > A client MUST check the following properties when it receives a > response. We assume the long-term server public key is known to the > client through other means. > > If I can distribute valid long-term keys, I can use them to sign the > certificates for NTS-KE servers and don't need Roughtime to get started. > It's been a few years, but IIRC my thinking was that the degree of trust required in the Roughtime servers' long-term public keys is very low: you're trusting them only for one server's assertion of the current time, not for general web traffic; and if you ask enough servers, the likelihood of being tricked into trusting a bad timestamp is very low even over long time periods. Such an attack would require both access to a large number of long-term private keys whose public keys are embedded in the client attack target, as well as the ability to intercept traffic intended for each of these servers at whatever moment the client initiates the Roughtime protocol (which probably implies a long-term undetected network presence). This is clearly a higher bar than simply trusting a web PKI certificate signed some indeterminate time ago without respecting the expiration date and without being able to update CRLs on startup (which also poses trust anchor turtles all the way down). In other words, much of the security of the scheme is in the practical difficulty of mounting a successful attack even if the keys have been compromised. NTS doesn't even attempt to address this kind of attack vector. Kyle
- [TLS] Getting started, clock not set yet Hal Murray
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Rob Sayre
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Rob Sayre
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Rob Sayre
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Christopher Wood
- Re: [TLS] Getting started, clock not set yet Benjamin Kaduk
- Re: [TLS] Getting started, clock not set yet Eric Rescorla
- Re: [TLS] Getting started, clock not set yet Benjamin Kaduk
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Christian Huitema
- Re: [TLS] Getting started, clock not set yet Benjamin Kaduk
- Re: [TLS] Getting started, clock not set yet Robert Relyea
- Re: [TLS] Getting started, clock not set yet Christian Huitema
- Re: [TLS] Getting started, clock not set yet Hal Murray
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Hal Murray
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Salz, Rich
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Peter Gutmann
- Re: [TLS] Getting started, clock not set yet Kyle Rose
- Re: [TLS] Getting started, clock not set yet Peter Gutmann