IETF Logo Mail Archive

Re: [TLS] Getting started, clock not set yet

Kyle Rose <krose@krose.org> Tue, 09 August 2022 17:35 UTC

Return-Path: <krose@krose.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B6C0C14F722 for <tls@ietfa.amsl.com>; Tue, 9 Aug 2022 10:35:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O84oLhfRrb9j for <tls@ietfa.amsl.com>; Tue, 9 Aug 2022 10:35:38 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C748C14F606 for <tls@ietf.org>; Tue, 9 Aug 2022 10:35:37 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id o22so16007906edc.10 for <tls@ietf.org>; Tue, 09 Aug 2022 10:35:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=BE1/s3kUjkJdeh/yNxMQNL7tKh4AyOHoZKEk2ZUgNWY=; b=cX0HtBpu+a1moLv+GhNyr5cCjCgP3fTSFqlAyJRpv/1nSJ70UGJ01ZF8znQvN00ob7 cUQr/G+UgPbXxVFpOb2rhUXfy35RluUIq5eyQaXmXDlcQCEVfrYqjMEP+csALn7DaBz7 sp6/bUj2sEiCaT7npxbvAtHp6IRoE0+7ye9/U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=BE1/s3kUjkJdeh/yNxMQNL7tKh4AyOHoZKEk2ZUgNWY=; b=HoHR1OPYKd7W+V23nztmHewzDVcTNo2JkTBbc4Io2ig3UnS889k+9u7+2/AvCCQIH9 ReZEFPqd/6H9TkGd/qXCflLRcDUp9m/cO2nz662HmOpJA3/XPyiKsUhpYQLNNTVsrv0w iFztVa9aajuj//dW7uKmr7II/oGx2YW56lW80QDZx2CMrIcCyKzGctRh5c5pUudQBqgD ROjOeUhjth2LQjGv+u3Xg9MIFYV0GMtAGIHbeqFF+KhW/6UurjQtIgLa2yL4wWHaG/Av 08sj8plw4aaLkxAhzfnch8raQh91oAlr7UhRIvCkFgJhmdU19AozG36YbH0A8nauJkNQ 2/OQ==
X-Gm-Message-State: ACgBeo2UYkvq+EEXC7EuywQTs/7W5BY8wnEAP7yR4zPptlD08EoFXO30 YV9i0jD8fFMYaDTzlb6QKoyADgqOWzRIzg78r7o9Jw==
X-Google-Smtp-Source: AA6agR5F6NHDRgaFTA4vuj7FHz6wpU82DbXBORV+bj4RUjxhHgQwa6Db8AZ25up40WvVUTjc6LfWC8gaHm6xZwVHrOY=
X-Received: by 2002:a05:6402:28cb:b0:43b:c6d7:ef92 with SMTP id ef11-20020a05640228cb00b0043bc6d7ef92mr23268465edb.333.1660066536414; Tue, 09 Aug 2022 10:35:36 -0700 (PDT)
MIME-Version: 1.0
References: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: Kyle Rose <krose@krose.org>
Date: Tue, 09 Aug 2022 13:35:25 -0400
Message-ID: <CAJU8_nX5_8qCQMNhX15oH-2=cEa8roxczc3xe9Q=8nOYfKPxdQ@mail.gmail.com>
To: Hal Murray <halmurray+tls@sonic.net>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000034f61005e5d25c7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dtKp28YzsibazIN5PSFDXTrl0Q0>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 17:35:42 -0000

On Tue, Aug 9, 2022 at 12:40 AM Hal Murray <halmurray+tls@sonic.net> wrote:

> I work on NTP software.  NTS (Network Time Security) uses TLS.
>
> Many security schemes get tangled up with time.  TLS has time limits on
> certificates.  That presents a chicken-egg problem for NTP when getting
> started.
>

IIRC, this is one of the main arguments for advancing Roughtime:

https://datatracker.ietf.org/doc/draft-ietf-ntp-roughtime/

Assuming Roughtime is 'close enough', you can bootstrap NTP and then do
whatever else requires an accurate notion of the current time.

What Peter said isn't quite right, since (for example) you wouldn't want to
be obliged to distribute revocations for compromised but long-expired
certificates under the assumption that a properly-functioning client
wouldn't accept them anyway, but relying on Roughtime as a bootstrapping
mechanism limits the risk of trusting an expired cert.

Kyle

v2.23.0 | Report a Bug | By Email