Re: [TLS] Getting started, clock not set yet

Rob Sayre <sayrer@gmail.com> Tue, 09 August 2022 17:25 UTC

References: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <SY4PR01MB6251F7EDC97E18A897BC3E6CEE629@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <SY4PR01MB6251F7EDC97E18A897BC3E6CEE629@SY4PR01MB6251.ausprd01.prod.outlook.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 09 Aug 2022 10:25:21 -0700
Message-ID: <CAChr6SyLY978PjoCGiRnB-4vWWBVxw=Y=+iA+B3ypyewAUfYDg@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Hal Murray <halmurray+tls@sonic.net>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fzyctPAqCaP_vGfqPpz2Mlyy0T0>

On Mon, Aug 8, 2022 at 10:04 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Hal Murray <halmurray+tls@sonic.net> writes:
>
> >Many security schemes get tangled up with time.  TLS has time limits on
> >certificates.  That presents a chicken-egg problem for NTP when getting
> >started.
> >
> >I'm looking for ideas, data, references, whatever?
>
> For commercial CAs, the expiry time is a billing mechanism, not a security
> mechanism.  A certificate is no more, or less, valid at 23:59:59 than it
> is at 00:00:01.
>

On the other end of the spectrum from SCADA hardware, hosting companies now
provide "managed"* LetsEncrypt certificates. That means you never worry
about the certificate expiring at all, at the cost of paying somewhat high
prices for bandwidth. They do have an expiration, but they tend to be
replaced many months before it gets close, because that part is free.

thanks,
Rob


* e.g.
https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs
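The chicken-and-egg problem Hal describes (a TLS client that needs time to validate a certificate, but needs a validated connection to get time) is easier to reason about once "the clock is not set" is distinguished from "the certificate has expired". The following is an added illustration, not code from this thread or from any TLS library: it classifies a certificate's validity window against the system clock, but first checks whether the clock reading is even plausible. The assumption it makes, labelled in the code, is that a device cannot legitimately be running before its firmware was built (and not before the last timestamp it persisted to storage, if it keeps one), so a clock reading earlier than that floor is reported as `CLOCK_UNSET` rather than as an expiry or not-yet-valid failure. All dates are constructed.

```python
"""Added example: separate 'clock not set yet' from a real validity failure.

Not from the mailing-list thread or from any TLS implementation; the
firmware build time and certificate dates below are constructed.
"""
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    VALID = "valid"                  # now lies inside [not_before, not_after]
    NOT_YET_VALID = "not_yet_valid"  # now is before not_before
    EXPIRED = "expired"              # now is after not_after
    CLOCK_UNSET = "clock_unset"      # now is implausibly early; don't trust it


# Assumption (constructed value): the firmware build time is a hard lower bound
# on wall-clock time, because the device cannot run before it was built.
FIRMWARE_BUILD_TIME = datetime(2022, 6, 1, tzinfo=timezone.utc)

# A typical unset clock: the Unix epoch, which is what many boards boot with.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed 90-day certificate window (Let's Encrypt-style lifetime).
CERT_NOT_BEFORE = datetime(2022, 7, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = CERT_NOT_BEFORE + timedelta(days=90)


def earliest_plausible_time(floor=FIRMWARE_BUILD_TIME, last_known=None):
    """The earliest wall-clock time the device can prove has already passed:
    the build time, or the last time persisted to storage if that is later."""
    if last_known is None:
        return floor
    return max(floor, last_known)


def clock_is_plausible(now, floor=FIRMWARE_BUILD_TIME, last_known=None):
    """True if `now` is not earlier than any time we know has already passed."""
    return now >= earliest_plausible_time(floor, last_known)


def classify(not_before, not_after, now,
             floor=FIRMWARE_BUILD_TIME, last_known=None):
    """Classify a certificate validity window against the system clock.

    The plausibility check runs first: with an unset clock every certificate
    would otherwise look NOT_YET_VALID, which is the chicken-and-egg case the
    caller (e.g. a time-sync bootstrap) needs to recognise and handle by policy.
    """
    if not clock_is_plausible(now, floor, last_known):
        return Verdict.CLOCK_UNSET
    if now < not_before:
        return Verdict.NOT_YET_VALID
    if now > not_after:
        return Verdict.EXPIRED
    return Verdict.VALID


def demo():
    """Run the classifier over the constructed scenarios; returns a dict."""
    return {
        "boot_with_epoch_clock": classify(CERT_NOT_BEFORE, CERT_NOT_AFTER, EPOCH),
        "normal_operation": classify(
            CERT_NOT_BEFORE, CERT_NOT_AFTER,
            datetime(2022, 8, 9, tzinfo=timezone.utc)),
        "cert_genuinely_expired": classify(
            CERT_NOT_BEFORE, CERT_NOT_AFTER,
            datetime(2022, 10, 15, tzinfo=timezone.utc)),
        # A persisted timestamp raises the floor: a clock that is later than
        # the build time but earlier than the last known time is still unset.
        "clock_behind_persisted_time": classify(
            CERT_NOT_BEFORE, CERT_NOT_AFTER,
            datetime(2022, 6, 15, tzinfo=timezone.utc),
            last_known=datetime(2022, 8, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

The point of the `CLOCK_UNSET` verdict is that it is not a certificate failure at all: with the clock at the epoch, every certificate the device will ever see looks not-yet-valid, so treating that as a hard error leaves the device unable to reach the time source that would fix the clock. What a client should do in that state is exactly the policy question the thread is asking about; the classifier only makes sure the bootstrap case is reported as its own condition rather than mistaken for an expired certificate.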