Re: [TLS] How to Validate Servers' Identities w/out reliable source of time

Rob Stradling <Rob@ComodoCA.com> Thu, 04 October 2018 16:57 UTC

To: "Dr. Pala" <director@openca.org>
References: <90b6138b-acf9-0836-79e8-556c81d1029a@openca.org>
From: Rob Stradling <Rob@ComodoCA.com>
Cc: TLS WG <tls@ietf.org>
Message-ID: <4f35e991-9aa7-48d3-bf83-ead7412d3ebc@ComodoCA.com>
Date: Thu, 4 Oct 2018 17:57:07 +0100
In-Reply-To: <90b6138b-acf9-0836-79e8-556c81d1029a@openca.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hAUNi6M14riXDYw9piVLS_gKZFI>
Subject: Re: [TLS] How to Validate Servers' Identities w/out reliable source of time

Hi Max.  The most promising solution I've seen to this problem is 
Google's Roughtime protocol.

Adam Langley's blog post:
https://www.imperialviolet.org/2016/09/19/roughtime.html

Protocol description:
https://roughtime.googlesource.com/roughtime/+/HEAD/PROTOCOL.md

Open-source implementation:
https://roughtime.googlesource.com/roughtime

Cloudflare's Roughtime service:
https://blog.cloudflare.com/roughtime/

On 04/10/18 16:22, Dr. Pala wrote:
> Hi all,
> 
> I am struggling with one issue that we have been seeing more and more 
> often with the introduction of small IoT devices that connect to clouds 
> via TLS and need to validate the cloud server's (or the other party's) 
> certificate chain.
> 
> In particular, the problem is that without a reliable (or trusted) 
> source of Time information, devices cannot reliably validate 
> certificates (i.e., is the certificate even valid...? is it expired? 
> is the revocation info fresh enough?) and my question for the list is 
> about best practices in the space. The problem is even more problematic 
> for devices with limited access to the network (e.g., access only to 
> specific servers / cloud services) since no "external" source of time 
> can be used.
> 
> Do you know if there are indications / best practices from ITU or from 
> IETF (or other organizations) on how to deal with this issue? Has the 
> issue been addressed somewhere?
> 
> Cheers,
> Max
> 
> -- 
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director

-- 
Rob Stradling
Senior Research & Development Scientist
Email: Rob@ComodoCA.com
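As an added example (not code from this thread or from the Roughtime project), the following Go sketch models the idea behind the Roughtime approach Rob points to: a device with no trusted clock sends a random nonce, the time server signs that nonce together with its own time under a long-term key the device has pinned, and the device verifies the answer before using the returned time interval to check a certificate's validity period. The TimeResponse layout, the signed payload encoding and the CertWindowOK rule are simplified constructs for illustration and do not follow the real Roughtime wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// TimeResponse is a constructed, Roughtime-style signed time attestation; it is not the real wire format.
type TimeResponse struct {
	Nonce    [32]byte // echoes the client's nonce, binding the answer to this request
	Midpoint uint64   // server time, seconds since the Unix epoch
	Radius   uint32   // server-stated uncertainty, in seconds
	Sig      []byte   // Ed25519 signature over nonce || midpoint || radius
}

// NewNonce gives the client freshness without needing a trusted clock of its own.
func NewNonce() (n [32]byte) {
	if _, err := rand.Read(n[:]); err != nil { panic(err) }
	return n
}
func signedPayload(nonce [32]byte, midpoint uint64, radius uint32) []byte {
	buf := make([]byte, 44)
	copy(buf, nonce[:])
	binary.BigEndian.PutUint64(buf[32:], midpoint)
	binary.BigEndian.PutUint32(buf[40:], radius)
	return buf
}
// ServeTime is the trusted time source: it signs the client's nonce together with its own time.
func ServeTime(priv ed25519.PrivateKey, nonce [32]byte, now time.Time, radius uint32) TimeResponse {
	mid := uint64(now.Unix())
	return TimeResponse{nonce, mid, radius, ed25519.Sign(priv, signedPayload(nonce, mid, radius))}
}
// VerifyTime accepts a response only if it echoes our nonce (not a replay) and is signed by the pinned key.
func VerifyTime(pub ed25519.PublicKey, nonce [32]byte, r TimeResponse) (time.Time, error) {
	if r.Nonce != nonce {
		return time.Time{}, errors.New("nonce mismatch: stale or replayed response")
	}
	if !ed25519.Verify(pub, signedPayload(r.Nonce, r.Midpoint, r.Radius), r.Sig) {
		return time.Time{}, errors.New("signature does not verify under pinned key")
	}
	return time.Unix(int64(r.Midpoint), 0).UTC(), nil
}
// CertWindowOK requires all of [mid-radius, mid+radius] to fall inside the certificate's validity period.
func CertWindowOK(mid time.Time, radius uint32, notBefore, notAfter time.Time) bool {
	r := time.Duration(radius) * time.Second
	return !mid.Add(-r).Before(notBefore) && !mid.Add(r).After(notAfter)
}
```

Because the whole uncertainty interval must sit inside the validity period, a server-stated radius can never be used to stretch an expired or not-yet-valid certificate into acceptance.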