Re: [TLS] How to Validate Servers' Identities w/out reliable source of time

Rob Stradling <Rob@ComodoCA.com> Thu, 04 October 2018 16:57 UTC

To: "Dr. Pala" <director@openca.org>
References: <90b6138b-acf9-0836-79e8-556c81d1029a@openca.org>
From: Rob Stradling <Rob@ComodoCA.com>
Cc: TLS WG <tls@ietf.org>
Message-ID: <4f35e991-9aa7-48d3-bf83-ead7412d3ebc@ComodoCA.com>
Date: Thu, 04 Oct 2018 17:57:07 +0100
In-Reply-To: <90b6138b-acf9-0836-79e8-556c81d1029a@openca.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hAUNi6M14riXDYw9piVLS_gKZFI>

Hi Max.  The most promising solution I've seen to this problem is 
Google's Roughtime protocol.

Adam Langley's blog post:
https://www.imperialviolet.org/2016/09/19/roughtime.html

Protocol description:
https://roughtime.googlesource.com/roughtime/+/HEAD/PROTOCOL.md

Open-source implementation:
https://roughtime.googlesource.com/roughtime

Cloudflare's Roughtime service:
https://blog.cloudflare.com/roughtime/

On 04/10/18 16:22, Dr. Pala wrote:
> Hi all,
> 
> I am struggling with one issue that we have been seeing more and more 
> often with the introduction of small IoT devices that connect to clouds 
> via TLS and need to validate the cloud server's (or the other party's) 
> certificate chain.
> 
> In particular, the problem is that without a reliable (or trusted) 
> source of time information, devices cannot reliably validate 
> certificates (i.e., is the certificate even valid...? is it expired? 
> is the revocation info fresh enough?) and my question for the list is 
> about best practices in the space. The problem is even more problematic 
> for devices with limited access to the network (e.g., access only to 
> specific servers / cloud services) since no "external" source of time 
> can be used.
> 
> Do you know if there are indications / best practices from ITU or from 
> IETF (or other organizations) on how to deal with this issue? Has the 
> issue been addressed somewhere?
> 
> Cheers,
> Max
> 
> -- 
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director

-- 
Rob Stradling
Senior Research & Development Scientist
Email: Rob@ComodoCA.com
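As an added illustration of the approach Rob points to, here is example code written for this page; it is not code from the thread, from Google's Roughtime repository, or from Cloudflare, and its `TimeReply` layout is a constructed stand-in rather than the real Roughtime wire format. It shows the core idea that answers Max's question: a device with no trustworthy clock sends a fresh random nonce, the time server signs that nonce together with its own time (a midpoint) and an uncertainty radius using a long-term Ed25519 key whose public half the device carries in firmware, and only after checking the nonce and signature does the device compare a certificate's validity period against the attested interval. Assumed or constructed values: the one-second radius, the fixed server clock, the two certificates' validity windows, and the single pinned server key. Roughtime's Merkle-tree batching of requests, its delegated online signing keys, and the chaining of replies across several servers are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TimeReply is a simplified stand-in for a Roughtime reply (a constructed
// format, not the real wire encoding): the server signs the client's nonce
// together with its time (midpoint) and an uncertainty radius. Real Roughtime
// batches requests in a Merkle tree and signs with a delegated key; omitted.
type TimeReply struct {
	Nonce    [32]byte
	Midpoint uint64 // microseconds since the Unix epoch
	Radius   uint32 // uncertainty either side of Midpoint, in microseconds
	Sig      []byte // Ed25519 signature over signedBytes(...)
}

// signedBytes is what the server signs: nonce || midpoint || radius.
func signedBytes(nonce [32]byte, midpoint uint64, radius uint32) []byte {
	buf := make([]byte, 32+8+4)
	copy(buf, nonce[:])
	binary.LittleEndian.PutUint64(buf[32:], midpoint)
	binary.LittleEndian.PutUint32(buf[40:], radius)
	return buf
}

// ServerReply is the time service's side: it binds the caller's nonce into the
// signed time, so a captured reply cannot be replayed against a later request.
// now is the server's own clock; the device never needs one.
func ServerReply(priv ed25519.PrivateKey, nonce [32]byte, now time.Time) TimeReply {
	mid := uint64(now.UnixNano() / 1000)
	const radius uint32 = 1000000 // claims accuracy to within one second (assumed)
	sig := ed25519.Sign(priv, signedBytes(nonce, mid, radius))
	return TimeReply{Nonce: nonce, Midpoint: mid, Radius: radius, Sig: sig}
}

// TimeBound is what a clockless client learns: the true time lies in [Lo, Hi].
type TimeBound struct{ Lo, Hi time.Time }

// VerifyTime is the device's side: the reply must carry our nonce (freshness)
// and verify under the server key pinned in firmware (authenticity) before use.
func VerifyTime(pub ed25519.PublicKey, nonce [32]byte, r TimeReply) (TimeBound, error) {
	if r.Nonce != nonce {
		return TimeBound{}, errors.New("nonce mismatch: reply was not produced for this request")
	}
	if !ed25519.Verify(pub, signedBytes(r.Nonce, r.Midpoint, r.Radius), r.Sig) {
		return TimeBound{}, errors.New("signature does not verify under the pinned server key")
	}
	mid := time.Unix(0, int64(r.Midpoint)*1000).UTC()
	rad := time.Duration(r.Radius) * time.Microsecond
	return TimeBound{Lo: mid.Add(-rad), Hi: mid.Add(rad)}, nil
}

// CertValidAt is the conservative rule: accept only when the certificate's
// validity window contains the whole attested interval, so no part of the
// uncertainty falls outside NotBefore..NotAfter.
func CertValidAt(b TimeBound, cert *x509.Certificate) bool {
	return !b.Lo.Before(cert.NotBefore) && !b.Hi.After(cert.NotAfter)
}

// Demo runs the exchange against a fixed, constructed server clock and reports
// whether an in-date cert is accepted, an expired one and a replay are rejected.
func Demo() (inDateOK, expiredRejected, replayRejected bool, err error) {
	clock := time.Date(2018, 10, 4, 16, 57, 0, 0, time.UTC) // constructed
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	var nonce [32]byte
	if _, err = rand.Read(nonce[:]); err != nil {
		return
	}
	reply := ServerReply(priv, nonce, clock)
	bound, err := VerifyTime(pub, nonce, reply)
	if err != nil {
		return
	}
	inDate := &x509.Certificate{NotBefore: clock.AddDate(0, -1, 0), NotAfter: clock.AddDate(1, 0, 0)}
	expired := &x509.Certificate{NotBefore: clock.AddDate(-2, 0, 0), NotAfter: clock.AddDate(-1, 0, 0)}
	inDateOK = CertValidAt(bound, inDate)
	expiredRejected = !CertValidAt(bound, expired)
	// Replay: the reply obtained for nonce is presented for a later request.
	later := nonce
	later[0] ^= 1
	_, replayErr := VerifyTime(pub, later, reply)
	replayRejected = replayErr != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Two design points worth noting. The device trusts nothing about its own state except the pinned public key and the randomness behind the nonce; a reply that fails either the nonce or the signature check yields no time at all rather than a "best guess". And `CertValidAt` requires the certificate's window to contain the entire uncertainty interval, so a certificate that expires inside that interval is rejected instead of being accepted on the optimistic end of the radius.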