Re: [TLS] Getting started, clock not set yet

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 14 August 2022 10:05 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Christian Huitema <huitema@huitema.net>, Benjamin Kaduk <bkaduk@akamai.com>
CC: Kyle Rose <krose@krose.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Getting started, clock not set yet
Date: Sun, 14 Aug 2022 10:05:00 +0000
Message-ID: <SY4PR01MB6251A71C1D7410147CC35EFBEE699@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <CAJU8_nX5_8qCQMNhX15oH-2=cEa8roxczc3xe9Q=8nOYfKPxdQ@mail.gmail.com> <SY4PR01MB625105043B703E672776835AEE659@SY4PR01MB6251.ausprd01.prod.outlook.com> <CAJU8_nXTmvw6YJCeGy1P+O7S2ATJ3ACoP5Y0_k7GWzwf8Y2BUA@mail.gmail.com> <e4ed5b91-d3b7-0fe0-21ba-41fd337ffe87@huitema.net> <20220811205427.GA3579@akamai.com> <6bc78814-ba9c-72a9-c929-3934ccf70b74@huitema.net>
In-Reply-To: <6bc78814-ba9c-72a9-c929-3934ccf70b74@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jIozAUtuDehoS0scE4yBB_-l9-4>

Christian Huitema <huitema@huitema.net> writes:

>For example, the device will get some notion of time from the dates in the
>certificates that are provisioned during enrollment. Maybe that's enough to
>move from the 10 years scenario to the one year scenario, and then call NTP.
>But it would probably be better to spell it out.

That's one of several ways I've seen of getting an approximate time: if you
get fed a cert with validFrom = X then you know that it's at least time X.  A
more common one is to use HTTP as NTP and take the time from the "Date:" line.
For store-and-forward, you take the message signing time, e.g. the CMS
signingTime attribute.  One I haven't seen for a while (thankfully) is to take
the time in the TLS server hello, the gmt_unix_time, and use that (I never set
that to anything valid so as not to expose the client or server to time-based
attacks; the problem was that sometimes it looked valid enough that it messed
up the other side).

In any case, there's no need to implement yet another protocol on top of the
existing ones, you can make do with what you've got - there are timestamps in
so many things that you can typically find one in existing messaging.

Peter.
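The bootstrap Peter describes, as an added example that is not part of the thread: signed timestamps (cert notBefore, CMS signingTime) give a hard lower bound on the current time, unauthenticated hints (HTTP Date, gmt_unix_time) are only accepted if they fit between that bound and the enrolment cert's notAfter, and anything left over is settled by NTP. The cert dict shape, header value, signingTime and ServerHello random are all constructed sample values.

```python
"""Approximate clock from timestamps already present in the traffic.
Added example, not code from the thread; all sample values are constructed."""
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
ENROLMENT_CERT = {"notBefore": "Aug 14 10:05:00 2022 GMT",
                  "notAfter": "Aug 14 10:05:00 2023 GMT"}
HTTP_DATE = "Sun, 14 Aug 2022 10:06:31 GMT"   # constructed "Date:" header value
CMS_SIGNING_TIME = "220814100500Z"            # constructed signingTime (UTCTime)

def cert_time(s):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)

def cms_signing_time(utc_time):
    """CMS signingTime carried as ASN.1 UTCTime (two-digit year, trailing Z)."""
    return datetime.strptime(utc_time, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def http_date(header_value):
    """RFC 7231 Date: header; parsedate_to_datetime yields an aware UTC value."""
    return parsedate_to_datetime(header_value)

def gmt_unix_time(server_random):
    """First 4 bytes of ServerHello.random; a real time or, often, garbage."""
    return datetime.fromtimestamp(int.from_bytes(server_random[:4], "big"), timezone.utc)

def lower_bound(*signed_stamps):
    """Timestamps covered by a signature we verified: now is at least the latest."""
    return max(signed_stamps)

def estimate_now(cert, signing_time, hints):
    """hints: unauthenticated candidates in order of preference (HTTP Date before
    gmt_unix_time).  Return the first one consistent with what the signed data
    proves: not before the lower bound, not after the enrolment cert expires.
    A random gmt_unix_time usually fails this and is skipped; one that happens
    to land inside the window cannot be told apart, so this only bootstraps
    the clock until NTP can run."""
    lo = lower_bound(cert_time(cert["notBefore"]), cms_signing_time(signing_time))
    hi = cert_time(cert["notAfter"])
    for h in hints:
        if lo <= h <= hi:
            return h
    return lo   # nothing plausible: all we know is "at least lo"

if __name__ == "__main__":
    random_hello = bytes.fromhex("deadbeef") + bytes(28)  # constructed, decodes to 2088
    hints = [http_date(HTTP_DATE), gmt_unix_time(random_hello)]
    print(estimate_now(ENROLMENT_CERT, CMS_SIGNING_TIME, hints))
```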