Re: [TLS] Relative vs absolute ServerConfiguration.expiration_date

Bill Frantz <> Thu, 23 July 2015 01:38 UTC

Date: Wed, 22 Jul 2015 18:38:42 -0700
From: Bill Frantz <>
To: Blake Matheny <>

One place we may run into a lot of those clients is on machines 
like the Raspberry Pi and Beaglebone machines. These boards do 
not include clock chips, so the machines must get the current 
time via NTP every time they power on. If there is a problem 
with NTP, or if the shell script to set the clock is not run, 
then the date will probably be 20 or 30 years back in the last millennium.

Cheers - Bill

On 7/22/15 at 2:14 PM, (Blake Matheny) wrote:

>Ahh. I can't tell, the data I have is only clients with very 
>very broken clocks who failed validation as a result. My 
>assumption would be that there is a much larger number of 
>clients that fit what you described (cert/OCSP check passes, 
>but ServerConfiguration would not be). Since I don’t have the 
>data, I can’t say that for sure, but anecdotal evidence would 
>indicate that this is the case.
>On 7/22/15, 10:58 PM, "Eric Rescorla" <> wrote:
>>I guess what I'm trying to get at is the following:
>>Are there a lot of people whose clocks are accurate enough that they will be able to connect to the
>>server and check the certificate/OCSP but not accurate enough 
>>to process ServerConfiguration if it is in absolute time.
Bill Frantz        | Ham radio contesting is a    | Periwinkle
(408)356-8506      | contact sport.               | 16345 Englewood Ave
                   |  - Ken Widelitz K6LA / VY2TT | Los Gatos, CA 95032
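Bill's point about RTC-less boards, worked through as an added example (not code from the thread or from any TLS implementation): assuming the absolute form of expiration_date is a UNIX timestamp and the relative form is a lifetime in seconds from receipt, it shows that a client whose clock is stuck decades in the past would never see an absolute expiration_date expire, while a lifetime checked against a monotonic clock still expires on schedule; BUILD_TIME and the sample timestamps are constructed.

```python
from dataclasses import dataclass

WEEK = 7 * 24 * 3600

# Constructed values: when the server issued the configuration and when it expires.
SERVER_NOW = 1_437_609_600              # 2015-07-23T00:00:00Z (constructed)
EXPIRATION = SERVER_NOW + WEEK          # absolute expiration_date as a UNIX timestamp

# Hypothetical build timestamp of the client binary: no client can legitimately
# observe a wall clock earlier than the moment it was compiled.
BUILD_TIME = 1_435_708_800              # 2015-07-01T00:00:00Z (constructed)


def clock_is_plausible(wall_now: int) -> bool:
    """A wall clock earlier than the build time is certainly wrong (e.g. an RTC-less board that never reached NTP)."""
    return wall_now >= BUILD_TIME


def absolute_accepts(expiration_date: int, wall_now: int) -> bool:
    """Absolute form: valid only while the local wall clock is before expiration_date."""
    return wall_now < expiration_date


@dataclass
class RelativeConfig:
    """Relative form: the server sends a lifetime in seconds; the client anchors it to
    its monotonic clock at receipt, so the wall clock setting is irrelevant."""
    lifetime_seconds: int
    received_at: float  # time.monotonic() reading taken when the configuration arrived

    def accepts(self, monotonic_now: float) -> bool:
        return monotonic_now - self.received_at < self.lifetime_seconds


def evaluate(expiration_date: int, lifetime_seconds: int,
             client_wall_at_receipt: int, elapsed_seconds: int) -> dict:
    """Judge one stored configuration elapsed_seconds after receipt under both forms."""
    received_at = 1000.0                 # stand-in for time.monotonic() at receipt (constructed)
    relative = RelativeConfig(lifetime_seconds, received_at)
    return {
        "clock_plausible": clock_is_plausible(client_wall_at_receipt),
        "absolute_accepts": absolute_accepts(expiration_date, client_wall_at_receipt + elapsed_seconds),
        "relative_accepts": relative.accepts(received_at + elapsed_seconds),
    }


if __name__ == "__main__":
    # A client whose clock is right, a board stuck in 1999, and a clock two years fast.
    for label, wall, elapsed in [("correct clock", SERVER_NOW, 0),
                                 ("stuck in 1999", 915_148_800, 30 * 24 * 3600),
                                 ("two years fast", SERVER_NOW + 2 * 365 * 86400, 0)]:
        print(label, evaluate(EXPIRATION, WEEK, wall, elapsed))
```

The "stuck in 1999" client fails the plausibility check yet still accepts the absolute expiration_date a month after receipt; only the relative lifetime expires it.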