Re: [TLS] Relative vs absolute ServerConfiguration.expiration_date

[Bill Frantz <frantz@pwpconsult.com>]

One place we may run into a lot of those clients are on machines 
like the Raspberry Pi and Beaglebone machines. These boards do 
not include clock chips, so the machines must get the current 
time via NTP every time they power on. If there is a problem 
with NTP, or if the shell script to set the clock is not run, 
then the date will probably be 20 or 30 years back in the last millenium.

Cheers - Bill

On 7/22/15 at 2:14 PM, bmatheny@fb.com (Blake Matheny) wrote:

>Ahh. I can't tell, the data I have is only clients with very 
>very broken clocks who failed validation as a result. My 
>assumption would be that there is a much larger number of 
>clients that fit what you described (cert/OCSP check passes, 
>but ServerConfiguration would not be). Since I don’t have the 
>data, I can’t say that for sure, but anecdotal evidence would 
>indicate that this is the case.
>
>-Blake
>
>
>
>
>On 7/22/15, 10:58 PM, "Eric Rescorla" <ekr@rtfm.com> wrote:
>
>>I guess what I'm trying to get at is the following:
>>Are there a lot of people whose clocks are accurate enough that they will be able to connect to the
>server and check the certificate/OCSP but not accurate enough 
>to process ServerConfiguration if it is in absolute time.
>_______________________________________________
>TLS mailing list
>TLS@ietf.org
>https://www.ietf.org/mailman/listinfo/tls
>
-----------------------------------------------------------------------
Bill Frantz        | Ham radio contesting is a    | Periwinkle
(408)356-8506      | contact sport.               | 16345 
Englewood Ave
www.pwpconsult.com |  - Ken Widelitz K6LA / VY2TT | Los Gatos, 
CA 95032