Peter Bowen <[email protected]> writes:

>When we replaced a certificate on a publicly facing server, certain functions
>on a consumer electronics device stopped working. After debugging we found out
>that the device in question does not have an internal time and date
>reference. When the device initializes communication with our servers it first
>makes a call using HTTP over TLS to get the current date.

That's the old NTP-via-HTTP trick. Another one, used by things like smart cards and other limited embedded devices, is to use the validFrom date as a high-water-mark clock.

>As long as we have embedded devices out there, we will run into corner cases
>requiring some gymnastics to keep things working.

Yep. If you don't have a RTC then you have to get some sort of time reference from somewhere, and validFrom is about as good as you'll get, it's a sort of store-and-forward secure-NTP.

Peter.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
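The high-water-mark clock mentioned in the reply above, sketched as an added example that is not part of the original thread or any vendor's firmware. The names `hwm_clock`, `hwm_init` and `hwm_observe` are hypothetical, timestamps are constructed, and the sketch assumes chain and signature verification happens elsewhere and that `floor` is persisted in non-volatile storage.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Seconds since the Unix epoch, as parsed from a certificate validity field. */
typedef int64_t cert_time_t;

typedef enum { HWM_OK, HWM_UNVERIFIED, HWM_BAD_VALIDITY, HWM_EXPIRED } hwm_result;

/* Hypothetical device state: the latest time the device can prove has passed. */
typedef struct { cert_time_t floor; } hwm_clock;

/* Seed with the firmware build time, which is a safe lower bound on "now". */
void hwm_init(hwm_clock *c, cert_time_t build_time) { c->floor = build_time; }

/* Feed one certificate's validity window to the clock.
 * sig_verified: result of chain/signature validation done by the caller
 * (assumption). Dates from unauthenticated certificates never move the clock,
 * otherwise anyone on the path could push it forward and expire valid certs. */
hwm_result hwm_observe(hwm_clock *c, bool sig_verified,
                       cert_time_t not_before, cert_time_t not_after)
{
    if (!sig_verified)
        return HWM_UNVERIFIED;
    if (not_after < not_before)
        return HWM_BAD_VALIDITY;
    if (not_after < c->floor)       /* expired before a time we know has passed */
        return HWM_EXPIRED;
    if (not_before > c->floor)      /* monotonic: only ever moves forward */
        c->floor = not_before;
    /* The floor is only a lower bound, so a certificate that expired after
     * the floor but before the real current time cannot be detected. */
    return HWM_OK;
}

int main(void)
{
    hwm_clock clk;
    hwm_init(&clk, 1420070400);                              /* constructed: 2015-01-01 */
    /* Constructed validity windows, not taken from real certificates. */
    printf("%d\n", hwm_observe(&clk, true, 1451606400, 1483228800)); /* advances floor */
    printf("%d\n", hwm_observe(&clk, true, 1388534400, 1420070400)); /* now expired */
    printf("%d\n", hwm_observe(&clk, false, 1483228800, 1500000000)); /* ignored */
    printf("floor=%lld\n", (long long)clk.floor);
    return 0;
}
```
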

