On 10/13/2011 10:05 AM, Michael Richardson wrote:
>>>>>> "Curtis" == Curtis Villamizar <[email protected]> writes:
> >> While talking about hardware. These devices all need a
> >> battery backed clock or all the crypto will be broken.
>
>
> Curtis> Having a clock is not hard but I don't think your statement
> Curtis> is true.
>
> Curtis> Some crypto does not require time, but rather just entropy
> Curtis> (a nonce or challenge). For crypto that does require time
> Curtis> the former can be a bootstrap of sorts, possibly to get ntp
> Curtis> going if very accurate time is needed (for some reason).
>
> Curtis, Mark, as a DNSSEC implementer knows of what he speaks.
> DNSSEC requires time. Not to the second or even minute, but at least
> to the hour.
>
> DNSSEC is a core protocol at this point, and we need to be aware of it.
> It doesn't matter today, because we have a broken home DNS system, but
> that's within homenet to fix.
>
> Bootstrapping time enough to get DNSSEC to work is important.
>
Yup. And DNSSEC does not require precise time as you note.
In the short term, in CeroWrt, which has running DNSSEC, Dave plans to
do insecure lookups initially to resolve NTP server addresses to get the
time, and then switch over to secure once time has been established.
There may be other options possible. Ideally, something like a well
known anycast address we can get approximate time on would suffice, for
some high velocity hand waving.
- Jim
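The bootstrap Jim describes (insecure lookups until the clock is established, then DNSSEC validation), as an added Python sketch that is not CeroWrt's code or any poster's; the build-time floor, the SNTP reply bytes and the RRSIG window are constructed sample values.

```python
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Constructed: the firmware build time. A clock reading earlier than this is
# impossible, so it flags a device that booted without a battery-backed clock.
BUILD_TIME = int(datetime(2011, 10, 13, tzinfo=timezone.utc).timestamp())

# Constructed 48-byte SNTP reply: only the transmit timestamp (bytes 40-47) is set.
_XMT = int(datetime(2011, 10, 13, 15, 5, tzinfo=timezone.utc).timestamp()) + NTP_EPOCH_OFFSET
SAMPLE_NTP_REPLY = bytes(40) + struct.pack("!II", _XMT, 0)


def clock_is_plausible(now):
    """Unix time earlier than the build time cannot be right."""
    return now >= BUILD_TIME


def parse_sntp_transmit_time(packet):
    """Return the server transmit timestamp of an SNTP reply as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def rrsig_is_valid(now, inception, expiration):
    """RRSIG validity window (RFC 4035 section 5.3.1); only meaningful with a trusted clock."""
    return inception <= now <= expiration


def bootstrap_resolver(now, get_ntp_reply):
    """Pick the resolver mode: 'insecure' (no DNSSEC validation) until the clock
    is established, then 'validating'. get_ntp_reply() stands in for the insecure
    lookup of the NTP server name plus the SNTP exchange (hypothetical hook)."""
    if clock_is_plausible(now):
        return "validating", now
    now = parse_sntp_transmit_time(get_ntp_reply())
    if not clock_is_plausible(now):
        return "insecure", now  # reply gave an impossible time; stay unvalidated
    return "validating", now


if __name__ == "__main__":
    mode, now = bootstrap_resolver(0, lambda: SAMPLE_NTP_REPLY)
    print(mode, datetime.fromtimestamp(now, timezone.utc))
```

Coarse time is enough here: the RRSIG window is checked against hours or days of validity, not seconds, which is why an approximate source suffices before NTP is properly running.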
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet