Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> writes:
>From: [EMAIL PROTECTED] (Peter Gutmann)
>pgut001> Given that (statistically speaking) the client will be a
>pgut001> Windoze box with a time which is more or less random, the use
>pgut001> of absolute timestamps doesn't add much, it would have been
>pgut001> better to use nonces+relative times ("The next update is 5
>pgut001> minutes from when you got this response", with an implied "If
>pgut001> this response took more than a minute or so to get to you, be
>pgut001> suspicuous").
>Sounds fine, except for the little detail that it's usually hard to know how
>long it took a packet to come from A to B, let alone an OCSP response that
>might (think of the really small ATM packets :-)) be broken into pieces.
Uhh... I can tell exactly how long it took to get from A to B by measuring the
response time for a query. If it's longer than (say) a minute, I regard it as
suspect. That's the one time measure which is useful: the local system can
determine whether a response is fresh (assuming the use of a nonce) no matter
how bogus its own time setting is, and if it knows it has a fresh response it
can use the relative time in there to determine when (again, relative to its
own idea of the time) an update will be available.
>we might see time synchronicity as a standard in windows and whatnot in a
>couple of years.
I'm sure Microsoft will add that right after they get ActiveX security sorted
out and finish making Outlook immune to trojans :-).
Peter.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
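The freshness check Peter describes above, as an added example that is not part of the thread and not OpenSSL code: the client binds the reply to its query with a nonce, measures the round trip on its own interval clock, rejects replies that took longer than a bound, and turns the responder's relative "next update in N seconds" into a deadline on that same local clock. The wall clock is never consulted, so a box whose date is set to 1980 still gets the right answer. The message layout, the HMAC standing in for the responder's signature, the shared key, the 60-second bound and the FakeClock are all assumptions made for the illustration, not the OCSP wire format.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    serial: int          # certificate being checked
    nonce: bytes         # fresh random value; binds the reply to this query


@dataclass
class Response:
    serial: int
    nonce: bytes         # responder echoes the request nonce
    status: str          # "good" or "revoked"
    next_update_in: int  # seconds from when the responder produced this reply
    mac: bytes           # stands in for the responder's signature (assumption)


RESPONDER_KEY = b"demo-shared-key"  # placeholder; a real responder signs, not MACs


def _body(serial: int, nonce: bytes, status: str, next_update_in: int) -> bytes:
    # Canonical byte string covered by the MAC (illustrative encoding).
    return b"|".join([str(serial).encode(), nonce.hex().encode(),
                      status.encode(), str(next_update_in).encode()])


def respond(req: Request, status: str = "good", next_update_in: int = 300) -> Response:
    """Responder side: echo the nonce, state next update as a relative offset."""
    mac = hmac.new(RESPONDER_KEY, _body(req.serial, req.nonce, status, next_update_in),
                   hashlib.sha256).digest()
    return Response(req.serial, req.nonce, status, next_update_in, mac)


@dataclass
class Verdict:
    ok: bool
    reason: str
    rtt: float
    next_update_at: Optional[float]  # deadline in the client's own clock units


class Client:
    """Client that trusts only its own interval clock, never absolute time."""

    def __init__(self, max_rtt: float = 60.0, clock=time.monotonic):
        self.max_rtt = max_rtt
        self.clock = clock  # monotonic: unaffected by a wrong or random wall-clock setting

    def make_request(self, serial: int):
        req = Request(serial, os.urandom(16))
        return req, self.clock()  # remember when we sent it

    def check(self, req: Request, sent_at: float, resp: Response) -> Verdict:
        rtt = self.clock() - sent_at
        expected = hmac.new(RESPONDER_KEY,
                            _body(resp.serial, resp.nonce, resp.status, resp.next_update_in),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp.mac):
            return Verdict(False, "bad signature", rtt, None)
        if resp.serial != req.serial or resp.nonce != req.nonce:
            return Verdict(False, "nonce mismatch: not an answer to our query (replay?)", rtt, None)
        if rtt > self.max_rtt:
            return Verdict(False, f"took {rtt:.0f}s > {self.max_rtt:.0f}s: suspect", rtt, None)
        # Worst case the responder produced the reply the instant we sent the query,
        # so count the relative offset from sent_at, not from receipt.
        return Verdict(True, "fresh", rtt, sent_at + resp.next_update_in)


class FakeClock:
    """Constructed clock for tests and the demo; advancing it simulates delay."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clk = FakeClock(12345.0)  # arbitrary start: the client's idea of "now" is irrelevant
    client = Client(max_rtt=60.0, clock=clk)
    req, sent = client.make_request(42)
    resp = respond(req)
    clk.advance(2)
    print("prompt reply:", client.check(req, sent, resp))
    req2, sent2 = client.make_request(42)
    print("replayed old reply:", client.check(req2, sent2, resp))
    clk.advance(90)
    print("slow reply:", client.check(req2, sent2, respond(req2)))
```

The deadline comes back in the client's own clock units, so the caller compares it against `clock()` later, not against a wall-clock date. The bound on `rtt` is what makes the relative offset meaningful: a reply that sat in transit for an hour would otherwise yield a deadline an hour too late.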