On Fri, Sep 13, 2013 at 1:49 PM, Randy Bush <[email protected]> wrote:

> >> Of course, there will be some things where encryption is simply not
> >> needed, but data integrity is needed. Example: time (NTP) and
> >> routing protocols. So we need to be careful how we specify MUST.
> >> :-)
> > I think this is a reasonable read but I'd like to encourage dissent
> > here. Time is a very important part of almost all cryptographic
> > protocols
>
> i might go further. having some protocols in the clear allows the
> attacker to better focus their efforts on what is encrypted. also,
> though some data themselves might not require privacy, the nature of
> the conversation may facilitate traffic analysis.

My security concern with NTP is not so much on the encryption side as the authentication side. Due to the nature of the protocol it is easy to get encryption if you do authentication, so why not. But the protocol seems to have been by the type of people who care about synchronizing their clocks to Tier 1 stratum sources to within a nanosecond rather than people who care about getting a very high degree of assurance that they have a trustworthy time value that is good to maybe a minute.

I do want my system clock to be within a second of a good reference of course. But for security purposes I would tolerate a much lower degree of accuracy.

--
Website: http://hallambaker.com/
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
