At 4:21 AM -0700 4/6/11, Randy Bush wrote:
> Personally, I'm leery of making Internet routing dependent on ntp so
> would prefer the requirement be no weaker than the following proposal:
>
> 3.xx A BGPSEC design MAY be dependent on network services other than
> BGP (e.g., ntp) but SHOULD attempt to avoid such a dependency.
>
> if we want crypto level assurance, do you have a suggestion other than
> x.509, which depends on low precision time?
>
> for x.509 level assurance, what kind of precision does one actually
> need? my guess is on the order of hours. so we may not want to
> specifically abjure ntp, but rather express some bounds on the
> precision one wants.

In general, the precision required for a PKI depends on the tolerance
that relying parties have re expiration of certs and staleness of
CRLs. During the WG meeting we received a good suggestion to call
for explicit local controls for staleness of CRLs and cert expiration.
Establishing conventions for path expiration granularity is consistent
with that thrust.

Steve
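
The interaction between clock precision and local staleness controls discussed in this thread, as an added example that is not part of the original messages or of any BGPSEC or RPKI implementation. The `LocalPolicy` fields, the helper names and all sample dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class LocalPolicy:
    # Hypothetical local knobs; the values used below are constructed.
    clock_error: timedelta  # assumed bound on local clock error (+/-)
    cert_grace: timedelta   # tolerance past a certificate's notAfter
    crl_grace: timedelta    # tolerance past a CRL's nextUpdate

def check_window(now, start, end, grace, clock_error):
    """Classify [start, end + grace] against a clock that may be off by
    +/- clock_error: 'valid', 'invalid', or 'uncertain'."""
    earliest, latest = now - clock_error, now + clock_error
    limit = end + grace
    if latest < start or earliest > limit:
        return "invalid"      # outside the window for every possible true time
    if earliest >= start and latest <= limit:
        return "valid"        # inside the window for every possible true time
    return "uncertain"        # the clock error straddles a boundary

def evaluate(now, cert, crl, policy):
    """cert = (notBefore, notAfter); crl = (thisUpdate, nextUpdate)."""
    return {
        "cert": check_window(now, cert[0], cert[1], policy.cert_grace, policy.clock_error),
        "crl": check_window(now, crl[0], crl[1], policy.crl_grace, policy.clock_error),
    }

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample data: a one-year certificate and a daily CRL.
CERT = (utc(2011, 1, 1), utc(2012, 1, 1))
CRL = (utc(2011, 4, 6), utc(2011, 4, 7))
POLICY = LocalPolicy(clock_error=timedelta(hours=2),
                     cert_grace=timedelta(0),
                     crl_grace=timedelta(hours=12))

if __name__ == "__main__":
    for now in (utc(2011, 4, 6, 12), utc(2011, 4, 7, 11), utc(2011, 4, 7, 15)):
        print(now.isoformat(), evaluate(now, CERT, CRL, POLICY))
```

With a two-hour clock bound, the outcome is ambiguous only when the local time falls within two hours of a boundary, which is small against a one-year certificate but a noticeable fraction of a daily CRL's lifetime.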