Hi Max. The most promising solution I've seen to this problem is
Google's Roughtime protocol.
Adam Langley's blog post:
https://www.imperialviolet.org/2016/09/19/roughtime.html
Protocol description:
https://roughtime.googlesource.com/roughtime/+/HEAD/PROTOCOL.md
Open-source implementation:
https://roughtime.googlesource.com/roughtime
Cloudflare's Roughtime service:
https://blog.cloudflare.com/roughtime/
On 04/10/18 16:22, Dr. Pala wrote:
Hi all,
I am struggling with one issue that we have been seeing more and more
often with the introduction of small IoT devices that connect to clouds
via TLS and need to validate the cloud server's (or the other party's)
certificate chain.
In particular, the problem is that without a reliable (or trusted)
source of Time information, devices cannot reliably validate
certificates (i.e., is the certificate even valid...? is it expired?
is the revocation info fresh enough?) and my question for the list is
about best practices in the space. The problem is even more problematic
for devices with limited access to the network (e.g., access only to
specific servers / cloud services) since no "external" source of time
can be used.
Do you know if there are indications / best practices from ITU or from
IETF (or other organizations) on how to deal with this issue? Has the
issue been addressed somewhere?
Cheers,
Max
--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
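An added example (not from this thread, nor from the Roughtime project) of what a device can do with the kind of answer Roughtime gives: the server reports its time as a midpoint plus an uncertainty radius, so the device holds a time interval rather than a point. The certificate is accepted only when the whole interval lies inside [notBefore, notAfter]; an interval that straddles either edge yields "uncertain" instead of a guess. Assumed: the response has already been signature-verified, and the units are microseconds since the Unix epoch as in Google's Roughtime (MIDP/RADI); the certificate dates are constructed sample values.

```python
# Added example: certificate validity decisions from an attested time interval.
# Assumes a Roughtime-style bound (midpoint, radius) in microseconds since the
# Unix epoch, already signature-verified by the transport layer (not shown).
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Verdict(Enum):
    VALID = "valid"                  # whole interval inside the validity period
    EXPIRED = "expired"              # whole interval after notAfter
    NOT_YET_VALID = "not_yet_valid"  # whole interval before notBefore
    UNCERTAIN = "uncertain"          # interval straddles notBefore or notAfter


@dataclass(frozen=True)
class TimeBound:
    """True time lies in [midpoint - radius, midpoint + radius], microseconds."""
    midpoint_us: int
    radius_us: int

    @property
    def earliest_us(self) -> int:
        return self.midpoint_us - self.radius_us

    @property
    def latest_us(self) -> int:
        return self.midpoint_us + self.radius_us


def to_us(ts: datetime) -> int:
    """Timezone-aware datetime -> microseconds since the Unix epoch."""
    return int(ts.astimezone(timezone.utc).timestamp()) * 1_000_000


def check_validity(bound: TimeBound, not_before: datetime, not_after: datetime) -> Verdict:
    """Compare the attested interval against the certificate's validity window."""
    nb, na = to_us(not_before), to_us(not_after)
    if bound.latest_us < nb:
        return Verdict.NOT_YET_VALID
    if bound.earliest_us > na:
        return Verdict.EXPIRED
    if nb <= bound.earliest_us and bound.latest_us <= na:
        return Verdict.VALID
    return Verdict.UNCERTAIN


def device_clock_bound(now_us: int) -> TimeBound:
    """An unattested local clock (e.g. an RTC-less board that boots at epoch 0)
    gives a point with no radius; the verdict then depends entirely on that guess."""
    return TimeBound(midpoint_us=now_us, radius_us=0)
```

A device that boots with its clock at the epoch and no attested bound will reject every current certificate as not yet valid, which is exactly the failure the question describes; feeding the same check an attested interval instead of the local guess resolves it.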
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls