I work on NTP software. NTS (Network Time Security) uses TLS.
Many security schemes get tangled up with time. TLS has time limits on
certificates. That presents a chicken-and-egg problem for NTP when getting
started.
I'm looking for ideas, data, references, whatever?
Is there other work in this area?
Is there any sort of consensus on how close a clock needs to be when checking
certificates?
At this point, I divide the problem into 3 chunks.
The first case is easy. I'll call it the RTC case. Most PCs, laptops, and
servers have some sort of battery backed clock. As long as it is close
enough, everything just works.
But how close is close enough?
You need a plan for when the battery dies and such.
Set the clock from the BIOS.
ssh in and set the clock. That requires setting up the ssh keys ahead of
time.
The second case is something like a Raspberry Pi. They don't have RTCs.
Debian has a fake-hwclock module that writes the time to the disk every hour.
I call this the one year case. What happens when you leave it on the shelf
for a year?
Certificates are generally available with only a 1 year lifetime. That's
built into popular browsers so everybody else gets stuck with the decision.
After a year, nothing works. After 6 months, half of your servers should
still work.
A vendor could set up 2 servers with their certificates 6 months out of phase
so that 1 will last at least a year.
Note that games and IoT gear sold through retail channels will hit this
problem if they sit on a shelf for a year.
The really hard case is the 10 year problem. Consider a spare board sitting
on the shelf for 10 years. That's longer than batteries will last for RTCs.
Phone companies used to work on this time frame. I think we need to provide
them guidance. I've seen two ways.
One is to manually set the clock somewhere in the replace-the-board process.
I'm picturing a USB port where the technician can plug in his laptop. The
laptop can set the time.
The other is to use a certificate with a long lifetime. Are those available
or does that turn into a self-signed certificate?
There is also DNSSEC. I don't know anything about that yet. For the 1 year
or 10 year cases, you could "cache" the data in /etc/hosts. Then you need a
cron job to keep the cache up to date.
Does this make sense? Am I on the right track? ...
--
These are my opinions. I hate spam.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
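The one-year case described in the post, worked through as an added example (not code from the post or from any NTP/NTS implementation): a device whose clock froze at the date it last ran (fake-hwclock, no RTC) comes off the shelf and checks each server's certificate against that stale date. It assumes 1-year certificates that servers renew exactly on expiry, and a constructed pool of servers whose renewal dates are spread evenly over the year; the names and the 182-day stagger are this example's own.

```python
from datetime import date, timedelta

DAY = timedelta(days=1)
LIFETIME = 365 * DAY   # the 1-year certificate lifetime discussed in the post

def cert_accepted(not_before, not_after, client_clock):
    """The TLS validity-window check, evaluated against the client's
    (possibly stale) idea of the current date."""
    return not_before <= client_clock <= not_after

def cert_presented(first_issue, real_now, lifetime=LIFETIME):
    """Assumption: the server renews each cert exactly on expiry. Return the
    (notBefore, notAfter) of the cert it serves at real-world date real_now."""
    renewals = (real_now - first_issue) // lifetime
    not_before = first_issue + renewals * lifetime
    return not_before, not_before + lifetime

def servers_accepting(first_issues, shelf_start, shelf_days):
    """The device's clock froze at shelf_start (fake-hwclock, dead RTC battery).
    After shelf_days on the shelf it contacts each server; count the servers
    whose current cert still passes the device's stale-clock check."""
    real_now = shelf_start + shelf_days * DAY
    return sum(
        cert_accepted(*cert_presented(issue, real_now), shelf_start)
        for issue in first_issues
    )

def fraction_working(shelf_days, shelf_start=date(2020, 1, 1)):
    """Constructed pool: one server per day, renewal dates spread evenly over
    the year before the device went on the shelf."""
    pool = [shelf_start - d * DAY for d in range(365)]
    return servers_accepting(pool, shelf_start, shelf_days) / len(pool)

def staggered_pair_working(shelf_days, shelf_start=date(2020, 1, 1)):
    """The vendor mitigation from the post: two servers with certs issued
    six months (here 182 days) out of phase."""
    pair = [shelf_start, shelf_start - 182 * DAY]
    return servers_accepting(pair, shelf_start, shelf_days)

if __name__ == "__main__":
    for days in (0, 90, 182, 300, 364, 365):
        print(f"{days:3d} days on shelf: {fraction_working(days):.2f} of pool, "
              f"{staggered_pair_working(days)} of staggered pair")
```

Running it reproduces the post's arithmetic: about half the pool still validates after six months, none after a year, and one server of the staggered pair keeps validating until the day before the year is up.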