Our telemetry shows that there are tons of machines (including recently manufactured tablets) without persistent clocks (i.e. no battery powering the system clock). Such machines indeed boot with date/time in the past millennium; they cannot hard-fail on OCSP errors (which greatly reduces the value of OCSP).
If we can avoid creating the same issue for ServerConfiguration, I think we should.

Cheers,

Andrei

From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Eric Rescorla
Sent: Thursday, July 23, 2015 7:02 AM
To: Bill Frantz
Cc: tls@ietf.org
Subject: Re: [TLS] Relative vs absolute ServerConfiguration.expiration_date

On Thu, Jul 23, 2015 at 3:38 AM, Bill Frantz <fra...@pwpconsult.com> wrote:
One place we may run into a lot of those clients is on machines like the Raspberry Pi and Beaglebone machines. These boards do not include clock chips, so the machines must get the current time via NTP every time they power on. If there is a problem with NTP, or if the shell script to set the clock is not run, then the date will probably be 20 or 30 years back in the last millennium.

That's definitely a problem, but not a specific problem for ServerConfiguration since those implementations will also have problems with certificates (and ironically, will accept ServerConfiguration just fine)

-Ekr

Cheers - Bill

On 7/22/15 at 2:14 PM, bmath...@fb.com (Blake Matheny) wrote:
Ahh. I can't tell, the data I have is only clients with very very broken clocks who failed validation as a result. My assumption would be that there is a much larger number of clients that fit what you described (cert/OCSP check passes, but ServerConfiguration would not be). Since I don’t have the data, I can’t say that for sure, but anecdotal evidence would indicate that this is the case.

-Blake

On 7/22/15, 10:58 PM, "Eric Rescorla" <e...@rtfm.com> wrote:
I guess what I'm trying to get at is the following: Are there a lot of people whose clocks are accurate enough that they will be able to connect to the server and check the certificate/OCSP but not accurate enough to process ServerConfiguration if it is in absolute time?
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

-----------------------------------------------------------------------
Bill Frantz        | Ham radio contesting is a   | Periwinkle
(408)356-8506      | contact sport.              | 16345 Englewood Ave
www.pwpconsult.com | - Ken Widelitz K6LA / VY2TT | Los Gatos, CA 95032
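An added example, not from this thread, that models the three client populations discussed above (an accurate clock, a clock off by days, and a board that boots with no clock at all) against an absolute expiration_date and a relative lifetime. The timestamps, certificate window and seven-day lifetime are constructed, and the relative check assumes the client has a monotonic clock to measure elapsed time with.

```python
# Added example (not from the thread): how a client's clock error interacts with
# an absolute expiration_date versus a relative lifetime. All values constructed.
DAY = 86400
TRUE_NOW = 1437600000                    # constructed "real" time, about 22 Jul 2015 UTC
CERT_NOT_BEFORE = TRUE_NOW - 180 * DAY   # constructed certificate window (one year)
CERT_NOT_AFTER = TRUE_NOW + 180 * DAY
CONFIG_LIFETIME = 7 * DAY                # constructed ServerConfiguration lifetime


def check(wall_offset, days_since_receipt):
    """Verdicts for one client.

    wall_offset        -- seconds the client's wall clock is ahead of (+) or
                          behind (-) the true time
    days_since_receipt -- true time elapsed since the ServerConfiguration was cached
    """
    wall_now = TRUE_NOW + wall_offset
    received_true = TRUE_NOW - days_since_receipt * DAY
    # Server-side absolute expiration_date: true receipt time plus the lifetime.
    expiration_date = received_true + CONFIG_LIFETIME
    truly_valid = TRUE_NOW <= expiration_date

    # Certificate check: notBefore <= now <= notAfter, judged by the wall clock.
    cert_ok = CERT_NOT_BEFORE <= wall_now <= CERT_NOT_AFTER
    # Absolute form: compare the server's expiration_date with the wall clock.
    absolute_ok = wall_now <= expiration_date
    # Relative form: measure elapsed time since receipt with a monotonic clock
    # (assumed available), which a wrong or unset wall clock does not affect.
    relative_ok = (TRUE_NOW - received_true) <= CONFIG_LIFETIME
    return {"cert_ok": cert_ok, "absolute_ok": absolute_ok,
            "relative_ok": relative_ok, "truly_valid": truly_valid}


# The client populations discussed in the thread (constructed numbers).
SCENARIOS = {
    "accurate clock":          (0, 2),
    "clock 10 days ahead":     (10 * DAY, 2),    # Blake's case: cert passes, absolute config fails
    "no RTC, booted at 1970":  (-TRUE_NOW, 2),   # Bill's boards: cert fails, absolute config passes
    "no RTC, stale config":    (-TRUE_NOW, 30),  # ...and a stale config is still accepted
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name:24s} {check(*args)}")
```

A relative lifetime only helps while the client can measure elapsed time independently of its wall clock; a cached configuration that outlives a reboot on a machine with no persistent clock has to be treated as expired.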