Christian Huitema <huit...@huitema.net> writes:

>For example, the device will get some notion of time from the dates in the
>certificates that are provisioned during enrollment. Maybe that's enough to
>move from the 10 years scenario to the one year scenario, and then call NTP.
>But it would probably be better to spell it out.
That's one of several ways I've seen of getting an approximate time: if you get fed a cert with validFrom = X then you know that it's at least time X. A more common one is to use HTTP as NTP and take the time from the "Date:" line. For store-and-forward, you take the message signing time, e.g. the CMS signingTime attribute. One I haven't seen for a while (thankfully) is to take the time in the TLS server hello, the gmt_unix_time, and use that (I never set that to anything valid so as not to expose the client or server to time-based attacks; the problem was that sometimes it looked valid enough that it messed up the other side).

In any case there's no need to implement yet another protocol on top of the existing ones, you can make do with what you've got - there are timestamps in so many things that you can typically find one in existing messaging.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
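As an added example (my own code, not from Peter's post or any of the implementations he mentions): the "at least time X" idea above, done as a monotonic lower bound fed from the timestamp sources he lists (cert validFrom, HTTP "Date:", CMS signingTime), using only the Python standard library. All timestamp values are constructed; the class and function names are my own.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_asn1_time(s: str) -> datetime:
    """Parse X.509/CMS UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if len(s) == 13:  # UTCTime: two-digit year, RFC 5280 pivots at 50
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    if len(s) != 15 or not s.endswith("Z"):
        raise ValueError(f"unsupported ASN.1 time: {s!r}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

class TimeLowerBound:
    """Keeps max(all timestamps seen so far). The real time is >= floor,
    and nothing we observe may ever move the floor backwards."""

    def __init__(self, initial: datetime):
        # Constructed seed: e.g. notBefore of the cert provisioned at enrolment.
        self.floor = initial

    def observe(self, ts: datetime) -> datetime:
        if ts > self.floor:      # an older timestamp tells us nothing new
            self.floor = ts
        return self.floor

    def observe_http_date(self, header_value: str) -> datetime:
        # "Date:" line of any HTTP response (IMF-fixdate), i.e. HTTP-as-NTP.
        return self.observe(parsedate_to_datetime(header_value))

    def observe_asn1_time(self, asn1_time: str) -> datetime:
        # validFrom/notBefore of a received cert, or a CMS signingTime attribute.
        return self.observe(parse_asn1_time(asn1_time))

def definitely_expired(bound: TimeLowerBound, not_after_asn1: str) -> bool:
    """A lower bound can only prove one thing: a cert whose notAfter lies
    before a time we know has already passed is expired. It cannot prove
    a cert is already within its validity window, so don't use it for that."""
    return parse_asn1_time(not_after_asn1) < bound.floor
```
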