Thanks. > It's been a few years, but IIRC my thinking was that the degree of trust > required in the Roughtime servers' long-term public keys is very low: you're > trusting them only for one server's assertion of the current time, not for > general web traffic; and if you ask enough servers, the likelihood of being > tricked into trusting a bad timestamp is very low even over long time > periods.
I've been assuming self-signed certificates with long lifetimes -- one per server. > Such an attack would require both access to a large number of long-term > private keys whose public keys are embedded in the client attack target, as > well as the ability to intercept traffic intended for each of these servers > at whatever moment the client initiates the Roughtime protocol (which > probably implies a long-term undetected network presence). This is clearly a > higher bar than simply trusting a web PKI certificate signed some > indeterminate time ago without respecting the expiration date and without > being able to update CRLs on startup (which also poses trust anchor turtles > all the way down). > In other words, much of the security of the scheme is in the practical > difficulty of mounting a successful attack even if the keys have been > compromised. NTS doesn't even attempt to address this kind of attack vector. Is there a first order difference between NTS using self signed certificates and Roughtime? There have been semi-endless debates about how many NTP servers to use. (I haven't seen one recently.) With 3 servers, 2 can outvote 1 bad guy. With 4 servers, you still have 3 if one is down. ... Adding security complicates that discussion. You have to add deliberate malfeasance to the list of things that can go wrong. And things can change over 10 years. Are there any good papers or web pages discussing the security of TLS? -------- One quirk on my 10 year problem. If the boxes are sitting on a shelf, it's at least possible to open them up and update firmware. It would be expensive, but it is another branch of the cost-benefit tree. -------- Again, thanks for your helpful input. -- These are my opinions. I hate spam. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
