On Tue, Apr 30, 2024 at 8:37 AM Dennis Jackson <ietf=40dennis-jackson...@dmarc.ietf.org> wrote:

> As mentioned above, we have such an extension already insofar as
> indicating support for Delegated Credentials means indicating a desire for
> a very short credential lifetime and an acceptance of the clock skew risks.

I agree that DC implicitly says "I think I have an accurate clock". I think that given the design of DC it was probably right to merge the "I support DCs" and "I think my clock is good enough to support DCs" semantics, but I don't think it's at all as natural to do that in the case of CAs, which, after all, could support both short- and long-lived certificates. As I said earlier, I think the right way to do that is with an orthogonal extension [0].

> Given how little use it's seen, I don't know that it's a good motivation for
> Trust Expressions.

I agree with you about this.

-Ekr

[0] I also don't think (not that you suggested it) that one should infer from the client advertising support for DCs that it has an accurate enough clock for every purpose.

> On 30/04/2024 16:33, Eric Rescorla wrote:
> >
> > On Tue, Apr 30, 2024 at 8:29 AM Watson Ladd <watsonbl...@gmail.com> wrote:
> >
> > > On Tue, Apr 30, 2024 at 8:25 AM Eric Rescorla <e...@rtfm.com> wrote:
> > > >
> > > > On the narrow point of shorter lifetimes, I don't think the right way
> > > > to advertise that you have an accurate clock is to advertise that you
> > > > support some set of root certificates.
> > > >
> > > > If we want to say that, we should have an extension that actually says
> > > > you have an accurate clock.
> > >
> > > That says you *think* you have an accurate clock.
> >
> > Quite so. However, if servers gate the use of some kind of short-lived
> > credential on a client signal that the client thinks it has an accurate
> > clock (however that signal is encoded) and the clients are frequently
> > wrong about that, we're going to have big problems.
> >
> > -Ekr
> >
> > > Sincerely,
> > > Watson
> > >
> > > --
> > > Astra mortemque praestare gradatim
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls