[cabfpub] Pre-Ballot - Short-Life Certificates

Phillip Hallam-Baker philliph at comodo.com
Wed Nov 19 16:41:09 UTC 2014

On Nov 19, 2014, at 10:35 AM, Ben Laurie <benl at google.com> wrote:
> Clients recognize the hash from the log, look up when the certificate
> was issued (when the hash was published), and set the certificate to
> expire three days later.
> The question is: how do I know it's 3 days later?

For many machines it is trivial - just look at the system clock.

But lots of machines don’t have a RTC. The RaspberryPi for example does not because it would add $10 to the cost and require huge board area for the battery.

Sync with an NTP server provides time but not trusted time since the current protocol isn’t signed.

Which is why my Private-DNS protocol might be relevant. DNS and Time are both trusted services. Every device needs to be configured with a means to authenticate responses from a source chosen as trustworthy.

The main difference between Private-DNS and DNS over DTLS is that while they both involve a key agreement portion and a framing portion, in Private-DNS the key agreement portion is high level and allows a client to ask for means to connect to multiple services at once, for example DNS and NTP.

That said, NTP is probably way more accurate than necessary for crypto purposes, for which a simple JSON ‘what is the time’ protocol would be more than sufficient to check that the system clock is within five minutes of UTC and TAI. Which is also supported.

I hope to get a draft out on this only I caught something nasty on the plane back and my machine is dead. So after I rebuild the machine and find the Visual Studio disks etc I should have an implementation of using the key agreement protocol with Private-DNS and NTP / JNTP.
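As an added example, not part of this post or of the Private-DNS draft, here is a sketch of the ‘what is the time’ check and the three-day expiry computation described in the thread; an HMAC key stands in for whatever authenticator a device would be configured with (an assumption), and the times are constructed.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed shared key for the hypothetical time service; the post only says the client
# is configured with "a means to authenticate responses", so an HMAC key is assumed here.
TIME_SERVICE_KEY = b"constructed-demo-key-not-for-production"
MAX_SKEW = timedelta(minutes=5)     # tolerance the post suggests for the system clock
CERT_LIFETIME = timedelta(days=3)   # expiry relative to the log publishing the hash

def sign_time_response(now_utc: datetime, key: bytes = TIME_SERVICE_KEY) -> dict:
    """Service side of the hypothetical JSON 'what is the time' exchange."""
    payload = {"utc": now_utc.isoformat()}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def trusted_time(response: dict, key: bytes = TIME_SERVICE_KEY) -> datetime:
    """Client side: accept the reported time only if the authenticator verifies."""
    body = json.dumps(response["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["mac"]):
        raise ValueError("time response failed authentication")
    return datetime.fromisoformat(response["payload"]["utc"])

def clock_is_sane(local_now: datetime, trusted_now: datetime) -> bool:
    """True when the local clock is within MAX_SKEW of the trusted time."""
    return abs(local_now - trusted_now) <= MAX_SKEW

def cert_still_valid(published_at: datetime, now: datetime) -> bool:
    """Short-lived certificate: valid until CERT_LIFETIME after the log published its hash."""
    return now < published_at + CERT_LIFETIME

def demo() -> dict:
    """Walk through the exchange with constructed times; returns the individual checks."""
    trusted = datetime(2014, 11, 19, 16, 0, tzinfo=timezone.utc)   # constructed
    published = trusted - timedelta(days=2)                         # constructed
    response = sign_time_response(trusted)
    now = trusted_time(response)
    forged = {"payload": {"utc": (trusted + timedelta(days=2)).isoformat()},
              "mac": response["mac"]}                                # MAC replayed on new time
    try:
        trusted_time(forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"clock_ok": clock_is_sane(now + timedelta(minutes=4), now),
            "clock_bad": clock_is_sane(now + timedelta(minutes=6), now),
            "valid_now": cert_still_valid(published, now),
            "valid_later": cert_still_valid(published, now + timedelta(days=1)),
            "forged_rejected": forged_rejected}
```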
