Interesting screwup case

Hal Murray halmurray at sonic.net
Tue Mar 24 18:50:06 UTC 2026


> I think it would be nice if DHCP had a 'new' visitor option to send the
> time. 

But then you have to go down the rathole of considering what happens if 
that time is not accurate.  Let's not go there.

> Also, an option to temporarily waive DNSSEC if the time is before
> BUILD_EPOCH and (probably) revoke those that do not match after the big
> step would be nice. (working on it badly) 

So far, there is nothing in DNS that is critical for security.  If a MITM 
returns bogus data, that can send NTS-KE to the wrong host, but that will 
fail the TLS security checks.  So I haven't been doing much thinking along 
that area.  It might be interesting for non-NTS setups, but that just gets 
less-insecure, not real security.


> Additionally, find out whether Red Hat/Fedora has something else. Also,
> what if the mini-SD card has been offline for more than the duration of
> an involved signature or key? 

There is source for fake-hwclock on GitHub, all ready to go.  I don't know 
why Fedora hasn't grabbed it.

Yes, it fails if the system has been offline too long.  I call that the 
shelf problem.

> Isn't this almost exactly the plug story for roughtime?

No almost about it.

We can do the same thing with NTS by using self-signed certificates with 
long lifetimes.  It will take a bit more work on the client end to set 
things up.  I think this deserves more attention.  I want to set things up 
so a server works with either the normal PKI certificates or a self-signed 
one, but that gets complicated and I don't understand the details yet.




-- 
These are my opinions.  I hate spam.
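
The shelf problem discussed in this message, modelled as an added example (not part of the original post and not code from any NTP implementation): a client boots with its clock restored to the last saved time and checks the validity window of the certificate the server presents today. The dates, the 90-day lifetime with 60-day renewal for the PKI case, and the 10-year self-signed lifetime are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def cert_in_service(issued_first, lifetime, renew_every, now):
    """Validity window of the certificate the server presents at true time `now`,
    assuming it reissues every `renew_every` starting at `issued_first`."""
    rotations = (now - issued_first) // renew_every
    not_before = issued_first + rotations * renew_every
    return not_before, not_before + lifetime

def tls_time_check(client_clock, not_before, not_after):
    """The time part of certificate validation, as the client's clock sees it."""
    if client_clock < not_before:
        return "not yet valid"
    if client_clock > not_after:
        return "expired"
    return "ok"

def boot_after_shelf(shelved_at, shelf_time, issued_first, lifetime, renew_every):
    """Client boots with its clock restored to `shelved_at` (fake-hwclock style)
    while the true time is `shelved_at + shelf_time`."""
    window = cert_in_service(issued_first, lifetime, renew_every, shelved_at + shelf_time)
    return tls_time_check(shelved_at, *window)

def max_shelf_days(shelved_at, issued_first, lifetime, renew_every, limit=36500):
    """Longest whole-day shelf time after which the first connection still validates."""
    days = 0
    while days < limit and boot_after_shelf(
            shelved_at, timedelta(days=days + 1), issued_first, lifetime, renew_every) == "ok":
        days += 1
    return days

# Constructed sample values (assumptions, not taken from the message).
FIRST_ISSUED = datetime(2025, 1, 1, tzinfo=timezone.utc)
SHELVED_AT = datetime(2025, 3, 15, tzinfo=timezone.utc)
PKI = dict(issued_first=FIRST_ISSUED, lifetime=timedelta(days=90),
           renew_every=timedelta(days=60))
SELF_SIGNED = dict(issued_first=FIRST_ISSUED, lifetime=timedelta(days=3650),
                   renew_every=timedelta(days=3650))

if __name__ == "__main__":
    for name, schedule in (("PKI", PKI), ("self-signed", SELF_SIGNED)):
        for days in (30, 365):
            result = boot_after_shelf(SHELVED_AT, timedelta(days=days), **schedule)
            print(f"{name:12s} shelf={days:4d}d -> {result}")
        print(f"{name:12s} max shelf = {max_shelf_days(SHELVED_AT, **schedule)} days")
```

In this model the stale clock never sees an expired certificate; the failure is always "not yet valid", because the server has rotated to a certificate issued after the client's saved time.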