Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:
>
> As was discussed recently in IETF ML, a serious vulnerability of,
> so called, DNSSEC is lack of secure time.

I have the beginnings of a solution to this problem. It is based on using
tlsdate, which gets the time from a server with minimal risk of
interference by a man-in-the-middle. If you get the time from several
diverse servers you can be very sure you have the right time if enough of
them agree. You can choose the size of a quorum according to your security
and robustness requirements. Agreement is determined in a similar way to
NTP's clock select algorithm, which separates falsetickers from
truechimers.

http://fanf.livejournal.com/128861.html - introductory article

https://git.csx.cam.ac.uk/x/ucs/u/fanf2/temporum.git - rough proof of concept implementation

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
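
The quorum agreement described in the message above, sketched as an added example that is not part of the original post and is not code from temporum. It uses a Marzullo-style interval intersection (the idea underlying NTP's clock selection) and assumes each server's reading has already been turned into an (earliest, latest) bound; the function name, server names and readings are constructed.

```python
# Added illustration, not temporum's code: quorum agreement over time samples
# using a Marzullo-style interval intersection. All readings are constructed.

def select_time(samples, quorum):
    """samples maps server -> (earliest, latest) bounds on the true time in
    Unix seconds (assumed: reported time widened by the round-trip delay).
    Returns (lo, hi, truechimers, falsetickers); raises if no quorum agrees."""
    edges = []
    for lo, hi in samples.values():
        if lo > hi:
            raise ValueError("interval bounds reversed")
        edges.append((lo, 0))   # 0 = interval opens
        edges.append((hi, 1))   # 1 = interval closes
    # Opens sort before closes at the same instant, so intervals that only
    # touch at one point still count as agreeing.
    edges.sort()

    best = depth = 0
    best_lo = best_hi = None
    for i, (t, kind) in enumerate(edges):
        if kind == 0:
            depth += 1
            if depth > best:
                # Deepest overlap so far; it extends to the next edge.
                best, best_lo, best_hi = depth, t, edges[i + 1][0]
        else:
            depth -= 1

    if best < quorum:
        raise RuntimeError(f"only {best} sources agree, quorum is {quorum}")
    true = sorted(s for s, (lo, hi) in samples.items()
                  if lo <= best_lo and hi >= best_hi)
    false = sorted(set(samples) - set(true))
    return best_lo, best_hi, true, false

T = 1_400_000_000  # constructed reference time
SAMPLES = {        # constructed readings from five hypothetical servers
    "a.example": (T - 1, T + 1),
    "b.example": (T, T + 2),
    "c.example": (T - 2, T + 1),
    "d.example": (T + 3599, T + 3601),    # an hour fast
    "e.example": (T - 86400, T - 86398),  # a day slow
}

if __name__ == "__main__":
    print(select_time(SAMPLES, quorum=3))
```

A quorum larger than the number of honest, reachable servers makes the function refuse to answer rather than accept a minority view, which is the security/robustness trade-off the message mentions.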