[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: time resolution (was Re: six-page binary format draft)
Steven Bellovin wrote:
>
> Our middle name is "Engineering". "Engineering" means solving a
> problem economically, within a set of constraints. The trick, of
> course, is knowing which constraints are reasonable and which aren't.
>
> It's certainly possible to have machines' clocks agree to within a few
> milliseconds. Is it necessary here? These are *certificates*, not
> challenge/response values. I will, of course, point out that
> certificates are used precisely so that full-time online operation
> isn't necessary -- if I can query the authorization center when someone
> presents me with credentials, I don't need the credentials to be
> signed.
>
> We don't need finer resolution than 1 second. I suspect we could stick
> with 1 minute, if we wanted to save some space.
Is this, perhaps, a short-sighted view of what certificates may be used
for? Suppose access to a terabit pipe were controlled by certs? We may
well want sub-second resolution on those, no? [Note: this may not be the
right way to use certs, but can we assume we currently know the right
ways?]
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd, |http://www.algroup.co.uk/Apache-SSL
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
Follow-Ups:
References: