
Re: time resolution (was Re: six-page binary format draft)

Steven Bellovin wrote:
> Our middle name is "Engineering".  "Engineering" means solving a
> problem economically, within a set of constraints.  The trick, of
> course, is knowing which constraints are reasonable and which aren't.
> It's certainly possible to have machines' clocks agree to within a few
> milliseconds.  Is it necessary here?  These are *certificates*, not
> challenge/response values.  I will, of course, point out that
> certificates are used precisely so that full-time online operation
> isn't necessary -- if I can query the authorization center when someone
> presents me with credentials, I don't need the credentials to be
> signed.
> We don't need finer resolution than 1 second.  I suspect we could stick
> with 1 minute, if we wanted to save some space.

Is this, perhaps, a short-sighted view of what certificates may be used
for? Suppose access to a terabit pipe were controlled by certs? We may
well want sub-second resolution on those, no? [Note: this may not be the
right way to use certs, but can we assume we currently know the right



Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
