Comments on: “Crashing is an appropriate response”

By: Jens Alfke

Jens Alfke — Thu, 10 Jan 2008 23:30:06 +0000

Yes, clock synchronization is another known issue with certificate revocation. Fortunately the granularity needed is usually pretty low, like hours or days.

You guys are taking this more seriously than I meant! I was mostly just amused at coming across a real-world example of the “all Cretans are liars” paradox.

By: Shamino

Shamino — Thu, 10 Jan 2008 22:27:13 +0000

It would seem to me that, due to the impossibility of completely synchronizing clocks over the internet, that event-timestamps should only be trusted for the purpose of putting events from a single source in sequence. Comparing them against timestamps from other sources (including your own internal clock) is going to sometimes result in unexpected behavior.

And, IMO, predictable behavior is better than technical correctness.

By: fluffy

fluffy — Tue, 08 Jan 2008 14:22:00 +0000

I guess that depends on how much you’re supposed to trust the timestamp, then, considering that even in a world of NTP time is still fairly relative (and lunchtime doubly-so).

By: Jens Alfke

Jens Alfke — Tue, 08 Jan 2008 05:55:42 +0000

But revocations are timestamped, so the cert is already invalid at the time the app is parsing the revocation. It’s exactly like the Liar Paradox.

There’s a later point in the same slideshow where he describes how revocation means certs can’t obey ACID properties. The whole thing is a great exercise in sustained sarcasm; by the end, X.509 is reduced to a smoking hole in the ground that he’s pouring salt into.

By: fluffy

fluffy — Tue, 08 Jan 2008 05:36:08 +0000

Ostensibly, any app which accepts a self-revocation from the self-signed cert would authorize the cert, then perform the action which is signed with said cert. Ideally such an app would be designed with ACID criteria in mind. So, hopefully, self-signed self-revocation would behave as one would intuitively expect (i.e. a suicide note).