Should some kind of "boot protocol" be part of the specification? Meaning: If the client has no idea what the current time is, how can the "chicken-egg paradoxon" be solved (time required to check authentication, authentic responses needed to trust the time sent). I think in times of "IoT" this might be an important aspect (in the past "servers" had a battery backed up clock, or a trusted operator that sets/verifies/checks the clock on boot).
I disagree, thinking this should be left out of protocol spec but should be BCP'd as different deployments and implementations will have different requirements.
I'm not convinced this should be part of the document - deployment considerations, use of other backup sources of time or other protocols is by in large out of scope.
Ulrich writes:
I disagree, thinking this should be left out of protocol spec but should be BCP'd as different deployments and implementations will have different requirements.