Secure Time

[lorenz]

So currently for secure time there are essentially two options:

NTS (Network Time Security) | RFC 8915

• NTS is an actual standard, not just a draft and seems to enjoy quite some support from the national standards agencies (ptbtime1.ptb.de, nts1.time.nl, ...) but less so from the tech companies (only Cloudflare seems to run a server).
• It doesn't require an additional client and can reach very high accuracy as it's just NTP with security.
• Its key exchange phase requires a full-blown TLS 1.3 implementation which we definitely don't want to run as part of a C binary. But the key exchange phase is separate, we could try to run that in Go and only pass the cookies to chrony.
• Security-wise its ok, but it has no accountability (you cannot prove that a time server sent you bogous time). But since falseticker handling in NTP clients is well-understood and implemented as long as you have multiple servers operated by independant parties this is less of an issue. Has a chicken-egg problem with its own certificate validation if you have absolutely no time information (not even RTC).

See also https://weberblog.net/network-time-security-strengths-weaknesses/, which has some more details.

Roughtime | draft-ietf-ntp-roughtime-05

• Just a draft, in fact the current Cloudflare client is not interoperable with their own server.
• More popular with the tech companies (Google, Cloudflare and Chainpoint provide servers). No standards agencies seem to provide it.
• There are two Go implementations, one from Google which is compatible with current servers and one from Cloudflare which implements a newer draft.
• Would run in a separate service and essentially only guard against running off the rails with time.
• Security is good. The crypto is solid and the principle of operation pretty simple. If falseticker detection is properly implemented it could produce proofs of roughtime servers misbehaving, but we'd have to actually do something with them. Uses hardcoded public keys, so no problems with bootstrapping.

[leoluk]

Good summary - it seems like Roughtime is the right choice?

[q3k]

After a quick discussion, we've decided to not make a decision on this for now - ie., we're deferring this past MVP, and then we hope that there is a clear winner between the two approaches (for example, because roughtime becomes more standardized, or because an alternative NTP implementation in a memory-safe language exists and we're more comfortable with letting it handle crypto protocols).

[fionera]

There is also https://github.com/pendulum-project/ntpd-rs now which implements NTS and is written in rust