From the Ecosystem page: "So, instead, Roughtime is only available for products that can be updated. The server lists have an explicit expiry time in them and we will actively seek to break clients that try to use old information in order to maintain ecosystem health. At the moment changing the hostname or port of a server is the easiest way to enforce this but we expect to add a per-server id in the future that clients would need to send in order to prove to the server that they have a current server list."
I see a slight chicken and egg problem here. This service is mostly needed to provide initial time synchronization to devices that have just powered on and don't know what time it is - but of course, since they don't know the time they have no way of checking the freshness of the server list. Which in practice means that a lot of devices will end up having to download a new server list every time they need to synchronize their time. That's a lot of load on the server providing the list, which effectively becomes a critical part of the Roughtime system that's hardcoded into the clients.
This is a good point and we might need to change things because of this; it depends on what client needs turn out to be.
But I'm hoping that the software-update mechanism is the foundation of any modern system, and that can use nonces to show freshness. It's fairly common for systems to update immediately on power-on and hopefully that will get the fresh Roughtime server-list that allows the rest of the system to come up.
(The alternative is that we try to guarantee that Roughtime servers will never change, and that's very hard.)
Why not just use a hash of the server list to query whether or not you're up to date? You ping the server with your hash and it replies OK or it sends you the latest one.
That reduces the impact of each query, but doesn't reduce the amount of queries.
Imagine if a few popular models of IoT devices take security seriously and get their time with roughtime. They are still built from cheap components with minimal capability for persistent writes though, because price is key. Any large blackout could mean that millions of these devices power up simultaniously, putting huge load on the list update server.
You essentially make the list update servers crucial infrastructure that has to potentially handle huge load spikes.
openntpd is a nice hacky workaround, but not a clean solution. However they hindered adoption by requiring libressl to build this feature.
But roughtime does much more than openntpd: It lets you get the time from multiple servers and gives you cryptographic proof in case one of them tries to lie to you. That's a much tougher security guarantee.
Note that this isn't exactly a problem in Google case. They want to fix cases where a wrong clock can invalidate certificates, so even a skew of a few minutes wouldn't be a problem (in Roughtime specially, they allow a 10 second delay as far I understand).
"With only two servers, the client can end up with proof that something is wrong, but no idea what the correct time is. But with half a dozen or more independent servers, the client will end up with a chain of proof of any server's misbehaviour, signed by several others, and (presumably) enough accurate replies to establish what the correct time is."
This sounds fairly similar to the 51% attack prevention in Bitcoin, and I think they could perhaps be more precise here. There are several other similarities which stuck out to me (note that bitcoin itself is a timestamp server, see section 3 of the whitepaper).
Also they mention "We envision that clients will maintain a rolling window of signature chains and will be able to upload any proofs of misbehaviour," which also sounds bitcoin-ish at least to me.. (maybe my perception is skewed from spending lots of time in the space)
I guess the question this leaves me with after reading is: could one get a reliable ~10 second accurate timestamp from the bitcoin blockchain or a modification of it?
>This sounds fairly similar to the 51% attack prevention in Bitcoin
With the advantage that in this case you can set an arbitrary threshold. You could for example only update your clock if 80% of your time servers agree on a time, or 90%, depending on your risk aversity.
>could one get a reliable ~10 second accurate timestamp from the bitcoin blockchain or a modification of it?
You are right that Bitcoin is essentially a timestamping system, but it only timestamps every ten minutes (some other cryptocoins go down to one minute). The protocol is also quite forgiving: you can back-date a block by up to rwo hours. There is also no mechanism for figuring out whether you have all the existing blocks, meaning any blockchain based timeserver could still be tricked into reporting an earlier date by preventing him from receiving the newest blocks.
In short I think bitcoin (and other blockchain technology) is great for proving that information already existed on a certain day or even in a certain hour, but I don't think you can make a usable time-synchronization system out of them.
>There is also no mechanism for figuring out whether you have all the existing blocks, meaning any blockchain based timeserver could still be tricked into reporting an earlier date by preventing him from receiving the newest blocks.
I feel like what I was hinting at wouldn't quite work like this, but rather a timeserver in this system would do something like take an average of past block times, compare that with cpu time, and derive a best guess at the current time- obviously there is variance from block to block, but statistically might tend towards an accurate representation of time.
Similarly, you could set your client to only update if 80-90% of the blockchain running servers agreed on the time.
>take an average of past block times, compare that with cpu time, and derive a best guess at the current time
But how does that work if the attacker controls your network and prevents you from receiving any blocks newer than the first of april? He can even send you the next (still ancient) block from the blockchain every ten minutes, making everything look legitimate.
If you are cold-starting and have only a vague idea of the date, then you can't defend against this. If you have a sufficiently good idea of the current time that this doesn't impact your threat model, you have already solved your timekeeping problem and don't need the blockchain technique anymore.
Presumably you can corrupt a couple of small networks on which bitcoin nodes are running and that wouldn't disrupt time for the entire chain and clients relying on it...
"[Secure NTP] But that's what NTP should have been, 15 years ago—it just allows the network to be untrusted. We aim higher these days"..... So the infra/servers cannot be trusted.. THIS is the real takeaway.
I see a slight chicken and egg problem here. This service is mostly needed to provide initial time synchronization to devices that have just powered on and don't know what time it is - but of course, since they don't know the time they have no way of checking the freshness of the server list. Which in practice means that a lot of devices will end up having to download a new server list every time they need to synchronize their time. That's a lot of load on the server providing the list, which effectively becomes a critical part of the Roughtime system that's hardcoded into the clients.