I see a slight chicken and egg problem here. This service is mostly needed to provide initial time synchronization to devices that have just powered on and don't know what time it is - but of course, since they don't know the time they have no way of checking the freshness of the server list. Which in practice means that a lot of devices will end up having to download a new server list every time they need to synchronize their time. That's a lot of load on the server providing the list, which effectively becomes a critical part of the Roughtime system that's hardcoded into the clients.
But I'm hoping that the software-update mechanism is the foundation of any modern system, and that can use nonces to show freshness. It's fairly common for systems to update immediately on power-on and hopefully that will get the fresh Roughtime server-list that allows the rest of the system to come up.
(The alternative is that we try to guarantee that Roughtime servers will never change, and that's very hard.)
while below retry limit:
time = get_time
if time == error "you use old server ids"
refresh list from random source
Imagine if a few popular models of IoT devices take security seriously and get their time with roughtime. They are still built from cheap components with minimal capability for persistent writes though, because price is key. Any large blackout could mean that millions of these devices power up simultaniously, putting huge load on the list update server.
You essentially make the list update servers crucial infrastructure that has to potentially handle huge load spikes.
This is an interesting solution I've never seen in practice before.
Also fault injection is pretty novel. I haven't seen this anywhere before. Essentially a public "opportunistic fuzzing" system: https://roughtime.googlesource.com/roughtime/+/HEAD/ECOSYSTE...
Any such clients have to fall back to TLS 1.2
A TLS 1.0 to 1.2 based time sync client called 'tlsdate' already exists.
But roughtime does much more than openntpd: It lets you get the time from multiple servers and gives you cryptographic proof in case one of them tries to lie to you. That's a much tougher security guarantee.
This sounds fairly similar to the 51% attack prevention in Bitcoin, and I think they could perhaps be more precise here. There are several other similarities which stuck out to me (note that bitcoin itself is a timestamp server, see section 3 of the whitepaper).
Also they mention "We envision that clients will maintain a rolling window of signature chains and will be able to upload any proofs of misbehaviour," which also sounds bitcoin-ish at least to me.. (maybe my perception is skewed from spending lots of time in the space)
I guess the question this leaves me with after reading is: could one get a reliable ~10 second accurate timestamp from the bitcoin blockchain or a modification of it?
With the advantage that in this case you can set an arbitrary threshold. You could for example only update your clock if 80% of your time servers agree on a time, or 90%, depending on your risk aversity.
>could one get a reliable ~10 second accurate timestamp from the bitcoin blockchain or a modification of it?
You are right that Bitcoin is essentially a timestamping system, but it only timestamps every ten minutes (some other cryptocoins go down to one minute). The protocol is also quite forgiving: you can back-date a block by up to rwo hours. There is also no mechanism for figuring out whether you have all the existing blocks, meaning any blockchain based timeserver could still be tricked into reporting an earlier date by preventing him from receiving the newest blocks.
In short I think bitcoin (and other blockchain technology) is great for proving that information already existed on a certain day or even in a certain hour, but I don't think you can make a usable time-synchronization system out of them.
I feel like what I was hinting at wouldn't quite work like this, but rather a timeserver in this system would do something like take an average of past block times, compare that with cpu time, and derive a best guess at the current time- obviously there is variance from block to block, but statistically might tend towards an accurate representation of time.
Similarly, you could set your client to only update if 80-90% of the blockchain running servers agreed on the time.
But how does that work if the attacker controls your network and prevents you from receiving any blocks newer than the first of april? He can even send you the next (still ancient) block from the blockchain every ten minutes, making everything look legitimate.
If you are cold-starting and have only a vague idea of the date, then you can't defend against this. If you have a sufficiently good idea of the current time that this doesn't impact your threat model, you have already solved your timekeeping problem and don't need the blockchain technique anymore.
Do you currently trust your LAN?
Do you not currently have some level of trust with pool.ntp.org or your OS hosted ntp mirrors?