On Sat, Nov 16, 2019 at 03:06:13PM -0800, Jon Callas wrote:
> In the general case, you can't consider a time measurement to be a scalar, it
> has to be at the very least a complex number of the form [time, skew]. As
> Derek noted, Kerberos used a skew of five minutes. While Neal Walfield noted
> in his original post that he's seen skew of 20min, I concur that that seems a
> bit long. My naive home set-up commonly has alarms across devices being ±2s
> or less, but that's because they're all getting time from some combination of
> NTP and cellular network time, which is ultimately GPS time (and of course,
> skew). I think five minutes is likely reasonable, but *some* skew is
> unavoidable. Moreover, anyone who's on satellite networks is seeing latency
> of over a second and once you throw in normal exponential backoff, five
> minutes seems about as short as is reasonable.

I believe that if Kerberos was starting over now, the 5 minutes would be
seen as excessively long, FWIW.
-Ben
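
Added example, not part of the original messages: a sketch of treating a clock reading as the pair [time, skew] discussed above, showing that two readings can only be ordered when their skew intervals do not overlap, plus a tolerance check on a peer's timestamp. The names `Reading`, `order` and `acceptable` and the sample timestamps are hypothetical; the skew figures are the ones quoted in the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Reading:
    """A clock reading as the pair [time, skew]: true time is in time ± skew."""
    time: datetime
    skew: timedelta

    @property
    def earliest(self) -> datetime:
        return self.time - self.skew

    @property
    def latest(self) -> datetime:
        return self.time + self.skew


def order(a: Reading, b: Reading) -> str:
    """Order two readings; overlapping intervals cannot be ordered."""
    if a.latest < b.earliest:
        return "before"
    if b.latest < a.earliest:
        return "after"
    return "indeterminate"


def acceptable(claimed: datetime, local: Reading) -> bool:
    """Accept a peer's timestamp only if it is within the local skew allowance."""
    return abs(claimed - local.time) <= local.skew


# Constructed sample values; the skews are the figures quoted in the thread.
T = datetime(2019, 11, 16, 23, 0, 0, tzinfo=timezone.utc)
FIVE_MIN = timedelta(minutes=5)
TWO_SEC = timedelta(seconds=2)

if __name__ == "__main__":
    local = Reading(T, FIVE_MIN)
    print(acceptable(T + TWO_SEC, local))                # peer clock 2 s off
    print(acceptable(T + timedelta(minutes=20), local))  # peer clock 20 min off
    later = T + timedelta(minutes=8)
    # Same two events, 8 minutes apart, under each skew allowance.
    print(order(Reading(T, FIVE_MIN), Reading(later, FIVE_MIN)))
    print(order(Reading(T, TWO_SEC), Reading(later, TWO_SEC)))
```

With a five-minute allowance, two events eight minutes apart cannot be ordered, which is the cost of a wide skew that the thread is weighing.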
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp