maas-devel team mailing list archive

Thread
Date

Re: Clock skew and OAuth

To: Gavin Panella <gavin.panella@xxxxxxxxxxxxx>
From: John Arbash Meinel <john@xxxxxxxxxxxxxxxxx>
Date: Mon, 20 Aug 2012 21:35:52 +0200
Cc: maas-devel@xxxxxxxxxxxxxxxxxxx, Scott Moser <scott.moser@xxxxxxxxxxxxx>
In-reply-to: <CALL7ch=4h2XLhuHa6MR--B_SgPwtSN75JqJyYy_y43k-8-6ahA@mail.gmail.com>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20120713 Thunderbird/14.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8/20/2012 6:17 PM, Gavin Panella wrote:
> On 20 August 2012 16:41, Robie Basak <robie.basak@xxxxxxxxxxxxx>
> wrote:
>> Scott pointed out a flaw in this to me offline. I had assumed
>> that the clock is only wrong by being in the past, and this
>> solution will not address the problem of the clock being wrong by
>> being in the future.
>> 
>> But AIUI now, this is problem on machines which have previously
>> been running on other OSes with the hardware clock set to local
>> time rather than UTC.
>> 
>> This may completely wipe out my proposal, since we can only
>> safely move the time towards the future with this plan, and not
>> towards the past.
> 
> Is there any such thing as a time-since-power-on clock? That, in 
> combination with it_is_after, would give us a semi-reliable upper 
> bound on the correct time.
> 

The other question is how close do the clocks actually need to be, and
how long does it take to spin up the machine? If the clocks only need
to be less accurate than the boot time, then you can just set the clock.

For example, clock needs to be accurate to within 1hr, and boot time
is no-more-than 10min.

If the clock needs to be more accurate than boot time, then you'll
never really make it with a flag passed at boot.

If you are worried that you'll upset more accurate time, just to have
it correct itself eventually with NTP, then you can use logic like:

if current_time < it_is_after:
  current_time = it_is_after
elif current_time > (it_is_after + 60*60): # 1hr
  # It doesn't take more than 1hr to boot, so any skew here is
  # because of an OS that sets the clock to local time instead of UTC
  current_time = it_is_after

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAykZgACgkQJdeBCYSNAAMP+QCfb7mi1oPT4o0Cyuiro0Sirw7j
WxcAnjuZAgC/w7jYswehKg9t61xOaZHy
=HI8b
-----END PGP SIGNATURE-----

References

Clock skew and OAuth
From: Julian Edwards, 2012-06-27
Re: Clock skew and OAuth
From: Jeroen Vermeulen, 2012-06-27
Re: Clock skew and OAuth
From: Julian Edwards, 2012-06-27
Re: Clock skew and OAuth
From: Scott Moser, 2012-06-27
Re: Clock skew and OAuth
From: Robie Basak, 2012-08-06
Re: Clock skew and OAuth
From: Gavin Panella, 2012-08-07
Re: Clock skew and OAuth
From: Robie Basak, 2012-08-07
Re: Clock skew and OAuth
From: Gavin Panella, 2012-08-20
Re: Clock skew and OAuth
From: Robie Basak, 2012-08-20
Re: Clock skew and OAuth
From: Gavin Panella, 2012-08-20