Roughtime: a protocol for secure, auditable time synchronisation (opens in new tab)

This is awfully similar to Ben Laurie's good ideas about how to run a distributed time stamping service for a cryptocurrency. http://www.links.org/files/distributed-currency.pdf

Great to see these ideas used for general security applications.

I'm curious why the clients chain requests but the servers don't chain replies. It would be straightforward for servers to emit a CT-style log as they go, thus forcing servers to prove that all their timestamps are in order. With a bit of refinement, it would also allow servers to prove that they didn't generate, say, Thursday's timestamp prior to learning a nonce that was sent to them on Wednesday. If nothing else, this would substantially strengthen its use as a timestamping service.

Also:

> It is the case that the signature, even assuming one request per batch, will add some number of microseconds of latency to the reply. Roughtime is not going to displace PTP for people who care about microseconds.

I'm not convinced that this should prevent extremely precise timestamping a la PTP. The server just needs to indicate, outside the signature, how long its processing took. Sure, this prevents authentication of the fine-grained time, but a client could easily bound the amount that a server can cheat.

SpiderOak might be interested in running a Roughtime service / participating in a Roughtime community to support Semaphor.

As it is, Semaphor clients include a local timestamp among the signed content of most actions, and the server rejects actions that aren't within some tolerance (strict ordering however is accomplished via hash chain.) Roughtime would allow improving this situation from several angles.

One of the logistical challenges is client network traffic footprint. Enterprises that deploy a collaboration solution often want to have a strict definition of which upstream servers it can be expected to talk to. Would it be possible for a single Roughtime service to incorporate verifiable information from a larger Roughtime community, such that end user clients don't have to communicate with additional addresses?

> There have been efforts to augment NTP with authentication, but they still assume a world where each client trusts one or more time servers absolutely.

OpenNTPD has "constraints" where it makes HTTP requests (using TLS) to webservers and checks that the time provided by the NTP server is within a certain threshold of the time returned in the HTTP Date header.

Much simpler and doesn't require dedicated servers.

This is great, I work in distributed systems and am always dealing with wall clocks. Most people ignore/forget about clock sync or reject using wall clocks entirely because of it. But you can get very practically reasonable results by thinking these things through and doing sync. I'm glad to see other people doing more work on improving and validating NTP servers.

Seems like this might be useful with proving that something happened at a certain time, no? Like use the hash of something as a nonce to a roughtime service?

Reads a bit like PGP's trust model applied to time synchronization.