[ntpwg] Digital Evidence Standards and a statement that this directly effects NTP and its use...

TS Glassey tglassey at earthlink.net
Wed Nov 14 14:57:37 UTC 2007 

----- Original Message ----- 
From: "Shane Kerr" <Shane_Kerr at isc.org>
To: "TS Glassey" <tglassey at earthlink.net>
Cc: <ntpwg at lists.ntp.org>; <dhcwg at ietf.org>
Sent: Wednesday, November 14, 2007 1:41 AM
Subject: Re: [ntpwg] Digital Evidence Standards and a statement that this 
directly effects NTP and its use...


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Todd,
>
> TS Glassey wrote:
>>
>> Google the actual ruling here:
>> http://www.google.com/search?q=lorraine+v+markel&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLF
>
> A massive triumph of legal formalism over common sense, IMHO.

Yeah - I hear this same statement from Systems Administrator's - the same 
buch of guys and girls that keep failing those IT Security Audits... so I 
look to their commentary as their way of getting out of doing a honest day's 
work. If that statement offfends you as much as a buch of Systems 
Administrator's trying to control the world of Information Security becuase 
they are too freaking lazy to 'do it right', well... you explain to me why 
so many folks fail those audits again and again ???

This ruling sets the world of the System Administrator on its arse and did 
so globally by eliminating the concept that there is no-such thing as a 
digital original. In fact there is and the issue is that while document 
conterfeiting used to be more difficult, now a days it is as easy as saying 
'cp file1-name counterfeit-file name'...

>
>> Bluntly, the world changed a tad on May 4th and while this effort is 
>> pointed
>> at the physics of operating NTP, these new controls impact any work with 
>> any
>> other Standardized Protocol as well... What this means to people who NTP 
>> is
>> a part of their commercial offering, is that they MUST apply these new
>> standards to this code and its support as well, or they must use their 
>> own
>> internal code-base's rather than depending on one here. I think this 
>> ruling
>> re-set the bar heighth, and it is now much higher - even for an Academic
>> Entity. As to how this effects this WG, we need to build tools that are
>> capable of being used in these key application contexts or this protocol
>> will likely be ultimately replaced.
>
> I'm a little slow this morning... I can't figure out how this standard 
> applies
> to NTP.

OK Shane, I personally think the ruling means that there are now 
requirement's for tight and reliable evidence ganthering and maintanence in 
all aspects of the use of something creating digital evidence, especially 
when those processes run automatically below the general control of the 
end-user... It sets a new bar-height for demonstrating the quality of the 
system and the security in place for its use. So in some senses its NOT the 
NTP protocol itslef but its use that are impacted. Certianly the integrity 
of the code management process will become a real issue.

For what its worth this matter is before the US Appellate Court right now to 
get it advanced into real precedent "standard" from the persusave precedent 
it is now and all concerned will need to understand this and comply with it.

> Can you explain what it means, from a protocol and a software point of
> view (plain English preferred, technical gibberish okay, no legalese 
> please)?

1)    REAL reliable NTP user models MUST be developed. That means Use 
Statment's and what the system will provide in the form of timestamps per 
second based on some baseline metric.

2)    A real TEST PLAN needs to exist for each program in the NTP Suite and 
that will  be executed by the supporting party. Its MUCH better for the 
commercial relying parties if they dont develop the core of this TEST PLAN 
but rather just customize the one used to pre-certify the operations of NTP 
in their environment.

3)    The entity holding the Code Base will have to take full responsibility 
for that as well, meaning that they will become liable for screwup's or 
damages that people suffer using the code.

4)    The "No warranty for fitness" language needs to be removed from the 
license IMHO, because if there is no accountability in the time transfer 
process there is no point in using it.

Hmmm- what would that mean for the ISC by the way? - could it step to the 
plate and put in place a secured and audited change control process and 
service? Could it and will it bear the expense of those?


Just my two cents.

Todd Glassey

>
> - --
> Shane
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHOsLAMsfZxBO4kbQRAk8uAKCjfp0XvQUKcCat2oBvUDOBgZ39fwCfWtcN
> 5ejJMaSb3blH3h/9kohaioo=
> =4DDy
> -----END PGP SIGNATURE-----

More information about the ntpwg mailing list