Hi,
[sorry for the delay...]
Disclaimer: I've not thought of this very hard, and I lack the
theoretical background to reason about it in formal terms.
Patrick Schleizer wrote (28 Aug 2014 14:42:55 GMT) :
> Even if they don't agree to send fake time information, I don't
> understand why connecting to a foe/hostile server and using their time
> information is any useful.
I think our design doc is putting too much weight on the pal/foe
naming (and in turn, quite logically, you are too :)
IMO, the idea is to get different pools of servers so that those
picked from one pool are unlikely to plot with those from other pools
against Tails users.
> I can't think of another area in which asking a hostile for advice is a
> good idea. Maybe "if friend and foe both agree, you can be confident
> that they're right; if they disagree, look further" - but that's not
> what Tails htpdate is doing.
Indeed, it should probably discard information that is diverging too
much from what others tell us. Care to file a "research" ticket
about it?
> Or asked the other way around:
> How much worse would you be off if basically, Tails htpdate would pick
> three random servers from the pal pool, and then build the mediate of
> the three advertised dates.
Intuitively, I think it would put too much weight on the trust we have
in the servers that are in the "pal" pool. But again, I may very well
be wrong.
Cheers,
--
intrigeri