Re: [Monotone-devel] Monotone Security

[Markus Wanner]

Hi,

Zack Weinberg wrote:
> Yes.  Distributed systems research has concluded that there ain't no
> such thing as a trustable global clock.  (I don't have cites - this is
> my paraphrase of something Nathaniel said some years ago.)

While that's certainly true, I also agree with Daniel that there's
something wrong with revisions A -> B having timestamps in reverse ordering.

IMO monotone should at least warn about such obviously ill-certified
revisions, better yet protect against such wrong information. That's one
reason for my work on nvm.dates: being able to compare the dates, so we
can do these checks.

So with refusing to commit revisions with a date *before* its ancestor,
monotone would help detecting clock skews. And by warning and (possibly
automatically) distrusting certs from the future, monotone could prevent
situations where you cannot commit because someone else has signed a
revision with an erroneous date. Keep in mind that you can always decide
to *not* trust a cert with an invalid date.

Note that this does not have anything to do with a "global time" or
using timestamps for internal purposes. It's rather just about extending
validity checking of the given information.

Regards

Markus Wanner