Guard against MITM sdwdate

Edit: corrected page number

We should discourage users from running NTP on the host because at best it leaks the host’s time itself through timestamps (page 3) and at worst it’s a vehicle for remotely exploiting the client’s code and skewing time, which could deny Tor service.

We should probably combine consensus with the more accurate Hidden descriptors and use them instead of CA SSL, on both gateway and workstation.

I will backtrack from that position once more:

- When not using kvmclock on the gateway and the gateway clock is incorrect after suspend, the only viable option is to fetch a verified consensus in the clear and set from that because Tor logically wouldn’t be able to connect in this situation.

- By setting sdwdate to use only verified consensus we make it safe to fetch the data in the clear, meaning that not even replay attacks are possible from the ISP. (SSL and Directory Authority keys make it impossible, as you brought up.)

- The only problem with this approach is the fingerprintable nature of it, because sdwdate would need to do this on a regular basis if the user suspends their machine.

- Because it’s better and safer to disable NTP on the host, setting the gateway to use kvmclock instead and avoiding sdwdate on the gateway should improve things in a way.

tl;dr

A secure but fingerprinted technique to start Tor because we aren’t using kvmclock vs. using kvmclock and disabling NTP, which isn’t so bad because of the potential cons of keeping it running.
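To make the "set the clock from a verified consensus" step concrete, here is an added example (not sdwdate's or Whonix's code) that pulls the validity window out of a Tor network-status consensus and derives a clock estimate from it. It assumes the document has already passed directory-authority signature verification, that aiming for the middle of the fresh interval is an acceptable estimate, and that a consensus not newer than the last accepted one should be rejected; the sample consensus header is constructed.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample of the header lines a Tor consensus carries.
# Only the three validity lines matter here; the rest is elided.
SAMPLE_CONSENSUS = """network-status-version 3
vote-status consensus
consensus-method 32
valid-after 2024-05-01 12:00:00
fresh-until 2024-05-01 13:00:00
valid-until 2024-05-01 15:00:00
"""

_VALIDITY_LINE = re.compile(
    r"^(valid-after|fresh-until|valid-until) "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$",
    re.MULTILINE,
)


def parse_validity(consensus: str) -> Dict[str, datetime]:
    """Return valid-after / fresh-until / valid-until as aware UTC datetimes,
    refusing a document whose window is incomplete or out of order."""
    found = {}
    for key, stamp in _VALIDITY_LINE.findall(consensus):
        found[key] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(
            tzinfo=timezone.utc
        )
    missing = {"valid-after", "fresh-until", "valid-until"} - found.keys()
    if missing:
        raise ValueError(f"consensus lacks {sorted(missing)}")
    if not found["valid-after"] < found["fresh-until"] < found["valid-until"]:
        raise ValueError("validity window is not ordered")
    return found


def clock_estimate(consensus: str,
                   last_valid_after: Optional[datetime] = None) -> datetime:
    """Pick a time inside the consensus window to set the clock to.
    Assumption: a consensus whose valid-after is not newer than the last one
    we accepted is refused, so a replayed older document cannot move the
    clock backwards even though the local clock itself is untrusted."""
    v = parse_validity(consensus)
    if last_valid_after is not None and v["valid-after"] <= last_valid_after:
        raise ValueError("consensus is not newer than the last accepted one")
    # Assumption: the midpoint of the fresh interval is a reasonable estimate.
    return v["valid-after"] + (v["fresh-until"] - v["valid-after"]) / 2
```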