[pcl]

I'm curious why the clients chain requests but the servers don't chain replies.

One challenge would be around server scale -- for the servers to maintain a strict chain, they would need to coordinate amongst themselves, which can be costly. The proposed approach doesn't introduce that requirement.

But they could get close by maintaining a branching history, like what you might see in a git history, or a vector clock. Neither of those approaches provides the same causality assurances as your proposal, but either would provide something close without incurring any blocking server-side state management.

[amluto]

I just meant for servers to maintain a local chain. Cross-server checking would be free, sort of, as clients that talk to multiple servers would inject the chain state from the first server into the second via their nonces.

[pcl]

At scale, a time server's DNS address will likely either be a reverse proxy or a multi-valued A record. The coordination amongst those separate physical servers that are serving requests for the same DNS name would become a scale challenge if they needed to share state.

[amluto]

But they wouldn't need to share state. They could run independently, and any client that wanted to tie their clocks together could request the signed time from one and then send it to the other, causing it to get logged in the other server's chain.