Exact timestamps may be bad

Volker Gaibler volker.gaibler@urz.uni-heidelberg.de
Mon Jul 29 17:13:02 2002


Hello,

On Sun, Jul 28, 2002 at 11:16:36PM -0400, David Shaw wrote:
> One way of handling the problem is simply to not include the timestamp
> at all.  In OpenPGP signature packets, the timestamp is a distinct
> subpacket and can be removed trivially when the signature is
> generated.  It is somewhat unclear whether this violates the OpenPGP
> RFC or not, as I can point to sections in the RFC that seem to say
> this is not allowed, and some other sections that seem to say this is
> allowed.  The point may be moot since you can't use OpenPGP data
> signatures with most versions of PGP, and I imagine you want to be as
> widely compatible as possible.
> 
> Another way is simply to always use the same timestamp, which is
> doable with either OpenPGP or the older style signatures.  I think
> this may be better than adding some skew to the timestamp since (as
> you mention in one of the bits I've snipped) if Alice sends many
> messages with the same skew, Eve may be able to get some clues about
> the window size.  If zero is used for the timestamp (i.e. 1/1/1970),
> then there is no way to even get a guess about the real setting of the
> clock.

either way there would be the possibility of a replay attack.
So Trent should sign Alices mail (also signed by herself without
timestamp) to confirm that he got the encrypted message (with timestamp)
from Alice that date. 

The communication from Alice to Trent is encrypted and so there must be
TWO timestamps inside the encrypted message: One to prove to Trent that
the mail really came from Alice (with timestamp to prevent replay) and
one inside this "Trent-signed"-message without timestamp for publication
in the public forum. The encryption and "Trent-signature" are something
like an envelope to the without-timestamp-signed message to be
published.

When using more remailers then everything has to be sent with timestamps
except the innermost signature for the public - assuming that the
remailers are trustful enough to give them the timestamp information in
the envelope, but I think we're assuming that anyway.

Volker



-- 
 Volker Gaibler                                 contact:
 http://www.volker-gaibler.de                   mail@volker-gaibler.de
 OpenPGP key: 0x86ECAC0B
 get my public key from website above 
+---------------------------------------------------------------------+