Problem with faked-system-time option

Jerome Baum jerome at jeromebaum.com
Wed Jun 15 23:58:27 CEST 2011


>> Um, yeah, so you used a blurry specification of the problem
>
> The "problem" is very simple: the timestamp contained in an OpenPGP
> signature cannot be relied upon as accurate without independent
> corroboration. An example of such corroboration is to use a
> timestamping service that is trusted by the relevant parties.

So, we timestamp stuff for fun? Whether something can be "relied upon"
depends on what you're going to do with the accuracy assumption. I can
timestamp an empty document and -- besides stuff like "the key must
have existed before the timestamp" or "I must have started or
scheduled a task for the time in the timestamp" -- you can trust the
timestamp to be fully correct without consequence. There would be no
point in contesting. There would, of course, be no point for you in
trusting the timestamp, but it wouldn't be a problem either.

> You asserted that the signer's own signature timestamp was sufficient
> when a third party needs to prove when the document was signed.

When?

> I replied with the bare bones of a scenario where the third party
> brings evidence that suggests the signature timestamp to be incorrect,
> so that the signer needs to refute that evidence.

The signer doesn't need to do anything until, say, there is a chance
of falsification charges.

>> I wouldn't consider "what is being proven and who has an interest
>> in proving that -- i.e. who will cooperate" as a "detail", but as a
>> minimal basis for discussion.
>
> The "what is being proven" is when the document was signed.

Correct.

> The "who has an interest" matters only if it affects the proposed
> solution. As an example, if an independent timestamping service can be
> shown to be sufficiently reliable, it could provide the proof
> regardless of which party has an interest in using that proof.

"sufficiently"? For whom? Who has this interest and who decides what
is sufficient?

-- 
Jerome Baum
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA



More information about the Gnupg-users mailing list