Problem with faked-system-time option
mailinglisten at hauke-laging.de
Sun Jun 12 19:35:57 CEST 2011
Am Sonntag, 12. Juni 2011, 15:23:19 schrieb MFPA:
> Some people labour under the misapprehension that the signature time
> is significant and has potential legal implications.
Why should that be a misapprehension? For which law does that not have
There is no reason to assume that you are less bound by the timestamp than by
the signature itself. The timestamp can be fake. So what? So can be the signed
data. You don't have to have a look at what you are going to sign. You can
sign the output of /dev/urandom. Nothing of that makes your declaration of
intent invalid. At least not in Germany. The relevant perspective is that of a
neutral third party. How toes it look like to them?
You can claim that the signing system has been compromised and that the act of
signing has been rigged. That may work. But a statement like "The key and the
signing system are both valid. Just don't care abour the timestamp." will not
be successful. Take that legal risk if you like.
> Unless the emails are sent via some form of "trusted" timestamp
> service, signature timestamp means nothing.
Funny theory. Either you trust all or nothing. How should you draw the line in
> And even then, what gets
> verified is the time/date of sending and *not* the time/date of
That is simply wrong. A signature refers to the supplied timestamp. That is
usually the current time. Even if you fake that it would just by chance be the
time of sending (but noone would expect it to be that). A signature is made at
a certain moment. It does not matter at all when the signed data gets sent.
The time of sending cannot change the signature. You would have to create a
new signature at a time that happens to be nearly the time of sending.
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 555 bytes
Desc: This is a digitally signed message part.
More information about the Gnupg-users