dates and their representation

John A. Martin jam at
Fri Oct 2 11:26:18 CEST 1998

Silly me, I respond to my own mail after having read the specs.  I had
not supposed from the drift of previous posts in this thread that the
time representation was apparently settled in the OpenPGP draft as
being UTC the same as in rfc1991.  Apparently I was not alone, but
only the last to be so silly. :-)

>>>>> "jam" == John A Martin
>>>>> "Re: dates and their representation "
>>>>>  Sun, 27 Sep 1998 08:34:45 -0400

>>>>> "Matthew" == Matthew Skala
>>>>> "Re: dates and their representation"
>>>>>  Sat, 26 Sep 1998 19:55:49 -0700 (PDT)

    Matthew> IMHO, the Right Thing to do with dates is:
    Matthew> - store and transmit dates in UTC (although if you're
    Matthew>   storing "seconds since epoch", you don't even store a
    Matthew>   time zone at all)
    Matthew> - display ALL dates according to the user's locale
    Matthew>   settings

Sections 3.5 of both the draft-ietf-openpgp-formats-07 and rfc1991
specify that time fields carry the number of seconds elapsed since
midnight, 1 January 1970 UTC (GMT) [the Unix Epoch].

    jam> FWIW I agree with both points.

I am no longer so sure about the second point.

    Matthew> It's a bad idea to store the time zone where a key was
    Matthew> generated or signature made, because that reveals what
    Matthew> part of the world the key or signature originates from,
    Matthew> and that could very well be something the user would want
    Matthew> to conceal.  It's bad even to store the time zone
    Matthew> optionally, because it becomes a sort of subliminal
    Matthew> channel.

    jam> It is, IMHO, of utmost importance not to store or transmit a
    jam> local time zone.  Providing an option not only provides a way
    jam> for it to leak out but provides an indication of the user's
    jam> intent which could itself be damaging.

The OpenPGP draft and rfc1991 both do the right thing to preserve

As to the local display of time or date it seems that with UTC being
an integral part of PGP it might be least confusing to always display
UTC.  Recall that is what earlier PGPs did sometimes accompanied with
a "Current time: yyyy/mm/dd hh:mm GMT" after the copyright banner.

I make these remarks after having become fairly confused looking at
gpg outputs from distant systems.  Perhaps best would be consistent
and unadorned UTC times with an optional "Current time ... UTC" ahead
of outputs showing times or dates, though the current time seems to me
like gilding the lily.

Please excuse my earlier responses to this thread without having
consulted the pertinent documentation.


More information about the Gnupg-devel mailing list