New feature for GPG
David Shaw
dshaw@jabberwocky.com
Wed Nov 6 06:19:01 2002
On Tue, Nov 05, 2002 at 09:26:09PM -0500, Michael H. Warfield wrote:
> On Tue, Nov 05, 2002 at 05:08:14PM +0000, Noel D. Torres Taño wrote:
> > I'm thinking of a new GPG feature. I call it Timestamping.
> > I know that signing data makes a timestamp in them. But that kind of
> > timestamps can be denied only by saying "I recognize the signer, but he
> > altered his computer clock while signing this."
>
> Not quite, if you use a timestamping service... They stamp
> a message or a message digest with their timestamp and periodically
> publish a public table of timestamps.
>
> :
> : - Remainder deleted...
> :
>
> Exactly what advantage would you have over this service:
>
> <http://www.itconsult.co.uk/stamper.htm>
>
> They've been in business a long time at this point... I've
> never needed to use them, but they've been there for many years...
> Your system clock is not an issue. They also post their stamps
> to a newsgroup for further "publication and documentation".
Indeed. The idea of having multiple such stamping services is a good
one, and neatly deals with the bogus-clock problem. The latest
OpenPGP draft even defines a "notary signature", which can be used so
all such signing services will make OpenPGP messages that are
compatible with each other.

I have a version of GnuPG here that generates and verifies notary
signatures, but since the specification is still in flux, it'll have
to wait a little while :)

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson