In response to Dmitri dmitri@users.sourceforge.net

Noel D. Torres Taño ndtt at ll.iac.es
Wed Nov 6 11:10:02 CET 2002


>The timestamping server must have a known-good clock. How would you do
>that? Some currently existing servers (as Michael mentioned) derive
>strength from numbers - by publishing timestamps they allow many eyes to
>see their deeds. Tampering with a large number of adjacent timestamps
>would be inconvenient and easier to trace.

Simply use a server that cannot be (or is difficult to be) tampered with. For
example, in Spain the OFFICIAL time is the one of the atomic clock of
the Real Observatorio de la Marina de San Fernando (Cadiz). What if the
timestamp server is connected to this clock? Even if it is tampered with, it
will recover the correct time more than a thousand times a second.

>But the problem of trust still remains. It is possible to wrongly
>timestamp something, especially intentionally. Basically, the question
>is "do you trust the server?" - and I do not trust most of the servers that
>are out there. I will trust my lawyer, though - I know him, I have live
>witnesses, each reads the timestamp and gets a copy. Hard to fake that.

No judge can distrust that server, for the reason I explained: the time it
says IS the official time in Spain.

>Let them sign a ciphertext. They will envelope it in their own signature
>without knowing what is inside. Thus, they can't be held responsible.
>The time of signing will be embedded into the signature as usual. It can
>be a detached signature as well, thus allowing multiple parallel
>timestamps without altering the message block as such.

If you read my proposal, you can see that I proposed that. Simply use
RECIPIENT mode.

>There is no need for new options. If anything, you need a MUA, or some
>pigeons if nothing else works :-)

Again: don't think of e-mail only. It is possible for me to want a
timestamp on a document without needing to send it.

>If the data is encrypted, then where is the problem with responsibility?

Give the user the option of not encrypting their data. I may want a
timestamp on an unencrypted document to present it to the court without
needing to disclose any private key to the court. For example, I may
want a cleartext timestamp on my last will.

>Why would a timestamping server need to decrypt the data? My lawyer will
>be glad to timestamp a sealed envelope. What he does not know can't hurt
>him.

If you read the protocol, the line you are referring to is in YOU
mode, that is, data is encrypted to the timestamp server, to avoid clear
data transmission. But the user wants a timestamp on the _original
unencrypted_ data. So the timestamp server must recover that original data
to be able to timestamp it.




