Detached Signature / Timestamp

David Shaw dshaw at jabberwocky.com
Mon Feb 2 19:54:15 CET 2009


On Mon, Feb 02, 2009 at 06:25:38PM +0100, skl99999 at gmx.net wrote:
> Hello,
>
> is there a possibility to have gpg2 make a detached cleartext
> signature? I only seem to be able to have it do either the one or
> the other.

What do you mean by a detached cleartext signature?  A detached
signature that is ascii armored?  If so, then:

  --armor --detach-sign

> And the more complex follow on question for all the crypto experts
> out there: the reason why I want to do that is because I would like
> to timestamp some files, e.g. using
> www.itconsult.co.uk/stamper.htm. Now my thought was that I do not
> really send the file itself (which might be rather big) but that I
> could sign the file and then timestamp the signature. Would this be
> enough (1), and would it matter if the password of my signature key
> would become compromised (2)? My guess is (1) yes, (2) no because I
> am really only making use of the hashing algorithm, and indeed I
> also could simply timestamp a hash (is this true?).

1) It depends on what you plan on doing with the signatures.  If
you're just trying to show a timestamp for the document creation, then
yes, it's fine.

2) Again, assuming you're trying to show a timestamp, then no, it does
not matter.  The relevant timestamp is that imposed by the stamper
service, not the one imposed by your key.  Thus your key can be
compromised without affecting the timestamps.

> The reason that I want to have a timestamped detached cleartext
> signature is that I believe that this is a bit more stable than a
> timestamped detached signature of a binary - views on this?

Armored signatures are not any more stable than binary signatures.
The data is identical.  Only the file format is different.

If you're just doing timestamping, note that you can also just hash
the document and send that hash to the stamper service (i.e. your
personal signature doesn't add much to the equation):

  gpg --print-md sha256 (thedocument) | mail the-stamper-service

David
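
The point above that armored and binary signatures carry identical data, shown as an added example (not part of the original message, and not GnuPG's code): a Python sketch of OpenPGP ASCII armor as described in RFC 4880, section 6. `SAMPLE_SIG` is a constructed byte string standing in for a binary detached signature, and the function names are illustrative.

```python
import base64
import hashlib

def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets: bytes, kind: str = "SIGNATURE") -> str:
    """Wrap binary OpenPGP data in ASCII armor: base64 body plus CRC24 line."""
    b64 = base64.b64encode(packets).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind}-----\n\n{body}\n={check}\n"
            f"-----END PGP {kind}-----\n")

def dearmor(text: str) -> bytes:
    """Recover the binary data from an armored block, verifying the CRC24."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP ")
            and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an armored block")
    body = lines[lines.index("") + 1:-1]   # blank line ends the armor headers
    check = body.pop()[1:] if body and body[-1].startswith("=") else None
    packets = base64.b64decode("".join(body), validate=True)
    if check and int.from_bytes(base64.b64decode(check), "big") != crc24(packets):
        raise ValueError("CRC24 mismatch: armored data was altered")
    return packets

def file_digests(packets: bytes) -> tuple:
    """SHA-256 of the binary file and of the armored file holding the same data."""
    return (hashlib.sha256(packets).hexdigest(),
            hashlib.sha256(armor(packets).encode()).hexdigest())

# Constructed stand-in for a binary detached signature (not a real OpenPGP packet).
SAMPLE_SIG = bytes(range(150))

if __name__ == "__main__":
    text = armor(SAMPLE_SIG)
    print(text)
    print("same data after dearmor:", dearmor(text) == SAMPLE_SIG)
    print("binary vs armored file digest:", file_digests(SAMPLE_SIG))
```

The signature data survives the round trip unchanged, but the two files differ byte for byte, so their digests differ: whichever file was sent for timestamping is the one to keep, or to re-derive with `gpg --dearmor` or `gpg --enarmor`.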


