Detached Signature / Timestamp
Vlad "SATtva" Miller
sattva at pgpru.com
Mon Feb 2 19:30:30 CET 2009
skl99999 at gmx.net (02.02.2009 23:25):
> is there a possibility to have gpg2 make a detached cleartext
> signature? I only seem to be able to have it do either the one or the
gpg --armor --detach-sign --sign
> And the more complex follow on question for all the crypto experts
> out there: the reason why I want to do that is because I would like
> to timestamp some files, eg using www.itconsult.co.uk/stamper.htm.
I wouldn't consider Stamper's keys secure. They date back to 1995, they
are v3 keys, and they are not even self-signed, so it's not even easy to
import them into the keyring.
Try using something like this: http://timemarker.org/en/
> Now my thought was that I do not really send the file itself (which
> might be rather big) but that I could sign the file and then
> timestamp the signature. Would this be enough (1), and would it
> matter if the password of my signature key would become compromised
> (2)? My guess is (1) yes, (2) no because I am really only making use
> of the hashing algorithm, and indeed I also could simply timestamp a
> hash (is this true?).
Using a hash value from a secure hash algorithm will suffice. Keep in
mind that you should timestamp not the hash value alone, but the hash
value along with the name of the hashing algorithm, e.g.
> The reason that I want to have a timestamped detached cleartext
> signature is that I believe that this is a bit more stable than a
> timestamped detached signature of a binary - views on this?
What do you mean by stable?
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com
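A small worked example of the "hash plus algorithm name" advice given above, added here and not code from the original post or from any timestamping service. The bytes you hash can be the large file itself or, as the original poster intended, the detached signature file; only the bytes of the statement are sent for timestamping. The `ALGO:hexdigest` layout, the allow-list and the function names are assumptions; the sample data is constructed.

```python
"""Build and re-verify a statement suitable for timestamping.

The statement binds a digest to the name of the algorithm that produced
it.  A bare hex digest does not say how it was computed, so two
different algorithms with the same output length would leave the
timestamp ambiguous; candidate_algorithms() shows that ambiguity.
Added example for this thread; layout and names are assumptions.
"""
import hashlib

# Assumption: a small allow-list instead of everything hashlib offers.
ALLOWED = ("sha256", "sha512", "blake2b", "blake2s", "sha3_256")


def make_statement(data: bytes, algo: str = "sha256") -> str:
    """Return 'ALGO:hexdigest' for data.  This string, not the bare
    digest, is what gets submitted to the timestamping service."""
    if algo not in ALLOWED:
        raise ValueError(f"unsupported algorithm: {algo}")
    digest = hashlib.new(algo, data).hexdigest()
    return f"{algo.upper()}:{digest}"


def verify_statement(statement: str, data: bytes) -> bool:
    """Recompute the digest named in the statement over data and compare.
    Rejects statements without an algorithm name or with one we do not
    accept; a compromised signing key does not affect this check, since
    no key is involved in hashing."""
    algo, sep, expected = statement.partition(":")
    if not sep:
        return False          # bare digest: no algorithm named
    algo = algo.lower()
    if algo not in ALLOWED:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return actual == expected


def candidate_algorithms(bare_hexdigest: str) -> list:
    """Algorithms in ALLOWED whose output length matches a bare digest.
    More than one candidate means the digest alone cannot be re-verified
    unambiguously, which is why the algorithm name is timestamped too."""
    nbytes = len(bare_hexdigest) // 2
    return [a for a in ALLOWED if hashlib.new(a).digest_size == nbytes]


if __name__ == "__main__":
    # Constructed stand-in for a detached signature file (.asc).
    sig_bytes = b"-----BEGIN PGP SIGNATURE-----\nconstructed sample\n"
    stmt = make_statement(sig_bytes)
    print("timestamp this:", stmt)
    print("verifies:", verify_statement(stmt, sig_bytes))
    print("bare digest could be any of:",
          candidate_algorithms(stmt.split(":")[1]))
```

Keep the statement next to the timestamp token you get back; at verification time you recompute from the file (or signature) bytes and compare against the statement, then check the token against that exact statement.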