Detached Signature / Timestamp

Vlad "SATtva" Miller sattva at pgpru.com
Mon Feb 2 19:30:30 CET 2009


skl99999 at gmx.net (02.02.2009 23:25):
> Hello,
> 
> is there a possibility to have gpg2 make a detached cleartext
> signature? I only seem to be able to have it do either the one or the
> other.

gpg --armor --detach-sign --sign

> And the more complex follow on question for all the crypto experts
> out there: the reason why I want to do that is because I would like
> to timestamp some files, eg using www.itconsult.co.uk/stamper.htm.

I wouldn't consider Stamper's keys as secure. They date back to 1995,
they are v3 keys, and they are not even self-signed, so it's not so easy
to even import them into the keyring.

Try using something like this: http://timemarker.org/en/

> Now my thought was that I do not really send the file itself (which
> might be rather big) but that I could sign the file and then
> timestamp the signature. Would this be enough (1), and would it
> matter if the password of my signature key would become compromised
> (2)? My guess is (1) yes, (2) no because I am really only making use
> of the hashing algorithm, and indeed I also could simply timestamp a
> hash (is this true?).

Using a hash value from a secure hash algorithm will suffice. Keep in
mind that you should timestamp not a hash value alone, but a hash value
along with the name of hashing algorithm, e.g.

SHA256:1234ABCD0987...

> The reason that I want to have a timestamped detached cleartext
> signature is that I believe that this is a bit more stable than a
> timestamped detached signature of a binary - views on this?

What do you mean by stable?

-- 
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com
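A worked version of the "algorithm name plus hash value" token recommended above, added here as an example and not part of the original message or of any timestamping service's code. It builds the `SHA256:...` string to submit for timestamping (for instance over a detached signature file rather than the large original) and later checks a file against such a token; the sample signature bytes are constructed and the accepted-algorithm set is an assumption.

```python
import hashlib
import hmac

# Hash algorithms a verifier is willing to recompute (assumed policy).
# MD5 and SHA-1 are deliberately absent, so a token naming a broken
# algorithm is rejected instead of silently trusted.
ACCEPTED_ALGOS = {"SHA256", "SHA384", "SHA512"}


def make_token(data: bytes, algo: str = "SHA256") -> str:
    """Build the string to send to the timestamping service: the hash
    algorithm's name, a colon, and the hex digest, e.g. 'SHA256:1234ABCD...'.
    Naming the algorithm is what lets a verifier years later know which
    function to recompute."""
    algo = algo.upper()
    if algo not in ACCEPTED_ALGOS:
        raise ValueError(f"refusing to timestamp with {algo}")
    digest = hashlib.new(algo.lower(), data).hexdigest().upper()
    return f"{algo}:{digest}"


def verify_token(token: str, data: bytes) -> bool:
    """Recompute the digest named in the token over data and compare.
    Returns False for tokens without an algorithm name, for algorithms
    outside the accepted set, and for digest mismatches."""
    algo, sep, digest = token.partition(":")
    algo = algo.upper()
    if not sep or algo not in ACCEPTED_ALGOS:
        return False
    expected = hashlib.new(algo.lower(), data).hexdigest().upper()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, digest.upper())


# Constructed stand-in for the bytes of an armored detached signature
# (signature.asc); with a real file use open(path, "rb").read().
SAMPLE_SIGNATURE = (b"-----BEGIN PGP SIGNATURE-----\n"
                    b"...constructed placeholder body...\n"
                    b"-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    token = make_token(SAMPLE_SIGNATURE)  # this is what gets timestamped
    print(token)
    print(verify_token(token, SAMPLE_SIGNATURE))          # True
    print(verify_token(token, SAMPLE_SIGNATURE + b"\n"))  # False
```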

