Problem with faked-system-time option

[MFPA]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Wednesday 8 June 2011 at 4:36:52 PM, in
<mid:20110608153652.4F1508C074 at nym.dizum.nl>, Amano Corunga wrote:

>>The batch key generation and that parameter is
>>supported by all versions.

> I gladly confirm it really works - Great!  GPG1 key
> creation problem solved.

It would be really good if this could be used to create multiple
subkeys, and when adding UIDs, subkeys, signatures, etc. to existing
keys.


> But is there an equivalent for determining signature
> timestamps?

That would be an interesting feature. It is already available to
anybody who can change their system clock time (or use an app to pass
a fake time to gnupg).


> It's fair to say that GnuPG is one of the most
> important privacy tools out there.  It protects data
> from unauthorized access, with 'throw-keyids' the
> recipient's identity is hidden, but why in the world do
> I involuntarily have to allow others to gain sensitive
> information about my time management with each mail I
> sign?  I don't quite understand why that's of minor
> importance to others.

Some people labour under the misapprehension that the signature time
is significant and has potential legal implications.


> If OTOH you're aiming at a signature with a trusted
> timestamp in no way whatsoever the local computer's
> system clock can replace a validated time stamp service.

Unless the emails are sent via some form of "trusted" timestamp
service, signature timestamp means nothing. And even then, what gets
verified is the time/date of sending and *not* the time/date of
signing.


> So why not allow
> everybody to specify signatures' timestamps directly
> instead of making that option accessible only to those
> who are permitted to change their Windows computer's
> system time (thanks Daniel for your Linux advice) and
> tolerant against all the adverse side effects arising
> from that manipulation?

And why not allow the user to adjust the granularity of the timestamp?
For example specifying the date but no time, or simply indicating the
year and month?


- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Change is inevitable except from a vending machine
-----BEGIN PGP SIGNATURE-----

iQE7BAEBCgClBQJN9L3SnhSAAAAAAEAAVXNpZ25pbmdfa2V5X0lEIHNpZ25pbmdf
a2V5X0ZpbmdlcnByaW50IEAgIE1hc3Rlcl9rZXlfRmluZ2VycHJpbnQgQThBOTBC
OEVBRDBDNkU2OSBCQTIzOUI0NjgxRjFFRjk1MThFNkJENDY0NDdFQ0EwMyBAIEJB
MjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0N0VDQTAzAAoJEKipC46tDG5ptaAD/2Dz
zjMK7SRQk66Na7oC/9zl1AaknPOB3vNpOuORCP2tLhyHm6b2gNUUNIsFAnos0DD7
zv7TdRgZoT31jMTh6aHdcijrO2IxKEA4Vg1H8Sa9nj3MuAYz6q4i2wTdxVpTBlab
5X1Aa+ie4aRzhrxf+p8KIxxQJwJOVEp3f6a9XpOi
=xlxh
-----END PGP SIGNATURE-----