Problem with faked-system-time option
Hauke Laging
mailinglisten at hauke-laging.de
Sun Jun 12 19:35:57 CEST 2011
On Sunday, 12 June 2011, 15:23:19, MFPA wrote:
> Some people labour under the misapprehension that the signature time
> is significant and has potential legal implications.
Why should that be a misapprehension? For which law does that not have
implications?
There is no reason to assume that you are less bound by the timestamp than by
the signature itself. The timestamp can be fake. So what? So can the signed
data. You don't have to have a look at what you are going to sign. You can
sign the output of /dev/urandom. Nothing of that makes your declaration of
intent invalid. At least not in Germany. The relevant perspective is that of a
neutral third party. How does it look to them?
You can claim that the signing system has been compromised and that the act of
signing has been rigged. That may work. But a statement like "The key and the
signing system are both valid. Just don't care about the timestamp." will not
be successful. Take that legal risk if you like.
> Unless the emails are sent via some form of "trusted" timestamp
> service, signature timestamp means nothing.
Funny theory. Either you trust all or nothing. How should you draw the line in
between?
> And even then, what gets
> verified is the time/date of sending and *not* the time/date of
> signing.
That is simply wrong. A signature refers to the supplied timestamp. That is
usually the current time. Even if you fake that, it would just by chance be the
time of sending (but no one would expect it to be that). A signature is made at
a certain moment. It does not matter at all when the signed data gets sent.
The time of sending cannot change the signature. You would have to create a
new signature at a time that happens to be nearly the time of sending.
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
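
The point in the last paragraph, that the signature covers the supplied timestamp and is unaffected by when the message is sent, shown as an added example (not part of the original message and not GnuPG code). It assumes an RFC 4880 version 4 signature over a binary document whose hashed area holds only the creation-time subpacket; the document bytes and the helper names are constructed for illustration.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample values (assumptions for this example).
DOCUMENT = b"I agree to the terms.\n"
SIGNED_AT = int(datetime(2011, 6, 12, 17, 35, 57, tzinfo=timezone.utc).timestamp())

def hashed_area(created: int) -> bytes:
    """Hashed part of a v4 signature packet: version, type, algorithms, subpackets."""
    # Subpacket: length 5 (type octet + 4 time octets), type 2 = creation time.
    sub = bytes([5, 2]) + struct.pack(">I", created)
    # Version 4, type 0x00 (binary document), pubkey algo 1 (RSA), hash algo 8 (SHA-256).
    return bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(sub)) + sub

def signed_digest(document: bytes, created: int) -> str:
    """Digest that the private key signs and that every verifier recomputes."""
    hashed = hashed_area(created)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    return hashlib.sha256(document + hashed + trailer).hexdigest()

def creation_time(hashed: bytes) -> int:
    """Read the creation time back out (one-octet subpacket lengths only)."""
    (area_len,) = struct.unpack(">H", hashed[4:6])
    area, i = hashed[6:6 + area_len], 0
    while i < len(area):
        length, sub_type = area[i], area[i + 1] & 0x7F  # bit 7 is the critical flag
        if sub_type == 2:
            return struct.unpack(">I", area[i + 2:i + 1 + length])[0]
        i += 1 + length
    raise ValueError("no creation time subpacket")

if __name__ == "__main__":
    original = signed_digest(DOCUMENT, SIGNED_AT)
    # Sending the mail a day later is not an input: the digest is unchanged.
    print("resent later :", signed_digest(DOCUMENT, SIGNED_AT) == original)
    # Altering the embedded timestamp changes the digest, so the signature breaks.
    print("time altered :", signed_digest(DOCUMENT, SIGNED_AT + 86400) == original)
    when = datetime.fromtimestamp(creation_time(hashed_area(SIGNED_AT)), timezone.utc)
    print("signed claim :", when.isoformat())
```

The timestamp is whatever value the signing system supplied, so the check shows that the signer committed to that time, not that the time was true.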