Problem with faked-system-time option

MFPA expires2011 at ymail.com
Mon Jun 13 22:07:07 CEST 2011



Hi


On Sunday 12 June 2011 at 6:35:57 PM, in
<mid:201106121936.02971.mailinglisten at hauke-laging.de>, Hauke Laging
wrote:


> On Sunday, 12 June 2011, 15:23:19, MFPA wrote:

>> Some people labour under the misapprehension that the
>> signature time is significant and has potential legal
>> implications.

> Why should that be a misapprehension?

Because the signature time means nothing, unless there is
corroboration. It is trivial to alter a system clock (or to use
software to pass a different time to an app).



> For which law does that not have implications?

If the time/date of signing is legally significant, there had better
be more reliable evidence than the signature time.



>> Unless the emails are sent via some form of "trusted"
>> timestamp service, signature timestamp means nothing.

> Funny theory. Either you trust all or nothing. How
> should you draw the line in between?

Look at the various independent timestamping services available and
make up your own mind whether any of them may be relied upon.



>> And even then, what gets verified is the time/date of
>> sending and *not* the time/date of signing.

> That is simply wrong.

The time from a timestamping service is not the same thing as the time
the document was signed. The timestamping service cannot add its
timestamp until it receives the document. When it receives the
document will depend on when the local user sends it, not on when they
sign it.



> A signature is made at
> a certain moment. It does not matter at all when the signed data gets sent.
> The time of sending cannot change the signature. You would have to create a
> new signature at a time that happens to be nearly the time of sending.

As far as I understand, creating a new, additional signature is
precisely what a timestamping service does. It demonstrates the local
user signed before a particular date/time (but not how long before).

In order to give assurance the document was signed after (rather than
before) a particular date/time, the signature from the timestamping
service could be obtained before the local user's signature is
applied.


--
Best regards

MFPA                    mailto:expires2011 at ymail.com

Never lean forward to push an invisible object.
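Added example, not part of the original message: a Python model of the bracketing described in the last two paragraphs of the post, where one timestamp token is signed over and a second token covers the finished signature. HMAC stands in for both the OpenPGP signature and the timestamping service's signature, and every key, time value and function name here is constructed for illustration.

```python
import hashlib, hmac, json

TSA_KEY = b"constructed-tsa-key"        # stand-in for the TSA's signing key
SIGNER_KEY = b"constructed-signer-key"  # stand-in for the user's OpenPGP key

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _mac(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def tsa_stamp(data_digest, tsa_clock):
    """The TSA binds a digest to its own clock, not to anything the user claims."""
    body = {"digest": data_digest, "time": tsa_clock}
    return {**body, "mac": _mac(TSA_KEY, body)}

def tsa_ok(token, expected_digest):
    body = {"digest": token["digest"], "time": token["time"]}
    return (token["digest"] == expected_digest
            and hmac.compare_digest(token["mac"], _mac(TSA_KEY, body)))

def sign(document, claimed_time, earlier_token=None):
    """claimed_time is whatever the signer's clock says, so it can be faked."""
    body = {"doc": digest(document), "claimed_time": claimed_time, "embedded": earlier_token}
    return {**body, "mac": _mac(SIGNER_KEY, body)}

def sig_digest(sig):
    return digest(json.dumps(sig, sort_keys=True).encode())

def signing_window(sig, later_token=None):
    """Return (not_before, not_after, claimed_time_corroborated)."""
    body = {k: sig[k] for k in ("doc", "claimed_time", "embedded")}
    if not hmac.compare_digest(sig["mac"], _mac(SIGNER_KEY, body)):
        raise ValueError("signature does not verify")
    not_before = not_after = None
    if sig["embedded"] is not None and tsa_ok(sig["embedded"], sig["doc"]):
        not_before = sig["embedded"]["time"]  # token existed before it was signed over
    if later_token is not None and tsa_ok(later_token, sig_digest(sig)):
        not_after = later_token["time"]       # signature existed when the TSA stamped it
    ok = (not_before is not None and not_after is not None
          and not_before <= sig["claimed_time"] <= not_after)
    return not_before, not_after, ok

def demo():
    doc = b"constructed sample document"
    t1 = tsa_stamp(digest(doc), 1000)   # constructed TSA clock values
    sig = sign(doc, 500, t1)            # signer's clock set back to 500
    t2 = tsa_stamp(sig_digest(sig), 2000)
    return signing_window(sig, t2)
```

The signer's own time field never contributes to the window; it is only compared against the bounds the two tokens establish.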



