Problem with faked-system-time option
expires2011 at ymail.com
Mon Jun 13 22:07:07 CEST 2011
-----BEGIN PGP SIGNED MESSAGE-----
On Sunday 12 June 2011 at 6:35:57 PM, in
<mid:201106121936.02971.mailinglisten at hauke-laging.de>, Hauke Laging
> Am Sonntag, 12. Juni 2011, 15:23:19 schrieb MFPA:
>> Some people labour under the misapprehension that the
>> signature time is significant and has potential legal
> Why should that be a misapprehension?
Because the signature time means nothing, unless there is
corroboration. It is trivial to alter a system clock (or to use
software to pass a different time to an app).
> For which law does that not have implications?
If the time/date of signing is legally significant, there had better
be more reliable evidence than the signature time.
>> Unless the emails are sent via some form of "trusted"
>> timestamp service, signature timestamp means nothing.
> Funny theory. Either you trust all or nothing. How
> should you draw the line in between?
Look at the various independent timestamping services available and
make up your own mind whether any of them may be relied upon.
>> And even then, what gets verified is the time/date of
>> sending and *not* the time/date of signing.
> That is simply wrong.
The time from a timestamping service is not the same thing as the time
the document was signed. The timestamping service cannot add its
timestamp until it receives the document. When it receives the
document will depend on when the local user sends it, not on when they
> A signature is made at
> a certain moment. It does not matter at all when the signed data gets sent.
> The time of sending cannot change the signature. You would have to create a
> new signature at a time that happens to be nearly the time of sending.
As far as I understand, creating a new, additional signature is
precisely what a timestamping service does. It demonstrates the local
user signed before a particular date/time (but not how long before).
In order to give assurance the document was signed after (rather than
before) a particular date/time, the signature from the timestamping
service could be obtained before the local user's signature is
MFPA mailto:expires2011 at ymail.com
Never lean forward to push an invisible object.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users