Problem with faked-system-time option

Hauke Laging mailinglisten at hauke-laging.de
Tue Jun 14 01:33:08 CEST 2011


On Monday, 13 June 2011, 22:07:07, MFPA wrote:

> Because the signature time means nothing, unless there is
> corroboration. It is trivial to alter a system clock (or to use
> software to pass a different time to an app).

By that standard: What does a signature mean at all? As a parallel discussion 
on this list shows, it does not even guarantee that the signer had access to 
the signed data.

You should tell apart who has to prove something. Your argument is valid if 
the signer has to prove that he has made the signature at (or before or after) 
a certain date and time. His own signature is no proof in that case as he can 
easily fake the timestamp.

If a third party has to prove that and when the signer has signed a document 
then the signature timestamp is perfectly OK.


The rest of my former mail was probably a misunderstanding. I thought you were 
talking about local signatures but your reply shows that you meant additional 
signatures by a timestamp server.


> > Funny theory. Either you trust all or nothing. How
> > should you draw the line in between?
> 
> Look at the various independent timestamping services available and
> make up your own mind whether any of them may be relied upon.
> 
> >> And even then, what gets verified is the time/date of
> >> sending and *not* the time/date of signing.
> > 
> > That is simply wrong.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814