Problem with faked-system-time option
expires2011 at ymail.com
Wed Jun 15 23:16:39 CEST 2011
-----BEGIN PGP SIGNED MESSAGE-----
On Wednesday 15 June 2011 at 8:59:49 PM, in
<mid:BANLkTikWHT86Tbwcfk+KdPB6+hqOshfkcQ at mail.gmail.com>, Jerome Baum
> Um, yeah, so you used a blurry specification of the
The "problem" is very simple: the timestamp contained in an OpenPGP
signature cannot be relied upon as accurate without independent
corroboration. An example of such corroboration is to use a
timestamping service that is trusted by the relevant parties.
You asserted that the signer's own signature timestamp was sufficient
when a third party needs to prove when the document was signed. I
replied with the bare bones of a scenario where the third party brings
evidence that suggests the signature timestamp to be incorrect, so
that the signer needs to refute that evidence.
> that you could adjust as needed for your
> arguments -- possibly in contradicting ways?
The "problem" is not sufficiently complex to allow this.
> I wouldn't
> consider "what is being proven and who has an interest
> in proving that -- i.e. who will cooperate" as a
> "detail", but as a minimal basis for discussion.
The "what is being proven" is when the document was signed.
The "who has an interest" matters only if it affects the proposed
solution. As an example, if an independent timestamping service can be
shown to be sufficiently reliable, it could provide the proof
regardless of which party has an interest in using that proof.
MFPA mailto:expires2011 at ymail.com
Time flies like an arrow. Fruit flies like a banana. -- Groucho Marx
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users