Problem with faked-system-time option

Robert J. Hansen rjh at sixdemonbag.org
Thu Jun 16 02:44:17 CEST 2011


On 6/15/11 8:37 PM, Jerome Baum wrote:
> Yes. I can set up my own timestamping business. That would be quite
> cost-ineffective though.

Possibly -- but it still assumes that timestamps can be proven in a way
that makes the impossible to contest.  This really isn't possible, as
evidenced by the fact we continually refer to them as *trusted*
timestamp authorities.

There is no way to prove to someone that a timestamp is trustworthy.
All you can do is present the timestamp authority's methods and let the
person make their own decision as to whether to vest the timestamp
authority with trust.

Even if a timestamp authority were to publish every timestamp signature
in the _New York Times_ on the day of issuing, that would still be
insufficient for some people -- they would say, "well, how do I know the
timestamp authority isn't running a con?", or whatnot.

Ultimately, it always reduces to trust.  If there were a way to *prove*
the timestamp of a message, we wouldn't need timestamp authorities at
all.  Instead, we have trusted third parties who are uninvolved in the
matter of controversy -- and that works well enough for us.




More information about the Gnupg-users mailing list