Problem with faked-system-time option

Jerome Baum jerome at jeromebaum.com
Thu Jun 16 02:53:34 CEST 2011 

>> Yes. I can set up my own timestamping business. That would be quite
>> cost-ineffective though.
>
> Possibly -- but it still assumes that timestamps can be proven in a way
> that makes the impossible to contest.  This really isn't possible, as
> evidenced by the fact we continually refer to them as *trusted*
> timestamp authorities.

Who does?

> There is no way to prove to someone that a timestamp is trustworthy.
> All you can do is present the timestamp authority's methods and let the
> person make their own decision as to whether to vest the timestamp
> authority with trust.

Huh?

> Even if a timestamp authority were to publish every timestamp signature
> in the _New York Times_ on the day of issuing, that would still be
> insufficient for some people -- they would say, "well, how do I know the
> timestamp authority isn't running a con?", or whatnot.

Yeah, uh, I can probably say "this trial is probably a con", but I
don't think the judge will buy it and acquit me.

> Ultimately, it always reduces to trust.  If there were a way to *prove*
> the timestamp of a message, we wouldn't need timestamp authorities at
> all.  Instead, we have trusted third parties who are uninvolved in the
> matter of controversy -- and that works well enough for us.

Okay, let's take a look at the formal theory behind this:

Assumptions:

1. The cryptographic hash function C is "secure" (i.e. not broken at
the moment -- for verification at a later time there's the whole
"resigning" thing that federal electronic signature law requires).

1a. We'll ignore those resigning signature chains for the purposes of
keeping the proof small. It is easy to adapt the scheme to include
resigning chains.

2. The issue of newspaper N for date D (called N(D) ) is "known good"
(through public archives etc.)

Conjecture:

I can hash a document M before D and later prove in court that the
document existed before D.

Proof:

Publish C(M) in N(D)

10 years later in court, show N(D), M and compute C(M). Verify that
C(M) is published in N(D). Mathematically strong proof that it is
computationally infeasible to have published C(M) in N(D) if M didn't
exist before D -- i.e. proof that the document M existed before D.

-- 
Jerome Baum
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

More information about the Gnupg-users mailing list