what does a timestamp signature mean? [was: Re: Problem with faked-system-time option]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 16 19:37:02 CEST 2011 

On 06/16/2011 12:55 PM, Jerome Baum wrote:
> Probably not. Everyone seems to agree that timestamps in a normal
> signature are somewhat meaningless and only serve as an indicator. If
> you want a reliable timestamp, why not make a timestamp signature?

I don't think this is the general consensus.  Timestamps *are*
meaningful -- they are an assertion by the person making the signature
of what time they made the signature.

That assertion could be false, of course, but then nothing is stopping
you from signing any other sort of false assertion either.  That doesn't
make the assertion meaningless; it just makes it wrong.

What it sounds like you want is an *unforgeable* timestamp indicator.
That is, you want some way to prove "this signature was made at time X"

Due to the imprecision of any mechanical timekeeping device, there will
be some wiggle-room in such a signature, so it's useful to clarify that
this hypothetical claim is actually:

 "this signature was made at time X ± e"

or, alternately, two separate assertions:

 a) "This signature was made after time X-e", and
 b) "This signature was made before time X+e"

let's take these two cases separately for a moment.  (a) is easy to do
with existing tools and some sort of globally-published, inherently
unpredictable data (e.g. the number of words on the front page of some
particular edition of the New York Times, or perhaps the digest of the
most recent block added to the global bitcoin blockchain).  If you want
to specify that as its own notation, i think that's a pretty clean
mechanism to prove part (a).

I think part (b) is much harder to prove effectively, and (alas) it's
probably what people really want to know.  To do that properly, i do
think you'd need some sort of public service, to which you would submit
cryptographically-strong digests of things to be published in such a way
that people could confirm it by date.  It would need to publish all
timestamped signatures in a way that people could verify and accumulate
the digests independently.

I don't think the information for (b) is possible to embed in a
signature on its own, due to the way we experience time (we can
remember/recreate how things were in the past; we can't do the same
about the future).

So if your goal is to have such an unforgeable timestamp, i'd suggest
focusing on a clearly-defined specification for (a) (probably in-scope
for this list and for the IETF OpenPGP WG), and on implementing a global
service for (b) (probably out-of-scope for this mailing list)

FWIW, i actually think the assertion-by-signer part (which we already
have) is more useful and meaningful than any arbitrary "unforgeable
timestamp".

I'd be happy to be wrong about the above analysis.

	--dkg

PS i have omitted questions about relativity, but anyone making a claim
about time should be aware that there are already known practical
problems in dealing with time due to different inertial frames:

 https://secure.wikimedia.org/wikipedia/en/wiki/Clock_drift#Relativity

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110616/588200eb/attachment.pgp>

More information about the Gnupg-users mailing list