what does a timestamp signature mean?

Hauke Laging mailinglisten at hauke-laging.de
Thu Jun 16 20:40:51 CEST 2011

On Thursday, 16 June 2011, 19:37:02, Daniel Kahn Gillmor wrote:
> On 06/16/2011 12:55 PM, Jerome Baum wrote:
> > Probably not. Everyone seems to agree that timestamps in a normal
> > signature are somewhat meaningless and only serve as an indicator. If
> > you want a reliable timestamp, why not make a timestamp signature?
> I don't think this is the general consensus.

Neither do I. By my understanding, the result of the discussion was that there are
situations in which a third-party timestamp is necessary to prove a signature

Then the discussion moved to problems of timestamping. As timestamping (for
others) is useful, it should be as simple and risk-free as possible. There
was the argument that there is an unpleasant ambiguity if there are two 
meanings of signatures (normal signatures which refer to content and timestamp 
and timestamp signatures which shall not make any statement about the content) 
but no technical difference. Strictly speaking you always have to consult the 
signature policy to know the intention but that is not easily done (let alone 
the fact that many signatures (and keys) do not have a policy URL).

> What it sounds like you want is an *unforgeable* timestamp indicator.

I would describe it this way: The aim is an explicit reduction of trust (in order to
avoid misunderstandings instead of perhaps painfully solving them afterwards).
My wish is a reduction to the timestamp. Jerome also wants a standard
statement of the possible timestamp error. I don't think that is important, but
there is no namespace problem, so I don't care. My argument about the last
point is that you immediately see the timestamp of the third-party signature
and have to react if it's wrong. After all, a statement about the assumed clock
precision does not prevent clock problems.

PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814