what does a timestamp signature mean? [was: Re: Problem with faked-system-time option]

Jerome Baum jerome at jeromebaum.com
Thu Jun 16 21:08:47 CEST 2011

>> this discussion is much more interesting. Let's keep the arguments
>> about specification, usefulness, etc. out of this thread!
> Actually, i think usefulness and specification are quite important.
> Without them, this discussion is just noise to me.

If this is going to be a thread about specification, then as I said I
am keeping out of it until I hear from Werner. I'll address the
non-specification comments though:

>> [dkg wrote]:
>>> I don't think this is the general consensus.  Timestamps *are*
>>> meaningful -- they are an assertion by the person making the signature
>>> of what time they made the signature.
>> I would say that it's a matter of interpretation,
> I actually don't think what i said above is a matter of interpretation.

... and that is your interpretation.

>> Again, wasn't the goal. As for usefulness of assertion-by-signer, see
>> above for repudiating that you made/intended to make that assertion.
> ???  When i make a signature with a timestamp in it, i am very much
> making (and intending to make) the assertion that the signature was made
> at that time.  I see no repudiation in your message, only that "some
> people don't know that they are making this claim".  I'd also argue that
> some people don't know that when they put a date next to their
> pen-and-ink signature, they're making the claim that that pen-and-ink
> signature was made on that date.  But it's certainly what most of us
> mean by it.

Most of "us"? You really need some context to have this discussion. I
suggested the context of legal proceedings, you are free to suggest
another real-world context. The assertion then depends on that
context. I would have thought the requirement of context was a point
that's come across by now. Technology is meaningless without context.

>> If you think about what a timestamp is for, usually you're not actually
>> concerned with saying "I did X yesterday". You're usually concerned
>> with saying "I did X within 2 weeks of your notice", or "I did X
>> before you did Y". Other options include "I did X before the
>> cancellation deadline" and "I did X within 2 minutes, so I was acting
>> promptly and wasn't negligent".
> right, and this is what i suspect you'd need a global, published
> timestamping service for.

Do you realize that I listed several options and they don't all
require the same kind of timestamping?

> Maybe your time would be better spent working
> out what such a service would look like.  If you can define the service
> itself (centralized, distributed, or whatever), then you'll get a better
> sense of what semantics you need from OpenPGP.  Maybe such a service
> already exists!  I haven't looked for it; have you?

I want to create a basis for any kind of timestamping service. For
instance, stamper. Or, just me making the assertion that I saw some
data at some point. Those are both pretty well-specified. I already
know what semantics I need from OpenPGP: Some key makes the assertion
that some data was available to the owner of that key at-or-before a
specific point in time.

Oh, and yes, I have looked for timestamping services before engaging
in a discussion about them. Maybe you should look at the existing
options as well?

Jerome Baum
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

More information about the Gnupg-users mailing list