"gpg: Signature made <date time>" tamper resistant?

Craig Ringer craig at 2ndquadrant.com
Mon Mar 4 03:30:51 CET 2013

Hash: SHA1

On 03/04/2013 06:35 AM, Werner Koch wrote:
> On Fri, 1 Mar 2013 22:47, adrelanos at riseup.net said:
>> Or in other words, is the date and time taken from the signers machine
>> clock and signed with the signers private key?
> Yes. The time of the signature is taken from the hashed area of the
> signature packet, which means that this is part of the signed data.
Along similar lines, I've been wondering for a while if anyone's running
a GPG remote timestamping and attestation service, where you can submit
text (or the hash of a binary) to the service by web or email and have
it sign it with a key only it had access to. The timestamp signature
could then be verified by anyone, without relying on the service being
up or even the continued existence of the service, in order to prove
that at a certain time a certain text existed.

I originally wanted this years ago in University, when my uni kept on
losing my assignments (grr!) and I wanted a way to prove that they were
completed and in the submitted state at a certain time. I've since had
other uses for such a service too.

I'm increasingly tempted to put a package together to let anyone easily
set up and run one (in the hopes that some will) and run one myself. The
amount of documentation required to educate people about the basics of
the security issues would be a bit daunting, though, and as always
time's a concern. I'm hoping something like this already exists and I've
just never found it before.

- -- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the Gnupg-users mailing list