Slightly OT - i need the proper wording for a signed document

Wiktor Kwapisiewicz wiktor at metacode.biz
Fri Nov 2 17:17:59 CET 2018


On 02.11.2018 15:35, Dirk Gottschalk wrote:
> I prefer GPG. And no, GPG does not lack timestamping, a timestamp is
> included in every signature.

Signature creation date is not the same as timestamping. As for why, you
may consider the problem of validating signatures made by revoked keys.
Without timestamping this kind of signature is inherently insecure (as
the compromised key could be used by the attacker to create a backdated
signature).

For example, Authenticode uses timestamping [0] so that old signatures
can still be considered valid even when the key expires or is revoked later.

Adding something comparable to OpenPGP was discussed [1] on OpenPGP ML
recently and previously [2].

Kind regards,
Wiktor

[0]:
https://docs.microsoft.com/en-US/windows/desktop/SecCrypto/time-stamping-authenticode-signatures

[1]: https://www.ietf.org/mail-archive/web/openpgp/current/msg09092.html

[2]: https://www.ietf.org/mail-archive/web/openpgp/current/msg07136.html

-- 
https://metacode.biz/@wiktor
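
As an added illustration of the point above (not code from this thread or from GnuPG): a small Python model of the two validation rules, checking a signature whose key was revoked after a compromise. The TSA is modelled with an HMAC under a constructed key, whereas a real TSA signs with a public key so verifiers hold no secret; all names and times are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the TSA's signing key (a real TSA signs with a
# public key; HMAC keeps this example stdlib-only).
TSA_KEY = b"constructed-tsa-key"

@dataclass
class Signature:
    signer: str
    claimed_time: int   # creation time written by the signer: attacker-controlled
    digest: str         # hash standing in for the signature bytes

@dataclass
class Timestamp:
    digest: str         # the signature the TSA saw
    time: int           # time the TSA attests the signature already existed
    mac: str

def sign(signer: str, claimed_time: int, document: bytes) -> Signature:
    d = hashlib.sha256(f"{signer}|{claimed_time}|".encode() + document).hexdigest()
    return Signature(signer, claimed_time, d)

def tsa_issue(sig: Signature, now: int) -> Timestamp:
    # The TSA uses its own clock, never the time claimed inside the signature.
    mac = hmac.new(TSA_KEY, f"{sig.digest}|{now}".encode(), hashlib.sha256).hexdigest()
    return Timestamp(sig.digest, now, mac)

def tsa_verify(ts: Timestamp) -> bool:
    expect = hmac.new(TSA_KEY, f"{ts.digest}|{ts.time}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(ts.mac, expect)

def valid_by_creation_date(sig: Signature, revoked_at: Optional[int]) -> bool:
    # Insecure rule: trusts the date the signer wrote into the signature.
    return revoked_at is None or sig.claimed_time < revoked_at

def valid_by_timestamp(sig: Signature, ts: Optional[Timestamp], revoked_at: Optional[int]) -> bool:
    # Secure rule: only a TSA-attested time counts, and it must predate revocation.
    if ts is None or ts.digest != sig.digest or not tsa_verify(ts):
        return False
    return revoked_at is None or ts.time < revoked_at

def demo() -> tuple:
    doc = b"constructed document"
    honest = sign("alice", 500, doc); honest_ts = tsa_issue(honest, 500)
    # Key compromised and revoked at t=1100; at t=1200 the attacker signs with
    # a claimed creation time of 900, but the TSA will only attest t=1200.
    backdated = sign("alice", 900, doc); backdated_ts = tsa_issue(backdated, 1200)
    return (valid_by_creation_date(backdated, 1100),                 # True: fooled
            valid_by_timestamp(backdated, backdated_ts, 1100),       # False: rejected
            valid_by_timestamp(honest, honest_ts, 1100))             # True: still valid
```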



More information about the Gnupg-users mailing list