On 02.11.2018 15:35, Dirk Gottschalk wrote:
> I prefer GPG. And no, GPG does not lack timestamping, a timestamp is
> included in every signature.

Signature creation date is not the same as timestamping. As for why, you may consider the problem of validating signatures made by revoked keys. Without timestamping this kind of signature is inherently insecure (as the compromised key could be used by the attacker to create a backdated signature).

For example Authenticode uses timestamping [0] so that old signatures can still be considered valid even when the key expires or is revoked later. Adding something comparable to OpenPGP was discussed [1] on OpenPGP ML recently and previously [2].

Kind regards,
Wiktor

[0]: https://docs.microsoft.com/en-US/windows/desktop/SecCrypto/time-stamping-authenticode-signatures
[1]: https://www.ietf.org/mail-archive/web/openpgp/current/msg09092.html
[2]: https://www.ietf.org/mail-archive/web/openpgp/current/msg07136.html

--
https://metacode.biz/@wiktor
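
Added example, not part of the message above and not GnuPG or Authenticode code: a toy verifier showing why a signer-chosen creation date cannot decide validity once a key is revoked, while a third-party timestamp over the signature can. HMAC stands in for public-key signatures, and every key, message, date and function name is constructed for illustration.

```python
import hashlib, hmac
from datetime import datetime, timezone

# Toy model: HMAC stands in for public-key signatures (so the verifier holds
# the keys here). All keys, messages and dates are constructed for the example.
SIGNER_KEY, TSA_KEY = b"signer key, later stolen", b"timestamp authority key"
REVOKED_AT = datetime(2018, 6, 1, tzinfo=timezone.utc)

def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def sign(data, claimed_time):
    """The signer chooses claimed_time itself, like a signature creation date."""
    return {"time": claimed_time,
            "sig": _mac(SIGNER_KEY, data, claimed_time.isoformat().encode())}

def tsa_countersign(signature, tsa_clock):
    """The authority binds the signature bytes to its own clock reading."""
    return {"time": tsa_clock,
            "token": _mac(TSA_KEY, signature["sig"], tsa_clock.isoformat().encode())}

def verify(data, signature, token=None, trust_creation_date=False):
    """Accept a signature by the revoked key only if it predates revocation."""
    claimed = signature["time"].isoformat().encode()
    if not hmac.compare_digest(signature["sig"], _mac(SIGNER_KEY, data, claimed)):
        return False
    if trust_creation_date:              # weak policy: believe the signer's date
        return signature["time"] < REVOKED_AT
    if token is None:                    # strict policy: no trusted time, reject
        return False
    expected = _mac(TSA_KEY, signature["sig"], token["time"].isoformat().encode())
    return hmac.compare_digest(token["token"], expected) and token["time"] < REVOKED_AT

def demo():
    before = datetime(2018, 1, 10, tzinfo=timezone.utc)
    after = datetime(2018, 11, 2, tzinfo=timezone.utc)
    genuine = sign(b"release 1.0", before)
    genuine_tok = tsa_countersign(genuine, before)
    # Made with the stolen key after revocation, but claiming an earlier date.
    backdated = sign(b"tampered release", before)
    backdated_tok = tsa_countersign(backdated, after)  # TSA records the real time
    return {
        "backdated_by_creation_date": verify(b"tampered release", backdated, trust_creation_date=True),
        "backdated_by_timestamp": verify(b"tampered release", backdated, backdated_tok),
        "genuine_by_timestamp": verify(b"release 1.0", genuine, genuine_tok),
    }

if __name__ == "__main__":
    print(demo())
```

The backdated signature passes when the creation date is trusted and fails under the timestamp policy, while the genuinely old signature stays valid after revocation.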