-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry i wasn't totally specific. Yes, later on the reciever need to verify the timestamp. I was looking for an oss application but couldn't find any for timestamping.
Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu Douglas A. Tutty mrta: > On Wed, Oct 03, 2007 at 06:21:53PM +0200, G??bri M??t?? wrote: >> I've read a lot about timestamping a document, but dunno how it works in >> practice. How can i apply a timestamp to a digitally signed or encrypted >> document? Like i encrypt or sign a document with gnupg, but before the >> process how can i timestamp it? >> Sorry for the stupid question but i really can't imagine it. >> > > I suppose the first question is: is the time stamp for info only or does > the recipient have to verify the accuracy of the timestamp? I.e. lets > say you take the file you want to encrypt and sign, put it in a tarball > that will protect the file's modification time, and encrypt and sign > that. This gives the recipient your opinion on the timestamp and > protects it from being changed enroute. However, the recipient can't > verify that you or your system are telling the truth. > > I don't know if there's an accepted strategy, but if I had to create one > from scratch, off the top of my head I'm thinking some time of time > server. It would have to publish a signed file of the current time, say > once per minute, so that you could include the hash in the above noted > tarball. The recipient could note the time of that hash file, query the > time server for the matching hash and compare the two. If they match, > then the time matches. > > This would have to be a time server that is trusted by the recipient. > > I'll be interested to hear from someone who really knows about this. > > Doug. iD8DBQFHA+E08najRxwF9nkRAkZnAJ9F83yBOJ7KhTgUngOtFAcCWJeDcwCeOEUS MxT2+9gw9WpbIi6BXfeeSSc= =0rKL -----END PGP SIGNATURE-----