On Wed, Oct 03, 2007 at 06:21:53PM +0200, G??bri M??t?? wrote:
> I've read a lot about timestamping a document, but dunno how it works in
> practice. How can I apply a timestamp to a digitally signed or encrypted
> document? Like I encrypt or sign a document with gnupg, but before the
> process how can I timestamp it?
> Sorry for the stupid question but I really can't imagine it.
>
I suppose the first question is: is the time stamp for info only or does the recipient have to verify the accuracy of the timestamp?

I.e. let's say you take the file you want to encrypt and sign, put it in a tarball that will protect the file's modification time, and encrypt and sign that. This gives the recipient your opinion on the timestamp and protects it from being changed en route. However, the recipient can't verify that you or your system are telling the truth.

I don't know if there's an accepted strategy, but if I had to create one from scratch, off the top of my head I'm thinking some type of time server. It would have to publish a signed file of the current time, say once per minute, so that you could include the hash in the above noted tarball. The recipient could note the time of that hash file, query the time server for the matching hash and compare the two. If they match, then the time matches. This would have to be a time server that is trusted by the recipient.

I'll be interested to hear from someone who really knows about this.

Doug.
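
The scheme proposed in the reply above, as an added Python example that is not part of the original message. The function names, the key and the timestamps are assumptions made for illustration, and HMAC stands in for the time server's public-key signature so that it runs with the standard library alone.

```python
import hashlib
import hmac

# Assumption: HMAC stands in for the time server's public-key signature.
# The key and all timestamps below are constructed for this example.
SERVER_KEY = b"constructed-demo-key"

def publish_beacon(minute: str) -> dict:
    """Time server: publish a signed statement of the current minute."""
    sig = hmac.new(SERVER_KEY, minute.encode(), hashlib.sha256).hexdigest()
    return {"time": minute, "sig": sig}

def beacon_hash(beacon: dict) -> str:
    """Hash of the published file; this is what the sender embeds."""
    data = f"{beacon['time']}\n{beacon['sig']}".encode()
    return hashlib.sha256(data).hexdigest()

def make_manifest(document: bytes, beacon: dict) -> dict:
    """Sender: manifest placed in the tarball before signing and encrypting."""
    return {
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "claimed_time": beacon["time"],
        "beacon_hash": beacon_hash(beacon),
    }

def verify_manifest(manifest: dict, archive: dict) -> bool:
    """Recipient: fetch the beacon for the claimed minute and compare hashes."""
    beacon = archive.get(manifest["claimed_time"])
    if beacon is None or beacon["time"] != manifest["claimed_time"]:
        return False  # the server published nothing for that minute
    expected = hmac.new(SERVER_KEY, beacon["time"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, beacon["sig"]):
        return False  # archive entry was not signed by the server
    return hmac.compare_digest(beacon_hash(beacon), manifest["beacon_hash"])

# Constructed archive: what the trusted server has published so far.
ARCHIVE = {m: publish_beacon(m)
           for m in ("2007-10-03T16:21Z", "2007-10-03T16:22Z")}

if __name__ == "__main__":
    manifest = make_manifest(b"example document", ARCHIVE["2007-10-03T16:21Z"])
    print("honest claim verifies:", verify_manifest(manifest, ARCHIVE))
    manifest["claimed_time"] = "2007-10-03T16:22Z"  # claim a different minute
    print("altered claim verifies:", verify_manifest(manifest, ARCHIVE))
```

A matching hash shows the manifest was built no earlier than the claimed minute, because the signed beacon did not exist before the server published it.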