A service will gather data in a database and this data has to be signed
and timestamped for security reasons, and the archives of these data
also need to be signed and timestamped. The data will be used for internal
purposes, so another internal server can issue the signs and stamps.


Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu


Douglas A. Tutty wrote:
> Without a mutually-trusted source of time "cookies", it depends on
> specific needs.
> 
> Further information on the nature of the transaction is required since I
> haven't heard of a pre-packaged oss application.
> 
> Doug.
> 
> 
> 
> On Wed, Oct 03, 2007 at 08:36:37PM +0200, Gabri Mate wrote:
>> Sorry I wasn't totally specific. Yes, later on the receiver needs to
>> verify the timestamp. I was looking for an oss application but couldn't
>> find any for timestamping.
>>
>  
>> Douglas A. Tutty wrote:
>>> On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gabri Mate wrote:
>>>> I've read a lot about timestamping a document, but dunno how it works in
>>>> practice. How can I apply a timestamp to a digitally signed or encrypted
>>>> document? Like I encrypt or sign a document with gnupg, but before the
>>>> process how can I timestamp it?
>>>> Sorry for the stupid question but I really can't imagine it.
>>>>
>>> I suppose the first question is: is the time stamp for info only or does
>>> the recipient have to verify the accuracy of the timestamp?  I.e. let's
>>> say you take the file you want to encrypt and sign, put it in a tarball
>>> that will protect the file's modification time, and encrypt and sign
>>> that.  This gives the recipient your opinion on the timestamp and
>>> protects it from being changed en route.  However, the recipient can't
>>> verify that you or your system are telling the truth.
>>>
>>> I don't know if there's an accepted strategy, but if I had to create one
>>> from scratch, off the top of my head I'm thinking some type of time
>>> server.  It would have to publish a signed file of the current time, say
>>> once per minute, so that you could include the hash in the above noted
>>> tarball.  The recipient could note the time of that hash file, query the
>>> time server for the matching hash and compare the two.  If they match,
>>> then the time matches.
>>>
>>> This would have to be a time server that is trusted by the recipient.  
>>>
>>> I'll be interested to hear from someone who really knows about this.
>>>
>>> Doug.
>>>
>>>
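Added example, not part of the original thread: a minimal sketch of the internal stamping server the first message asks for, in which the server binds the SHA-256 digest of a record or archive to its own clock and authenticates the pair, so a later verifier checks the server's word rather than the sender's. The key, the function names, the sample records and the HMAC tag (standing in for the digital signature an RFC 3161 time-stamp authority would issue) are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key. A real internal stamping server would sign
# with an asymmetric private key so that verifiers cannot mint stamps themselves.
SERVER_KEY = b"constructed-demo-key"


def _payload(body):
    # Canonical encoding so server and verifier authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_stamp(digest_hex, now, serial, key=SERVER_KEY):
    """Server side: bind the submitted digest to the server's own clock."""
    body = {"digest": digest_hex, "time": now, "serial": serial}
    tag = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def request_stamp(document, now, serial):
    """Client side: only the digest is sent, never the record itself."""
    return issue_stamp(hashlib.sha256(document).hexdigest(), now, serial)


def verify_stamp(document, stamp, key=SERVER_KEY):
    """Return the attested time if the stamp covers this document, else None."""
    body = stamp.get("body", {})
    expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(stamp.get("tag", "")).encode()):
        return None  # time, serial or digest was altered after issuance
    actual = hashlib.sha256(document).hexdigest()
    if not hmac.compare_digest(actual.encode(), str(body.get("digest", "")).encode()):
        return None  # valid stamp, but issued for different content
    return body.get("time")


if __name__ == "__main__":
    record = b"id=17;amount=250"           # constructed database row
    stamp = request_stamp(record, 1191436597, serial=1)  # constructed Unix time
    print(verify_stamp(record, stamp))                 # attested time
    print(verify_stamp(b"id=17;amount=999", stamp))    # None: content changed
```

The same calls apply unchanged to an archive: read the archive file as bytes and stamp its digest.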