The whole timestamping process was the idea of the procurer. I'll be
concerned with the network security and similar stuff, so that's why I'm
"researching" the available timestamping methods. I've learned a lot
from all of your comments and I'm really thankful for that.
I guess I'll reconsider this whole timestamping issue and I'm gonna
discuss it with the procurer.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu


Douglas A. Tutty wrote:
> On Thu, Oct 04, 2007 at 05:03:41PM +0200, Gábri Máté wrote:
>> There'll be two main servers, a web server and a sql server. We have to
>> insert a timestamp and a signature in the specified rows of tables.
>> Periodically the sql server will make pdf documents from the data and we
>> have to sign and timestamp these docs too. I also have to set up a
>> firewall and a backup server, both of them will be OBSD.
>> After what all of you wrote I guess one of the OBSD servers will act as
>> the timestamping machine with the method of issuing a time file
>> periodically, sign and hash it. I can set up a script for that, and
>> another one for verification. That's the easiest way I guess.
>>
>> As for why I don't want to use a public time stamping service: it's much
>> more flexible to do it on our own, and much faster, and there are
>> other reasons. Of course the results don't have to be verified by total
>> strangers, just those who work with the data from day-to-day.
>>
> 
> I'm not clear on what you will gain over just having all the boxes
> running ntp and having the SQL server inserting a time value on each row
> of the table, and having each row be non-alterable (other than, of
> course, by root), and having a time stamp put on the pdf document.  
> 
> Typical uses for real time stamps are for audit purposes.  The only
> reason for an audit trail is to prove that records haven't been altered
> either accidentally or intentionally/maliciously by someone within the
> organization.  If this is for internal auditing only and your internal
> audit department requires something more than just a time-entry in an
> SQL file, then they should have sole control over the server that does
> the time stamping.  Nobody outside of the audit department should have
> any root privileges.  In which case, a dedicated dot-matrix printer that
> prints the file name, hash, and time stamp of files as they are received for
> stamping, would be prudent.  Put multi-part paper in the printer and
> take a copy off-site (to the off-site auditors?) regularly.
> 
> In any event, your system (policy, protocols, etc) should be approved by
> the people who will be needing to verify the veracity of the timestamps.
> 
> Doug.
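
An added example, not part of the original message or of either poster's setup: a sketch of a stamping log that records file name, hash and time per entry, chains each entry to the previous one, and checks the chain against a head value kept off-site (the role of the printed copy in the quoted reply). HMAC-SHA256 stands in for the signature step, and the key, file names, times and function names are all constructed assumptions.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 with a key held only on the stamping host stands in
# for the signature step; key, file names and times below are constructed.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64
FIELDS = ("name", "sha256", "time", "prev")

def _mac(entry):
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def stamp(log, name, data, now):
    """Append an entry chained to the previous one; return the new head value."""
    entry = {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
             "time": now, "prev": log[-1]["mac"] if log else GENESIS}
    entry["mac"] = _mac(entry)
    log.append(entry)
    return entry["mac"]

def verify(log, offsite_head):
    """Return -1 if intact, else the index of the first bad entry
    (len(log) means the chain is self-consistent but not the one recorded off-site)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or not hmac.compare_digest(_mac(entry), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1 if hmac.compare_digest(prev, offsite_head) else len(log)

def demo():
    log = []
    stamp(log, "report-001.pdf", b"total: 100", "2007-10-04T15:00:00Z")
    head = stamp(log, "report-002.pdf", b"total: 250", "2007-10-04T15:05:00Z")
    # Stored time edited in place: the MAC of entry 0 no longer matches.
    edited = [dict(e) for e in log]
    edited[0]["time"] = "2007-10-03T15:00:00Z"
    # Someone holding the key re-stamps everything: only the off-site head differs.
    redone = []
    stamp(redone, "report-001.pdf", b"total: 900", "2007-10-04T15:00:00Z")
    stamp(redone, "report-002.pdf", b"total: 250", "2007-10-04T15:05:00Z")
    return verify(log, head), verify(edited, head), verify(redone, head)

if __name__ == "__main__":
    print(demo())
```

The third result is the case the off-site copy exists for: a log rebuilt by someone with the key verifies entry by entry and fails only against the head recorded elsewhere.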