Hi Bob,

Judging from what you wrote you might want to implement a 'content
timestamp', which is added to the authenticated attributes and contains a
timestamp over the encapsulated content info. This will not give a proof of
the signing time, just the existence of the data at a particular time.

For implementing this solution you would need the following:
1. A TSA client that can ask for a timestamp over TCP or HTTP. Although I
do not have it currently I will have it in 2-3 months.
2. The TSA client should be integrated into the pkcs7 OpenSSL application
and an option added for requesting and attaching time stamps if required.
This is minor work once 1. is ready. However, I do not have any plans yet
for implementing this feature.

You might want to post your message to openssl-dev, that's a better forum
for discussing this.

Good luck,
Zoltan

----- Original Message -----
From: "Bob Steele" <[EMAIL PROTECTED]>
To: "'Zoltán Glózik'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, June 07, 2002 6:42 PM
Subject: Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a
PKCS#7?


>
> > You are on the right track - it should be possible to attach
> > a time stamp token to a PKCS7 token. However, there are
> > several options depending on what you want to time stamp. The
> > two most obvious ones being:
> >
> > - if you want to prove the existence of the original content
> > at a particular time, you hash the content, ask for a
> > timestamp and attach the time stamp token as a signed
> > attribute to the SignerInfo.
>
> This best matches my problem. If I understand other responders'
> posts, they have suggested similar things. (Thank you all.)
>
> > You may want to look at the following specification for more info:
> > http://portal.etsi.org/sec/el-sign.asp
> > Publication: TS 101 733 v.1.2.2
>
> > I do not know of any tools that implement the specification
> > above. However, OpenSSL could be extended to support the
> > above with a significant amount of work.
>
> I have had a look at this document, and if I am understanding it
> correctly, it places the timestamp over the entire digital signature,
> which is probably not what I want to do.
>
> While interoperability is not crucial to my circumstances, I do not want
> to invent a custom format either, or be deliberately incompatible. If
> adding the timestamp as an AuthenticatedAttribute to the SignerInfo is an
> unobjectionable thing to be doing, and likely to be ignored by readers who
> don't understand it, then I think I would go with this.
>
> Do you believe this would be a "significant" amount of work? Or were you
> referring to a complete implementation of TS 101 733 v.1.2.2?
>
> I wonder if such work would be welcomed back into the OpenSSL code base
> if I did it? Would anyone care to comment? (Perhaps someone could copy this
> message to the programmer's list; I don't subscribe to it.)
>
> - Bob
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
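
The request half of the TSA client described in step 1 of the reply above, as an added example that is not part of the original thread or of OpenSSL: it DER-encodes an RFC 3161 TimeStampReq over the hash of the content and checks that a request's messageImprint matches given content. SHA-256, the function names and the sample content are assumptions made for illustration.

```python
import hashlib

# DER encoding of the SHA-256 AlgorithmIdentifier: OID 2.16.840.1.101.3.4.2.1 + NULL
SHA256_ALG = bytes.fromhex("300d06096086480165030402010500")

def tlv(tag, value):
    """Encode one DER tag-length-value triple (definite length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def der_int(n):
    """Encode a non-negative INTEGER, sized so the sign bit stays clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_timestamp_req(content, nonce=None, cert_req=True):
    """Build an RFC 3161 TimeStampReq over the hash of `content`."""
    imprint = tlv(0x30, SHA256_ALG + tlv(0x04, hashlib.sha256(content).digest()))
    body = der_int(1) + imprint              # version v1, messageImprint
    if nonce is not None:
        body += der_int(nonce)               # replay protection, echoed by the TSA
    if cert_req:
        body += tlv(0x01, b"\xff")           # certReq TRUE (DEFAULT FALSE is omitted in DER)
    return tlv(0x30, body)

def read_tlv(buf, pos):
    """Decode one TLV at `pos`; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def imprint_matches(req_der, content):
    """Check that the request's messageImprint is the SHA-256 of `content`."""
    _, body, _ = read_tlv(req_der, 0)
    _, _version, pos = read_tlv(body, 0)
    tag, imprint, _ = read_tlv(body, pos)
    if tag != 0x30 or not imprint.startswith(SHA256_ALG):
        return False
    _, digest, _ = read_tlv(imprint, len(SHA256_ALG))
    return digest == hashlib.sha256(content).digest()

if __name__ == "__main__":
    # Constructed sample content; over HTTP the bytes are POSTed as application/timestamp-query
    req = build_timestamp_req(b"constructed sample content", nonce=0x0102030405060708)
    print(len(req), req.hex())
```

Only the digest leaves the signer, so the TSA never sees the content itself; the returned token proves that data with this hash existed at the stamped time, not when the signature was made.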