RFC 3161
Does OpenSSL implement RFC 3161 (timestamping)?

Do you know of any toolkit supporting it?

Thank you,
Milan
Re: RFC 3161
Milan Tomic wrote:

> Does OpenSSL implement RFC 3161 (timestamping)?

no

> Do you know of any toolkit supporting it?

try: http://www.opentsa.org/ or https://www.openevidence.org/

Cheers,
Nils

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?
This might be a nonsensical question, and if so it wouldn't be my first foolish question here:

Is it possible or appropriate to add a timestamp object (RFC 3161) to a PKCS#7 signature during the signature's creation?

It is *not* possible for me to make the timestamp the signed data portion, since I'm already creating signatures on external detached data.

What I was wondering is if it was possible to add the timestamp at the same level as the certificates, much as you add additional certificates (for a complete signing chain) to a PKCS#7?

Alternately, if there is another PKI data structure that could incorporate both a PKCS#7 and an RFC 3161 timestamp, could you please suggest it to me?

Thanks for any and all help.

- Bob
Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?
No, Bob wants to know: Does PKCS#7 support additional signed attributes?

The answer is yes.

/r$
Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?
On Thu, Jun 06, 2002 at 05:17:48PM -0700, Bob Steele wrote:

> This might be a nonsensical question, and if so it
> wouldn't be my first foolish question here:
>
> Is it possible or appropriate to add a timestamp object
> (RFC 3161) to a PKCS#7 signature during the signature's
> creation?

This should be defined by business logic and/or risk management rules. No problem at the software-writing level.

> It is *not* possible for me to make the timestamp the signed data
> portion, since I'm already creating signatures on external
> detached data.
>
> What I was wondering is if it was possible to add the timestamp
> at the same level as the certificates, much as you add additional
> certificates (for a complete signing chain) to a PKCS#7?

Maybe another SignerInfo part of the PKCS7? Made by a time-stamping key to confirm the signed-data was shown to the signer at that time. Adding another SignerInfo would not break the validity of any previous one.

> Alternately, If there is another PKI data structure that could
> incorporate both a PKCS#7 and a RFC 3161 timestamp, could you
> please suggest it to me?

One may want to time-stamp the whole "pkcs7 signed" to confirm the (unverified) signature was shown to the second signer at that time.

good luck,
Vadim

> Thanks for any and all help.
>
> - Bob
Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?
Hi Bob,

You are on the right track - it should be possible to attach a time stamp token to a PKCS7 token. However, there are several options depending on what you want to time stamp. The two most obvious ones being:

- if you want to prove the existence of the original content at a particular time, you hash the content, ask for a timestamp and attach the time stamp token as a signed attribute to the SignerInfo.
- if you want long-term non-repudiation you can compute a hash on the signature itself, ask for a timestamp and attach the time stamp token as an unsigned attribute to the SignerInfo.

You may want to look at the following specification for more info:
http://portal.etsi.org/sec/el-sign.asp
Publication: TS 101 733 v.1.2.2

I do not know of any tools that implement the specification above. However, OpenSSL could be extended to support the above with a significant amount of work.

Regards,
Zoltan
Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?
Hi Bob,

Judging from what you wrote you might want to implement a 'content timestamp', which is added to the authenticated attributes and contains a timestamp over the encapsulated content info. This will not give a proof of the signing time, just the existence of the data at a particular time.

For implementing this solution you would need the following:

1. A TSA client that can ask for a timestamp over TCP or HTTP. Although I do not have it currently I will have it in 2-3 months.
2. The TSA client should be integrated into the pkcs7 OpenSSL application and an option added for requesting and attaching time stamps if required. This is minor work once 1. is ready. However, I do not have any plans yet for implementing this feature.

You might want to post your message to openssl-dev, that's a better forum for discussing this.

Good luck,
Zoltan

- Original Message -
From: "Bob Steele" <[EMAIL PROTECTED]>
To: "'Zoltán Glózik'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, June 07, 2002 6:42 PM
Subject: Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?

> > You are on the right track - it should be possible to attach
> > a time stamp token to a PKCS7 token. However, there are
> > several options depending on what you want to time stamp. The
> > two most obvious ones being:
> >
> > - if you want to prove the existence of the original content
> > at a particular time, you hash the content, ask for a
> > timestamp and attach the time stamp token as a signed
> > attribute to the SignerInfo.
>
> This best matches my problem. If I understand other responders'
> posts, they have suggested similar things. (Thank you all.)
>
> > You may want to look at the following specification for more info:
> > http://portal.etsi.org/sec/el-sign.asp
> > Publication: TS 101 733 v.1.2.2
>
> > I do not know of any tools that implement the specification
> > above. However, OpenSSL could be extended to support the
> > above with a significant amount of work.
>
> I have had a look at this document, and if I am understanding it
> correctly, it places the timestamp over the entire digital signature,
> which is probably not what I want to do.
>
> While interoperability is not crucial to my circumstances, I do not want
> to invent a custom format either, or be deliberately incompatible. If
> adding the timestamp as an AuthenticatedAttribute to the SignerInfo is an
> unobjectionable thing to be doing, and likely to be ignored by readers
> who don't understand it, then I think I would go with this.
>
> Do you believe this would be a "significant" amount of work? Or were you
> referring to a complete implementation of TS 101 733 v.1.2.2?
>
> I wonder if such work would be welcomed back into the OpenSSL code base
> if I did it? Would anyone care to comment? (Perhaps someone could copy
> this message to the programmer's list; I don't subscribe to it.)
>
> - Bob
RE: Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?
> Hi Bob,
>
> Judging from what you wrote you might want to implement a
> 'content timestamp', which is added to the authenticated
> attributes and contains a timestamp over the encapsulated
> content info. This will not give a proof of the signing
> time, just the existence of the data at a particular time.

Right. I only need the timestamp to prove the existence of the data at a particular time. The signature testifies to the content's legitimacy.

> For implementing this solution you would need the following:
> 1., A TSA client that can ask for a timestamp over TCP or
> HTTP. Although I do not have it currently I will have it
> in 2-3 months.

While very useful, this is not crucial to my circumstances. What is crucial to me is the ability to verify a timestamp against its data; if you are unable to write this soon I can perhaps help.

> You might want to post your message to openssl-dev, that's a
> better forum for discussing this.

I will join this list, and ask future questions there.

- Bob
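Added example, not part of any message in this thread and not OpenSSL code: a standard-library sketch of the two options Zoltan describes (imprint over the content versus imprint over the signature value) and of the check Bob asks for, matching an RFC 3161 MessageImprint against its data. Function names and the sample bytes are constructed for illustration; only SHA-256 is handled, and verifying the TSA's own signature on a returned token is out of scope.

```python
import hashlib
import hmac

# DER content bytes of OID 2.16.840.1.101.3.4.2.1 (id-sha256)
SHA256_OID = bytes.fromhex("608648016503040201")

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def message_imprint(data: bytes) -> bytes:
    """MessageImprint ::= SEQUENCE { hashAlgorithm, hashedMessage OCTET STRING }"""
    alg = der(0x30, der(0x06, SHA256_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x04, hashlib.sha256(data).digest()))

def timestamp_request(data: bytes, nonce: int) -> bytes:
    """TimeStampReq: version 1, messageImprint, nonce, certReq TRUE."""
    nonce_der = der(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    return der(0x30, der(0x02, b"\x01") + message_imprint(data)
               + nonce_der + der(0x01, b"\xff"))

def imprint_matches(imprint: bytes, data: bytes) -> bool:
    """Check that a MessageImprint covers exactly these bytes."""
    _, body, _ = read_tlv(imprint)
    _, alg, pos = read_tlv(body)
    _, oid, _ = read_tlv(alg)
    _, digest, _ = read_tlv(body, pos)
    if oid != SHA256_OID:
        return False  # this sketch only handles SHA-256
    return hmac.compare_digest(digest, hashlib.sha256(data).digest())

# Constructed sample inputs (not from the thread).
CONTENT = b"detached document bytes"
SIGNATURE = bytes.fromhex("00112233445566778899aabbccddeeff")  # stand-in for SignerInfo.signature

# Option 1: content timestamp, imprint over the content (signed attribute).
content_req = timestamp_request(CONTENT, nonce=0x1234)
# Option 2: signature timestamp, imprint over the signature value (unsigned attribute).
signature_req = timestamp_request(SIGNATURE, nonce=0x1235)
```

The two requests differ only in which bytes are hashed; a verifier that recomputes the imprint over the wrong input (content instead of signature value, or the reverse) will reject a valid token.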