[144935] in cryptography@c2.net mail archive


Re: Trusted timestamping

daemon@ATHENA.MIT.EDU (Thierry Moreau)
Mon Oct 5 22:57:25 2009

Date: Mon, 05 Oct 2009 12:52:09 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: 'Cryptography' <cryptography@metzdowd.com>
In-Reply-To: <000001ca453b$8ff733d0$6e01a8c0@lenovo>

Alex Pankratov wrote:
> Does anyone know what's the state of affairs in this area?
>
> This is probably slightly off-topic, but I can't think of
> a better place to ask about this sort of thing.
>
> I have spent a couple of days looking around the Internet,
> and things appear to be .. erm .. hectic and disorganized.
>
> There is for example timestamp.verisign.com, but there is 
> no documentation or description of it whatsoever. Even the
> website itself is broken. However it is used by Microsoft's 
> code signing tool that embeds Verisign's timestamp into 
> Authenticode signature of signed executable files.
>
> There is also a way to timestamp signed PDFs, but there
> appears to be nothing _trusted_ about available Trusted
> Timestamping Authorities. Just a bunch of random companies
> that call themselves that way and provide no indication why
> they should actually be *trusted*. No audit practices, not
> even a simple description of their backend setup. The same
> goes for the companies providing timestamping services for 
> arbitrary documents, either using online interfaces or a
> downloadable software.
>
> There are also Digital Poststamps, which is a very strange
> version of a timestamping service, because their providers
> insist on NOT releasing the actual timestamp to the customer 
> and then charging for each timestamp verification request.
>
> I guess my main confusion at the moment is why large CAs of
> Verisign's size are not offering any standalone timestamping
> services.
>
> Any thoughts or comments?
>   

I answer your question with two questions:

Trusted timestamping service is like a specialized form of 
non-repudiation service. You may wonder if there is any fielded usage of 
genuine non-repudiation service, i.e. extending to an arbitration 
function that would support evidence management in some litigation 
forum. Fraud prevention in payment systems is not based on a genuine 
non-repudiation scheme. Are you aware of the current state of genuine 
non-repudiation service?

Another approach to your question is that timestamping service has to be 
sold before being fielded and used. Who is(are) the real 
beneficiary(ies) in a trusted timestamping service, and how do you sell 
the service to them so that it makes economic sense?

Regards,

- Thierry Moreau