Trusted timestamping
Alex Pankratov
ap at poneyhot.org
Sun Oct 4 17:42:22 EDT 2009
Does anyone know what's the state of affairs in this area ?
This is probably slightly off-topic, but I can't think of
a better place to ask about this sort of thing.
I have spent a couple of days looking around the Internet,
and things appear to be .. erm .. hectic and disorganized.
There is for example timestamp.verisign.com, but there is
no documentation or description of it whatsoever. Even the
website itself is broken. However it is used by Microsoft's
code signing tool that embeds Verisign's timestamp into
Authenticode signature of signed executable files.
There is also a way to timestamp signed PDFs, but the there
appears to be nothing _trusted_ about available Trusted
Timestamping Authorities. Just a bunch of random companies
that call themselves that way and provide no indication why
they should actually be *trusted*. No audit practicies, not
even a simple description of their backend setup. The same
goes for the companies providing timestamping services for
arbitrary documents, either using online interfaces or a
downloadable software.
There are also Digital Poststamps, which is a very strange
version of a timestamping service, because their providers
insist on NOT releasing the actual timestamp to the customer
and then charging for each timestamp verification request.
I guess my main confusion at the moment is why large CAs of
Verisign's size not offering any standalone timestamping
services.
Any thoughts or comments ?
Thanks,
Alex
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list