Trusted timestamping

[Alex Pankratov]

Does anyone know what's the state of affairs in this area ? 

This is probably slightly off-topic, but I can't think of
a better place to ask about this sort of thing.

I have spent a couple of days looking around the Internet,
and things appear to be .. erm .. hectic and disorganized.

There is for example timestamp.verisign.com, but there is 
no documentation or description of it whatsoever. Even the
website itself is broken. However it is used by Microsoft's 
code signing tool that embeds Verisign's timestamp into 
Authenticode signature of signed executable files.

There is also a way to timestamp signed PDFs, but the there 
appears to be nothing _trusted_ about available Trusted 
Timestamping Authorities. Just a bunch of random companies
that call themselves that way and provide no indication why
they should actually be *trusted*. No audit practicies, not 
even a simple description of their backend setup. The same
goes for the companies providing timestamping services for 
arbitrary documents, either using online interfaces or a
downloadable software.

There are also Digital Poststamps, which is a very strange
version of a timestamping service, because their providers
insist on NOT releasing the actual timestamp to the customer 
and then charging for each timestamp verification request.

I guess my main confusion at the moment is why large CAs of 
Verisign's size not offering any standalone timestamping 
services.

Any thoughts or comments ?

Thanks,
Alex

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com