Trusted timestamping

Paweł Krawczyk pawel.krawczyk at
Mon Oct 5 10:14:46 EDT 2009

On Sun, 04 Oct 2009 23:42:22 +0200 Alex Pankratov <ap at> 

>There is for example, but there is 
>no documentation or description of it whatsoever. 

>From European world plagued with qualified electronic signature 
disease - timestamp servers usually are compatible with RFC 3161 
"Time-Stamp Protocol (TSP)" that works over HTTP, but since they 
don't want to provide free timestamping for anyone they're using 
various techniques to limit usage of this service.

I've seen two techniques to do this. One was allowing only TSP 
request encapsulated in *signed* CMS (RFC 3369). So if you're 
signing a document using qualified signature AND timestamp you've 
got to enter PIN twice - one for document signature, one for TSP 
transport signature. 

The other server was not requiring signed CMS, but instead silently 
discarded signature requests from clients other that their own 
software. It had something to do with TSP options probably, but I 
didn't investigate any deeper.

Pawe  Krawczyk

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list