Trusted timestamping
Paweł Krawczyk
pawel.krawczyk at hush.com
Mon Oct 5 10:14:46 EDT 2009
On Sun, 04 Oct 2009 23:42:22 +0200 Alex Pankratov <ap at poneyhot.org>
wrote:
>There is for example timestamp.verisign.com, but there is
>no documentation or description of it whatsoever.
From European world plagued with qualified electronic signature
disease - timestamp servers usually are compatible with RFC 3161
"Time-Stamp Protocol (TSP)" that works over HTTP, but since they
don't want to provide free timestamping for anyone they're using
various techniques to limit usage of this service.
I've seen two techniques to do this. One was allowing only TSP
request encapsulated in *signed* CMS (RFC 3369). So if you're
signing a document using qualified signature AND timestamp you've
got to enter PIN twice - one for document signature, one for TSP
transport signature.
The other server was not requiring signed CMS, but instead silently
discarded signature requests from clients other than their own
software. It had something to do with TSP options probably, but I
didn't investigate any deeper.
--
Paweł Krawczyk
http://ipsec.pl
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
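
Added example, not part of the original post: a hand-rolled DER builder and parser for the RFC 3161 TimeStampReq mentioned in the message, showing the optional fields (reqPolicy, nonce, certReq, extensions) that a TSA sees in every request. The function names are assumptions of this example; over HTTP the encoded request is POSTed with Content-Type application/timestamp-query.

```python
import hashlib

# DER AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")
OPTIONAL = {0x06: "reqPolicy", 0x02: "nonce", 0x01: "certReq", 0xA0: "extensions"}

def der(tag, body):  # one DER TLV with a definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_int(v):  # non-negative INTEGER; leading 0x00 when the high bit is set
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_timestamp_req(data, nonce=None, cert_req=False):
    """TimeStampReq: version 1, SHA-256 messageImprint, optional nonce and certReq."""
    imprint = der(0x30, SHA256_ALG_ID + der(0x04, hashlib.sha256(data).digest()))
    body = der_int(1) + imprint
    if nonce is not None:
        body += der_int(nonce)
    if cert_req:  # DEFAULT FALSE is omitted in DER, so only TRUE is encoded
        body += der(0x01, b"\xff")
    return der(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + n], pos + n

def parse_timestamp_req(req):
    """Return version, digest and the raw value of each optional field present."""
    tag, body, end = read_tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, imprint, pos = read_tlv(body, pos)
    _, _, p = read_tlv(imprint, 0)  # skip hashAlgorithm
    out = {"version": int.from_bytes(version, "big"), "digest": read_tlv(imprint, p)[1]}
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        out[OPTIONAL.get(t, hex(t))] = v
    return out
```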