Trusted timestamping

Thierry Moreau thierry.moreau at connotech.com
Mon Oct 5 12:52:09 EDT 2009


Alex Pankratov wrote:
> Does anyone know what's the state of affairs in this area?
>
> This is probably slightly off-topic, but I can't think of
> a better place to ask about this sort of thing.
>
> I have spent a couple of days looking around the Internet,
> and things appear to be .. erm .. hectic and disorganized.
>
> There is for example timestamp.verisign.com, but there is 
> no documentation or description of it whatsoever. Even the
> website itself is broken. However it is used by Microsoft's 
> code signing tool that embeds Verisign's timestamp into 
> Authenticode signature of signed executable files.
>
> There is also a way to timestamp signed PDFs, but there 
> appears to be nothing _trusted_ about available Trusted 
> Timestamping Authorities. Just a bunch of random companies
> that call themselves that way and provide no indication why
> they should actually be *trusted*. No audit practices, not 
> even a simple description of their backend setup. The same
> goes for the companies providing timestamping services for 
> arbitrary documents, either using online interfaces or a
> downloadable software.
>
> There are also Digital Poststamps, which is a very strange
> version of a timestamping service, because their providers
> insist on NOT releasing the actual timestamp to the customer 
> and then charging for each timestamp verification request.
>
> I guess my main confusion at the moment is why large CAs of 
> Verisign's size are not offering any standalone timestamping 
> services.
>
> Any thoughts or comments?
>   

I answer your question by two questions:

Trusted timestamping service is like a specialized form of 
non-repudiation service. You may wonder if there is any fielded usage of 
genuine non-repudiation service, i.e. extending to an arbitration 
function that would support evidence management in some litigation 
forum. Fraud prevention in payment systems is not based on a genuine 
non-repudiation scheme. Are you aware of the current state of genuine 
non-repudiation service?

Another approach to your question is that timestamping service has to be 
sold before being fielded and used. Who is(are) the real 
beneficiary(ies) in a trusted timestamping service, and how do you sell 
the service to them so that it makes economic sense?

Regards,

- Thierry Moreau
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


