Re: [ltans] Concrete examples of long-term archiving

Tobias Gondrom <> Mon, 08 August 2011 00:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B1FAC21F86BF for <>; Sun, 7 Aug 2011 17:40:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -93.958
X-Spam-Status: No, score=-93.958 tagged_above=-999 required=5 tests=[AWL=-1.196, BAYES_50=0.001, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aF0DvTFsBIqt for <>; Sun, 7 Aug 2011 17:40:14 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 64FCF21F8548 for <>; Sun, 7 Aug 2011 17:40:14 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; b=fZ0VVaTGGfDkjgH469xOZqaDfyhoW+M6ls/pcr3bsJPa6mVEvm3R1edPVCmgZvieEgk5cQCizUOdEo9b5YkowjEYWq0OtpQzCwpZwUKeMeyIJRdtSDm8+imgvEuhJPbr; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 24260 invoked from network); 8 Aug 2011 02:39:59 +0200
Received: from (HELO ? ( by with (DHE-RSA-AES256-SHA encrypted) SMTP; 8 Aug 2011 02:39:59 +0200
Message-ID: <>
Date: Mon, 08 Aug 2011 01:39:58 +0100
From: Tobias Gondrom <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [ltans] Concrete examples of long-term archiving
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LTANS Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Aug 2011 00:40:15 -0000

Hi Martin,

in general you can find real life examples when larger organisations are 
dealing with critical documents (that in paper form would be signed and 
often documenting high value issues) for a longer time frame.

For example:
- the German federal government uses ERS for signed data.
There is even a guideline for all German government agencies on how to 
use it:
(unfortunately in German, sorry)
* one scenario is for example documents signed in internal workflows and 
documents being delivered to an agency through a so-called agency 
- other real life examples are:
* long-term storage of documents, like pension contracts, sorry can't be 
more specific due to confidentiality
* patient records in health care (in some jurisdictions the health care 
provider (e.g. hospital) is responsible to guarantee the integrity and 
authenticity of all archived patient records for the whole lifespan of 
the patient (and to be able to proof that). In the past this was done 
via paper documents, etc. But when such an institution moves/moved to 
electronic records and documents, electronic signatures were used and 
also required ERS to protect against broken algorithms.
* electronic invoices: EU directive on electronic invoices requires them 
to carry a qualified signature to be used for pre-tax allowances. And as 
in some jurisdictions it may take years until the tax auditor validates 
the records, signature algorithms may become weak and require ERS to 
renew their strength.
* or think of blueprints and documentation for air-planes and ammunition 
during their manufacturing process, to be stored for the whole lifetime 
they may be in use.

But to add a pinch of salt: My personal observation is that the vast 
majority of cases of long-term authenticity and proof of existence is 
still using pure simple paper documents stored somewhere physically safe 
in a bunker/paper archive - like we did the last few hundred years....
(Some companies/government agencies have developed the technical 
capabilities to do this electronically with ERS, but most of them 
haven't yet).

Hope that helps, Tobias

On 04/08/11 17:21, Martin Augusto G. Vigil wrote:
> Hi,
> I am a PhD student and I have been working on a survey on long-term authenticity and proof of existence. I have found many solutions (e.g. ERS, Patricia Trees, etc), projects (e.g. ArchiSig, Prokopius, HP's Content Integrity Service) and even acts (Sarbanes-Oxley Act, Directive 2001/115/EC) but few real life examples in which long-term archiving is required and was already used.
> May someone point some concrete examples?
> Kind regards,
> ----
> Martín A. Gagliotti Vigil
> Technische Universität Darmstadt
> Cryptography and Computer Algebra
> Hochschulstraße 10
> 64289 Darmstadt, Germany
> Room: S2/02 B216
> Tel.: +49 6151 16-5416
> _______________________________________________
> ltans mailing list