RE: Time-stamping.
"Gary Visser" <gary@timestamp.com> Tue, 20 March 2001 19:29 UTC
From: Gary Visser <gary@timestamp.com>
To: IETF-PKIX <ietf-pkix@imc.org>
Subject: RE: Time-stamping.
Date: Tue, 20 Mar 2001 11:28:40 -0800
Prashant Dambe wrote:

> Time-stamping of the datum does not bind the time-stamped data to a particular user.
> So where it will be used as it does not bind creator identity.

Correct, but the timestamp is bound to a particular entity. This entity is providing a service similar to a public notary, someone who can attest to the fact that the datum existed prior to a specific point in time.

> Any one can claim that I am the author of the document.

Sure they can make the claim, but can they prove it? If you time-stamped the document, you are claiming to have 'seen' a digest of the document, not that you are its author. As an entity that timestamps documents I will go into a court of law and attest to the fact that an agent of mine saw a digest of a document at a particular point in time, provided of course that I have determined that my agent has not been compromised. I will not make any claims regarding the content or author of the document.

> Until there is specifically identification of the creator inside the document itself.
> One way to do this is to sign over datum plus time-stamped data.
> And if the time-stamped signature value is placed as unsigned attribute,
> it can be also replaced and it is undetectable in current specification.
> So in the current draft is time-stamp generated fully secured?

I do not believe that the draft says you cannot include the timestamp as a signed attribute. So you are free to do this in your systems. Others may also choose to do this. But the timestamp is a separate entity from the datum and need not be a signed attribute. An alternative that provides basically the same level of trust is to require that the timestamp be available from the author or timestamp authority separate from the datum. If the draft required that the timestamp be a signed attribute, then you would not, for example, be able to append timestamps to messages within the mail server as they are being delivered.

Keep in mind that these standards are not enough to build a 'fully secured' system. You must apply and adhere to a security policy to make the system as 'fully' secured as needed. I believe that the authors of these standards go to great lengths to ensure that no particular security policy is mandated by the standard. Thereby allowing you to build a system that meets your requirements.

Gary Visser
Timestamp.com

-----Original Message-----
From: Prashant Dambe [mailto:prashant@elock.co.in]
Sent: Tuesday, March 20, 2001 3:23 AM
To: ietf-pkix@imc.org
Subject: Time-stamping.

Time-stamping of the datum does not bind the time-stamped data to a particular user.
So where it will be used as it does not bind creator identity.
Any one can claim that I am the author of the document.
Until there is specifically identification of the creator inside the document itself.
One way to do this is to sign over datum plus time-stamped data.
In this case user can replace the signature put its own signature.
So is not that time-stamping of signature value is necessary.
And if the time-stamped signature value is placed as unsigned attribute,
it can be also replaced and it is undetectable in current specification.
So in the current draft is time-stamp generated fully secured?

Prashant Dambe
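
The trade-off discussed in this thread, as an added sketch that is not part of any message or of the draft: a timestamp token carried as an unsigned attribute can be exchanged for another genuine TSA token without the signer's signature noticing, while one carried as a signed attribute cannot. HMAC keys stand in for the TSA's and the signer's public-key signatures, and every name, key and time below is constructed for illustration.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC stands in for the public-key signatures a real
# TSA and signer would use (an assumption of this sketch).
TSA_KEY, SIGNER_KEY = b"constructed-tsa-key", b"constructed-signer-key"

def _mac(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _h(data):
    return hashlib.sha256(data).hexdigest()

def tsa_issue(digest, gen_time):
    """The TSA attests it saw this digest at gen_time; it says nothing about authorship."""
    body = {"digest": digest, "genTime": gen_time}
    return {**body, "tsa_sig": _mac(TSA_KEY, body)}

def tsa_verify(token, digest):
    body = {"digest": token["digest"], "genTime": token["genTime"]}
    return token["digest"] == digest and hmac.compare_digest(token["tsa_sig"], _mac(TSA_KEY, body))

def sign(datum, signed_attrs):
    """The signer's signature covers the datum digest and the signed attributes only."""
    return _mac(SIGNER_KEY, {"datum": _h(datum), "attrs": signed_attrs})

def build(datum, gen_time, timestamp_signed):
    if timestamp_signed:  # token over the datum digest, inside the signed attributes
        signed = {"timestamp": tsa_issue(_h(datum), gen_time)}
        return {"datum": datum, "signed": signed, "unsigned": {}, "sig": sign(datum, signed)}
    sig = sign(datum, {})  # token over the signature value, outside the signature
    token = tsa_issue(_h(sig.encode()), gen_time)
    return {"datum": datum, "signed": {}, "unsigned": {"timestamp": token}, "sig": sig}

def verify(msg):
    """Return (signer_ok, token_ok)."""
    signer_ok = hmac.compare_digest(msg["sig"], sign(msg["datum"], msg["signed"]))
    if "timestamp" in msg["signed"]:
        token, digest = msg["signed"]["timestamp"], _h(msg["datum"])
    else:
        token, digest = msg["unsigned"]["timestamp"], _h(msg["sig"].encode())
    return signer_ok, tsa_verify(token, digest)

def swap_token(msg, gen_time):
    """Model replacing the token with another genuine TSA token for the same digest."""
    where = "signed" if "timestamp" in msg["signed"] else "unsigned"
    new = tsa_issue(msg[where]["timestamp"]["digest"], gen_time)
    return {**msg, where: {**msg[where], "timestamp": new}}
```

In this model `verify` returns `(True, True)` after an unsigned token is swapped and `(False, True)` after a signed one is swapped. A token whose `genTime` is edited without the TSA key fails the TSA check in either layout, which is why the replacement can only ever be another time the TSA itself attested to.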
- Time-stamping. Prashant Dambe
- Re: Time-stamping. Jean-Marc Desperrier
- RE: Time-stamping. Gary Visser