With all the discussion on validating timestamps, I was thinking about a cryptographic approach to signing data in such a way that the time it was signed could be validated. This would of course have substantial value in forensic investigations. Anway, here's the idea (which I hereby declare into the publich domain, just in case someone else hasn't thought of it before.) First, there should be a timestamp server, which upon request, will generate a strong hash using its private key of the current time. This can then be incorporated into a data set's signature. Of course one flaw with this approach is that signatures could be prefetched, then applied later, so this doesn't prove how long the signing took place AFTER the request to the timestamp server -- it only proves that the dataset could not be signed BEFORE the request. Therefore, the second half of the transaction should consist of sending the signature that we create BACK to the timeserver, which will then sign it and store it securely. I found one product which seems to do some of this: http://download.baltimore.com/download/pdf/BaltimoreUniCERTExtendedTS.pdf Does anyone know if there is a standard for this? ********************************* Paul Gillingwater, BA, BSc, MBA Managing Director CSO Lanifex Unternehmensberatung & Softwareentwicklung G.m.b.H. NEW BUSINESS CONCEPTS E-mail: paulat_private Tel: +43(1)2198222-20 Fax: +43(1)2198222-11 Mobile: +43(699)1922 3085 Webhome: http://www.lanifex.com/ Address: Praterstrasse 60/1/2 A-1020 Vienna, Austria ********************************* ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 10:06:20 PDT