You wrote: > With all the discussion on validating timestamps, I was > thinking about a cryptographic approach to signing data > in such a way that the time it was signed could be > validated. This reminds me of the "eternal logfile" facility developed by Lutz Donnerhacke. I don't know if it is still publicly usable but you'll find the idea and technical description at http://www.iks-jena.de/mitarb/lutz/logfile/ (only in german, I'm afraid) > Of course one flaw with this approach is that signatures > could be prefetched, then applied later, so this doesn't > prove how long the signing took place AFTER the request > to the timestamp server In the eternal logfile, the data (or at least a short description) is used as input to the hashing function together with the previous hash value. You cannot prefetch signatures. If the current hash value is published in archived, non-electronic media (newspapers, letter heads), there'll be a verifiable trace of hash values that can be correlated with a timestamp. I haven't seen this method in use, though. HTH, Hauke ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 04:57:51 PDT