ietf-openpgp

Re: Signature types

2005-08-27 08:26:48

On Sat, Aug 27, 2005 at 09:55:52AM -0400, David Shaw wrote:

> On Sat, Aug 27, 2005 at 09:50:18AM +0200, Daniel A. Nagy wrote:
>
> > I am wondering if I understand the following correctly:
> >
> > 0x40 Timestamp signature.
> >
> > It is calculated directly on any document like a 0x00 signature (BTW, it
> > would probably make sense to introduce a 0x41 timestamp for textual
> > documents), but the issuer of the signature does not claim authorship or
> > endorse the document, just states the fact that the document existed at the
> > time when the signature was issued.
>
> Signature over a signature, just like 0x50.  It's not exactly made
> clear in section 5.2.1, but note that it gets a signature target
> subpacket.  That only makes sense if it is a signature over a
> signature.

If the signature target subpacket is in the hashed part of the signature, it
makes perfect sense with signatures on the document as well, as it binds
the document to the signature (e.g. a party that has access only to the
notary's public key can be assured that it is a valid signature on the
document, provided that the notary is trusted).

> Note that 0x40 actually existed in rfc-1991 as well (also
> a signature over a signature).

It's actually RFC1991 that got me wondering:

     <40> - time stamping ("I saw this document") (*)
  ...                                          Type <40> is intended to
  be a signature of a signature, as a notary seal on a signed document.

Now, this is contradictory. If a signature does not have any cryptographic
binding (except the indirect one through the other signature) to the
document, it cannot be used to assert the integrity thereof.

Someone with the public key of the notary cannot verify this claim. Also, it
makes a lot of sense to certify documents that have not been signed. Since
there are no implementations of 0x40 signatures (to my knowledge) it is
worth giving it a thought. A timestamp signature on (possibly unsigned)
documents that can, if required, bind signatures to it is immensely useful.

> > This one I do not understand at all:
> >
> > 0x50 Third-Party Confirmation signature.
> >
> > What is the signature calculated on? The document? The certified signature?
> > Both?
>
> The signature.  I thought this one was pretty clear (from 5.2.1):
>
>         This signature is a signature over some other OpenPGP
>       signature packet(s). It is analogous to a notary seal on the
>       signed data.

Except that if it's a signature on the signature, then it cannot be
analogous to a notary seal on the signed data (see above). Yet, a signature
over a signature is also useful, as it can be issued by a blind notary that
doesn't see the document. Also, it does prove to someone with access to all
public keys the integrity of the document.

In sum, if 0x40 would be a timestamp signature on the document while 0x50 a
timestamp signature on the signature, it would make perfect sense, making
both of them useful and not redundant at all. This won't contradict the
wording of RFC2440, while RFC1991 contradicts itself, so being consistent
with that one is hopeless to begin with.

-- 
Daniel
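
A toy model of the argument in this message, added here as an example; it is not part of the original post and not OpenPGP packet code. Textbook RSA over constructed Mersenne primes stands in for real signatures, and the function names, the type-byte handling and the sample documents are assumptions. It shows that a seal over a signature binds a document only when the author's public key is also available, while a seal computed over the document needs the notary's key alone.

```python
import hashlib

def make_key(p, q, e=65537):
    # Toy textbook RSA from two constructed Mersenne primes; unpadded, illustration only.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(key, sig_type, data):
    # The type byte is mixed in so a seal of one type cannot be replayed as another.
    h = hashlib.sha256(bytes([sig_type]) + data).digest()
    return int.from_bytes(h, "big") % key["n"]

def sign(key, sig_type, data):
    return pow(_digest(key, sig_type, data), key["d"], key["n"])

def verify(key, sig_type, data, sig):
    # Uses only the public part (n, e) of the key.
    return pow(sig, key["e"], key["n"]) == _digest(key, sig_type, data)

def sig_bytes(sig):
    return sig.to_bytes(32, "big")

def seal_over_signature_ok(notary, author_sig, seal):
    # All that the notary's public key alone can check: no document is involved.
    return verify(notary, 0x50, sig_bytes(author_sig), seal)

def chain_ok(author, notary, document, author_sig, seal):
    # With both public keys the document is bound indirectly, via the author's signature.
    return (verify(author, 0x00, document, author_sig)
            and seal_over_signature_ok(notary, author_sig, seal))

def seal_over_document_ok(notary, document, seal):
    # Direct binding: the notary's public key alone suffices.
    return verify(notary, 0x40, document, seal)

def demo():
    author = make_key(2**127 - 1, 2**89 - 1)
    notary = make_key(2**107 - 1, 2**61 - 1)
    doc, other = b"constructed document A", b"constructed document B"
    author_sig = sign(author, 0x00, doc)
    seal_sig = sign(notary, 0x50, sig_bytes(author_sig))  # signature over a signature
    seal_doc = sign(notary, 0x40, doc)                    # signature over the document
    return {
        "sig_seal_valid": seal_over_signature_ok(notary, author_sig, seal_sig),
        "chain_doc": chain_ok(author, notary, doc, author_sig, seal_sig),
        "chain_other": chain_ok(author, notary, other, author_sig, seal_sig),
        "doc_seal_doc": seal_over_document_ok(notary, doc, seal_doc),
        "doc_seal_other": seal_over_document_ok(notary, other, seal_doc),
    }

if __name__ == "__main__":
    print(demo())
```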

