ietf-openpgp

Re: Timestamp and 3rd party sig

2006-07-16 12:04:07
In his message on Feb 17, 2005
http://www.imc.org/ietf-openpgp/mail-archive/msg09179.html
Rick van Rein raised two important questions only one of which has been
addressed (by W. Koch). Rick proposed changes to the definition of timestamp
signatures (sig type 0x40) which have been neither rejected nor accepted. In
fact, they have not even been discussed.

I would suggest to revisit his suggestion as it clarifies the correct use of
this potentially very useful signature type. I do agree with explicitly
stating the purpose of the signature as in all other cases:

    0x40: Timestamp signature.
        The intention of this signature is to accurately record the time
        at which the timestamped data was seen by the timestamp-signing
        party.

While I see the wording of the additional paragraph a bit clumsy and perhaps
overly specific, some explanation about the calculation of the signature
would be helpful. Before proceeding with that, however, I would like to ask
if there are any implementations that constrain how such signatures should
be constructed and verified?

Another question that arises in the context of timestamps is whether it is
worth defining another type (say, 0x41) for timestamping canonical text
documents analogously to the distinction between 0x00 and 0x01? My personal
opinion is that it is definitely worth doing. Thus, I would propose the
following wording:

    0x40: Timestamp signature of a binary document.
        The intention of this signature is to accurately record the time
        at which the timestamped binary data was seen by the timestamp-signing
        party.

    0x41: Timestamp signature of a canonical text document.
        The intention of this signature is to accurately record the time
        at which the timestamped text was seen by the timestamp-signing
        party. The signature is calculated over the text data with its
        line endings converted to <CR><LF>.

Since I am currently implementing an OpenPGP compliant timestamping service,
I would like to solicit opinions on the issue even without suggesting
immediate changes to the standard. In particular, I would like to know how
various implementations treat 0x40 signatures when encountering them during
signature verification?

Thank you in advance,

-- 
Daniel A. Nagy

Attachment: signature.asc
Description: Digital signature
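
The practical difference between the binary and canonical-text timestamp types proposed in the message above, as an added example that is not part of the original message or of any implementation. It assumes the hash is built the way RFC 4880 builds a version 4 signature hash (document, then hashed signature fields, then trailer); 0x41 is the value proposed in the message, not an assigned type, and the sample documents and creation time are constructed.

```python
import hashlib
import struct

SIG_TIMESTAMP_BINARY = 0x40  # timestamp over binary data, as proposed in the message
SIG_TIMESTAMP_TEXT = 0x41    # proposed in the message; not an assigned signature type

def canonicalize_text(data: bytes) -> bytes:
    """Convert line endings to <CR><LF> (assumption: lone CR and lone LF both count)."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\n", b"\r\n")

def hashed_area(sig_type: int, created: int) -> bytes:
    """V4 signature fields covered by the hash, with one creation-time subpacket."""
    creation_subpacket = bytes([5, 2]) + struct.pack(">I", created)  # len 5, type 2
    header = bytes([4, sig_type, 1, 8])  # version 4, type, RSA (1), SHA-256 (8)
    return header + struct.pack(">H", len(creation_subpacket)) + creation_subpacket

def timestamp_digest(document: bytes, sig_type: int, created: int) -> bytes:
    """Digest a timestamping service would sign for the given signature type."""
    if sig_type == SIG_TIMESTAMP_TEXT:
        document = canonicalize_text(document)
    elif sig_type != SIG_TIMESTAMP_BINARY:
        raise ValueError(f"not a timestamp signature type: {sig_type:#04x}")
    area = hashed_area(sig_type, created)
    trailer = b"\x04\xff" + struct.pack(">I", len(area))  # v4 trailer with area length
    return hashlib.sha256(document + area + trailer).digest()

# Constructed sample: the same text as stored on two platforms.
UNIX_COPY = b"line one\nline two\n"
DOS_COPY = b"line one\r\nline two\r\n"
CREATED = 1153000000  # constructed creation time (seconds since the epoch)

def digests_match(sig_type: int) -> bool:
    """True if both copies of the text yield the same digest under sig_type."""
    return (timestamp_digest(UNIX_COPY, sig_type, CREATED)
            == timestamp_digest(DOS_COPY, sig_type, CREATED))

if __name__ == "__main__":
    print("0x40 digests match:", digests_match(SIG_TIMESTAMP_BINARY))
    print("0x41 digests match:", digests_match(SIG_TIMESTAMP_TEXT))
```

A binary timestamp made over one copy of the text does not verify against the other copy, while the canonical-text type covers both.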
