What a receiver needs are the NEXT set of CRLs issued, ones issued after
the message was sent, to prove that the relevant certificates were not
revoked at the time the message was sent.
This begs the question of how we know "when a message was sent," which
is an old issue. (I assume that by "sent" Steve really meant "signed".)
In most cases, it is sufficient to establish the earliest date by which a
message could have been sent, a patentable idea recorded, etc. Third party
notarization and other schemes can be used to address some of these issues,
assuming that we don't have a trusted clock built into the digital signature
hardware or software.
However, we have decided to do a "for real" but small-scale pilot project
involving time cards as a means of forcing to the surface the various
technical, administrative, legal, finance, audit, insurance, and social
issues involved with the use of digital signatures. I am assuming that there
will be a host of commercial-quality applications coming available in 1994
and 1995, and we want to get the infrastructure ready to support them.
But there are some interesting issues involved with timecards. First of all,
processing time cards is not a terribly expensive process, so there isn't
much money to be saved. That means that we can't afford to use lots of PCs
with smart cards and biometric devices attached for this purpose. The user's
private keys are going to have to be stored on a floppy disk and protected
by a typed-in encryption passphrase.
With this rather minimalist approach to computer security, we certainly must
limit the liability that the user is exposed to if his key is stolen, perhaps
by a computer virus that is lurking in his computer. Maybe we say in the CA's
policy statement that the digital signature is valid for internal corporate
use only, and is null and void for any other purpose. At least that keeps
someone from forging checks with someone else's stolen digital signature.
But if the user's private key is stored on a floppy disk with no biometric or
other identity controls, and if there is no liability for the misuse of his
private key, what is to prevent the user from giving his electronic timecard
to his secretary or a coworker, along with his floppy disk, and asking them
to sign and submit his timecard at the end of the week, because he is going
fishing?
I don't even have to ask someone to forge my signature. I just fill it in now,
advance the clock in my computer by four or five days, sign it, adjust the
clock back, and start a task to submit the timecard electronically at the
end of the week!
So how do we establish the EARLIEST time by which a message could have
been signed? (I don't care when it was sent or received.)
One way would be to reverse the usual thinking about an electronic
notary, to which you would submit a document for a postmark.
That only establishes the LATEST time you could have submitted the
message, but not when you signed it.
Instead, we need a digital WWV, which would broadcast
the current date and time once a second, and would include
a true random number along with each tick. Once a minute, once
an hour, or once a day, the entire collection of random numbers
would be digitally signed, broadcast, and archived.
The random numbers cannot be predicted and the time is presumed
to be authoritative, so anyone who includes one of those random
numbers in his message would conclusively demonstrate the earliest
time after which the message could have been generated.
If we want to bound the interval during which a message could have
been generated, we have to include one of the random timestamp numbers
to bound the earliest time, then have the message signed or notarized by
a trusted third party to establish the latest time by which the signing could
have occurred.
Any volunteers to offer such a service, NIST?
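
The beacon-plus-notary scheme described in the message above, as an added sketch that is not part of the original post. HMAC with locally generated keys stands in for the beacon's and the notary's digital signatures, and every name here (`Beacon`, `bind`, `notarize`, `signing_interval`) is hypothetical.

```python
import hashlib, hmac, json, secrets

BEACON_KEY = secrets.token_bytes(32)   # assumption: stand-in for the beacon's signing key
NOTARY_KEY = secrets.token_bytes(32)   # assumption: stand-in for the notary's signing key

def sign(key, obj):
    """HMAC stand-in for a digital signature over a canonical JSON encoding."""
    data = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Beacon:
    """The 'digital WWV': one unpredictable number per tick, archived in signed batches."""
    def __init__(self):
        self.pending, self.archive = {}, []
    def tick(self, t):
        self.pending[str(t)] = secrets.token_hex(16)
        return self.pending[str(t)]
    def seal(self):
        batch = {"ticks": self.pending, "sig": sign(BEACON_KEY, self.pending)}
        self.archive.append(batch)
        self.pending = {}
        return batch

def bind(message, tick_time, nonce):
    """Signer side: fold the broadcast number into the digest that gets signed."""
    digest = hashlib.sha256(nonce.encode() + message).hexdigest()
    return {"tick_time": tick_time, "nonce": nonce, "digest": digest}

def notarize(record, now):
    """Notary side: postmark the digest, fixing the latest possible signing time."""
    stamp = {"digest": record["digest"], "time": now}
    return {**stamp, "sig": sign(NOTARY_KEY, stamp)}

def signing_interval(message, record, postmark, archive):
    """Return (earliest, latest) signing times, or None if any check fails."""
    stamp = {"digest": postmark["digest"], "time": postmark["time"]}
    if not hmac.compare_digest(postmark["sig"], sign(NOTARY_KEY, stamp)):
        return None
    expected = hashlib.sha256(record["nonce"].encode() + message).hexdigest()
    if expected != record["digest"] or expected != postmark["digest"]:
        return None
    for batch in archive:
        if not hmac.compare_digest(batch["sig"], sign(BEACON_KEY, batch["ticks"])):
            continue   # ignore any batch whose signature does not verify
        # the number must sit at the claimed tick and precede the postmark
        if (batch["ticks"].get(str(record["tick_time"])) == record["nonce"]
                and record["tick_time"] <= postmark["time"]):
            return (record["tick_time"], postmark["time"])
    return None
```

A signer who advances the local clock still cannot produce the number for a tick that has not been broadcast, so a record claiming a later tick fails the archive lookup.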