--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

>Return-Path: owner-ids@uow.edu.au
>Received: from wyrm.cc.uow.edu.au (wyrm.cc.uow.edu.au [130.130.68.1]) by dns
>Received: (from majordom@localhost) by wyrm.cc.uow.edu.au (8.7.1/8.6.11) id
>X-Authentication-Warning: wyrm.cc.uow.edu.au: majordom set sender to owner-i
>X-Sender: dun@wintermute.ncsa.uiuc.edu
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>X-PGP-Fingerprint: 05 9C CC 58 07 2D B6 35 43 FF C6 1D 9D B6 61 93
>X-Face: #&)jrrXxV*Y<\==GUSh/#MTt"LgJmy?(a-7C.JYheK&9hUb"P}rcga8NU|&*k~qwwLe?
>Date: Thu, 25 Jan 1996 09:28:21 -0600
>To: ids@uow.edu.au
>From: dun@ncsa.uiuc.edu (Chris Dunlap)
>Subject: Re: Timestamping
>Sender: owner-ids@uow.edu.au
>Reply-To: ids@uow.edu.au
>
>It was on 1/22/96 at 8:41 AM when Doug Hughes wrote:
>>The best way to do this is with digital signatures. If you include the
>>timestamp in the body of the message, and then sign the body of the message
>>there can be no doubt about the time (unless you have a weak key-length, or
>>your key has been compromised). PGP/PEM will do this.
>There can be no doubt. Use the largest key you can.
>
>How do you prove the timestamp in the body of the message is the
>correct time in the first place? Your system clock could have been
>set forward or back before your digital signature. The whole point
>behind using a timestamping service is that their clock is supposedly
>secure (and somewhere outside of your control).
>

Yeah, it depends on your intentions. If you want something that proves that somebody else sent something by a particular time, then a trusted third party is the only alternative. However, if you just want something that additionally authenticates a post for yourself, this can be useful.
This way, if a signed posting (purportedly by you) shows up on Usenet at some day at some time, and the timestamp is way off, it would raise a flag, thereby preventing replay sorts of hacks. (somebody taking your posting, and, for whatever reason, sending it someplace else at a later date in time)

I think we're straying from IDS though, so I won't post anymore on the subject to the list.
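The replay flag described in the message above, as an added example that is not part of the original thread: the timestamp sits inside the signed text, and a reader compares it with the time the copy was sighted. HMAC-SHA256 from the Python standard library stands in for the PGP/PEM signature, and `KEY`, `MAX_SKEW`, `T0`, `sign_post` and `check_post` are hypothetical names with constructed values. The timestamp is still whatever the signer's clock said, so this does not answer the objection in the quoted reply.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

KEY = b"constructed-demo-key"            # constructed; HMAC stands in for PGP/PEM
MAX_SKEW = timedelta(hours=24)           # assumed tolerance, not from the thread
T0 = datetime(1996, 1, 22, 8, 41, tzinfo=timezone.utc)  # constructed sample time


def _tag(text: str, key: bytes) -> str:
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def sign_post(body: str, signed_at: datetime, key: bytes = KEY) -> str:
    """Place the timestamp inside the signed text, then sign the whole text."""
    text = f"Signed-At: {signed_at.isoformat()}\n\n{body}"
    return f"{text}\n--SIG {_tag(text, key)}"


def check_post(post: str, seen_at: datetime, key: bytes = KEY) -> str:
    """Return 'forged', 'stale' (possible replay) or 'ok' for a sighted copy."""
    text, sep, tag = post.rpartition("\n--SIG ")
    if not sep or not hmac.compare_digest(_tag(text, key).encode(), tag.encode()):
        return "forged"                  # body or timestamp altered after signing
    header = text.split("\n", 1)[0]
    try:
        signed_at = datetime.fromisoformat(header.removeprefix("Signed-At: "))
    except ValueError:
        return "forged"
    if signed_at.tzinfo is None:
        return "forged"                  # this sketch only signs zone-aware times
    # Signature is valid, so the timestamp is the one the key holder wrote.
    # A large gap to the sighting time is the flag described in the message.
    if abs(seen_at - signed_at) > MAX_SKEW:
        return "stale"
    return "ok"


if __name__ == "__main__":
    post = sign_post("My real posting.", T0)
    print(check_post(post, T0 + timedelta(hours=1)))    # fresh copy
    print(check_post(post, T0 + timedelta(days=30)))    # same bytes, reposted later
    print(check_post(post.replace("01-22", "02-21"), T0 + timedelta(days=30)))
```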