The following two messages were recently posted to Cypherpunks. There is als o good information in the Cypherpunk archives or Tim May's "Cyphernomicon." See <ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html> --Jeff ---------------------- From: Matthew Richardson,matthew@itconsult.co.uk Subject: "Trustworthy" PGP Timestamping Service ?? -----BEGIN PGP SIGNED MESSAGE----- I have recently setup a free PGP timestamping service which operates by email. The objective of the service is to be able to produce "trustworthy" timestamps which cannot be backdated without detection. It achieves this by:- (a) giving every signature a unique sequential serial number; (b) every day making a ZIP file of that day's detached signatures and feeding the ZIP file back for signing (and hence the assignment of another serial number); (c) making available details of the highest serial number on each day as well as the signed ZIP files via email (and shortly WWW); (d) weekly publishing details of the DETACHED signatures of the ZIP file in alt.security.pgp and to users requesting them on a list server. I would be interested in folks comments on this "trustworthiness", including any weaknesses or possible improvements. Full details of the service can be found at:- http://www.itconsult.co.uk/stamper.htm Thank you in advance. Best wishes, Matthew -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAgUBMQKHtAKwLwcHEv69AQFVLgQAjVyX5w0YM75gskinZ74dkqQ9vDfnOlWt OD28p/0ot+85q+UP8hreS61Fs1bGDqgH5YL3/2Lviy+xhlIj9x8kVw+Rj1KrZvI+ Jt7pInfqwdx9gYxVGDuP0rIcCH+74vFWQJu1UMpZWORq4gv4t/IS1cBJJRaYSyrM hhcdHPRU6RE= =qD+L -----END PGP SIGNATURE----- >From John Lull,lull@acm.org Subject Re: "Trustworthy" PGP Timestamping Service ?? > It sounds like a variant of the Haber and Stornetta work on digital > timestamping, about which much has been written on our list (check the > archives, and/or sections of my Cyphernomicon). > > They have a company, Surety, which is doing this (or was, last time I heard). They were a month ago, at least. Their patent was re-issued 5/30/95 (# R34,954). > www.surety.com will get you there. > > My hunch is that your scheme implements a version of a hash (the idea of > hashing the doc and then publishing the hash as a "widely witnessed event," > in Haber and Stornetta terms) that could infringe on their patents > (assuming they applied, as I recall hearing they did). I would be very surprised if it did. Haber & Stornetta's work is based on building a tree of hashes for all documents within a given time period (1 second in their commercial service), and then chaining the hashes for successive time periods. Once a week they publish one hash from the chain in the New York Times, and have been doing so for many years. The certificate apparently consists of the hashes from the root of the tree to your document, plus one hash for each branch not taken along that route. This permits you to verify that the hash for the time period was indeed partially derived from the document in question. As I understand it you then have to check the chain of hashes for the week, and verify that the ending hash matches the published value. To make this whole process more secure, they use a 288 bit hash created by concatenating an MD5 hash and an SHA hash. There is no digital signature involved and no information which must be kept private -- only the hashes.