Re: Timestamping

Jeff Williams (williams@va.arca.com)
22 Jan 1996 15:17:40 GMT

The following two messages were recently posted to Cypherpunks.  There is also
good information in the Cypherpunk archives or Tim May's "Cyphernomicon."

See <ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html>

--Jeff

----------------------

From: Matthew Richardson,matthew@itconsult.co.uk
Subject: "Trustworthy" PGP Timestamping Service ??

-----BEGIN PGP SIGNED MESSAGE-----

I have recently setup a free PGP timestamping service which operates 
by email.

The objective of the service is to be able to produce "trustworthy" 
timestamps which cannot be backdated without detection.  It achieves 
this by:-

(a)  giving every signature a unique sequential serial number;

(b)  every day making a ZIP file of that day's detached signatures 
and feeding the ZIP file back for signing (and hence the assignment 
of another serial number);

(c)  making available details of the highest serial number on each 
day as well as the signed ZIP files via email (and shortly WWW);

(d)  weekly publishing details of the DETACHED signatures of the ZIP 
file in alt.security.pgp and to users requesting them on a list 
server.

I would be interested in folks comments on this "trustworthiness", 
including any weaknesses or possible improvements.

Full details of the service can be found at:-
     http://www.itconsult.co.uk/stamper.htm

Thank you in advance.

Best wishes,
Matthew

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAgUBMQKHtAKwLwcHEv69AQFVLgQAjVyX5w0YM75gskinZ74dkqQ9vDfnOlWt
OD28p/0ot+85q+UP8hreS61Fs1bGDqgH5YL3/2Lviy+xhlIj9x8kVw+Rj1KrZvI+
Jt7pInfqwdx9gYxVGDuP0rIcCH+74vFWQJu1UMpZWORq4gv4t/IS1cBJJRaYSyrM
hhcdHPRU6RE=
=qD+L
-----END PGP SIGNATURE-----




From: John Lull,lull@acm.org
Subject: Re: "Trustworthy" PGP Timestamping Service ??

> It sounds like a variant of the Haber and Stornetta work on digital
> timestamping, about which much has been written on our list (check the
> archives, and/or sections of my Cyphernomicon).
> 
> They have a company, Surety, which is doing this (or was, last time I
> heard).

They were a month ago, at least.  Their patent was re-issued 5/30/95
(# R34,954).

> www.surety.com will get you there.
> 
> My hunch is that your scheme implements a version of a hash (the idea of
> hashing the doc and then publishing the hash as a "widely witnessed event,"
> in Haber and Stornetta terms) that could infringe on their patents
> (assuming they applied, as I recall hearing they did).

I would be very surprised if it did.  Haber & Stornetta's work is
based on building a tree of hashes for all documents within a given
time period (1 second in their commercial service), and then chaining
the hashes for successive time periods.  Once a week they publish one
hash from the chain in the New York Times, and have been doing so for
many years.  The certificate apparently consists of the hashes from
the root of the tree to your document, plus one hash for each branch
not taken along that route.  This permits you to verify that the hash
for the time period was indeed partially derived from the document in
question.  As I understand it you then have to check the chain of
hashes for the week, and verify that the ending hash matches the
published value.

To make this whole process more secure, they use a 288 bit hash
created by concatenating an MD5 hash and an SHA hash.

There is no digital signature involved and no information which must
be kept private -- only the hashes.
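
The verification walk described in the message above (document hash, sibling hashes up to the period's root, then the chain of period hashes up to the published value), as an added example that is not part of the original messages and is not Surety's code. The tree layout, the promotion of an unpaired node, the chain start value and the sample documents are assumptions constructed for illustration.

```python
import hashlib

def h288(data: bytes) -> bytes:
    # 288 bits = MD5 (128) || SHA-1 (160), as in the message; both are collision-broken today.
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()

def build_tree(leaves):
    levels = [list(leaves)]            # leaves first, root last
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [h288(cur[i] + cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:               # assumption: unpaired node is promoted unchanged
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def certificate(levels, index):
    path = []                          # one sibling hash per branch not taken
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))   # (hash, sibling is on the left?)
        index //= 2
    return path

def period_root(doc, path):
    node = h288(doc)
    for sibling, is_left in path:
        node = h288(sibling + node) if is_left else h288(node + sibling)
    return node

def verify(doc, path, prev_link, later_roots, published):
    # Recompute the chain from the document up to the widely published hash.
    link = h288(prev_link + period_root(doc, path))
    for root in later_roots:
        link = h288(link + root)
    return link == published

def sample():
    # Constructed data: four time periods of submitted documents.
    periods = [[b"contract", b"notes"], [b"invoice", b"design", b"will"], [b"memo"], [b"log"]]
    trees = [build_tree([h288(d) for d in docs]) for docs in periods]
    roots = [t[-1][0] for t in trees]
    links = [h288(b"constructed start value")]
    for r in roots:
        links.append(h288(links[-1] + r))
    return trees, roots, links

if __name__ == "__main__":
    trees, roots, links = sample()
    cert = certificate(trees[1], 2)    # b"will", stamped in period 1
    print(verify(b"will", cert, links[1], roots[2:], links[-1]))
```

The verifier needs only the document, the certificate, the intermediate period hashes and the published value; no key or other secret is involved.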