- <title>Idea for storing trusted timestamps in a Noark 5 archive</title>
- <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html</guid>
- <pubDate>Wed, 7 Jun 2017 21:40:00 +0200</pubDate>
- <description><p><em>This is a copy of
-<a href="https://lists.nuug.no/pipermail/nikita-noark/2017-June/000297.html">an
-email I posted to the nikita-noark mailing list</a>. Please follow up
-there if you would like to discuss this topic. The background is that
-we are making a free software archive system based on the Norwegian
-<a href="https://www.arkivverket.no/forvaltning-og-utvikling/regelverk-og-standarder/noark-standarden">Noark
-5 standard</a> for government archives.</em></p>
-
-<p>I've been wondering a bit lately how trusted timestamps could be
-stored in Noark 5.
-<a href="https://en.wikipedia.org/wiki/Trusted_timestamping">Trusted
-timestamps</a> can be used to verify that some information
-(document/file/checksum/metadata) have not been changed since a
-specific time in the past. This is useful to verify the integrity of
-the documents in the archive.</p>
-
-<p>Then it occured to me, perhaps the trusted timestamps could be
-stored as dokument variants (ie dokumentobjekt referered to from
-dokumentbeskrivelse) with the filename set to the hash it is
-stamping?</p>
-
-<p>Given a "dokumentbeskrivelse" with an associated "dokumentobjekt",
-a new dokumentobjekt is associated with "dokumentbeskrivelse" with the
-same attributes as the stamped dokumentobjekt except these
-attributes:</p>
-
-<ul>
-
-<li>format -> "RFC3161"
-<li>mimeType -> "application/timestamp-reply"
-<li>formatDetaljer -> "&lt;source URL for timestamp service&gt;"
-<li>filenavn -> "&lt;sjekksum&gt;.tsr"
-
-</ul>
-
-<p>This assume a service following
-<a href="https://tools.ietf.org/html/rfc3161">IETF RFC 3161</a> is
-used, which specifiy the given MIME type for replies and the .tsr file
-ending for the content of such trusted timestamp. As far as I can
-tell from the Noark 5 specifications, it is OK to have several
-variants/renderings of a dokument attached to a given
-dokumentbeskrivelse objekt. It might be stretching it a bit to make
-some of these variants represent crypto-signatures useful for
-verifying the document integrity instead of representing the dokument
-itself.</p>
-
-<p>Using the source of the service in formatDetaljer allow several
-timestamping services to be used. This is useful to spread the risk
-of key compromise over several organisations. It would only be a
-problem to trust the timestamps if all of the organisations are
-compromised.</p>
-
-<p>The following oneliner on Linux can be used to generate the tsr
-file. $input is the path to the file to checksum, and $sha256 is the
-SHA-256 checksum of the file (ie the "<sjekksum>.tsr" value mentioned
-above).</p>
-
-<p><blockquote><pre>
-openssl ts -query -data "$inputfile" -cert -sha256 -no_nonce \
- | curl -s -H "Content-Type: application/timestamp-query" \
- --data-binary "@-" http://zeitstempel.dfn.de > $sha256.tsr
-</pre></blockquote></p>
-
-<p>To verify the timestamp, you first need to download the public key
-of the trusted timestamp service, for example using this command:</p>
-
-<p><blockquote><pre>
-wget -O ca-cert.txt \
- https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
-</pre></blockquote></p>
-
-<p>Note, the public key should be stored alongside the timestamps in
-the archive to make sure it is also available 100 years from now. It
-is probably a good idea to standardise how and were to store such
-public keys, to make it easier to find for those trying to verify
-documents 100 or 1000 years from now. :)</p>
-
-<p>The verification itself is a simple openssl command:</p>
-
-<p><blockquote><pre>
-openssl ts -verify -data $inputfile -in $sha256.tsr \
- -CAfile ca-cert.txt -text
-</pre></blockquote></p>
-
-<p>Is there any reason this approach would not work? Is it somehow against
-the Noark 5 specification?</p>
+ <title>A bit more on privacy respecting health monitor / fitness tracker</title>
+ <link>http://people.skolelinux.org/pere/blog/A_bit_more_on_privacy_respecting_health_monitor___fitness_tracker.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/A_bit_more_on_privacy_respecting_health_monitor___fitness_tracker.html</guid>
+ <pubDate>Mon, 13 Aug 2018 09:00:00 +0200</pubDate>
+ <description><p>A few days ago, I wondered if there are any privacy respecting
+health monitors and/or fitness trackers available for sale these days.
+I would like to buy one, but do not want to share my personal data
+with strangers, nor be forced to have a mobile phone to get data out
+of the unit. I've received some ideas, and would like to share them
+with you.
+
+One interesting data point was a pointer to a Free Software app for
+Android named
+<a href="https://github.com/Freeyourgadget/Gadgetbridge/">Gadgetbridge</a>.
+It provide cloudless collection and storing of data from a variety of
+trackers. Its
+<a href="https://github.com/Freeyourgadget/Gadgetbridge/#supported-devices">list
+of supported devices</a> is a good indicator for units where the
+protocol is fairly open, as it is obviously being handled by Free
+Software. Other units are reportedly encrypting the collected
+information with their own public key, making sure only the vendor
+cloud service is able to extract data from the unit. The people
+contacting me about Gadgetbirde said they were using
+<a href="https://us.amazfit.com/shop/bip?variant=336750">Amazfit
+Bip</a> and
+<a href="http://www.xiaomimi6phone.com/xiaomi-mi-band-3-features-release-date-rumors/">Xiaomi
+Band 3</a>.</p>
+
+<p>I also got a suggestion to look at some of the units from Garmin.
+I was told their GPS watches can be connected via USB and show up as a
+USB storage device with
+<a href="https://www.gpsbabel.org/htmldoc-development/fmt_garmin_fit.html">Garmin
+FIT files</a> containing the collected measurements. While
+proprietary, FIT files apparently can be read at least by
+<a href="https://www.gpsbabel.org">GPSBabel</a> and the
+<a href="https://apps.nextcloud.com/apps/gpxpod">GpxPod</a> Nextcloud
+app. It is unclear to me if they can read step count and heart rate
+data. The person I talked to was using a
+<a href="https://buy.garmin.com/en-US/US/p/564291">Garmin Forerunner
+935</a>, which is a fairly expensive unit. I doubt it is worth it for
+a unit where the vendor clearly is trying its best to move from open
+to closed systems. I still remember when Garmin dropped NMEA support
+in its GPSes.</p>
+
+<p>A final idea was to build ones own unit, perhaps by basing it on a
+wearable hardware platforms like
+<a href="https://learn.adafruit.com/flora-geo-watch">the Flora Geo
+Watch</a>. Sound like fun, but I had more money than time to spend on
+the topic, so I suspect it will have to wait for another time.</p>
+
+<p>While I was working on tracking down links, I came across an
+inspiring TED talk by Dave Debronkart about
+<a href="https://archive.org/details/DavedeBronkart_2010X">being a
+e-patient</a>, and discovered the web site
+<a href="https://participatorymedicine.org/epatients/">Participatory
+Medicine</a>. If you too want to track your own health and fitness
+without having information about your private life floating around on
+computers owned by others, I recommend checking it out.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
projects / homepage.git / blobdiff