+ <div class="entry">
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html">Public Trusted Timestamping services for everyone</a></div>
+ <div class="date">25th March 2014</div>
+ <div class="body"><p>Did you ever need to store logs or other files in a way that would
+allow it to be used as evidence in court, and needed a way to
+demonstrate without reasonable doubt that the file had not been
+changed since it was created? Or, did you ever need to document that
+a given document was received at some point in time, like some
+archived document or the answer to an exam, and not changed after it
+was received? The problem in these settings is to remove the need to
+trust yourself and your computers, while still being able to prove
+that a file is the same as it was at some given time in the past.</p>
+
+<p>A solution to these problems is to have a trusted third party
+"stamp" the document and verify that at some given time the document
+looked a given way. Such
+<a href="https://en.wikipedia.org/wiki/Notarius">notarius</a> service
+have been around for thousands of years, and its digital equivalent is
+called a
+<a href="http://en.wikipedia.org/wiki/Trusted_timestamping">trusted
+timestamping service</a>. <a href="http://www.ietf.org/">The Internet
+Engineering Task Force</a> standardised how such service could work a
+few years ago as <a href="http://tools.ietf.org/html/rfc3161">RFC
+3161</a>. The mechanism is simple. Create a hash of the file in
+question, send it to a trusted third party which add a time stamp to
+the hash and sign the result with its private key, and send back the
+signed hash + timestamp. Anyone with the document and the signature
+can then verify that the document matches the signature by creating
+their own hash and checking the signature using the trusted third
+party public key. There are several commercial services around
+providing such timestamping. A quick search for
+"<a href="https://duckduckgo.com/?q=rfc+3161+service">rfc 3161
+service</a>" pointed me to at least
+<a href="https://www.digistamp.com/technical/how-a-digital-time-stamp-works/">DigiStamp</a>,
+<a href="http://www.quovadisglobal.co.uk/CertificateServices/SigningServices/TimeStamp.aspx">Quo
+Vadis</a>,
+<a href="https://www.globalsign.com/timestamp-service/">Global Sign</a>
+and <a href="http://www.globaltrustfinder.com/TSADefault.aspx">Global
+Trust Finder</a>. The system work as long as the private key of the
+trusted third party is not compromised.</p>
+
+<p>But as far as I can tell, there are very few public trusted
+timestamp services available for everyone. I've been looking for one
+for a while now. But yesterday I found one over at
+<a href="https://www.pki.dfn.de/zeitstempeldienst/">Deutches
+Forschungsnetz</a>mentioned in
+<a href="http://www.d-mueller.de/blog/dealing-with-trusted-timestamps-in-php-rfc-3161/">a
+blog by David Müller</a>. I then found a good recipe on how to use
+over at the
+<a href="http://www.rz.uni-greifswald.de/support/dfn-pki-zertifikate/zeitstempeldienst.html">University
+of Greifswald</a>. The OpenSSL library contain both server and tools
+to use and set up your own signing service. See the ts(1SSL),
+tsget(1SSL) manual pages for more details. The following shell script
+demonstrate how to extract a signed timestamp for any file on the disk
+in a Debian environment:
+
+<p><blockquote><pre>
+#!/bin/sh
+set -e
+url="http://zeitstempel.dfn.de"
+caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt"
+reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
+resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
+cafile=chain.txt
+if [ ! -f $cafile ] ; then
+ wget -O $cafile "$caurl"
+fi
+openssl ts -query -data "$1" -cert | tee "$reqfile" \
+ | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile"
+openssl ts -reply -in "$resfile" -text 1>&2
+openssl ts -verify -data "$1" -in "$resfile" -CAfile "$cafile" 1>&2
+base64 < "$resfile"
+rm "$reqfile" "$resfile"
+</pre></blockquote></p>
+
+<p>The argument to the script is the file to timestamp, and the output
+is a base64 encoded version of the signature to STDOUT and details
+about the signature to STDERR. Note that due to
+<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742553">a bug
+in the tsget script</a>, you might need to modify the included script
+and remove the last line. Or just write your own HTTP uploader using
+curl. :) Now you too can prove and verify that files have not been
+changed.</p>
+
+<p>But the Internet need more public trusted timestamp services.
+Perhaps something for <a href="http://www.uninett.no/">Uninett</a> or
+my work place the <a href="http://www.uio.no/">University of Oslo</a>
+to set up?</p>
+</div>
+ <div class="tags">
+
+
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
<div class="entry">
<div class="title"><a href="http://people.skolelinux.org/pere/blog/Video_DVD_reader_library___python_dvdvideo___nice_free_software.html">Video DVD reader library / python-dvdvideo - nice free software</a></div>
<div class="date">21st March 2014</div>
and program
<a href="http://bblank.thinkmo.de/blog/new-software-python-dvdvideo">python-dvdvideo</a>
written by Bastian Blank. It is
-<a href"http://packages.qa.debian.org/p/python-dvdvideo.html">in Debian
+<a href="http://packages.qa.debian.org/p/python-dvdvideo.html">in Debian
already</a> and the binary package name is python3-dvdvideo. Instead
of trying to read every block from the DVD, it parses the file
structure and figure out which block on the DVD is actually in used,
</div>
<div class="padding"></div>
- <div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/New_chrpath_release_0_16.html">New chrpath release 0.16</a></div>
- <div class="date">14th January 2014</div>
- <div class="body"><p><a href="http://www.coverity.com/">Coverity</a> is a nice tool to
-find problems in C, C++ and Java code using static source code
-analysis. It can detect a lot of different problems, and is very
-useful to find memory and locking bugs in the error handling part of
-the source. The company behind it provide
-<a href="https://scan.coverity.com/">check of free software projects as
-a community service</a>, and many hundred free software projects are
-already checked. A few days ago I decided to have a closer look at
-the Coverity system, and discovered that the
-<a href="http://www.gnu.org/software/gnash/">gnash</a> and
-<a href="http://sourceforge.net/projects/ipmitool/">ipmitool</a>
-projects I am involved with was already registered. But these are
-fairly big, and I would also like to have a small and easy project to
-check, and decided to <a href="http://scan.coverity.com/projects/1179">request
-checking of the chrpath project</a>. It was
-added to the checker and discovered seven potential defects. Six of
-these were real, mostly resource "leak" when the program detected an
-error. Nothing serious, as the resources would be released a fraction
-of a second later when the program exited because of the error, but it
-is nice to do it right in case the source of the program some time in
-the future end up in a library. Having fixed all defects and added
-<a href="https://lists.alioth.debian.org/mailman/listinfo/chrpath-devel">a
-mailing list for the chrpath developers</a>, I decided it was time to
-publish a new release. These are the release notes:</p>
-
-<p>New in 0.16 released 2014-01-14:</p>
-
-<ul>
-
- <li>Fixed all minor bugs discovered by Coverity.</li>
- <li>Updated config.sub and config.guess from the GNU project.</li>
- <li>Mention new project mailing list in the documentation.</li>
-
-</ul>
-
-<p>You can
-<a href="https://alioth.debian.org/frs/?group_id=31052">download the
-new version 0.16 from alioth</a>. Please let us know via the Alioth
-project if something is wrong with the new release. The test suite
-did not discover any old errors, so if you find a new one, please also
-include a test suite check.</p>
-</div>
- <div class="tags">
-
-
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/chrpath">chrpath</a>, <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>.
-
-
- </div>
- </div>
- <div class="padding"></div>
-
<p style="text-align: right;"><a href="index.rss"><img src="http://people.skolelinux.org/pere/blog/xml.gif" alt="RSS feed" width="36" height="14" /></a></p>
<div id="sidebar">
<li><a href="http://people.skolelinux.org/pere/blog/archive/2014/02/">February (3)</a></li>
-<li><a href="http://people.skolelinux.org/pere/blog/archive/2014/03/">March (5)</a></li>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2014/03/">March (6)</a></li>
</ul></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/drivstoffpriser">drivstoffpriser (4)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (239)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (240)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (21)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/scraperwiki">scraperwiki (2)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (35)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (36)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (4)</a></li>
projects / homepage.git / blobdiff