Did you ever need to store logs or other files in a way that would
-allow it to be used as evidence in court, and needed a way to
-demonstrate without reasonable doubt that the file had not been
-changed since it was created? Or, did you ever need to document that
-a given document was received at some point in time, like some
-archived document or the answer to an exam, and not changed after it
-was received? The problem in these settings is to remove the need to
-trust yourself and your computers, while still being able to prove
-that a file is the same as it was at some given time in the past.
-
-
A solution to these problems is to have a trusted third party
-"stamp" the document and verify that at some given time the document
-looked a given way. Such
-notarius service
-have been around for thousands of years, and its digital equivalent is
-called a
-trusted
-timestamping service. The Internet
-Engineering Task Force standardised how such service could work a
-few years ago as RFC
-3161. The mechanism is simple. Create a hash of the file in
-question, send it to a trusted third party which add a time stamp to
-the hash and sign the result with its private key, and send back the
-signed hash + timestamp. Both email, FTP and HTTP can be used to
-request such signature, depending on what is provided by the service
-used. Anyone with the document and the signature can then verify that
-the document matches the signature by creating their own hash and
-checking the signature using the trusted third party public key.
-There are several commercial services around providing such
-timestamping. A quick search for
-"rfc 3161
-service" pointed me to at least
-DigiStamp,
-Quo
-Vadis,
-Global Sign
-and Global
-Trust Finder. The system work as long as the private key of the
-trusted third party is not compromised.
-
-
But as far as I can tell, there are very few public trusted
-timestamp services available for everyone. I've been looking for one
-for a while now. But yesterday I found one over at
-Deutches
-Forschungsnetz mentioned in
-a
-blog by David Müller. I then found
-a
-good recipe on how to use the service over at the University of
-Greifswald.
-
-
The OpenSSL library contain
-both server and tools to use and set up your own signing service. See
-the ts(1SSL), tsget(1SSL) manual pages for more details. The
-following shell script demonstrate how to extract a signed timestamp
-for any file on the disk in a Debian environment:
-
-
-#!/bin/sh
-set -e
-url="http://zeitstempel.dfn.de"
-caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt"
-reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
-resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
-cafile=chain.txt
-if [ ! -f $cafile ] ; then
- wget -O $cafile "$caurl"
-fi
-openssl ts -query -data "$1" -cert | tee "$reqfile" \
- | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile"
-openssl ts -reply -in "$resfile" -text 1>&2
-openssl ts -verify -data "$1" -in "$resfile" -CAfile "$cafile" 1>&2
-base64 < "$resfile"
-rm "$reqfile" "$resfile"
-
-
-
The argument to the script is the file to timestamp, and the output
-is a base64 encoded version of the signature to STDOUT and details
-about the signature to STDERR. Note that due to
-a bug
-in the tsget script, you might need to modify the included script
-and remove the last line. Or just write your own HTTP uploader using
-curl. :) Now you too can prove and verify that files have not been
-changed.
-
-
But the Internet need more public trusted timestamp services.
-Perhaps something for Uninett or
-my work place the University of Oslo
-to set up?
-
