1 <!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Strict//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns=
"http://www.w3.org/1999/xhtml" dir=
"ltr">
5 <meta http-equiv=
"Content-Type" content=
"text/html;charset=utf-8" />
6 <title>Petter Reinholdtsen: Public Trusted Timestamping services for everyone
</title>
7 <link rel=
"stylesheet" type=
"text/css" media=
"screen" href=
"http://people.skolelinux.org/pere/blog/style.css" />
8 <link rel=
"stylesheet" type=
"text/css" media=
"screen" href=
"http://people.skolelinux.org/pere/blog/vim.css" />
15 <a href=
"http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen
</a>
23 <div class=
"title">Public Trusted Timestamping services for everyone
</div>
24 <div class=
"date">25th March
2014</div>
25 <div class=
"body"><p>Did you ever need to store logs or other files in a way that would
26 allow it to be used as evidence in court, and needed a way to
27 demonstrate without reasonable doubt that the file had not been
28 changed since it was created? Or, did you ever need to document that
29 a given document was received at some point in time, like some
30 archived document or the answer to an exam, and not changed after it
31 was received? The problem in these settings is to remove the need to
32 trust yourself and your computers, while still being able to prove
33 that a file is the same as it was at some given time in the past.
</p>
35 <p>A solution to these problems is to have a trusted third party
36 "stamp" the document and verify that at some given time the document
37 looked a given way. Such
38 <a href=
"https://en.wikipedia.org/wiki/Notarius">notarius
</a> service
39 have been around for thousands of years, and its digital equivalent is
41 <a href=
"http://en.wikipedia.org/wiki/Trusted_timestamping">trusted
42 timestamping service
</a>.
<a href=
"http://www.ietf.org/">The Internet
43 Engineering Task Force
</a> standardised how such service could work a
44 few years ago as
<a href=
"http://tools.ietf.org/html/rfc3161">RFC
45 3161</a>. The mechanism is simple. Create a hash of the file in
46 question, send it to a trusted third party which add a time stamp to
47 the hash and sign the result with its private key, and send back the
48 signed hash + timestamp. Both email, FTP and HTTP can be used to
49 request such signature, depending on what is provided by the service
50 used. Anyone with the document and the signature can then verify that
51 the document matches the signature by creating their own hash and
52 checking the signature using the trusted third party public key.
53 There are several commercial services around providing such
54 timestamping. A quick search for
55 "
<a href=
"https://duckduckgo.com/?q=rfc+3161+service">rfc
3161
56 service
</a>" pointed me to at least
57 <a href="https://www.digistamp.com/technical/how-a-digital-time-stamp-works/
">DigiStamp</a>,
58 <a href="http://www.quovadisglobal.co.uk/CertificateServices/SigningServices/TimeStamp.aspx
">Quo
60 <a href="https://www.globalsign.com/timestamp-service/
">Global Sign</a>
61 and <a href="http://www.globaltrustfinder.com/TSADefault.aspx
">Global
62 Trust Finder</a>. The system work as long as the private key of the
63 trusted third party is not compromised.</p>
65 <p>But as far as I can tell, there are very few public trusted
66 timestamp services available for everyone. I've been looking for one
67 for a while now. But yesterday I found one over at
68 <a href="https://www.pki.dfn.de/zeitstempeldienst/
">Deutches
69 Forschungsnetz</a> mentioned in
70 <a href="http://www.d-mueller.de/blog/dealing-with-trusted-timestamps-in-php-rfc-
3161/
">a
71 blog by David Müller</a>. I then found
72 <a href="http://www.rz.uni-greifswald.de/support/dfn-pki-zertifikate/zeitstempeldienst.html
">a
73 good recipe on how to use the service</a> over at the University of
76 <p><a href="http://www.openssl.org/
">The OpenSSL library</a> contain
77 both server and tools to use and set up your own signing service. See
78 the ts(1SSL), tsget(1SSL) manual pages for more details. The
79 following shell script demonstrate how to extract a signed timestamp
80 for any file on the disk in a Debian environment:</p>
85 url="http://zeitstempel.dfn.de"
86 caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt"
87 reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
88 resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
90 if [ ! -f $cafile ] ; then
91 wget -O $cafile "$caurl"
93 openssl ts -query -data "$
1" -cert | tee "$reqfile" \
94 | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile"
95 openssl ts -reply -in "$resfile" -text
1>&
2
96 openssl ts -verify -data "$
1" -in "$resfile" -CAfile "$cafile"
1>&
2
98 rm "$reqfile" "$resfile"
99 </pre></blockquote></p>
101 <p>The argument to the script is the file to timestamp, and the output
102 is a base64 encoded version of the signature to STDOUT and details
103 about the signature to STDERR. Note that due to
104 <a href=
"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742553">a bug
105 in the tsget script
</a>, you might need to modify the included script
106 and remove the last line. Or just write your own HTTP uploader using
107 curl. :) Now you too can prove and verify that files have not been
110 <p>But the Internet need more public trusted timestamp services.
111 Perhaps something for
<a href=
"http://www.uninett.no/">Uninett
</a> or
112 my work place the
<a href=
"http://www.uio.no/">University of Oslo
</a>
116 <div class=
"tags">Tags:
<a href=
"http://people.skolelinux.org/pere/blog/tags/english">english
</a>,
<a href=
"http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet
</a>.
</div>
134 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/01/">January (
2)
</a></li>
136 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/02/">February (
3)
</a></li>
138 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/03/">March (
8)
</a></li>
140 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/04/">April (
7)
</a></li>
142 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/05/">May (
1)
</a></li>
144 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/06/">June (
2)
</a></li>
146 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/07/">July (
2)
</a></li>
148 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/08/">August (
2)
</a></li>
150 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/09/">September (
5)
</a></li>
152 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/10/">October (
6)
</a></li>
154 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/11/">November (
3)
</a></li>
156 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2014/12/">December (
2)
</a></li>
163 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/01/">January (
11)
</a></li>
165 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/02/">February (
9)
</a></li>
167 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/03/">March (
9)
</a></li>
169 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/04/">April (
6)
</a></li>
171 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/05/">May (
9)
</a></li>
173 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/06/">June (
10)
</a></li>
175 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/07/">July (
7)
</a></li>
177 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/08/">August (
3)
</a></li>
179 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/09/">September (
5)
</a></li>
181 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/10/">October (
7)
</a></li>
183 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/11/">November (
9)
</a></li>
185 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2013/12/">December (
3)
</a></li>
192 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/01/">January (
7)
</a></li>
194 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/02/">February (
10)
</a></li>
196 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/03/">March (
17)
</a></li>
198 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/04/">April (
12)
</a></li>
200 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/05/">May (
12)
</a></li>
202 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/06/">June (
20)
</a></li>
204 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/07/">July (
17)
</a></li>
206 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/08/">August (
6)
</a></li>
208 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/09/">September (
9)
</a></li>
210 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/10/">October (
17)
</a></li>
212 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/11/">November (
10)
</a></li>
214 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2012/12/">December (
7)
</a></li>
221 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/01/">January (
16)
</a></li>
223 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/02/">February (
6)
</a></li>
225 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/03/">March (
6)
</a></li>
227 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/04/">April (
7)
</a></li>
229 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/05/">May (
3)
</a></li>
231 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/06/">June (
2)
</a></li>
233 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/07/">July (
7)
</a></li>
235 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/08/">August (
6)
</a></li>
237 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/09/">September (
4)
</a></li>
239 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/10/">October (
2)
</a></li>
241 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/11/">November (
3)
</a></li>
243 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2011/12/">December (
1)
</a></li>
250 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/01/">January (
2)
</a></li>
252 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/02/">February (
1)
</a></li>
254 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/03/">March (
3)
</a></li>
256 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/04/">April (
3)
</a></li>
258 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/05/">May (
9)
</a></li>
260 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/06/">June (
14)
</a></li>
262 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/07/">July (
12)
</a></li>
264 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/08/">August (
13)
</a></li>
266 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/09/">September (
7)
</a></li>
268 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/10/">October (
9)
</a></li>
270 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/11/">November (
13)
</a></li>
272 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2010/12/">December (
12)
</a></li>
279 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/01/">January (
8)
</a></li>
281 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/02/">February (
8)
</a></li>
283 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/03/">March (
12)
</a></li>
285 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/04/">April (
10)
</a></li>
287 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/05/">May (
9)
</a></li>
289 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/06/">June (
3)
</a></li>
291 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/07/">July (
4)
</a></li>
293 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/08/">August (
3)
</a></li>
295 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/09/">September (
1)
</a></li>
297 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/10/">October (
2)
</a></li>
299 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/11/">November (
3)
</a></li>
301 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2009/12/">December (
3)
</a></li>
308 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2008/11/">November (
5)
</a></li>
310 <li><a href=
"http://people.skolelinux.org/pere/blog/archive/2008/12/">December (
7)
</a></li>
321 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/3d-printer">3d-printer (
13)
</a></li>
323 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/amiga">amiga (
1)
</a></li>
325 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/aros">aros (
1)
</a></li>
327 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/bankid">bankid (
4)
</a></li>
329 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/bitcoin">bitcoin (
8)
</a></li>
331 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/bootsystem">bootsystem (
15)
</a></li>
333 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/bsa">bsa (
2)
</a></li>
335 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/chrpath">chrpath (
2)
</a></li>
337 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/debian">debian (
109)
</a></li>
339 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu (
151)
</a></li>
341 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/digistan">digistan (
10)
</a></li>
343 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/dld">dld (
15)
</a></li>
345 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/docbook">docbook (
12)
</a></li>
347 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/drivstoffpriser">drivstoffpriser (
4)
</a></li>
349 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/english">english (
263)
</a></li>
351 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (
21)
</a></li>
353 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/fildeling">fildeling (
12)
</a></li>
355 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/freeculture">freeculture (
14)
</a></li>
357 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/freedombox">freedombox (
9)
</a></li>
359 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/frikanalen">frikanalen (
11)
</a></li>
361 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/intervju">intervju (
41)
</a></li>
363 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/isenkram">isenkram (
10)
</a></li>
365 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/kart">kart (
19)
</a></li>
367 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/ldap">ldap (
9)
</a></li>
369 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/lenker">lenker (
8)
</a></li>
371 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/lsdvd">lsdvd (
2)
</a></li>
373 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/ltsp">ltsp (
1)
</a></li>
375 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/mesh network">mesh network (
8)
</a></li>
377 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/multimedia">multimedia (
32)
</a></li>
379 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/norsk">norsk (
251)
</a></li>
381 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/nuug">nuug (
164)
</a></li>
383 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/offentlig innsyn">offentlig innsyn (
11)
</a></li>
385 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/open311">open311 (
2)
</a></li>
387 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/opphavsrett">opphavsrett (
50)
</a></li>
389 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/personvern">personvern (
76)
</a></li>
391 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/raid">raid (
1)
</a></li>
393 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/reactos">reactos (
1)
</a></li>
395 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/reprap">reprap (
11)
</a></li>
397 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/rfid">rfid (
3)
</a></li>
399 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/robot">robot (
9)
</a></li>
401 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/rss">rss (
1)
</a></li>
403 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/ruter">ruter (
4)
</a></li>
405 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/scraperwiki">scraperwiki (
2)
</a></li>
407 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet (
41)
</a></li>
409 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/sitesummary">sitesummary (
4)
</a></li>
411 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/skepsis">skepsis (
4)
</a></li>
413 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/standard">standard (
46)
</a></li>
415 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/stavekontroll">stavekontroll (
3)
</a></li>
417 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/stortinget">stortinget (
9)
</a></li>
419 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/surveillance">surveillance (
27)
</a></li>
421 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/sysadmin">sysadmin (
2)
</a></li>
423 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/valg">valg (
8)
</a></li>
425 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/video">video (
46)
</a></li>
427 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (
4)
</a></li>
429 <li><a href=
"http://people.skolelinux.org/pere/blog/tags/web">web (
34)
</a></li>
435 <p style=
"text-align: right">
436 Created by
<a href=
"http://steve.org.uk/Software/chronicle">Chronicle v4.6
</a>
projects / homepage.git / blob