- <item>
- <title>Public Trusted Timestamping services for everyone</title>
- <link>http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html</guid>
- <pubDate>Tue, 25 Mar 2014 12:50:00 +0100</pubDate>
- <description><p>Did you ever need to store logs or other files in a way that would
-allow it to be used as evidence in court, and needed a way to
-demonstrate without reasonable doubt that the file had not been
-changed since it was created? Or, did you ever need to document that
-a given document was received at some point in time, like some
-archived document or the answer to an exam, and not changed after it
-was received? The problem in these settings is to remove the need to
-trust yourself and your computers, while still being able to prove
-that a file is the same as it was at some given time in the past.</p>
-
-<p>A solution to these problems is to have a trusted third party
-"stamp" the document and verify that at some given time the document
-looked a given way. Such
-<a href="https://en.wikipedia.org/wiki/Notarius">notarius</a> service
-have been around for thousands of years, and its digital equivalent is
-called a
-<a href="http://en.wikipedia.org/wiki/Trusted_timestamping">trusted
-timestamping service</a>. <a href="http://www.ietf.org/">The Internet
-Engineering Task Force</a> standardised how such service could work a
-few years ago as <a href="http://tools.ietf.org/html/rfc3161">RFC
-3161</a>. The mechanism is simple. Create a hash of the file in
-question, send it to a trusted third party which add a time stamp to
-the hash and sign the result with its private key, and send back the
-signed hash + timestamp. Both email, FTP and HTTP can be used to
-request such signature, depending on what is provided by the service
-used. Anyone with the document and the signature can then verify that
-the document matches the signature by creating their own hash and
-checking the signature using the trusted third party public key.
-There are several commercial services around providing such
-timestamping. A quick search for
-"<a href="https://duckduckgo.com/?q=rfc+3161+service">rfc 3161
-service</a>" pointed me to at least
-<a href="https://www.digistamp.com/technical/how-a-digital-time-stamp-works/">DigiStamp</a>,
-<a href="http://www.quovadisglobal.co.uk/CertificateServices/SigningServices/TimeStamp.aspx">Quo
-Vadis</a>,
-<a href="https://www.globalsign.com/timestamp-service/">Global Sign</a>
-and <a href="http://www.globaltrustfinder.com/TSADefault.aspx">Global
-Trust Finder</a>. The system work as long as the private key of the
-trusted third party is not compromised.</p>
-
-<p>But as far as I can tell, there are very few public trusted
-timestamp services available for everyone. I've been looking for one
-for a while now. But yesterday I found one over at
-<a href="https://www.pki.dfn.de/zeitstempeldienst/">Deutches
-Forschungsnetz</a> mentioned in
-<a href="http://www.d-mueller.de/blog/dealing-with-trusted-timestamps-in-php-rfc-3161/">a
-blog by David Müller</a>. I then found
-<a href="http://www.rz.uni-greifswald.de/support/dfn-pki-zertifikate/zeitstempeldienst.html">a
-good recipe on how to use the service</a> over at the University of
-Greifswald.</p>
-
-<p><a href="http://www.openssl.org/">The OpenSSL library</a> contain
-both server and tools to use and set up your own signing service. See
-the ts(1SSL), tsget(1SSL) manual pages for more details. The
-following shell script demonstrate how to extract a signed timestamp
-for any file on the disk in a Debian environment:</p>
-
-<p><blockquote><pre>
-#!/bin/sh
-set -e
-url="http://zeitstempel.dfn.de"
-caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt"
-reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
-resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
-cafile=chain.txt
-if [ ! -f $cafile ] ; then
- wget -O $cafile "$caurl"
-fi
-openssl ts -query -data "$1" -cert | tee "$reqfile" \
- | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile"
-openssl ts -reply -in "$resfile" -text 1>&2
-openssl ts -verify -data "$1" -in "$resfile" -CAfile "$cafile" 1>&2
-base64 < "$resfile"
-rm "$reqfile" "$resfile"
-</pre></blockquote></p>
-
-<p>The argument to the script is the file to timestamp, and the output
-is a base64 encoded version of the signature to STDOUT and details
-about the signature to STDERR. Note that due to
-<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742553">a bug
-in the tsget script</a>, you might need to modify the included script
-and remove the last line. Or just write your own HTTP uploader using
-curl. :) Now you too can prove and verify that files have not been
-changed.</p>
-
-<p>But the Internet need more public trusted timestamp services.
-Perhaps something for <a href="http://www.uninett.no/">Uninett</a> or
-my work place the <a href="http://www.uio.no/">University of Oslo</a>
-to set up?</p>
-</description>
- </item>
-
projects / homepage.git / blobdiff