X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/17a7cc8c1a60f7341f92e0f757b83700189144a7..b279793fc3681f16b43cc7dba38f0d6f4e22d247:/blog/tags/english/index.html diff --git a/blog/tags/english/index.html b/blog/tags/english/index.html index 7c7b71dc9d..8e6c64df82 100644 --- a/blog/tags/english/index.html +++ b/blog/tags/english/index.html @@ -20,6 +20,178 @@

Entries tagged "english".

+
+
+ Release 0.1.1 of free software archive system Nikita announced +
+
+ 10th June 2017 +
+
+

I am very happy to report that the +Nikita Noark 5 +core project tagged its second release today. The free software +solution is an implementation of the Norwegian archive standard Noark +5 used by government offices in Norway. These were the changes in +version 0.1.1 since version 0.1.0 (from NEWS.md): + +

+ +

If this sound interesting to you, please contact us on IRC (#nikita +on irc.freenode.net) or email +(nikita-noark +mailing list).

+ +
+
+ + + Tags: english, nuug, offentlig innsyn, standard. + + +
+
+
+ +
+
+ Idea for storing trusted timestamps in a Noark 5 archive +
+
+ 7th June 2017 +
+
+

This is a copy of +an +email I posted to the nikita-noark mailing list. Please follow up +there if you would like to discuss this topic. The background is that +we are making a free software archive system based on the Norwegian +Noark +5 standard for government archives.

+ +

I've been wondering a bit lately how trusted timestamps could be +stored in Noark 5. +Trusted +timestamps can be used to verify that some information +(document/file/checksum/metadata) have not been changed since a +specific time in the past. This is useful to verify the integrity of +the documents in the archive.

+ +

Then it occured to me, perhaps the trusted timestamps could be +stored as dokument variants (ie dokumentobjekt referered to from +dokumentbeskrivelse) with the filename set to the hash it is +stamping?

+ +

Given a "dokumentbeskrivelse" with an associated "dokumentobjekt", +a new dokumentobjekt is associated with "dokumentbeskrivelse" with the +same attributes as the stamped dokumentobjekt except these +attributes:

+ + + +

This assume a service following +IETF RFC 3161 is +used, which specifiy the given MIME type for replies and the .tsr file +ending for the content of such trusted timestamp. As far as I can +tell from the Noark 5 specifications, it is OK to have several +variants/renderings of a dokument attached to a given +dokumentbeskrivelse objekt. It might be stretching it a bit to make +some of these variants represent crypto-signatures useful for +verifying the document integrity instead of representing the dokument +itself.

+ +

Using the source of the service in formatDetaljer allow several +timestamping services to be used. This is useful to spread the risk +of key compromise over several organisations. It would only be a +problem to trust the timestamps if all of the organisations are +compromised.

+ +

The following oneliner on Linux can be used to generate the tsr +file. $input is the path to the file to checksum, and $sha256 is the +SHA-256 checksum of the file (ie the ".tsr" value mentioned +above).

+ +

+openssl ts -query -data "$inputfile" -cert -sha256 -no_nonce \
+  | curl -s -H "Content-Type: application/timestamp-query" \
+      --data-binary "@-" http://zeitstempel.dfn.de > $sha256.tsr
+

+ +

To verify the timestamp, you first need to download the public key +of the trusted timestamp service, for example using this command:

+ +

+wget -O ca-cert.txt \
+  https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
+

+ +

Note, the public key should be stored alongside the timestamps in +the archive to make sure it is also available 100 years from now. It +is probably a good idea to standardise how and were to store such +public keys, to make it easier to find for those trying to verify +documents 100 or 1000 years from now. :)

+ +

The verification itself is a simple openssl command:

+ +

+openssl ts -verify -data $inputfile -in $sha256.tsr \
+  -CAfile ca-cert.txt -text
+

+ +

Is there any reason this approach would not work? Is it somehow against +the Noark 5 specification?

+ +
+
+ + + Tags: english, offentlig innsyn, standard. + + +
+
+
+
Free software archive system Nikita now able to store documents @@ -28160,7 +28332,7 @@ be the only one fitting our needs. :/

  • April (2)
  • -
  • June (1)
  • +
  • June (3)
  • @@ -28442,7 +28614,7 @@ be the only one fitting our needs. :/

  • drivstoffpriser (4)
  • -
  • english (346)
  • +
  • english (348)
  • fiksgatami (23)
  • @@ -28478,9 +28650,9 @@ be the only one fitting our needs. :/

  • norsk (290)
  • -
  • nuug (188)
  • +
  • nuug (189)
  • -
  • offentlig innsyn (31)
  • +
  • offentlig innsyn (33)
  • open311 (2)
  • @@ -28510,7 +28682,7 @@ be the only one fitting our needs. :/

  • skepsis (5)
  • -
  • standard (52)
  • +
  • standard (55)
  • stavekontroll (6)
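
Review bot: In the first hunk (@@ -20,6 +20,178 @@), the timestamp one-liner writes the output of `curl -s` straight into `$sha256.tsr` with no failure check, so an HTTP error page or an empty body would be archived as if it were a timestamp reply. Suggest adding `-f` to the curl call and running the `openssl ts -verify` step from the same entry before the file is stored. The surrounding text also calls the variable `$input` while both commands use `$inputfile`, the verify command leaves `$inputfile` and `$sha256.tsr` unquoted where the query command quotes the path, and the text says "public key" for what the wget command fetches as a certificate chain (`chain.txt`, passed as `-CAfile`); aligning these would make the instructions easier to follow.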
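
Review bot: In the last hunk (@@ -28510,7 +28682,7 @@), the "standard" count goes from 52 to 55, but the first hunk adds only two entries tagged "standard". The other counters match two new entries (June 1 to 3, "english" 346 to 348, "offentlig innsyn" 31 to 33, and "nuug" 188 to 189 for the one entry carrying that tag). Worth checking whether the third "standard" entry comes from outside this page or the counter is off.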