Alex Pankratov wrote:
Does anyone know what's the state of affairs in this area ?
This is probably slightly off-topic, but I can't think of
a better place to ask about this sort of thing.
I have spent a couple of days looking around the Internet,
and things appear to be .. erm .. hectic and disorganized.
There is for example timestamp.verisign.com, but there is
no documentation or description of it whatsoever. Even the
website itself is broken. However it is used by Microsoft's
code signing tool that embeds Verisign's timestamp into
Authenticode signature of signed executable files.
There is also a way to timestamp signed PDFs, but the there
appears to be nothing _trusted_ about available Trusted
Timestamping Authorities. Just a bunch of random companies
that call themselves that way and provide no indication why
they should actually be *trusted*. No audit practicies, not
even a simple description of their backend setup. The same
goes for the companies providing timestamping services for
arbitrary documents, either using online interfaces or a
downloadable software.
There are also Digital Poststamps, which is a very strange
version of a timestamping service, because their providers
insist on NOT releasing the actual timestamp to the customer
and then charging for each timestamp verification request.
I guess my main confusion at the moment is why large CAs of
Verisign's size not offering any standalone timestamping
services.
Any thoughts or comments ?
I answer your question by two questions:
Trusted timestamping service is like a specialized form of
non-repudiation service. You may wonder if there is any fielded usage of
genuine non-repudiation service, i.e. extending to an arbitration
function that would support evidence management in some litigation
forum. Fraud prevention in payment systems is not based on a genuine
non-repudiation scheme. Are you aware of the current state of genuine
non-repudiation service?
Another approach to your question is that timestamping service has to be
sold before being fielded and used. Who is(are) the real
beneficiary(ies) in a trusted timestamping service, and how do you sell
the service to them so that it makes economic sense?
Regards,
- Thierry Moreau
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
