Alex Pankratov wrote:
Does anyone know what's the state of affairs in this area ?
This is probably slightly off-topic, but I can't think of
a better place to ask about this sort of thing.

I have spent a couple of days looking around the Internet,
and things appear to be .. erm .. hectic and disorganized.

There is for example timestamp.verisign.com, but there is no documentation or description of it whatsoever. Even the website itself is broken. However it is used by Microsoft's code signing tool that embeds Verisign's timestamp into Authenticode signature of signed executable files.

There is also a way to timestamp signed PDFs, but the there appears to be nothing _trusted_ about available Trusted Timestamping Authorities. Just a bunch of random companies
that call themselves that way and provide no indication why
they should actually be *trusted*. No audit practicies, not even a simple description of their backend setup. The same goes for the companies providing timestamping services for arbitrary documents, either using online interfaces or a
downloadable software.

There are also Digital Poststamps, which is a very strange
version of a timestamping service, because their providers
insist on NOT releasing the actual timestamp to the customer and then charging for each timestamp verification request.

I guess my main confusion at the moment is why large CAs of Verisign's size not offering any standalone timestamping services.

Any thoughts or comments ?

I answer your question by two questions:

Trusted timestamping service is like a specialized form of non-repudiation service. You may wonder if there is any fielded usage of genuine non-repudiation service, i.e. extending to an arbitration function that would support evidence management in some litigation forum. Fraud prevention in payment systems is not based on a genuine non-repudiation scheme. Are you aware of the current state of genuine non-repudiation service?

Another approach to your question is that timestamping service has to be sold before being fielded and used. Who is(are) the real beneficiary(ies) in a trusted timestamping service, and how do you sell the service to them so that it makes economic sense?

Regards,

- Thierry Moreau
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to