PGP Timestamping service. Question
d***@gmail.com
2008-05-13 08:19:50 UTC
Hi guys,
I found the stamper from http://www.itconsult.co.uk/stamper.htm to be
very useful, BUT! What happened with the certificate of this service?
Seems like it's incorrect: it's not self-signed. It's impossible to
use this service anymore without dirty tricks like
"allow-non-selfsigned-uid" for gpg. Does anyone know any good (and free!) service
like this which can provide proof of posting in clearsign way? Or (who
knows?) if Matthew reads this group - maybe you can update the
certificate with a new one, correctly signed.

Best regards,
Dmitry
Matthew Richardson
2008-05-18 07:59:53 UTC
-----BEGIN PGP SIGNED MESSAGE-----

In article <052ee810-b266-4c28-bfef-
Post by d***@gmail.com
Hi guys,
I found the stamper from http://www.itconsult.co.uk/stamper.htm to be
very useful, BUT! What happened with the certificate of this service?
Seems like it's incorrect: it's not self-signed. It's impossible to
use this service anymore without dirty tricks like
"allow-non-selfsigned-uid" for gpg. Does anyone know any good (and free!) service
like this which can provide proof of posting in clearsign way? Or (who
knows?) if Matthew reads this group - maybe you can update the
certificate with a new one, correctly signed.
Best regards,
Dmitry
I believe that we have subsequently corresponded by email on this
matter and that you concluded that it does work. The key is signed
by myself.

The reason for its not being self-signed goes back to 1995 when the
service was created. At that point, my policy was to ensure that the
key did not sign anything for which a "Stamper Id" number was not
created. In those days, a signature from another trusted key was
considered more than sufficient.

Given the more recent versions of software like gnupg, this design
decision is not currently ideal. I may consider self-signing the key
if it causes undue difficulties. My current view is that the current
situation is workable, but would welcome views from others.

Best wishes,
Matthew
David W. Hodgins
2008-05-18 08:22:00 UTC
Post by Matthew Richardson
Given the more recent versions of software like gnupg, this design
decision is not currently ideal. I may consider self-signing the key
if it causes undue difficulties. My current view is that the current
situation is workable, but would welcome views from others.
I agree with dvasunin, that the key should be self signed. If I remember
correctly, the requirement that keys be self signed was added, to avoid
a potential security bug. Take a look at section 5 of
http://www.iusmentis.com/technology/remailers/selfsign.html

It would probably have taken less time to sign the key, and upload the new
version to a public key server, than it took to write the above.
Why not go ahead and do it, assuming you remember the passphrase :)?

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
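
The condition discussed in this thread, a user ID certified by another key but not by its own primary key, can be checked mechanically. As an added example that is not part of any post above, this Python check reads GnuPG's colon-delimited signature listing (`--with-colons`) and reports user IDs that have no self-certification; the sample listing, key IDs and names are constructed for illustration.

```python
# Constructed sample in the colon-delimited style of `gpg --list-sigs --with-colons`.
# Key AAAA...: user ID certified only by another key (no self-signature).
# Key BBBB...: user ID carrying a normal self-signature (class 0x13).
SAMPLE = """\
pub:-:1024:1:AAAAAAAAAAAAAAAA:1995-01-01:::-:::scSC:
uid:-::::1995-01-01::HASH1::Example Stamper <stamper@example.invalid>:
sig:::1:BBBBBBBBBBBBBBBB:1995-01-02::::Example Owner <owner@example.invalid>:10x:
pub:-:2048:1:BBBBBBBBBBBBBBBB:2000-01-01:::-:::scSC:
uid:-::::2000-01-01::HASH2::Example Owner <owner@example.invalid>:
sig:::1:BBBBBBBBBBBBBBBB:2000-01-01::::Example Owner <owner@example.invalid>:13x:
"""


def is_certification(sig_class):
    """True for OpenPGP certification signature classes 0x10 through 0x13."""
    try:
        return 0x10 <= int(sig_class[:2], 16) <= 0x13
    except ValueError:
        return False


def uids_without_self_signature(listing):
    """Return (primary_key_id, user_id) pairs that lack a self-certification."""
    uids = []                      # entries: [primary_key_id, user_id, has_self_sig]
    key_id, in_uid = None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):             # new primary key: field 5 is its key ID
            key_id, in_uid = f[4], False
        elif f[0] == "uid" and len(f) > 9:     # field 10 is the user ID string
            uids.append([key_id, f[9], False])
            in_uid = True
        elif f[0] in ("sub", "ssb"):           # signatures after this bind a subkey
            in_uid = False
        elif f[0] == "sig" and in_uid and len(f) > 10:
            # Self-signature: issued by the primary key itself, certification class.
            if f[4] == key_id and is_certification(f[10]):
                uids[-1][2] = True
    return [(k, u) for k, u, ok in uids if not ok]


if __name__ == "__main__":
    for key, uid in uids_without_self_signature(SAMPLE):
        print(f"{key}: no self-signature on {uid!r}")
```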