On Sunday, 12 June 2011, 15:23:19, MFPA wrote:

> Some people labour under the misapprehension that the signature time
> is significant and has potential legal implications.

Why should that be a misapprehension? For which law does that not have implications? There is no reason to assume that you are less bound by the timestamp than by the signature itself. The timestamp can be fake. So what? So can be the signed data. You don't have to have a look at what you are going to sign. You can sign the output of /dev/urandom. None of that makes your declaration of intent invalid. At least not in Germany.

The relevant perspective is that of a neutral third party. How does it look to them? You can claim that the signing system has been compromised and that the act of signing has been rigged. That may work. But a statement like "The key and the signing system are both valid. Just don't care about the timestamp." will not be successful. Take that legal risk if you like.

> Unless the emails are sent via some form of "trusted" timestamp
> service, signature timestamp means nothing.

Funny theory. Either you trust all or nothing. How should you draw the line in between?

> And even then, what gets
> verified is the time/date of sending and *not* the time/date of
> signing.

That is simply wrong. A signature refers to the supplied timestamp. That is usually the current time. Even if you fake that it would just by chance be the time of sending (but no one would expect it to be that). A signature is made at a certain moment. It does not matter at all when the signed data gets sent. The time of sending cannot change the signature. You would have to create a new signature at a time that happens to be nearly the time of sending.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users