On Monday, 13 June 2011, 22:07:07, MFPA wrote:
> Because the signature time means nothing, unless there is
> corroboration. It is trivial to alter a system clock (or to use
> software to pass a different time to an app).

By that standard: What does a signature mean at all? As a parallel discussion on this list shows, it does not even guarantee that the signer had access to the signed data.

You should tell apart who has to prove something. Your argument is valid if the signer has to prove that he has made the signature at (or before or after) a certain date and time. His own signature is no proof in that case as he can easily fake the timestamp. If a third party has to prove that and when the signer has signed a document then the signature timestamp is perfectly OK.

The rest of my former mail was probably a misunderstanding. I thought you were talking about local signatures but your reply shows that you meant additional signatures by a timestamp server.

> > Funny theory. Either you trust all or nothing. How
> > should you draw the line in between?
>
> Look at the various independent timestamping services available and
> make up your own mind whether any of them may be relied upon.
>
> >> And even then, what gets verified is the time/date of
> >> sending and *not* the time/date of signing.
> >
> > That is simply wrong.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users