
vjaswal | 3 years ago

As another commenter noted, there's a general internet standard defined already for cryptographically timestamping and signing digital artifacts, like JARs, PDFs, dotNet assemblies, and many others.

https://datatracker.ietf.org/doc/html/rfc3161

Many large certificate issuing orgs run timestamping authority servers. Tools like Java jarsigner, Adobe Acrobat, and many other tools are designed to work with them. Search for "rfc3161".

layer8|3 years ago

I’d like to add that one should be aware that such timestamps are only valid until the TSA certificate expires (or is revoked). To prolong the validity, you need to add another timestamp on top, using a newer certificate, to prove that the first timestamp was created before its certificate expired/was revoked. This is a recursive process. If the TSA renews its certificate every N years, it makes sense to accordingly re-timestamp every N years to keep the original timestamp valid. To guard against the case of an untimely revocation, you may want to timestamp with multiple TSAs each time.

smileybarry|3 years ago

That's not really the case -- at least on Windows, timestamp signatures persist past the timestamping certificate's validity, it's their whole point. I just looked for something signed on my PC to find that Office 2019 installations were signed & timestamped on 2019-12-01 by Microsoft with both certs (code-signing and timestamping) valid 2019-2020. The signature & timestamp remain valid.

huhtenberg|3 years ago

> I’d like to add that one should be aware that such timestamps are only valid until the TSA certificate expires (or is revoked).

This is simply not true.

More precisely, it depends on the definition of "valid", but conventionally the death of a notary doesn't invalidate their notarizations.
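Added example, not written by any commenter and not taken from RFC 3161: a simplified Python model of the two notions of "valid" argued in this thread, checking the TSA certificate only at the moment the token was issued versus requiring an unbroken chain of re-timestamps up to the present. All class names, function names and dates are constructed for illustration, and the model leaves out signature and certificate-chain verification.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Timestamp:
    gen_time: date                          # time asserted in the TSA token
    cert_not_before: date                   # TSA certificate validity window
    cert_not_after: date
    cert_revoked_on: Optional[date] = None  # None means never revoked

def cert_good_at(ts: Timestamp, when: date) -> bool:
    """TSA certificate inside its validity window and not yet revoked at `when`."""
    if not (ts.cert_not_before <= when <= ts.cert_not_after):
        return False
    return ts.cert_revoked_on is None or when < ts.cert_revoked_on

def valid_at_issuance(ts: Timestamp) -> bool:
    """Notion A: the certificate only has to be good when the token was issued."""
    return cert_good_at(ts, ts.gen_time)

def valid_with_renewal(chain: List[Timestamp], now: date) -> bool:
    """Notion B: chain is oldest first; each token must be covered by the next
    one while its own certificate was still good, and the newest must be good now."""
    if not chain or not all(valid_at_issuance(t) for t in chain):
        return False
    for older, newer in zip(chain, chain[1:]):
        if newer.gen_time < older.gen_time or not cert_good_at(older, newer.gen_time):
            return False
    return cert_good_at(chain[-1], now)

# Constructed sample data (not taken from any real certificate).
NOW = date(2022, 6, 6)
TS1 = Timestamp(date(2019, 12, 1), date(2019, 1, 1), date(2020, 12, 31))
TS2 = Timestamp(date(2020, 11, 1), date(2020, 6, 1), date(2023, 6, 1))
TS2_LATE = Timestamp(date(2021, 2, 1), date(2020, 6, 1), date(2023, 6, 1))

if __name__ == "__main__":
    print("A, single token:     ", valid_at_issuance(TS1))
    print("B, single token:     ", valid_with_renewal([TS1], NOW))
    print("B, renewed in time:  ", valid_with_renewal([TS1, TS2], NOW))
    print("B, renewed too late: ", valid_with_renewal([TS1, TS2_LATE], NOW))
```

The same single token passes under notion A and fails under notion B once its TSA certificate has expired, which is the gap between the two positions above.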