RE: [dss] Timestamping

[Robert Zuccherato <robert.zuccherato@entrust.com>]

Dimitri;

However, from the linking information one can only verify that the token was
issued in a certain period relative to other tokens that have been issued.
In order to authenticate the time value a signature over that value (or over
the aggregated values) will have to be verified.  Thus, for our purposes,
the linking protocols do not seem to provide any advantages over traditional
methods.

Could you please post the relevant IPR for the linking protocols to this
list?  Most of us do not have access to the current draft of the ISO/IEC
18014-3 document.

	Robert.

> -----Original Message-----
> From: Dimitri Andivahis [mailto:dimitri@surety.com]
> Sent: Friday, March 21, 2003 7:16 PM
> To: dss@lists.oasis-open.org
> Subject: RE: [dss] Timestamping
> 
> 
> Robert,
> 
> > -----Original Message-----
> > From: Robert Zuccherato [mailto:robert.zuccherato@entrust.com]
> > Sent: Friday, March 21, 2003 10:45 AM
> > To: dss@lists.oasis-open.org
> > Subject: RE: [dss] Timestamping
> > 
> > 
> > Dimitri;
> > 
> > It is true that both ISO/IEC 18014 and ANSI X9.95 include 
> the linking
> > methods of timestamping.  However, the scope of these 
> efforts is broader
> > than ours, which is to "support the processing of digital 
> > signatures" and to
> > prove "that a signature was created within its key validity period".
> > 
> > The linking methods, by themselves will only tell a relying 
> party that a
> > timestamp was issued in the time between the issuance of two other
> > timestamps.  By linking all timestamps together like this, 
> > confidence can be
> > obtained in the authenticity of the timestamps.  This is a useful 
> > service in
> > some environments.  However, when a relying party needs to know 
> > the absolute
> > time that a signature was applied it doesn't directly help. 
>  In order to
> > obtain that additional information a signature a time value must 
> > usually be
> > included in the token.  Thus, the linking protocols provide, to my
> > knowledge, little additional value to the hash and sign methods.
> > 
> 
> The linked timestamp token as defined at ISO and X9 contains 
> the absolute 
> time value, and can be used to pinpoint the time a signature 
> was applied.  The requirements for a trusted time source are 
> common to 
> all TSAs, regardless of the method of timestamping they practice.
> 
> According to ISO/IEC 18014-3, a TSA responding to a timestamp request:
> - creates the time info object including the usual data (the 
> submitted hash, 
>   time value, policy ID, serial number and so on), 
> - generates new hashes over a canonical form of this time info object,
> - links these hashes with the repository of linked values and inserts 
>   a new resulting linked value in this repository,
> - packages all linking information (==hashes) necessary for 
> verification
>   into a BindingInfo object,
> - encapsulates the time info object and the BindingInfo object
>   into a timestamp token.
> 
> As a result, the BindingInfo crypto-binding covers all data 
> in the time info
> object, including the time value.  I omitted the aggregation step for 
> simplicity.  The integrity of the repository of linked values
> is ensured by requiring that the TSA publishes in a timely 
> fashion values 
> derived from it.
> 
> Verification of the timestamp token requires carrying out 
> a verification protocol with the TSA.  The other methods also 
> have a requirement that you contact a TTP when you verify 
> a timestamp token (CRL checks/OCSP responses, MAC TSAs).
> 
> Linking methods are significantly different from the methods 
> using digital signatures or MACs: they don't depend on secret keys,
> they only depend on the reliability of one-way collision-free
> hash functions.  Past TSA operations can be verified algorithmically 
> at any time using the linked data in the repository, and key 
> management 
> issues affecting the lifecycle of timestamp tokens are removed.  
> Overall, I think linking methods are better suited for long-lived 
> timestamping.  For these reasons, I believe linking methods 
> should be considered for the timestamping protocols in this TC. 
> 
> > I believe that there are also IPR issues associated with the 
> > linking methods
> > of timestamping.  I would encourage all TC members to familiarize 
> > themselves
> > with the OASIS IPR policy
> > (http://www.oasis-open.org/who/intellectualproperty.shtml) 
> and make sure
> > that they are in compliance.
> > 
> > 	Robert.
> > 
> > > [...]
> 
> Just a note, even though I haven't submitted any input 
> document myself:
> the patent holders that were listed in 18014-3 have submitted letters 
> to ISO offering reasonable-non-discriminating-worldwide 
> licensing terms.
> I believe they would do the same for OASIS.
> 
> Dimitri
>