Support RFC3161 trusted timestamps

Issue #480 resolved
Former user created an issue

In germany it is sometimes nessecary to use external signed timestamps. See RFC3161. It would be very nice to have such a freature.

The german term for that is "Revisionssichere Archivierung". Don't know how to translate that... See also (attention: german!)

Comments (10)

  1. Janos SUTO repo owner

    Google translate had a hard time returning a translation that made sense. Anyway are you aware of any timestamp provider I can use for testing? And do you have any expectations on how it should work?

    I mean getting a timestamp for every incoming email is probably not a good idea. After some quick thoughts I'd run an external script in every hour to concenate message hash values for the messages in the given hour, then store the response in another table, one timestamp per hour.

    Then the verification should check the timestamp for the given hour where the message was archived + hash values for the given messages. The first may require a select for all message hash values from the database.

  2. thooge

    For testing purposes i think you can use


    For production use there are commercial timestamp-providers out there. There you have to pay for every timestamp, as far as i can remember the costs are about 0.20€ per stamp. So i think it would be good to have a configuation for the timestamps where you configure

    • Server Address
    • Login Credentials (optional)
    • How to stamp: every <n> hours or every <m> mails

    Code examples

  3. Janos SUTO repo owner

    I started to work on the feature. I think I'll concatenate the values of the message hashes from a bunch of messages, then do the timestamping, and store the result in a new table. However I'm not sure about the verification.

    Let's say a user clicks on a message, and the gui compares the checksums in the metadata table, the message is good, and he can see the green tick. But you can't be 100% sure that the message is unaltered unless you go and check the rfc3161 timestamp stored for the message group (the given message is in) as well. But obviously you can't just ask for a rfc3161 verification each time you check a message, can you?

    How to resolve this problem?

  4. Janos SUTO repo owner

    I managed to figure out that the public key of the TSA is for the verification, so I may create a cache of verified values to speed up things. Stay tuned.

  5. thooge

    Thank you very much :-) Currently i'm in the process of testing. How do i get the public key of the TSA? Or do i need the certificate?

  6. Janos SUTO repo owner

    Well, you have to consult with the TSA about how to get their certificate (or public key).

  7. Log in to comment