Support RFC3161 trusted timestamps
Issue #480
resolved
In germany it is sometimes nessecary to use external signed timestamps. See RFC3161. It would be very nice to have such a freature.
The german term for that is "Revisionssichere Archivierung". Don't know how to translate that... See also https://www.pki.dfn.de/faqpki/faq-zeitstempel/ (attention: german!)
Comments (10)
-
repo owner
-
For testing purposes i think you can use
- http://zeitstempel.dfn.de/
- http://time.certum.pl/
For production use there are commercial timestamp-providers out there. There you have to pay for every timestamp, as far as i can remember the costs are about 0.20€ per stamp. So i think it would be good to have a configuation for the timestamps where you configure
- Server Address
- Login Credentials (optional)
- How to stamp: every <n> hours or every <m> mails
Code examples
-
repo owner
Thanks for the exhausting user story, I'll see what I can do about it.
-
repo owner
I started to work on the feature. I think I'll concatenate the values of the message hashes from a bunch of messages, then do the timestamping, and store the result in a new table. However I'm not sure about the verification.
Let's say a user clicks on a message, and the gui compares the checksums in the metadata table, the message is good, and he can see the green tick. But you can't be 100% sure that the message is unaltered unless you go and check the rfc3161 timestamp stored for the message group (the given message is in) as well. But obviously you can't just ask for a rfc3161 verification each time you check a message, can you?
How to resolve this problem?
-
repo owner
I managed to figure out that the public key of the TSA is for the verification, so I may create a cache of verified values to speed up things. Stay tuned.
-
repo owner
I think it's ready to test. See http://www.mail-archive.com/piler-user@list.acts.hu/msg00785.html for more details on how to enable it. Your comments are welcome.
-
repo owner
- changed status to resolved
-
Thank you very much :-) Currently i'm in the process of testing. How do i get the public key of the TSA? Or do i need the certificate?
-
repo owner
Well, you have to consult with the TSA about how to get their certificate (or public key).
-
Repository of Timestamp Public Key Certificates
https://www.digistamp.com/support/repository-of-timestamp-public-key-certificates/?q=1
- Log in to comment
Google translate had a hard time returning a translation that made sense. Anyway are you aware of any timestamp provider I can use for testing? And do you have any expectations on how it should work?
I mean getting a timestamp for every incoming email is probably not a good idea. After some quick thoughts I'd run an external script in every hour to concenate message hash values for the messages in the given hour, then store the response in another table, one timestamp per hour.
Then the verification should check the timestamp for the given hour where the message was archived + hash values for the given messages. The first may require a select for all message hash values from the database.