[FoRK] Does the web have a public timestamper?

Matt Jensen mattj at newsblip.com
Sun May 8 07:32:03 PDT 2005

Quoting Gordon Mohr <gojomofork at xavvy.com>:

> A Surety patent in the area appears to have been successfully
> challenged in 1999:
>   http://www.entrust.com/news/files/11_09_99_258.htm

It seems that challenge only defeated Surety's general claim to all forms of
digital timestamping. There are other claims in the patent which still stand;
the IETF TSP group noted this.

The most useful of these claims (IMHO) is the chaining of hashes from one
document to the next.  Every week, Surety publishes a cumulative hash in the
New York Times.  Each new document is signed by hashing the document, and
signing that hash combined with the current, global, cumulative hash.  This
ensures that nobody can backdate a faked document.  (I believe chained hashes
were in the literature before the patent application, too, but that's not what
Entrust challenged, apparently.)

I had long thought about implementing this technique in a user-friendly Web app,
where initial document hashing is done in client-side JavaScript. That would
protect customer data, yet not require a software download (as Surety does). 
It would make timestamping something anyone can use; timestamp photos of the
condition of something you take possession of (car, apartment, etc.), or your
interactions with Customer Service people, or your blog entries to prove you
don't rewrite them.  With user-friendly software, you could offer timestamping
for free and make your money with AdSense on your validation pages.

It's funny, because this was a back-burner project I was planning on working on
this morning.  But this thread led me to check the patent situation more
closely, and it seems to this layman that Surety's remaining patent claims are
too powerful.

-Matt Jensen

> Russell Turpin wrote:
> > Long ago, I thought some site -- maybe a
> > certificate source like Thawte? -- should
> > provide a provable timestamping service
> > over the web. The basic idea is that when
> > an application wants to timestamp some
> > item, such as an entry in QuickBooks or
> > an executed PDF or whatever, it would
> > (1) generate a signature of the item,
> > using SHA1 or the favorite hash function
> > du jour, (2) then post a request to the
> > timestamp site with the signature,
> > (3) in the hope of receiving (a) a global
> > timestamp and (b) a validation signature
> > of the timestamp and item signature.
> >
> > The website also would maintain a
> > globally accessible log, by time, of what
> > validation signatures it had generated.
> > These provide independent proof if
> > ever needed that the item was indeed
> > timestamped -- and hence, existed --
> > when claimed.
> >
> > It seems to me that this would be useful
> > for a broad range of applications, from
> > bookkeepping to facility monitoring. I
> > can imagine all sorts of reasons for wanting
> > a verified timestamp, from the legal to
> > the mundane. Is anyone doing this?
> >
> >
> > _______________________________________________
> > FoRK mailing list
> > http://xent.com/mailman/listinfo/fork
> >
> _______________________________________________
> FoRK mailing list
> http://xent.com/mailman/listinfo/fork

More information about the FoRK mailing list