Why should we set a timestamp when we do a codesigning?

If I set a timestamp with signing, what happens?
What if I don't set?

Is it essential? Why is it recommended?

Benjamin asked Dec 11 '10 15:12




2 Answers

Timestamping is used to specify time when the digital signature is made. This is needed to properly validate the signature.

If a signature timestamp is present, the application which validates (verifies) the signature will check whether the certificates involved in signature validation were valid at the moment of signing. If there's no timestamp for the signature, certificate validity is checked for the moment of signature validation, which is not always acceptable.

Example:
Certificate is valid from: 1st of January, 2008
Certificate is valid to: 31st of December, 2010
Signature is made on: 4th of July, 2009
Signature is verified on: 30th of April, 2012

With timestamp: the signature is OK (the signature was made during the certificate validity period).
Without timestamp: the signature is not valid (the certificate has expired by the moment of signature verification).

Timestamping should be used if the signature is supposed to be used (to prove the authenticity of the document author or data originator) in the long term, i.e. longer than one or several days.

Timestamping is not necessary when you, for example, send a short signed note to a colleague and this note is expected to be read and disposed of on the same day it was written. Of course, timestamping cannot be used when it's not supported by the signing technologies or when a timestamping authority is not available.

On the other hand, timestamping is a must when you create signed documents for wide distribution or for long-term storage and archiving purposes. Timestamping is also used when signing the executable modules of software applications.

Update: the timestamp is also signed with a certificate. This signature is also validated using the regular rules, which means that the certificate used to sign the timestamp must be valid at the moment of signature validation. In the above example, if the timestamping certificate expired on the 1st of April, 2012, then the timestamp will be reported as not valid and won't be counted during validation of the signature.

Eugene Mayevski 'Callback answered Sep 23 '22 12:09
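The validity-window logic from the answer above, including the update about the timestamping authority's own certificate, as an added worked example (not code from the answer or from any real verifier). It is a deliberately simplified model: a "certificate" is just a name and a validity window, the timestamp is a trusted date plus the TSA certificate, and chain building and revocation checks are out of scope; the TSA validity windows are constructed values, since the answer only gives the expiry date of the expired one.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: date
    not_after: date

    def valid_at(self, when: date) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class Timestamp:
    signed_at: date   # time attested by the timestamping authority (TSA)
    tsa_cert: Cert    # certificate the TSA used to sign the timestamp token


def verify_signature(signer_cert: Cert, ts: Optional[Timestamp],
                     verification_date: date) -> Tuple[bool, str]:
    """Decide at which moment the signer's certificate must be valid.

    With a usable timestamp, the signer certificate is checked at signing time.
    Without one (absent, or the TSA certificate itself is no longer valid at
    verification time, so the timestamp is ignored), it is checked at
    verification time, exactly as the answer describes.
    """
    if ts is not None and ts.tsa_cert.valid_at(verification_date):
        reference, source = ts.signed_at, "timestamp"
    else:
        reference, source = verification_date, "verification time"
    ok = signer_cert.valid_at(reference)
    verdict = "valid" if ok else "NOT valid"
    return ok, f"signer certificate {verdict} at {source} ({reference})"


# Dates from the answer's example; TSA windows are constructed for illustration.
SIGNER = Cert("signer", date(2008, 1, 1), date(2010, 12, 31))
TSA_OK = Cert("tsa-ok", date(2009, 1, 1), date(2014, 12, 31))
TSA_EXPIRED = Cert("tsa-expired", date(2009, 1, 1), date(2012, 4, 1))
SIGNED_ON = date(2009, 7, 4)
VERIFIED_ON = date(2012, 4, 30)

if __name__ == "__main__":
    print(verify_signature(SIGNER, Timestamp(SIGNED_ON, TSA_OK), VERIFIED_ON))
    print(verify_signature(SIGNER, None, VERIFIED_ON))
    print(verify_signature(SIGNER, Timestamp(SIGNED_ON, TSA_EXPIRED), VERIFIED_ON))
```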


If the signing certificate expires and there's no timestamp, there's no way to verify that the signature was made at a time when the certificate was valid, so previously signed code may just "stop working".

Timestamping involves a third party (usually your CA) attesting that you made the signature at a particular time. Regardless of when your certificate expires, somebody receiving the signed code can then verify that your certificate was valid at the time you signed it.

SimonJ answered Sep 21 '22 12:09