gnumed-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnumed-devel] GNotary

From: Sebastian Hilbert
Subject: Re: [Gnumed-devel] GNotary
Date: Sun, 28 Aug 2005 09:30:19 +0200
User-agent: KMail/1.8.2 
Hi Syan,

I admit I am no expert at all in this field. But fortunately GNotary is Open 
Source so I can discuss this with people who have a better understanding of 
this matter. If anyone comes up with a good solution I will be happy to 
implement it. 

On Sunday 28 August 2005 02:39, Syan Tan wrote:
> How does gnotary prevent the timestamps in signatures from being altered at
> a later time , or
The way I see it there is no way to keep the client from altering the 
timestamp of a signature client side. This concept only works if a third 
party like a court of law asks me if I agree with what the client presents.

> a stored signature of an original document be replaced with a different
> signature of a different document at some other time ,
The client could certainly do that but that would bring his version out of 
sync with what we store. So unless we collaborate with the client by 
replacing the signature stored on our server there is little benefit for the 
client in replacing the signature.
> and that altered 
> signature also being passed on to colluding client ?
Do I as a service provider represent any kind of organization that can 
implictely be trusted ? I guess not. But there are two things we do which 
make it hard for us to collaborate with the client.

We hash our logs and get them signed by other GNotary servers /and or notary 
providers. We plan to publish a hash of our logs in a German newspaper at 
certain intervals which gives us a hard to forge timstamp. And since we would 
use a newspaper which has to be store by German national Library forever 
(required by law) the hash will be around for some time.

Last but not least I will be happy to offer ready to roll GNotary servers to 
any organization that can be implicitely trusted. Be it a federal 
agency/department, a reprsentative medical organization or whoever you can 
think of.

After all. The whole concept is to prove that you did your best effort to keep 
your records straight. I guess that means a whole lot more to a court than 
showing up with no "proof" whatsoever.

Let me know if you spot any pitfals I might need to iron out.     
-- 
Sebastian Hilbert 
Leipzig / Germany
[www.openmed.org]  -> PGP welcome, HTML ->/dev/null
ICQ: 86 07 67 86   -> No files, no URL's
VoIP: callto://address@hidden
My OS: Suse Linux. Geek by Nature, Linux by Choice
reply via email to
[Prev in Thread] Current Thread [Next in Thread]