I have a wicked question for support. In order to sign PDF documents. I asked in May 2020 but I did not get any answer.
I do need a TSA (Time Stamp authority) server. In my case I would need to sign pdf documents using internal certificates. Therefore I would like to set up my own TSA. I found some code based on http and openssl:
Obviously, Nethserver brings in everything I need. By chance, maybe @stephdl, can somebody help me to set up such a TSA server on top of my Nethserver installation?
Well, you attempt to go directly to the solution, but I am not sure you started by the question. First I thought we could try by how to sign a document; eventually you could give the URL of your first question.
I think this issue will come soon, Italy is ahead on this question, they do sign their document, I must admit French are still living in caves. We know that rspamd has been patched (v2.7) to not detect .7pm as malware
So first for me the question is how to sign digitally a document !!!
Certain countries, like Germany, are very strict where “Data Processing” is done!
If processing is done “Out of the EU”, it’s a no go. If it’s in America, it’s even more a No-Go.
But the TSA should never see the actual data, only a hash of the data. And by definition, a hash is one-way, so none of the data can be determined from the hash. How could this be seen as a problem?
@danb35 a bit of extra background might be explanatory…
In general continental-Europe is a bit more bureaucratic compared to the US… One of the backgrounds, causes if you wish, is linked to your profession. We live under civil (Roman) law instead of common (English) law.
I’d hope it’s better, seeing as how it’s my profession and all… But I haven’t had much occasion to need to know how foreign legal systems work in my practice, and US law is plenty complicated. But I’m certainly aware of a stereotype of the Germans (and Swiss, for that matter) insisting on everything being precisely correct.
But back to the subject at hand—in principle, this seems like a relatively straightforward application of public-key cryptography. The problem is going to be one of trust—you’re going to be using a self-signed certificate, since a typical cert from a public CA like Let’s Encrypt won’t have the appropriate key usage attributes. And that means nobody else will trust your timestamps, unless they first trust your cert. So really, this would only be useful in a controlled environment—but that kind of defeats the purpose of the timestamp being from a trusted third party.
But with that said, the second link looks easy enough to install (the first hasn’t had an update in 18 years—no surprise if it’s on SourceForge—so it doesn’t seem likely it’d be very useful). There’s an RPM for groovy that you can install from the default repos using yum install groovy. Then clone the tsa-server repo and run it as described in the README. But again, trusted certs are going to be hard to come by, I’d think.
Edit: Looks like there may be other options for the software. This one looks simple enough, could be distributed as a compiled binary, and thus wouldnât need you to install a ton of dependencies on your production server:
Another one on Sourceforge (ugh), but much more recently-updated than TSA, the first link above:
Its home page, with installation docs. Looks much more involved than uts-server above in terms of dependencies, but also much more capable:
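The two technical points raised in the posts above (the TSA receives only a hash, and its certificate needs a time-stamping key usage that an ordinary TLS certificate lacks) can be checked with the `openssl ts` tool. This is an added example, not code from the thread or from any of the linked projects. It assumes an `openssl` binary with the `ts` subcommand; the subject names, file names and policy OID are constructed.

```shell
#!/usr/bin/env bash
# Added example: internal RFC 3161 timestamping with the openssl CLI.
# Subject names, file names and the policy OID 1.2.3.4.1 are constructed.

tsa_setup() (   # $1 = empty work dir, $2 = EKU value (default: TSA-only)
  cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Internal CA" -keyout ca.key -out ca.pem 2>/dev/null || exit 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Internal TSA" \
    -keyout tsa.key -out tsa.csr 2>/dev/null || exit 1
  # openssl refuses to sign timestamps unless the EKU is timeStamping only
  # and marked critical; an ordinary TLS certificate lacks this.
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=%s\n' \
    "${2:-critical,timeStamping}" > tsa.ext
  openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile tsa.ext -out tsa.pem 2>/dev/null || exit 1
  echo 01 > tsa.serial
  cat > tsa.cnf <<'EOF'
[ tsa ]
default_tsa = tsa1
[ tsa1 ]
serial = ./tsa.serial
signer_cert = ./tsa.pem
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
accuracy = secs:1
EOF
)

tsa_stamp() (   # $1 = work dir, $2 = document (path relative to work dir)
  cd "$1" || exit 1
  # Client side: the query holds only the SHA-256 digest of the document.
  openssl ts -query -data "$2" -sha256 -cert -out req.tsq 2>/dev/null || exit 1
  # TSA side: sign digest + current time; fails if the cert purpose is wrong.
  openssl ts -reply -config tsa.cnf -queryfile req.tsq -out resp.tsr 2>/dev/null
)

tsa_verify() (  # $1 = work dir, $2 = document; exit 0 only if token matches
  cd "$1" || exit 1
  openssl ts -verify -data "$2" -in resp.tsr -CAfile ca.pem >/dev/null 2>&1
)

tsq_size() { wc -c < "$1/req.tsq" | tr -d ' '; }  # request size in bytes
```

Anyone who is to accept these timestamps needs `ca.pem` in their trust store, which is the trust limitation described in the post above.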
Reading Dan’s comment and my understanding so far…
It raises the question with me if it makes sense to run your own TSA server instead of using a trusted public TSA server?
If two parties can agree one (or more) public TSA server(s) are trustworthy; the party who “receives” the data (file) with the time stamp can run a check using the (public cert/key pair of) same public (trusted) TSA server…
Participants of this discussion should have PN with a dial in for an online meeting.
I would like to introduce you in the world of Good Manufacturing Practice (GMP), 21CFR Part 11, EU-GMP Guideline, its summary in GAMP 5 Guideline to Computer systems validation and its consequences for digital signatures.
I would also like to talk about “where I am” in an already closed project.
Something interesting, maybe rather to host a time stamp authority and claim about the legality of it, rely with compatible client on a known authority could be also a good way.
I think Dan spoke of it, it is like ssl certificate, you can create yours, but what is the trust we have on it.
Yes, it does exactly describe in words what I tried to explain during our video-meeting.
Exactly that part is important to our industry - anyway, our case is a little easier: we are not talking about contracts of two parties, we are talking about internal documents, provided from the “authority” aka the “company’s quality assurance” to the employees. Consequently, an internal TSA would be enough.
Additionally, such systems must be so transparent and validated according to GAMP 5 / 21 CFR part 11 setting up equal standards to a 3rd party TSA.
A pity the authors of the norm did not look around into technology industries where version control systems like CVS for documents and digital data have been in use for decades.
All of them include a form of a hash of the date, the committer, the commit message and a hash of the data committed too…
They know that these systems are available, but they want to prevent companies to use systems without such mechanisms. Any company will always do “the cheap and simple way” if not tied by law. I can present a lot of examples where companies tried to save money but violated GMP rules causing patients to suffer from intoxication, diseases and much worse. We are talking about a hare hedgehog run of laws and gaps… Of course, some of them were black swans, but do you want to be the first to see a black swan?
The 21 CFR Part 11 (and the EU GMP Guide) are legally binding laws. Both enforce the usage of the mechanisms you describe. Additionally, the check by CSV is requested, so that no company uses (for any reason) a system without the correct checking and data integrity mechanisms. In simple words, GAMP 5 is a summary of “current state of the art” or “a collection of best practice” on how to do the required selection and checking of the selected system.