I have a wicked question for support, in order to sign PDF documents. I asked in May 2020 but I did not get any answer.
I do need a TSA (Time Stamp authority) server. In my case I would need to sign pdf documents using internal certificates. Therefore I would like to set up my own TSA. I found some code based on http and openssl:
Obviously, NethServer brings in everything I need. By chance, maybe @stephdl, can somebody help me to set up such a TSA server on top of my NethServer installation?
Well, you attempt to go directly to the solution, but I am not sure you started with the question. First, I thought we could try with how to sign a document; eventually you could give the URL of your first question.
I think this issue will come soon. Italy is ahead on this question, they do sign their documents; I must admit the French are still living in caves. We know that rspamd has been patched (v2.7) to not detect .7pm as malware.
So first, for me, the question is how to digitally sign a document!!!
Certain countries, like Germany, are very strict about where “Data Processing” is done!
If processing is done “Out of the EU”, it’s a no go. If it’s in America, it’s even more a No-Go.
But the TSA should never see the actual data, only a hash of the data. And by definition, a hash is one-way, so none of the data can be determined from the hash. How could this be seen as a problem?
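What the TSA actually receives, as an added example that is not part of the original thread: a minimal RFC 3161 timestamp request (SHA-256 imprint, nonce, certReq) built by hand and then read back the way a server would. The document text and the nonce are constructed sample values, and the function names are illustrative.

```python
import hashlib

# DER of the SHA-256 AlgorithmIdentifier: OID 2.16.840.1.101.3.4.2.1 with NULL parameters
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")

def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_int(value):
    """Minimal DER INTEGER for a non-negative value."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(document, nonce, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce, certReq }."""
    digest = hashlib.sha256(document).digest()
    imprint = der(0x30, SHA256_ALG_ID + der(0x04, digest))
    body = der_int(1) + imprint + der_int(nonce)
    if cert_req:                      # DEFAULT FALSE, so only TRUE is encoded
        body += der(0x01, b"\xff")
    return der(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def tsa_view(request):
    """The only document-derived field a TSA can read: the hashed message."""
    _, body, _ = read_tlv(request, 0)
    _, _version, pos = read_tlv(body, 0)
    _, imprint, _ = read_tlv(body, pos)
    _, _alg, pos = read_tlv(imprint, 0)
    _, digest, _ = read_tlv(imprint, pos)
    return digest

# Constructed sample input, roughly 50 kB of internal document text
DOCUMENT = b"Constructed sample: SOP-0001 rev 3, approved by QA\n" * 1000
REQUEST = build_timestamp_request(DOCUMENT, nonce=0x1122334455667788)
```

The request stays 69 bytes however large the document is; the TSA signs the digest together with its clock time and never handles the content.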
@dan a bit of extra background might be explanatory…
In general continental-Europe is a bit more bureaucratic compared to the US… One of the backgrounds, causes if you wish, is linked to your profession. We live under civil (Roman) law instead of common (English) law.
I’d hope it’s better, seeing as how it’s my profession and all… But I haven’t had much occasion to need to know how foreign legal systems work in my practice, and US law is plenty complicated. But I’m certainly aware of a stereotype of the Germans (and Swiss, for that matter) insisting on everything being precisely correct.
But back to the subject at hand–in principle, this seems like a relatively straightforward application of public-key cryptography. The problem is going to be one of trust–you’re going to be using a self-signed certificate, since a typical cert from a public CA like Let’s Encrypt won’t have the appropriate key usage attributes. And that means nobody else will trust your timestamps, unless they first trust your cert. So really, this would only be useful in a controlled environment–but that kind of defeats the purpose of the timestamp being from a trusted third party.
But with that said, the second link looks easy enough to install (the first hasn’t had an update in 18 years–no surprise if it’s on SourceForge–so it doesn’t seem likely it’d be very useful). There’s an RPM for groovy that you can install from the default repos using yum install groovy. Then clone the tsa-server repo and run it as described in the README. But again, trusted certs are going to be hard to come by, I’d think.
Edit: Looks like there may be other options for the software. This one looks simple enough, could be distributed as a compiled binary, and thus wouldn’t need you to install a ton of dependencies on your production server:
Another one on Sourceforge (ugh), but much more recently-updated than TSA, the first link above:
Its home page, with installation docs. Looks much more involved than uts-server above in terms of dependencies, but also much more capable:
Reading Dan’s comment and my understanding so far…
It raises the question with me if it makes sense to run your own TSA server instead of using a trusted public TSA server?
If two parties can agree one (or more) public TSA server(s) are trustworthy; the party who “receives” the data (file) with the time stamp can run a check using the (public cert/key pair of) same public (trusted) TSA server…
Participants of this discussion should have PN with a dial in for an online meeting.
I would like to introduce you to the world of Good Manufacturing Practice (GMP), 21CFR Part 11, EU-GMP Guideline, its summary in GAMP 5 Guideline to Computer systems validation and its consequences for digital signatures.
I would also like to talk about “where I am” in an already closed project.
Something interesting: maybe rather than hosting a time stamp authority and making claims about its legality, relying with a compatible client on a known authority could also be a good way.
I think Dan spoke of it: it is like an SSL certificate, you can create yours, but what is the trust we have in it?
Yes, it does exactly describe in words what I tried to explain during our video-meeting.
Exactly that part is important to our industry - anyway, our case is a little easier: we are not talking about contracts of two parties, we are talking about internal documents, provided from the “authority” aka the “company’s quality assurance” to the employees. Consequently, an internal TSA would be enough.
Additionally, such systems must be so transparent and validated according to GAMP 5 / 21 CFR part 11, setting up equal standards to a 3rd party TSA.
A pity the authors of the norm did not look around into technology industries where version control systems like CVS for documents and digital data have been in use for decades.
All of them include a form of a hash of the date, the committer, the commit message and a hash of the data committed too…
They know that these systems are available, but they want to prevent companies from using systems without such mechanisms. Any company will always do “the cheap and simple way” if not tied by law. I can present a lot of examples where companies tried to save money but violated GMP rules, causing patients to suffer from intoxication, diseases and much worse. We are talking about a hare hedgehog run of laws and gaps… Of course, some of them were black swans, but do you want to be the first to see a black swan?
The 21 CFR Part 11 (and the EU GMP Guide) are legally binding laws. Both enforce the usage of the mechanisms you describe. Additionally, the check by CSV is requested, so that no company uses (for any reason) a system without the correct checking and data integrity mechanisms. In simple words, GAMP 5 is a summary of “current state of the art” or “a collection of best practice” on how to do the required selection and checking of the selected system.