TSA - Time stamp authority

Hi Forum,

I have a wicked question for support. In order to sign PDF documents. I asked in May 2020 but I did not get any answer :frowning:
I do need a TSA (Time Stamp authority) server. In my case I would need to sign pdf documents using internal certificates. Therefore I would like to set up my own TSA. I found some code based on http and openssl:


Obviously, Nethserver brings in everything I need. By chance, maybe @stephdl, can somebody help me to set up such a TSA server on top of my nethserver installation?

Thank you and best regards
Thorsten

1 Like

Hello, never played with it, will check the link

well you attempt to go directly to the solution but I am not sure you started by the question, first I thought we could try by how to sign a document, eventually you could give the url of your first question.

I think this issue will come soon, Italy is ahead on this question, they do sign their document, I must admit French are still living in caves. We know that rspamd has been patched (v2.7) to not detect .7pm as malware

So first for me the question is how to sign digitally a document !!!

@stephdl,

You got a PN :slight_smile:

Best regards
Thorsten

1 Like

blind shot

install my repo

[root@ns7loc5 ~]# yum install nethserver-rh-python36
[root@ns7loc5 ~]# /opt/rh/rh-python36/root/usr/bin/pip3 install opentimestamps-client
[root@ns7loc5 ~]# touch toto
[root@ns7loc5 ~]# /opt/rh/rh-python36/root/usr/bin/ots stamp toto
Submitting to remote calendar https://a.pool.opentimestamps.org
Submitting to remote calendar https://b.pool.opentimestamps.org
Submitting to remote calendar https://a.pool.eternitywall.com
Submitting to remote calendar https://ots.btc.catallaxy.com
[root@ns7loc5 ~]# ll
total 20
-rw-------. 1 root root 4567 Dec 19 16:55 anaconda-ks.cfg
-rw-r--r--. 1 root root 775 Dec 19 16:55 kickstart-post.log
-rw-------. 1 root root 3826 Dec 19 16:55 original-ks.cfg
-rw-r--r-- 1 root root 0 Jan 21 21:37 toto
-rw-r--r-- 1 root root 433 Jan 21 21:38 toto.ots

see : https://opentimestamps.org/

why to host it if we could use a TSA client ?

@stephdl

Certain countries, like Germany, are very strict where “Data Processing” is done!
If processing is done “Out of the EU”, it’s a no go. If it’s in America, it’s even more a No-Go.

And see here:

Tel Nr is American, registered in Canada
 :frowning:

My 2 cents
Andy

But the TSA should never see the actual data, only a hash of the data. And by definition, a hash is one-way, so none of the data can be determined from the hash. How could this be seen as a problem?
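
The point made in the post above, as an added example that is not part of the thread and not code from any TSA project mentioned in it: this builds an RFC 3161 timestamp request by hand and decodes it again, so every field the TSA receives is visible, and the only document-derived one is the SHA-256 digest. The function names, the nonce and the sample document are constructed for illustration.

```python
import hashlib

SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER of 2.16.840.1.101.3.4.2.1

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def build_timestamp_request(document: bytes, nonce: int) -> bytes:
    """RFC 3161 TimeStampReq: version, messageImprint, nonce, certReq."""
    digest = hashlib.sha256(document).digest()
    algorithm = der(0x30, SHA256_OID + b"\x05\x00")     # AlgorithmIdentifier
    imprint = der(0x30, algorithm + der(0x04, digest))  # MessageImprint
    nonce_der = der(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    return der(0x30, der(0x02, b"\x01") + imprint + nonce_der + der(0x01, b"\xff"))

def read_tlv(buf: bytes, pos: int):
    """Return (value, next_pos) of the TLV that starts at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form length
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return buf[pos:pos + length], pos + length

def fields_sent_to_tsa(request: bytes) -> dict:
    """Decode a request and list every field the TSA receives."""
    body, _ = read_tlv(request, 0)
    version, pos = read_tlv(body, 0)
    imprint, pos = read_tlv(body, pos)
    nonce, pos = read_tlv(body, pos)
    cert_req, pos = read_tlv(body, pos)
    algorithm, ipos = read_tlv(imprint, 0)
    hashed, _ = read_tlv(imprint, ipos)
    return {
        "version": int.from_bytes(version, "big"),
        "hash_algorithm_der": algorithm.hex(),
        "hashed_message": hashed.hex(),
        "nonce": int.from_bytes(nonce, "big"),
        "cert_req": cert_req == b"\xff",
        "undecoded_bytes": len(body) - pos,
    }

# Constructed sample standing in for an internal document (about 5 KB).
SAMPLE = b"constructed sample: batch record 0001, internal only\n" * 100
REQUEST = build_timestamp_request(SAMPLE, nonce=0x1122334455667788)
FIELDS = fields_sent_to_tsa(REQUEST)
```

The request stays at a few dozen bytes however large the document is, and `undecoded_bytes` being zero confirms nothing else is carried along with the digest.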

@danb35

Hi Dan!

Ever tried explaining that to a real German “Beamter” (=German Government official)? :slight_smile:

And some are so dense that they might think you’re talking about drugs (hash)


My 2 cents
Andy

_ Off Topic _

@danb35 a bit of extra background might be explanatory

In general continental-Europe is a bit more bureaucratic compared to the US
 One of the backgrounds, causes if you wish, is linked to your profession. We live under civil (Roman) law instead of common (English) law. :wink:

@mark_nl

DanB has travelled in Europe, and - if his law knowhow is half as good as his IT, as a lawyer I’m sure he’s aware of the major differences in law.

But you’re right, especially people from other continents have difficulty understanding how Europe ticks


My 2 cents
Andy

1 Like

I’d hope it’s better, seeing as how it’s my profession and all
 But I haven’t had much occasion to need to know how foreign legal systems work in my practice, and US law is plenty complicated. But I’m certainly aware of a stereotype of the Germans (and Swiss, for that matter) insisting on everything being precisely correct.

But back to the subject at hand–in principle, this seems like a relatively straightforward application of public-key cryptography. The problem is going to be one of trust–you’re going to be using a self-signed certificate, since a typical cert from a public CA like Let’s Encrypt won’t have the appropriate key usage attributes. And that means nobody else will trust your timestamps, unless they first trust your cert. So really, this would only be useful in a controlled environment–but that kind of defeats the purpose of the timestamp being from a trusted third party.

But with that said, the second link looks easy enough to install (the first hasn’t had an update in 18 years–no surprise if it’s on SourceForge–so it doesn’t seem likely it’d be very useful). There’s a RPM for groovy that you can install from the default repos using yum install groovy. Then clone the tsa-server repo and run it as described in the README. But again, trusted certs are going to be hard to come by, I’d think.

Edit: Looks like there may be other options for the software. This one looks simple enough, could be distributed as a compiled binary, and thus wouldn’t need you to install a ton of dependencies on your production server:

Another one on Sourceforge (ugh), but much more recently-updated than TSA, the first link above:

Its home page, with installation docs. Looks much more involved than uts-server above in terms of dependencies, but also much more capable:

2 Likes

Reading Dan’s comment and my understanding so far

It raises the question with me if it makes sense to run your own TSA server instead of using a trusted public TSA server?

If two parties can agree one (or more) public TSA server(s) are trustworthy; the party who “receives” the data (file) with the time stamp can run a check using the (public cert/key pair of) same public (trusted) TSA server


Or am I missing something ?

Participants of this discussion should have PN with a dial in for an online meeting.

I would like to introduce you to the world of Good Manufacturing Practice (GMP), 21CFR Part 11, EU-GMP Guideline, its summary in GAMP 5 Guideline to Computer systems validation and its consequences for digital signatures.

I would also like to talk about “where I am” in an already closed project.

Best regards
Thorsten

I am sorry, obviously, I forgot to set time:

Today 16:00 - but if you want I may reschedule to 17:00. Please send me a PN with your email - this would make it easier to set up the meeting.

I will of course talk in English, however, if only native German speakers are present, I will switch to German.

1 Like

Nice to see you in face to face, we should organize from time to time zoom meetings, it is good to see people IRL :slight_smile:

2 Likes

Yes, for me it was nice, too, to see and meet other people from this forum. A year ago I did not even think about it :slight_smile:

1 Like

something interesting, maybe rather to host a time stamp authority and claim about the legality of it, rely with compatible client on a known authority could be also a good way.

I think dan spoke of it, it is like ssl certificate, you can create yours, but what is the trust we have on it

2 Likes

Yes, it does exactly describe in words what I tried to explain during our video-meeting :slight_smile:
Exactly that part is important to our industry - anyway, our case is a little easier: we are not talking about contracts of two parties, we are talking about internal documents, provided from the “authority” aka the “company’s quality assurance” to the employees. Consequently, an internal TSA would be enough.
Additionally, such systems must be so transparent and validated according to GAMP 5 / 21 CFR part 11 setting up equal standards to a 3rd party TSA :slight_smile:

A pity the authors of the norm did not look around into technology industries where version control systems like cvs for documents and digital data have been in use for decades.

All of them include a form of a hash of the date, the committer, the commit message and a hash of the data committed too


I disagree :slight_smile:

They know that these systems are available, but they want to prevent companies from using systems without such mechanisms. Any company will always do “the cheap and simple way” if not tied by law. I can present a lot of examples where companies tried to save money but violated GMP rules causing patients to suffer from intoxication, diseases and much worse. We are talking about a hare hedgehog run of laws and gaps
 Of course, some of them were black swans, but do you want to be the first to see a black swan ?

The 21 CFR part 11 (and the EU GMP Guide) are legally binding laws. Both enforce the usage of the mechanisms you describe. Additionally, the check by CSV is requested, so that no company uses (for any reason) a system without the correct checking and data integrity mechanisms. In simple words, GAMP 5 is a summary of “current state of the art” or “a collection of best practice” on how to do the required selection and checking of the selected system.