Under normal circumstances, one would need an expert witness to authenticate the signature, but in several jurisdictions which enacted digital signature laws statues, that may not be necessary depending on the evidentiary status of e-signatures.
In November 2007, they posted the MD5 hash of a PDF file containing the name of the winner of the 2008 election. That of course doesn't prove that they knew who would win the election, because they prepared 12 different PDFs with 12 different names in it, all of which were crafted to generate the same MD5 hash. I don't think the hypothetical jury is going to like it.
The article mentions hashing the same data with multiple hashing algorithms; I would think this would be effective at preventing collisions (presumably different hashing algorithms are not vulnerable to the same collision attacks).
Isn't this whole timestamping thing overcomplicated? Just set up a twitter account and post the hash codes. The code in itself is useless, so it does not have to be kept secret, and you will have a way to proof that you had the document generating it at that time.
This would work if you could search all of your tweets. I don't think that is currently possible, is it?
It also assumes that twitter is going to be around when you finally need the timestamped hashes, and that you can prove that twitter (or any other service for that matter) can't have back-dated hashes inserted.
Posting to a usenet group, like alt.test, where independent systems store and timestamp the message would be a better idea.
In criminal cases I can see it often being necessary to within a day or two
Oh, if only. Digital evidence is seeing a lot more acceptance in recent years - but just recently there has been a sudden resistance to it, partly, I think, because of all the noise being made in the media about the ease of faking such things and the prevalence of viruses.
Oftentimes an audio recording tagged to within a couple of days will be fine.
But don't rely on that - it could easily be rejected out of hand by a judge who is not convinced.
Any sort of ambiguity in digital evidence and timestamps is being frowned on at the moment - at least here in the UK.
Is there anything wrong with the idea in the first blog comment? I would think sending the hashes to one or more webmail accounts in your own name would accomplish the feat of proof, and it would not require you to rely on other people to safeguard the data or give testimony.
How do you prove the e-mail wasn't changed? At least gmail allows you to upload pretty much anything (which is useful when migrating mail), and may not be able/willing to turn over (old) logs.
http://en.wikipedia.org/wiki/Trusted_timestamping
A personal favorite which I highly recommend is the following:
http://www.itconsult.co.uk/stamper.htm
Under normal circumstances, one would need an expert witness to authenticate the signature, but in several jurisdictions which enacted digital signature laws statues, that may not be necessary depending on the evidentiary status of e-signatures.