gpgsm support for timestamp signatures
Open, NormalPublic

Description

gpgsm currently does not have support for timestamp signatures created by an external Time Stamping Authority (TSA).

This is a big limitation regarding certificate- and signature life cycle management. Currently, gpgsm:

  • accepts a signature as valid even after the signer certificate has expired (the signature remains valid forever).
  • rejects a signature as invalid when a certificate is revoked, regardless of when the signature was created.

The limitations make sense considering the lack of trusted timestamps, but they also illustrate the need for the timestamps.

Without timestamp support it is very hard to revoke a certificate, since it invalidates all existing signatures, requiring all data to be audited again and re-signed.

Also, an expired certificate, even though it is not revoked, should formally not be allowed to create new signatures after its expiration date. (An attacker may for example have an easier time finding and stealing, without discovery, an old/expired certificate and its private key, considering that its owner regards it as obsolete, does not realize its value, and keeps it less protected).

Therefore it would be very nice if gpgsm included support for timestamp creation and verification, according to RFC 3161, with the CMS-related format as described in Appendix A.

This feature request may be related to https://dev.gnupg.org/T4108.

werner triaged this task as Normal priority.