Page MenuHome GnuPG
Create Task
Maniphest T4537

gpgsm support for timestamp signatures
Open, NormalPublic
Actions

Description

gpgsm currently does not have support for timestamp signatures created by an external Time Stamping Authority (TSA).

This is a big limitation regarding certificate- and signature life cycle management. Currently, gpgsm:

  • accepts a signature as valid even after the signer certificate has expired (the signature remains valid forever).
  • rejects a signature as invalid when a certificate is revoked, regardless of when the signature was created.

The limitations make sense considering the lack of trusted timestamps, but they also illustrate the need for the timestamps.

Without timestamp support it is very hard to revoke a certificate, since it invalidates all existing signatures, requiring all data to be audited again and re-signed.

Also, an expired certificate, even though it is not revoked, should formally not be allowed to create new signatures after its expiration date. (An attacker may for example have an easier time finding and stealing, without discovery, an old/expired certificate and its private key, considering that its owner regards it as obsolete, does not realize its value, and keeps it less protected).

Therefore it would be very nice if gpgsm included support for timestamp creation and verification, according to RFC 3161, with the CMS-related format as described in Appendix A.

This feature request may be related to https://dev.gnupg.org/T4108.

Related Objects

Event Timeline

misterzed88 created this task.May 23 2019, 4:25 PM
werner triaged this task as Normal priority.May 27 2019, 3:58 PM
werner added projects: S/MIME, gnupg (gpg23).
kuwv added subscribers: werner, kuwv.Jun 1 2022, 7:48 PM

@werner There's renewed interest with protecting supply chains. GnuPG is used by a lot of open source systems. Is it possible to bump the priority on this?

werner added a comment.Jun 2 2022, 8:00 AM

Funnily I created a file dirmngr/rfc3161.c last Sunday. I can't tell how long it will take but I am definitely interested in using GnuPG to create qualified signatures. Timestamp support is at least good for testing.

kuwv added a comment.Jun 2 2022, 7:37 PM

nice, that's great news! I'll have to try it out when I get a chance.

werner added a project: gnupg24.Dec 13 2022, 11:21 AM
werner removed a project: gnupg (gpg23).Jan 19 2023, 4:52 PM
zablockil added a subscriber: zablockil.Aug 13 2024, 5:10 PM

I made a ticket on bugzilla with ready-made tests for S/MIME, but on close inspection a different structure appears for S/MIME and another for qualified signature (openssl could not verify token extracted from CAdES-BASELINE-T signature). However, these tests can be very useful.

make_timestamped_smime.tar.gz

werner edited projects, added gnupg26; removed gnupg24.Oct 4 2024, 12:14 PM