Question
Then, if a private key is compromised by an attacker, she could sign stuff pretending she's you. This way, any organization that has the (even legal) power of asking you to decrypt your messages so as to prove to a court there's no evidence of illegal action in them now has the power of signing messages that state you did things you never did.
Is there any way of attaching a computationally-hard-to-fake timestamp (not silly cleartext meta's, of course...) to a signature such that you can not only revoke a key after having been obliged to release it, but that you can also prevent them from now signing every message they want to look like you wrote?
Explanation / Answer
The specific case of a private key being compromised is actually handled already, but you have to do it right in the first place.
The correct way to do it is to use a secure timestamp as part of the signature. These timestamps are provided by trusted third party servers (there are several that are usable for free, provided by big names in the security business). They include a hash of the signed data and are an integral part of the digital signature (the TSA signature is applied to the timestamp, your data and your digital signature).
When your private key is compromised, you indicate the date when the revocation starts (in practice, it usually starts when you notify the CA that the key should be revoked). Any application validating a document signed with the revoked key should then compare the timestamp included with the signature with the one included with the key revocation record: anything before that date should be considered valid and anything on or after that date should be considered invalid.
That way, documents you signed before your key was compromised can still be validated safely.
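The validation rule from the answer above, as an added example that is not part of the original answer: a verifier accepts a signature only if the timestamp token covers that exact data and signature and its time is before the revocation date. Assumptions: `tsa_issue`, `validate`, `demo` and all sample values are hypothetical, and HMAC-SHA256 with a demo key stands in for the TSA's own public-key signature.

```python
import hashlib
import hmac
from datetime import datetime, timezone

TSA_KEY = b"constructed-demo-tsa-key"  # stand-in: a real TSA signs with its own private key

def _imprint(data: bytes, signature: bytes) -> bytes:
    # Length-prefix the data so the data/signature boundary cannot be shifted.
    return hashlib.sha256(len(data).to_bytes(8, "big") + data + signature).digest()

def _seal(data: bytes, signature: bytes, gen_time: str) -> bytes:
    return hmac.new(TSA_KEY, _imprint(data, signature) + gen_time.encode(), hashlib.sha256).digest()

def tsa_issue(data: bytes, signature: bytes, now: datetime) -> dict:
    """Hypothetical TSA: binds its own clock reading to the data and signature."""
    gen_time = now.isoformat()
    return {"gen_time": gen_time, "mac": _seal(data, signature, gen_time)}

def validate(data: bytes, signature: bytes, token: dict, revoked_at=None) -> str:
    """Assumes `signature` was already verified against the signer's public key."""
    expected = _seal(data, signature, token["gen_time"])
    if not hmac.compare_digest(expected, token["mac"]):
        return "reject: token does not cover this data and signature"
    if revoked_at is not None and datetime.fromisoformat(token["gen_time"]) >= revoked_at:
        return "reject: timestamped on or after key revocation"
    return "valid"

def demo() -> list:
    # Constructed sample values, not real signatures.
    revoked = datetime(2024, 6, 1, tzinfo=timezone.utc)
    old_doc, old_sig = b"contract v1", b"sig-made-by-owner"
    old_tok = tsa_issue(old_doc, old_sig, datetime(2024, 3, 1, tzinfo=timezone.utc))
    new_doc, new_sig = b"statement", b"sig-made-with-released-key"
    new_tok = tsa_issue(new_doc, new_sig, datetime(2024, 7, 1, tzinfo=timezone.utc))
    backdated = dict(new_tok, gen_time=old_tok["gen_time"])  # edited cleartext date
    return [
        validate(old_doc, old_sig, old_tok, revoked),    # signed before revocation
        validate(new_doc, new_sig, new_tok, revoked),    # honest TSA time is too late
        validate(new_doc, new_sig, old_tok, revoked),    # old token moved to new data
        validate(new_doc, new_sig, backdated, revoked),  # date changed, seal breaks
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two cases show why the timestamp has to be sealed by the third party over the data and signature together: a date that is merely written next to the signature can be changed by whoever holds the key.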