2

I need to timestamp an XML file. Is there any solution for this? I can make a digital signature and put it into an XML-DSIG structure, but I need to do it with a timestamp. In principle it is the same process. The signing I do myself; the timestamping is done by a TSA (Timestamp Authority).

Yes, of course, I can make the hash in the same way a classic signature is made, and put the response from the TSA in some element (for example ). But it does not seem clean. And validation cannot be done with the available tools (tools for XML-DSIG).

Thanks for advice.

Achiles

2 Answers

1

Have you thought about using detached timestamps, i.e. applying the timestamp to the xml fingerprint and storing the resulting TimeStampResponse in a separate .tsr file?

If it is ok for you, then you can apply a trusted timestamp to your file using, for example, easytimestamping.com or the related API.

Validation can then be performed with any RFC 3161 compliant software, such as OpenSSL or, for example, this online verification tool from a European Certification Authority.

Disclaimer: I am involved in the company behind easytimestamping.com.

mrucci
  • Yes, I thought about it. I mentioned putting the response from the TSA into separate elements. – Achiles Jun 18 '12 at 18:44
  • Please note that we have a working solution with XML-DSIG. One user makes a report (in XML, of course) and signs it (enveloped signature). He sends it to another user. Somebody makes comments, makes a signature and saves it to the same file (without breaking any previous signature). XML-DSIG has a tool for selecting which nodes are included in the hash and which are not. I would like to use this tool with timestamps. Not to mention, if I use this specification, all signatures can be validated using third-party tools. – Achiles Jun 18 '12 at 18:55
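
The request side of the detached approach described in this answer, as an added example that is not part of the original answer or of any project's code: it builds the RFC 3161 TimeStampReq that a TSA expects over the SHA-256 fingerprint of the XML bytes. The function names and the sample report are constructed for illustration; `still_covered` shows that a timestamp taken over the whole file stops matching as soon as the file's bytes change.

```python
import hashlib
import secrets

# DER bytes of the SHA-256 OID 2.16.840.1.101.3.4.2.1 (tag, length, value)
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag, body):
    """Encode one DER element, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_uint(value):
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def timestamp_request(document, nonce=None):
    """Build a DER TimeStampReq (RFC 3161) over SHA-256(document)."""
    digest = hashlib.sha256(document).digest()
    algorithm = der(0x30, SHA256_OID + der(0x05, b""))   # AlgorithmIdentifier
    imprint = der(0x30, algorithm + der(0x04, digest))   # MessageImprint
    if nonce is None:
        nonce = secrets.randbits(64)                     # anti-replay value
    return der(0x30, der_uint(1)        # version v1
               + imprint
               + der_uint(nonce)        # the TSA must echo this nonce
               + der(0x01, b"\xff"))    # certReq TRUE: ask for the TSA certificate

def imprint_digest(request):
    """Return the hashedMessage of a request built by timestamp_request()."""
    # Fixed layout for SHA-256: 2-byte outer header, 3-byte version, 2-byte
    # MessageImprint header, 15-byte AlgorithmIdentifier, 2-byte OCTET STRING header.
    return request[24:56]

def still_covered(request, document):
    """True if the document still hashes to the value that was timestamped."""
    return imprint_digest(request) == hashlib.sha256(document).digest()

if __name__ == "__main__":
    # Constructed sample standing in for the signed report
    report = b"<report><body>Q2 figures</body></report>"
    tsq = timestamp_request(report)
    print(tsq.hex())
    print(still_covered(tsq, report), still_covered(tsq, report + b"<!-- comment -->"))
```

The returned bytes are what gets POSTed to the TSA with content type `application/timestamp-query`; the reply is the TimeStampResponse to store in the .tsr file.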
1

The XAdES standard is based on XMLDsig and extends it with structures for (TSA) timestamps (beside others).

Take a look at the XAdES-T form.

Andy