views:

92

answers:

2

I would like to sign records in a database with a secure timestamp to prove they have not been altered by anyone after that date.

What methods or services should I consider? RFC 3161? Does anyone provide that service /and/ have a reputable looking website?

Is it possible to roll your own?

A: 

Simple method would be to append the values you want to make sure is not tampered, add a salt to it, and then md5 all of it, and save the md5 hash.

So if you have a table with the columns: Username, Firstname, Lastname, Hash

You do a md5(Username+Firstname+Lastname+"MySuperSecretSalt") and save the value in Hash.

But I must say, it sounds like a weird thing to do.

Skovsende
+1  A: 

If you're looking for a working RFC3161 server then http://time.certum.pl/ has been one that I've known and has been around.

If you're looking for a bigger solution that do not depend on a single secret based timestamping box (basically something that scales well) have a look at http://www.guardtime.com

Technically, a timestamp is a UNIX timestamp :) But the properties you seem to assign to a timestamp are a hash and a "signature" (possibility to verify that the claim that a certain hash existed at a certain time).

Anything that has to do with "trust" is something you can roll your own. The same way you can roll your own CA, the same way you can roll your own standards-based service or invent your own scheme. But convincing other parties to "trust" the thing you've rolled your own might be trickier.

That's why people pay for CA certificates - they are pre-trusted by browser vendors. That's why when you need a solution that others have to trust or if you're obliged to timestamp your data, you need a certified timestamp source.

martin