Adding RFC 3161 timestamps to git tags

Adding RFC 3161 timestamps to git tags

[Anton Wuerfel]

Hello,

as part of an university project we plan to implement time stamp
signatures according to RFC 3161. This enables users to create and verify
cryptographic time stamp signatures to prove that a commit existed at a
certain point in time.

As a long-term goal, we would like to get this new feature accepted into
upstream, so we are very interested in your opinions and suggestions for
our approach described in the following.

We plan to add new command line options to git tag and call openssl
similar to how "git tag -s" is calling gpg. The time stamp query generated
by openssl will be sent to the time stamping authority via libcurl.
Verification of timestamps will be possible via git verify-tag.

In order to store time stamp signatures, the file format for git tags
needs to be extended. Similar to how gpg signatures are stored, we would
store the signed time stamp responses in base64 surrounded by BEGIN and
END tags:
-----BEGIN RFC3161-----
Issuer: [issuer-name]
[time stamp response in base64]
-----END RFC3161-----

We plan to offer git config options to configure, which timestamping
authority to use and where trusted certificates are stored.

Regards,
Phillip Raffeck
Anton Wuerfel

Re: Adding RFC 3161 timestamps to git tags

[Junio C Hamano]

"Anton Wuerfel" <anton.wuerfel@fau.de> writes:

> as part of an university project we plan to implement time stamp
> signatures according to RFC 3161. This enables users to create and verify
> cryptographic time stamp signatures to prove that a commit existed at a
> certain point in time.
>
> As a long-term goal, we would like to get this new feature accepted into
> upstream, so we are very interested in your opinions and suggestions for
> our approach described in the following.
>
> We plan to add new command line options to git tag and call openssl
> similar to how "git tag -s" is calling gpg. The time stamp query generated
> by openssl will be sent to the time stamping authority via libcurl.
> Verification of timestamps will be possible via git verify-tag.
>
> In order to store time stamp signatures, the file format for git tags
> needs to be extended. Similar to how gpg signatures are stored, we would
> store the signed time stamp responses in base64 surrounded by BEGIN and
> END tags:
> -----BEGIN RFC3161-----
> Issuer: [issuer-name]
> [time stamp response in base64]
> -----END RFC3161-----
>
> We plan to offer git config options to configure, which timestamping
> authority to use and where trusted certificates are stored.

A few random thoughts that come to mind, none of which is
rhetorical [*1*]:

 - What should happen when the timestamping service is unreachable?
   The user cannot get her work done at all?  A tag is created
   without timestamp and with a warning?  Something else?

 - Is "signed tag" the only thing that will benefit from such a
   certified timestamping mechanism?  Would it be worthwhile to
   offer a similar support for "signed commit"?

 - How would the certified timestamp interact with GPG signing of
   the tag?  Can they both be applied to the same tag, and if so
   what is signed by which mechanism and in what order or are they
   done independently and in parallel?  E.g. would the timestamp be
   done on the contents without GPG signature, and the GPG signature
   be done on the contents without timestamp, and both signature
   blocks concatenated at the end of the original contents?

 - Would it make sense to store the certified timestamp in the
   object header part, like the way GPG signature for signed commit
   objects are stored [*2*], instead of following the old-style
   "signed tag" that concatenates a separate signature at the end?


[Footnote]

*1* ... meaning that when I ask "Is X true?", I do not mean "I think
    X is true" or "I do not think X can possibly be true".

*2* We designed newer places that use GPG signatures (i.e. signed
    commit and merge tag) to store the signature in the header part
    for a reason: the base64 gobbledygook is not for human
    consumption and showing it together with the original contents
    would not help.

Re: Adding RFC 3161 timestamps to git tags

[Anton Wuerfel]

Hello Junio,

thanks for your reply. See my comments below.

"Junio C Hamano" <gitster@pobox.com> writes:

> A few random thoughts that come to mind, none of which is
> rhetorical [*1*]:
>
>  - What should happen when the timestamping service is unreachable?
>    The user cannot get her work done at all?  A tag is created
>    without timestamp and with a warning?  Something else?

If the timestamping service is unreachable, we plan to output a warning
and abort the tag creation as a default behavior. However we could create
config option to allow the user to create a tag without a signature if the
TSA (timestamp authority) is not available.


>  - Is "signed tag" the only thing that will benefit from such a
>    certified timestamping mechanism?  Would it be worthwhile to
>    offer a similar support for "signed commit"?

This is a good point. We will consider implementing this in signed
commits, too. Like in gpg-signed commits, rebases and changes of these
commits will not be possible any more without invalidating the timestamp
signature. However, the intention behind all this is to be able to verify
important steps in development and continue to be able to work and commit
without internet connection. Therefore our main focus is on tags with
timestamp signatures.


>  - How would the certified timestamp interact with GPG signing of
>    the tag?  Can they both be applied to the same tag, and if so
>    what is signed by which mechanism and in what order or are they
>    done independently and in parallel?  E.g. would the timestamp be
>    done on the contents without GPG signature, and the GPG signature
>    be done on the contents without timestamp, and both signature
>    blocks concatenated at the end of the original contents?

Both GPG and timestamp signing can be assigned to the same tag. A GPG
signature includes the timestamp signature for one important reason: It
should not be possible to replace an existing timestamp signature by
another (later) timestamp signature. Including the timestamp signature
into the GPG signature prevents this.
Creating a timestamp signature without any GPG signature at all is
therefore possible but would be vulnerable to the described scenario.


>  - Would it make sense to store the certified timestamp in the
>    object header part, like the way GPG signature for signed commit
>    objects are stored [*2*], instead of following the old-style
>    "signed tag" that concatenates a separate signature at the end?

For timestamped commits we will, of course, use the new-style format. We
would also new-style format for git tags, leaving the GPG signature as is
and creating a timesig-header. However, mixing old-style and new-style
format in tag objects would introduce an inconsistency. Is this
problematic?

Regards,
Phillip Raffeck
Anton Wuerfel

Re: Adding RFC 3161 timestamps to git tags

[Michael J Gruber]

Anton Wuerfel venit, vidit, dixit 07.03.2016 15:15:
> Hello,
> 
> as part of an university project we plan to implement time stamp
> signatures according to RFC 3161. This enables users to create and verify
> cryptographic time stamp signatures to prove that a commit existed at a
> certain point in time.

Before talking about a specific header format (and, possibly, repeating
mistakes of the past) we should take a step back to exactly here: What
is the goal that you are trying to achieve?

"prove that a commit existed at a certain point in time" is a good
definition for that goal.

Based on our standing assumption that a commit SHA1 is unique, it is
sufficient to "prove that a SHA1 existed[was known] at a certain point
in time".

In particular, this does not need to take into account the DAG (beyond
what is determined through the SHA1) nor any prior timestamps.
Consequently, I don't think that warrants extending the object format in
any way - it is information in addition to what is in the DAG.

Also, it is conceivable that more than one user of the timestamp service
requests a timestamp for the same SHA1, and does so for a commit which
has children already, without wanting to (and without any intrinsic need
to) rewrite history.

To me, this means timestamps have no place in commit objects.

As for adding additional information to the DAG without altering it, we
have two means: tags and notes. Tags suffer from a "merge problem",
notes from a "transport" problem; for both of them you have to know how
to set up your refspecs.

So, I think a proper first step would be to make our "metadata handling"
(default notes refspec, merging) more use friendly, i.e. work out of the
box for the common use case (whatever that is).

That would serve timestamps well, and many other use cases.

> As a long-term goal, we would like to get this new feature accepted into
> upstream, so we are very interested in your opinions and suggestions for
> our approach described in the following.
> 
> We plan to add new command line options to git tag and call openssl
> similar to how "git tag -s" is calling gpg. The time stamp query generated
> by openssl will be sent to the time stamping authority via libcurl.
> Verification of timestamps will be possible via git verify-tag.
> 
> In order to store time stamp signatures, the file format for git tags
> needs to be extended. Similar to how gpg signatures are stored, we would
> store the signed time stamp responses in base64 surrounded by BEGIN and
> END tags:
> -----BEGIN RFC3161-----
> Issuer: [issuer-name]
> [time stamp response in base64]
> -----END RFC3161-----
> 
> We plan to offer git config options to configure, which timestamping
> authority to use and where trusted certificates are stored.
> 
> Regards,
> Phillip Raffeck
> Anton Wuerfel
> 

Re: Adding RFC 3161 timestamps to git tags

[Junio C Hamano]

Michael J Gruber <git@drmicha.warpmail.net> writes:

> Anton Wuerfel venit, vidit, dixit 07.03.2016 15:15:
>> Hello,
>> 
>> as part of an university project we plan to implement time stamp
>> signatures according to RFC 3161. This enables users to create and verify
>> cryptographic time stamp signatures to prove that a commit existed at a
>> certain point in time.
>
> Before talking about a specific header format (and, possibly, repeating
> mistakes of the past) we should take a step back to exactly here: What
> is the goal that you are trying to achieve?
>
> "prove that a commit existed at a certain point in time" is a good
> definition for that goal.

Moving the timestamp signature out of line has merits and demerits.

 - Inline timestamp signature proves that the commit existed at a
   certain point in time, and also it proves that any descendant
   commit was not there before that time.  Also, the object name
   of the signed object itself protects the fact that it was created
   with the signature (i.e. if you replace the signature, its object
   name would change)--this can be a feature or inconvenience,
   depending on your use case.

 - Out of line timestamp signature allows you to say "I didn't
   bother timestamping that commit I made 5 days ago, and it now is
   buried 200 commits deep in the history from the tip, but I am
   asking a timestamping service that the commit existed as of
   now--I cannot go back and prove that it actually was made 5 days
   ago, but at least the timestamp proves it was there today".

   It does not allow you to say anything about descendant commits,
   though, like an inline timestamp would.

There is a convenience argument, too, for and against inline vs out
of line signatures.

 - The original "signed tag" is a good out-of-line signature
   mechanism that you can add signed attestation to a different
   object (i.e. you made a commit either 2 seconds or 5 days ago,
   and then you certify that you would want to call that with a
   tagname with some messages and cryptgraphically sign that
   retroactively).  Being in the ref namespace, it didn't scale for
   use cases where you would want to have as many signatures as you
   would have commits, though.

 - The "signed commit" is made in-line, and for those who want to
   always validate each and every commit, not having to maintain a
   separate collection of signatures was a convenience.

 - The "merge signed tags" is also made in-line, primarily for
   convenience benefit, i.e. not having to keep collection of all
   pull request tags out of line.

I haven't thought deeply enough between in-line and out-of-line
which would suit better for timestamp signatures, though.