On Sat, 29 Dec 2007 19:22:00 +0200, Eugene Mayevski wrote:
> Hello!
> You wrote on Sat, 29 Dec 2007 10:00:27 -0500:
>
> A> I suppose they assume that the user has been authenticated (identity)
> A> which leads me to think why the signatory process couldn't be tied to
> A> the verification process. hmmm....
>
> I am not sure that I understand your point/question. The problem with
> absence of timestamping is that when the signature is verified several years
> later, the certificate, used to sign the document, will most likely be
> expired. If there's no timestamp, the validator will alert the user that the
> certificate has expired. If the certificate is revoked and this is
> discovered by the validator, the validator will complain about this too.
>
> Timestamping lets the validator check when the timestamp was made and not
> alert the user about the expired certificate. If the certificate was
> revoked, the validator will compare the revocation moment with the timestamp
> and will have a chance to figure out whether the signature was made with a
> valid or revoked certificate.
>
> Timestamping authority timestamps the signature (to be precise, the hash of
> some data), it doesn't care about what was used to produce the hash.

I see what you're saying but the most important process is the authentication
of the *identity* of the signer. If there is no ID that is verified, then
the rest doesn't matter. I can use your Adobe on your computer to sign in
your name as long as I can get to your software.
Which is my point. Why not incorporate the system that determines that it
is *you* accessing your Adobe, or PDFBlackBox seamlessly with the digital
signature capabilities? Rather than have two or more programs to do this.
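
The validator behaviour described in the quoted explanation above, as an added example that is not part of the original thread or of any product named in it. The function name, the messages and the dates are constructed for illustration, and it assumes the timestamp token itself (its hash binding and the timestamping authority's certificate) has already been verified.

```python
from datetime import datetime, timezone

EXPIRED = "certificate expired at reference time"
NOT_YET_VALID = "certificate not yet valid at reference time"
REVOKED_UNKNOWN = "certificate revoked; signing time cannot be established"
REVOKED_BEFORE = "certificate was already revoked when the timestamp was made"


def check_signing_cert(not_before, not_after, revoked_at=None,
                       timestamp=None, now=None):
    """Return the list of complaints a validator would raise (empty = OK).

    timestamp is the time asserted by a trusted timestamping authority,
    or None if the signature carries no timestamp.
    """
    now = now or datetime.now(timezone.utc)
    # With a timestamp the certificate is judged at the timestamp;
    # without one, the only trustworthy clock is the moment of validation.
    reference = timestamp if timestamp is not None else now
    problems = []
    if reference < not_before:
        problems.append(NOT_YET_VALID)
    elif reference > not_after:
        problems.append(EXPIRED)
    if revoked_at is not None:
        if timestamp is None:
            # No proof the signature predates the revocation.
            problems.append(REVOKED_UNKNOWN)
        elif timestamp >= revoked_at:
            problems.append(REVOKED_BEFORE)
    return problems


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed case: one-year certificate, signature checked years later.
    nb, na, later = utc(2007, 1, 1), utc(2008, 1, 1), utc(2012, 6, 1)
    signed = utc(2007, 12, 29)
    print("no timestamp:  ", check_signing_cert(nb, na, now=later))
    print("with timestamp:", check_signing_cert(nb, na, timestamp=signed, now=later))
    print("revoked before signing:",
          check_signing_cert(nb, na, utc(2007, 11, 1), signed, later))
    print("revoked after signing: ",
          check_signing_cert(nb, na, utc(2007, 12, 30), signed, later))
```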