Show HN: Seal – Verifiable timestamp for your private ideas

113 points by losfair, almost 3 years ago

19 comments

vjaswal, almost 3 years ago
As another commenter noted, there's a general internet standard defined already for cryptographically timestamping and signing digital artifacts, like JARs, PDFs, dotNet assemblies, and many others.

https://datatracker.ietf.org/doc/html/rfc3161

Many large certificate issuing orgs run timestamping authority servers. Tools like Java jarsigner, Adobe Acrobat, and many other tools are designed to work with them. Search for "rfc3161".

philips, almost 3 years ago
I love these sorts of hacks. In fact I did something similar with a project called rget[1]. Two thoughts:

1. My project got politely asked to not use the CT log and Let's Encrypt infra this way. Since you are only doing it every 12 hours you might be ok.

2. Sigstore[2] seems like it might be a good match and their infra is designed for lots of small fast one off sigs.

[1]: https://merklecounty.substack.com/p/rget-a-secure-download-user-story

[2]: https://sigstore.dev

eps, almost 3 years ago
Alternatively, every large CA maintains a public TSA server (time-stamping authority), because it's an integral part of the code signing framework. These are meant for high loads, so they can be used to sign each document individually.

https://en.wikipedia.org/wiki/Trusted_timestamping#Trusted_(digital)_timestamping

kanzure, almost 3 years ago
There's also https://opentimestamps.org/ for timestamping into the bitcoin blockchain using a 'calendar aggregation' concept. Clients get back a merkle tree of hashes that can be used to show inclusion in a published hash on the blockchain.

I've been using opentimestamps/ots for a few years now. It can be used to show a specific version of a file existed as early as the proof date. Unfortunately the only other value seems to be showing that if you had doctored a file then that happened at least as early as the timestamp and not later.

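The aggregation idea in the comment above, as an added example that is not part of the thread and is not OpenTimestamps' code or proof format: many document hashes are folded into one Merkle root, only the root is published, and each client keeps a short path proving its hash is under that root. The `0x00`/`0x01` hash prefixes, the promote-unpaired-node rule and the sample notes are assumptions made for this sketch.

```python
import hashlib
import hmac

def leaf_hash(document: bytes) -> bytes:
    # 0x00 / 0x01 prefixes keep leaf and interior hashes distinct (assumed scheme).
    return hashlib.sha256(b"\x00" + document).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_proof(leaves, index):
    """Aggregate leaf hashes into one root; return (root, path) for leaves[index].

    path is a list of (sibling_hash, sibling_is_left) from leaf level upward.
    """
    if not 0 <= index < len(leaves):
        raise ValueError("index out of range")
    level, path = list(leaves), []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):  # an unpaired last node is promoted as-is
            path.append((level[sibling], sibling < index))
        level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def verify_inclusion(document: bytes, path, published_root: bytes) -> bool:
    """Recompute the root from the document and its path; compare to the anchor."""
    acc = leaf_hash(document)
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return hmac.compare_digest(acc, published_root)

# Constructed sample: five private notes submitted in one aggregation round.
DOCS = [b"idea %d" % i for i in range(5)]
LEAVES = [leaf_hash(d) for d in DOCS]

if __name__ == "__main__":
    root, path = build_proof(LEAVES, 2)
    print("published root:", root.hex())
    print("original verifies:", verify_inclusion(DOCS[2], path, root))
    print("edited copy verifies:", verify_inclusion(b"idea 2 (edited)", path, root))
```

Only the root needs to be anchored publicly; the documents and the other submitters' hashes stay private, and any later edit to the document changes its leaf hash so the path no longer reaches the published root.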
dlor, almost 3 years ago
A bunch of comments below indicated that this is technically an abuse of the CT logs. Feel free to use Sigstore instead for this, it's basically the same architecture as CT logs except we officially support and endorse this use case.

https://www.sigstore.dev/

sam_lowry_, almost 3 years ago
Abusing CT log is unethical.

For practical purposes DKIM signatures in emails would do the trick.

Write an email to yourself, or to someone you trust; its DKIM will include the timestamp and it can be verified publicly.

RicoElectrico, almost 3 years ago
In Poland you can use "podpis zaufany" to sign a file, which also records the date of signing. The only thing you need is a bank account which was verified using your physical ID. The best UX, I think, is with PDF files - others are encapsulated in an XML Base64 container. Everyone can verify a signature with no account necessary.

headsoup, almost 3 years ago
I'm not sure what the value proposition is here. Is the idea that you want to use this later to tell others you had the idea first, or to protect your IP?

If so, I could definitely see people noting every conceivable idea they can imagine to claim rights later

... Otherwise, is it because I don't trust my past self to be accurate?

Or to prove to 3rd parties you absolutely did what you said you did at a time? In which case it's not private.

RcouF1uZ4gsC, almost 3 years ago
One other thing you can do for resilience, is periodically (say every 6 months or so) take out a full page ad in The NY Times with the hashes.

These newspapers tend to be archived all over the world by multiple people, and are another way to provide proof that something was published by a certain date.

nstart, almost 3 years ago
For anyone who's interested in a quick and dirty way to do it, I just post the sha256 to Twitter/some public forum and reveal when I feel like it

productceo, almost 3 years ago
Seems like an interesting problem, but I have zero background knowledge. Could you share who would use this and why?

lichtenberger, almost 3 years ago
As far as I understand there's also Zeitgitter[1], to provide similar proof.

[1] https://github.com/zeitgitter/zeitgitterd

Trufa, almost 3 years ago
The only thing I don't get, and forgive me if it's a dumb question, what's the difference with say sending yourself an email/making a github repo/entry/any timestamped note?

arvindsgulati, almost 3 years ago
This could be implemented via blockchain too, wherein you can prove that you had posted the idea before a certain block was mined. Timestamping blocks can be done via schilling coin based oracle.

greenhorn123, almost 3 years ago
In other news: employees of letsencrypt have unexpected windfall due to their massive library of prior art, which they are apparently willing to nix after suitable payment has been received.

anilgulecha, almost 3 years ago
This is a good hack, even with some very light abuse (once per 12 hours) of CT logs.

I don't see the need to build new tech though. It should be trivial to build a CRUD layer over git repo (which uses a merkle tree DAG) - and you get public logs to boot, including simple hosting and wide tooling. Immutable commits maintained in a public tree. This could also be combined with the above hack (using commit id).

mleonhard, almost 3 years ago
I'm working on a text-based protocol for making and verifying timestamps of documents and live-streams. It uses SHA3-512 only. https://github.com/mleonhard/tokimark

pearjuice, almost 3 years ago
How is this better than hashing a txt document with a claim which has a timestamp in it?

shasum -a 512 filewithtimestamp.txt

jschveibinz, almost 3 years ago
I like this concept! Good luck with this.