Cornell Researchers Unveil a Virtual Notary

First time accepted submitter el33thack3r writes "We've all wanted a trustworthy record of an online factoid, whether it's your official employment status, a tweet someone made or the hash of an open-source distribution to protect it from tampering. A group of Cornell researchers have just unveiled a service called Virtual Notary that can serve as a witness to online factoids. The service is useful for inventors who want to timestamp an invention disclosure, for people who are seeking an officially random number selected for a raffle or crypto protocol, for web services that want a record of a user's email address, and for many other use cases. The service is free and the researchers are seeking community input on other online factoids of interest. What would you like notarized online?" The concept is interesting, but some of the items they've chosen as examples seem well documented elsewhere, such as historical exchange rates and stock prices.

Re:

[flimflammer]

News for news sounds boring anyway.

Re:

[icebike]

Actually, no. Bitcoin is simply one of the methods used to record the notary log chain value into a long lived form. Bitcoin isn't central to this in any way.
The methodology is far less compute intensive than the mining methodology in bitcoin. If it weren't it couldn't keep up.

Virtual Notary publishes the hash of the log every time a certificate is issued. They also tweet this value. They could have as well used any other method that leaves a long standing record, even engraving it in metal and handing t

Not ready for prime time

[LVSlushdat]

Looks like its not ready for prime time... it blows up with

AttributeError at /vnotary/dispatch/emailverify/input/
'module' object has no attribute 'choice'

Re:

[Emin Gün Sirer]

Thanks, fixed!

Reminds me of the old UK Timestamper

[mlts]

A long time ago, there was a site in the UK which would make a PGP signed timestamp of anything mailed to it (within reason). The site also published the hashes of everything stamped every week just to ensure nothing got tampered with. Of course, it means nothing legally, but as far as I remember, it never got compromised, so in theory, the timestamps it made could be considered usable.

This virtual notary appears to be as secure, with the hashes posted on Twitter.

Re:Reminds me of the old UK Timestamper

[heypete]

For those who are interested, the service you're referring to is likely http://www.itconsult.co.uk/stamper.htm [itconsult.co.uk].

Re:

[icebike]

Interesting, but not the same as this service.

With that service each stamp stands alone. With this service each Notary log value validates itself and all preceding values.
If the Stamper service goes off line, its useless. With this service the existence of any later log value validates your log value even if Cornell goes titsup.

Re:

[Anonymous Coward]

There are other things out there, this isn't new:
https://en.wikipedia.org/wiki/Trusted_timestamping [wikipedia.org]

Re:

[DERoss]

That service is still operating. I used it over 10 years ago to establish priority for a business concept that I then presented to my employer.

All that is needed is a detached digital signature -- via an OpenPGP application, such as PGP or Gnu Privacy Guard (GPG) -- for the file in question. The signature file is E-mailed to the PGP Digital Timestamping Service as described at http://www.itconsult.co.uk/stamper.htm [itconsult.co.uk]. The service digitally signs the signature file, creating another detached signature that

Re:

[mlts]

It is good to have it still up as a resource. Multiple, independent timestamping services might be enough proof for something, although a judge and a jury will more likely look at a physical notary seal and a signature with more regard than even the best cryptography and secured atomic clock.

Re:

[icebike]

Maybe, but notary seals are far easier to disappear (or fake), and validating one from 100 years ago is virtually impossible. It becomes a matter of blind faith.

This Virtual Notary has the ability to become just as legal as a physical seal, because every subsequent notary issued validates all prior ones.
It will have to be mathematically proven to work, but should that happen, and nobody can fake one over time, I could see this being used for a lot of digital document signing.

The problem I see with it is in

Re:

[Emin Gün Sirer]

Cool service! Note that Virtual Notary also embeds the hashes in the Bitcoin public ledger. I kind of like this part of the implementation, partly because it's hacky and partly because it does something useful with Bitcoin.

"factoids of interest"

[Dystopian Rebel]

A factoid is not a fact.

http://en.wikipedia.org/wiki/Factoid [wikipedia.org]

The only "factoid of interest" is that Slashdot may have editors.

Re:

[Ibiwan]

Nice factoid about factoids. But, by your own link, the word has come to be used also to refer to "true but useless facts" -- like this one!
http://en.wikipedia.org/wiki/Factoid#Other_meanings [wikipedia.org]

Re:

[EvanED]

Why would you get a useless fact notarized?

No, here's is being used as "a small fact", which doesn't even meet the alternative definition you cite.

Re:

[JoeInnes]

The SECOND sentence in your link refutes your point.

Re:

[Hovden]

Agreed. Factoid is not a fact but presents itself like one. -oid is a suffix meaning “resembling,” or “like,”. For example, humanoid is human like, but not actually human. There is a tiny blog dedicated to writing factoids: http://defactoid.net/ [defactoid.net] . You will find them believable, but absolutely untrue.

Re:

[Hovden]

Get THIS fact notarized: the correct definition of factoid.

Re:

[icebike]

Bitcoin is not central to Cornell's system. It is just ONE method of making public the current value of the log entry.

Every holder of a Notary value also validates all prior notary values.
Don't get hung up on the bitcoin part. Its not really germane.

Hold up in court?

[s1d3track3D]

Seems like a great idea but would this actually hold up in court?

Re:

[kermidge]

Seems could be of some use for not just musicians but writers and photogs, possibly bloggers and reporters.

Re:

[FreshnFurter]

Not only that. It is also important for scientists and inventors.
It allows to time stamp ideas. I just did one with one of my articles in draft form. Yes it is not ready to release to the public but the idea is solid. So having a version of this notarized would be interesting to see how this affects patenting, without going through the terrible long process of submitting and waiting. Also junior scientists working in a lab can timestamp their contributions.

Re:

[kermidge]

Nice; even nicer if those junior Tom Swifts could get some credit for their work.

Notaries

[VGPowerlord]

The point of a Notary Public is that it's a trusted person representing the government doing the notarizing.

Something this service isn't.

Re:

[icebike]

It's not as much that they are a trusted person, but that they are a neutral third party.

This neutrality is often in question.
Virtually every Real Estate company in the US has a pet notary public on staff, as do many larger bank branches,
and they notarize all sorts of business documents to which their own employer is a party.

At best, these certify that the Notary's numbered seal on a document can be traced to someone who witnessed
the signing, and that person' should have a log. But that log can't always be found, and even when it can,
all the notary can testify to is that the seal matches the l

Re:

[icebike]

Posting as AC you are trying to make it seem like you exist, but in reality, you don't.

Re:

[Emin Gün Sirer]

The Internet has really changed the game here. What does a trusted person mean in a global context? More importantly, what exactly is the global entity that would declare a person to be trusted? If you've ever had to deal with international notarization, you'll know that the best that the current system can offer is a system of irregular local standards, glued together through Apostilles on dead trees. These are at best inefficient, though archaic would probably be a more accurate description.

Changing tha

Re:

[icebike]

Bitcoin plays no central part of this, and does not add any trust to the hash.

Each hash validates every prior hash, and bitcoin adds nothing.

Re:

[mlts]

Easy fix: Timestamp a list of document hashes of both the file and the file's size. For example, MD5 hash, SHA1, SHA2, and SHA3. One has might be forgable, but it will be extremely difficult for someone to make a new document of the same exact size, but have all the hashes match.

Using this method, the timestamper has zero knowledge of what is in the document, not even how big it is. All they can tell is if a subsequent document was the same as a previous one that went through their system.

Do they even know what notarizing is?

[frovingslosh]

Pure nonsense. And I actually looked at the link this time, not just the /. summary. From the website: You select a factoid that you would like notarized. We check that factoid, create a record of it that you can refer to later, and issue you a cryptographically-signed certificate that attests to that factoid.

That has nothing to do with notarizing. Notarizing is about witnessing and confirming that you (the signer of a document) are who you say you are. It has nothing to do with the the accuracy of th

Re:

[Emin Gün Sirer]

If you were to look at the subsection called "Truth vs. Notarization" in this link in the article [hackingdistributed.com], you'll find much of the same points made.

Re:

[icebike]

It documents the fact that there was something recorded (they make a perpetual copy of some digital thing) on a date and time specific.
It doesn't really matter to them what it was, or who you are. It merely proves the existence of the digital item on a date in the past

A notary can't notarize a digital version of anything. It only works for paper documents.

When someone steals you software 5 years from now, and you have a Cornell Notarization number for that digital file dated today, you have a third party s

Re:

[Chelloveck]

They don't check the accuracy of the factoid. They're just attaching a timestamp and their digital signature to whatever factoid you give them. You can later use this to prove that the factoid was a particular byte string at a particular time. (Though I'm not sure the level of "proof" this is, unless they're willing to appear in court and testify that the timestamp is accurate.)

The language on their website is very misleading.

Ummm...

[fuzzyfuzzyfungus]

Am I missing something that makes this idea different from RFC3161 [ietf.org]?

Ever since the invention of cryptography capable of 'signature', 'virtual notary' has merely been a matter of finding somebody you'd actually trust to be a notary, and then having them sign stuff. If you give them a clock, you can even have 'trusted' timestamps!

The bigger trick, and something that would actually be worth writing home about, is doing this without trusting somebody who almost certainly doesn't deserve it.

Re:

[Emin Gün Sirer]

There are quite a few ways in which RFC3161 falls short of what someone might want:

• 1. This particular online notary differs from previous online notaries in that it can issue statements based on its own view of factoids on the Internet. So it can issue statements like "from the VN's vantage point, the DNS A record for domain X is Y." In contrast, a timestamp service only issues statements of the form "at time X, client Y said Z."
• 2. VN is a concrete implementation whereas RFC3161 is only a protocol spe

Re:

[icebike]

Your point 4 is wrong.

Bitcoin and twitter are not central to the prevention of rollbacks. The mere existence of any single key validates all prior keys, therefore
once created a new keyvalue prevents roll back of ALL prior values.

Twitter and Bitcoin are merely good public records. They lend no strength to the methodology.
You could hack their twitter account and post a bogus key, but said bogus key would be immediately falsifiable based on the key itself.

Re:

[icebike]

He was explaining it wrong, and contradicting his own web page.

History repeating

[skaag]

Yah well, I created something exactly like this back in 2004 called robonotary.com but the lack of interest was very palpable and I was no longer motivated to pursue it.
(still own the domain).

Re:

[EvanED]

The domain existed, but Twitter didn't. Not really. Twitter wasn't created until 2006 [wikipedia.org], and they bought the domain twitter.com for $7500 in that year [domainnamewire.com].

Re:

[EvanED]

This is really only useful as proof that you knew something that's resistant to guessing lots of times (Like some specific description of an event, a long private key, etc).

That's still really useful, you know. For example, suppose you take a photo of some damage when you move into an apartment or something, and want a third party to be able to attest that you took it when you moved in instead of moved out.

As they explain in the FAQ, they can't really attest to the truth of something for obvious reasons, bu

How does it works?

[manu0601]

It seems to always use an online source. For instance, real estate certification is done using data from Zillow [wikipedia.org], an online service I did not know before reading that news.

It means it is not real estate certification, but certification of what Zillow says on real estate

How about Virtual Witness for live-aloners?

[ivi]

Elderly folks & maybe younger singles who want to live -safely- in their own homes longer, even after a spouse passes on, need protection from scammers who visit & try to defraud them out of money, etc.

If they record people who telemarket, show-up on their door steps to sell and/or just won't take no for an answer, in such a way that they recording are uploaded to Virtual Witness or (today) Virtual Notary for a time-stamp, etc., ie, whatever might be needed to make it usable in court, could have it

high concept but useless

[JimtownKelly]

Most of my needs for notarized docs are overseas, where chops, ribbons, big stickers, and all sorts of other bureacratic crap are necessary for validation. I hope these guys are able to get the credibility they need for this project to succeed, but am initially skeptical in light of all the big governments everywhere.

This is about the stupidest thing for inventors

[tlambert]

This is about the stupidest thing for inventors.

In most countries other than the U.S., where you have a year from first public disclosure to file for a patent, disclosure automatically nullifies your ability to file for patents.

Re:

[FreshnFurter]

You are mistaken it is not disclosure. You just have proof that the document you produced, which only you can see, was certified to be generated on that day. It can be used if there is a dispute on prior knowledge. Let's say that you a Non disclosure agreement with someone and the topic is whatever you wanted to patent so they tell you what you wanted to patent. Then you have proof that you thought of this prior to the NDA. This could be important.

I thought a "factoid" ...

[dbIII]

I thought a "factoid" was supposed to be something that looked like a fact but wasn't, but was a more polite way of saying "a lie that's been pulled out of the void at moments notice but sounds plausable".

Won't Work

[coofercat]

http://virtual-notary.org/log/33fe2f36-ea0f-4658-ac5b-7433c4403345/ [virtual-notary.org]

You heard it here first - anyone else saying the same thing just copied me ;-)