This is a website for generating trusted timestamps. Trusted timestamps can prove a specific piece of data existed in that exact form at a given time (and has not been altered since). Among its applications, this can be useful for scientific data integrity and transparency.
There are three timestamping options from this website: "Timestamp File", "Timestamp Directory" and "Timestamp Hash". The first two timestamp a file or a directory on the local system. The third timestamps an existing hash digest.
The data to be timestamped is processed locally by the web browser, and a hash digest is calculated. This digest, which contains no details or information about the originating data, is sent to a server through a Web API that timestamps the digest against several public timestamp authority servers in compliance with RFC 3161 using the OpenSSL library and its timestamping commands.
The timestamp generated by the server is then:
There are a number of uses of trusted timestamping. Most scientific-related uses involve asserting data integrity. This can be experimental scientific data or sections of an electronic lab notebook.
A researcher may want to prove that a given piece of data has not changed since it was collected. This could be useful to prove data integrity during publication, even years later. It can also be used to prove conception/invention dates of new scientific ideas/methods/tools/etc.
There are minimal limited data privacy concerns with this trusted timestamping website. Data never leaves your local computer. The hash digest is calculated locally by the web browser via the JavaScript Crypto library using SHA-256. SHA-256 is a one-way operation that yields a unique number (one of 2^256 possibilities) generated by the original input data. This algorithm cannot be run in reverse to generate the original data, and it is effectively impossible to find a different piece of data that yields the same digest.
For these reasons, there is no data privacy risk in sharing the digest, or even making it public (as this service does, at the timestamp record repository). The digest is the only item sent to the server, and there is no additional information actively gathered. The digest does not identify the data or the user in any way, unless the data owner voluntarily reveals the data themselves.
The only potential privacy concern is the possible loss of confidentiality of the owner of the digest. Since this website is a web service, client connection information, such as IP address and time of connection are automatically logged. This website runs as a cloud service on Google Cloud Platform in the United States and logs all client connection information for 400 days as part of the required logging policy. This should not be a concern for most scientific applications. A VPN service can mask the client computer's IP if greater anonymity from these logging policies is desired.
There is no obligation to use this web service to generate timestamps. Timestamps can be generated locally without the web service using the openssl wrapper scripts available at github.com/bil/timestamping. The scripts in this repository are used by this web service to generate its timestamps.
One additional benefit of using the web service is that it acts as an Evidence Recording Authority which can provide long-term validation of otherwise limited lifetime timestamps (explained further in the FAQ on expiration).
The software for this web service and timestamping framework is released under an open source license, specifically the AGPL v3. All code is available at the timestamping repository. This openness is both important for scientific transparency and furthers scientific progress.
There is no cost to using this web service. It is provided free of charge to the scientific community (and general public).
These timestamps are generated by an open standard and use public key infrastructure based on X.509 certificates (the same as HTTPS used for encrypted web browsing). While these timestamps are relatively long-lived, they are not valid forever, and will expire when one of the certificates associated with the timestamp expires or is revoked. In either scenario, the timestamp, on its own, is no longer valid.
This timestamping web service takes measures to ensure that timestamps remain valid even after the associated certificates have expired or were revoked. This web service publishes all new timestamps daily on a publicly-visible record repository, which is based on git. Git uses a Merkle tree to store and update all changes to the repository. Each version of the repository is hashed and has a unique SHA-1 digest. This digest is timestamped using this framework and added the record repository, appearing as a separate commit (see example timestamp commit), similar to a prior git-focused trusted timestamping framework. So long as the repository digest is regularly timestamped, this approach provides long-term validation of prior timestamps even after their respective certificates expire. In this manner, the web service and timestamp record act as an Evidence Recording Authority by notarizing all new (and prior) timestamps daily, as recommended by RFC 3161 Section 4.3.
While there is no specific requirement to trust this timestamping web service to generate trusted timestamps, all attempts at transparency are made. All code, from the timestamping OpenSSL wrapper scripts to the web services (front and back ends), are released as open source software under the AGPL v3 license and made available at github.com/bil/timestamping. Alternatively, timestamps can be generated locally and stored privately. Long-term validation can be achieved by maintaining a private, timestamped git repository of timestamp records. This web service serves as a reference example and provides a convenience for those who do not wish to deploy their own services.
This service was made by Prof. Paul Nuyujukian who directs the Brain Interfacing Laboratory. This service was developed because of the identified need to timestamp scientific data and the scientific record, but there did not exist an easy way to do so. While public RFC3161 timestamp servers have been around for years, the tools for generating timestamps, especially ones with long-term validation, were not readily accessible, particularly to individuals with limited programming and systems administration background. This web service addresses this unmet need for the scientific community.