|
205 | 205 | } |
206 | 206 | </pre> |
207 | 207 |
|
208 | | -With this approach, the WACZ contains just enough to validate that they |
209 | | -signature with the `publicKey`. |
| 208 | +With this approach, the WACZ contains just enough to validate the signature with |
| 209 | +the `publicKey`. |
210 | 210 |
|
211 | 211 | To validate authorship of the WACZ, external key management is required, and |
212 | 212 | this signature is otherwise anonymous. |
|
243 | 243 | The creator of the WACZ file is the same as the owner of a particular TLS |
244 | 244 | certificate, which can be explored via Certificate Transparency logs. |
245 | 245 |
|
246 | | -This approach also includes an RFC 3161 timestamp server `timeSignature` of the |
247 | | -first `signature`. |
| 246 | +This approach also includes an [[RFC3161]] timestamp server `timeSignature` of |
| 247 | +the first `signature`. |
248 | 248 |
|
249 | 249 | The `timeSignature` includes the timestamped and is designed to further |
250 | 250 | guarantee that the signature was created close to the specified creation time. |
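Review bot: The context sentence at line 249, directly below the changed lines, reads "The `timeSignature` includes the timestamped and is designed to", which is missing its noun. Since this commit is already a wording pass over the paragraph, fix it here as well (presumably "includes the timestamp"). The rewritten sentence at lines 246-247, "timestamp server `timeSignature` of the first `signature`", is also hard to parse; something like "a `timeSignature` issued by an [[RFC3161]] timestamp server over the first `signature`" reads more clearly.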
|
291 | 291 | 5. Sign the hash using its private key to generate the first signature |
292 | 292 | (signature) |
293 | 293 |
|
294 | | -6. Use an RFC 3161 timestamp server to sign the previous signature |
| 294 | +6. Use an [[RFC3161]] timestamp server to sign the previous signature |
295 | 295 | (timeSignature) |
296 | 296 |
|
297 | 297 | This approach is based on a 'trusted-third party' which securely creates and |
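Review bot: Step 6 at line 294 says the timestamp server signs "the previous signature" but does not say what is actually submitted to it. An RFC 3161 request carries a hash of the data (the message imprint), so the step should state which encoding of `signature` is hashed and with which algorithm, so that a verifier can recompute the same imprint when checking `timeSignature`.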
|
340 | 340 | certificate. |
341 | 341 |
|
342 | 342 | 6. Read the first certificate of `timestampCert` certificate chain and validate |
343 | | -that the `timeSignature` is a valid RFC 3161 timestamp signature of `signature` |
| 343 | +that the `timeSignature` is a valid [[RFC3161]] timestamp signature of `signature` |
344 | 344 |
|
345 | 345 | 7. Validate that the `created` date is within 10 minutes of the signed timestamp |
346 | 346 | in `timeSignature` |
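Review bot: Step 6 at lines 342-343 checks `timeSignature` against the first certificate of the `timestampCert` chain, but the lines shown do not say what that chain itself has to validate to. If `timestampCert` is supplied alongside the signature, the step should name the acceptance rule for the timestamp authority certificate (trusted roots or a pinned authority), otherwise the check in step 7 rests on a timestamp from an unverified signer. Minor: the new line 343 is 82 columns while the other re-wrapped lines in this commit stay within 80, and the step has no terminating period.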
|
382 | 382 | domain-name identity + timestamp approach. This library uses the LetsEncrypt |
383 | 383 | service to generate a domain certificate on-demand, and the |
384 | 384 | [FreeTSA](https://freetsa.org/index_en.php) timestamping service to generate an |
385 | | -RFC 3161 timestamp. |
| 385 | +[[RFC3161]] timestamp. |
386 | 386 |
|
387 | 387 | * The [py-wacz](https://github.com/webrecorder/py-wacz) CLI tool can be used to |
388 | 388 | generate and validate WACZ file with domain-name identity + timestamp, by either |
|