Third party timestamps #13
named-dodo started this conversation in Ideas
Media signed with a VIDA record cannot be trusted if the corresponding private key leaks.
This is because adversaries can take the private key and sign any media while backdating the recorded timestamp.
To combat this, you can add a second VIDA record which only attests that the media is from before a certain date.
If the first private key is then leaked and revoked after that date, the media will still be valid due to the second signature.
(Because you can't fake the first signature without invalidating the second one.)
This process is called timestamping.
There are a few implementation and specification questions:
Some extra info:
There is an RFC for trusted timestamping: https://www.rfc-editor.org/rfc/rfc3161
And it seems that at least DigiCert has a (public?) timestamping service:
https://knowledge.digicert.com/general-information/rfc3161-compliant-time-stamp-authority-server
Sectigo also provides one: https://www.sectigo.com/resource-library/time-stamping-server
Let's Encrypt does not, as far as I can tell.
Setting up our own public timestamping server might also be an option?
Originally posted by @named-dodo in https://github.com/hackerfactor/VIDA/discussions/4#discussioncomment-10022159
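The verifier-side rule the post describes, as an added example that is not part of the original post or of the VIDA project: a signature from a revoked key is accepted only if a third-party timestamp covers that exact signature and predates the revocation. Assumptions: the record layout and the names `sign_media`, `timestamp` and `is_trusted` are hypothetical, and HMAC-SHA256 stands in for real public-key signatures so the code runs with the standard library alone.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def _mac(key, *parts):
    # HMAC-SHA256 stands in for a public-key signature (assumption; stdlib only).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def sign_media(signer_key, media, claimed):
    """Stand-in for the first record: signer asserts media hash and a time."""
    digest = hashlib.sha256(media).digest()
    return {"time": claimed, "sig": _mac(signer_key, digest, claimed.isoformat().encode())}

def timestamp(tsa_key, record, now):
    """Stand-in for the second record: a third party attests the signature existed at `now`."""
    imprint = hashlib.sha256(record["sig"]).digest()
    return {"time": now, "imprint": imprint,
            "sig": _mac(tsa_key, imprint, now.isoformat().encode())}

def is_trusted(media, record, token, signer_key, tsa_key, revoked_at=None):
    digest = hashlib.sha256(media).digest()
    expected = _mac(signer_key, digest, record["time"].isoformat().encode())
    if not hmac.compare_digest(expected, record["sig"]):
        return False  # first signature does not match this media
    if revoked_at is None:
        return True   # key never revoked: the first signature is enough
    if token is None:
        return False  # revoked key and nothing independent proves the signing date
    tsa_expected = _mac(tsa_key, token["imprint"], token["time"].isoformat().encode())
    covers_sig = hmac.compare_digest(hashlib.sha256(record["sig"]).digest(), token["imprint"])
    return (hmac.compare_digest(tsa_expected, token["sig"])  # token is authentic
            and covers_sig                                    # and covers THIS signature
            and token["time"] < revoked_at)                   # from before revocation

def demo():
    utc = timezone.utc
    signer_key, tsa_key = b"constructed-signer-key", b"constructed-tsa-key"
    revoked = datetime(2024, 6, 1, tzinfo=utc)  # constructed revocation date
    genuine = sign_media(signer_key, b"genuine media", datetime(2024, 1, 10, tzinfo=utc))
    token = timestamp(tsa_key, genuine, datetime(2024, 1, 10, 0, 5, tzinfo=utc))
    # Record made after the leak with the revoked key, carrying a backdated time.
    backdated = sign_media(signer_key, b"other media", datetime(2024, 1, 10, tzinfo=utc))
    check = lambda m, r, t: is_trusted(m, r, t, signer_key, tsa_key, revoked)
    return {"genuine": check(b"genuine media", genuine, token),
            "backdated_no_token": check(b"other media", backdated, None),
            "backdated_reused_token": check(b"other media", backdated, token)}

if __name__ == "__main__":
    print(demo())
```

Only the record that was timestamped before the revocation date survives; the backdated record fails both without a token and with a token borrowed from the genuine record, because the token's imprint is bound to the original signature bytes.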