It is desirable to be able to determine that a version of data, such as a document, is the most recent. For example, consider an electronic document D, which may be obtained via the Internet. If D were digitally signed (e.g., by a recognized authority), a user may be sure of its authenticity. However, even if the document is digitally signed, the user cannot be sure whether somewhere else on the Internet a more recent, or more recently modified, version of the document exists. This is a fundamental problem, in particular for the Internet, where documents may be easy to find (e.g., via powerful search engines), though there may be no practical way to tell whether any of the documents may have already become "obsolete."
One way to handle this, assuming the existence of an entity A who knows when D becomes obsolete, is for a party P to ask A about D in order to determine whether D is current. However, if P relies on D's currentness to take some important action (e.g., one carrying considerable financial consequences), then just being told that D is up-to-date may not be enough, because P may wish to ensure that he has indeed talked to A, and because P may wish to archive a proof that D was up-to-date when he relied on its being current. Both concerns could be addressed by use of digital signatures (such as RSA).
Recall that digital signatures are data strings produced via a signing key, SK, and verified via a matching verification key, PK. A user U should keep his own SK secret (so that only U can sign on U's behalf). Fortunately, key PK does not "betray" the matching key SK; that is, knowledge of PK does not give an enemy any practical advantage in computing SK. Therefore, a user U should make his own PK as public as possible (so that everyone can verify U's signatures). For this reason PK is preferably called the public key.
To use digital signatures to prove the currentness of a document D, A may, in response to a query of P, compute a digital signature S indicating that D was current at time T: in symbols, S = SIG_A(D, "current", T). Of course, rather than the word "current" another indication can be used, including no indication (for instance, if the digital signature is only ever used to indicate that D is indeed current).
If party P verifies that S is correct and that T is in accordance with his own clock, he may safely rely on the currentness of D. Notice that such a proof of D's currentness may be archived by P for future use, and can be verified by any third party, in particular one charged with verifying that P indeed relied on a current version of D. In fact, to verify A's signature, one only needs to know A's public key, which may be widely publicized. Though very simple, this approach is rather impractical for a number of reasons.
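The exchange just described, as an added example that is not part of the original text or of any system it describes: A signs the statement (D, "current", T), P verifies it under A's public key and checks T against his own clock, and a later auditor re-runs the same check with the time at which P acted in place of the current time. Ed25519 is assumed as the signature scheme (the text's example is RSA), SHA-256 is assumed as the document digest, and the document, the clock-skew tolerance of five minutes, and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// The indication A includes in the signed statement; the text notes that any
// marker (or none) could be used, as long as A and P agree on it.
const indication = "current"

// encodeStatement builds the byte string that A signs and P re-derives:
// SHA-256(D) || len(indication) || indication || T as a big-endian Unix time.
// Fixed-width fields make the encoding unambiguous, and hashing D keeps the
// signed message short regardless of the document's size.
func encodeStatement(doc []byte, t time.Time) []byte {
	digest := sha256.Sum256(doc)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t.Unix()))
	msg := make([]byte, 0, len(digest)+1+len(indication)+len(ts))
	msg = append(msg, digest[:]...)
	msg = append(msg, byte(len(indication)))
	msg = append(msg, indication...)
	msg = append(msg, ts[:]...)
	return msg
}

// CurrentnessProof is what P archives: the time T that A vouched for, and
// S = SIG_A(D, "current", T). D itself is kept separately by P.
type CurrentnessProof struct {
	T   time.Time
	Sig []byte
}

// NewResponderKey generates A's key pair (Ed25519 is assumed here as the
// signature scheme). SK stays with A; PK is published as widely as possible.
func NewResponderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return pk, sk
}

// SignCurrent is A's side of the exchange: answer P's query about doc with a
// signed statement that doc was current at time t.
func SignCurrent(sk ed25519.PrivateKey, doc []byte, t time.Time) CurrentnessProof {
	return CurrentnessProof{T: t, Sig: ed25519.Sign(sk, encodeStatement(doc, t))}
}

// VerifyCurrent is P's side (and a later auditor's): the signature must verify
// under A's public key alone, and T must agree with the verifier's clock to
// within maxSkew. An auditor checking an archived proof passes, as now, the
// time at which P acted on doc rather than the time of the audit.
func VerifyCurrent(pk ed25519.PublicKey, doc []byte, p CurrentnessProof, now time.Time, maxSkew time.Duration) error {
	if !ed25519.Verify(pk, encodeStatement(doc, p.T), p.Sig) {
		return errors.New("signature does not verify under A's public key")
	}
	if d := now.Sub(p.T); d > maxSkew || d < -maxSkew {
		return fmt.Errorf("signed time %s is not in accordance with the verifier's clock %s",
			p.T.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	pkA, skA := NewResponderKey()
	doc := []byte("Constructed sample document D, version 3") // constructed input
	now := time.Now()
	skew := 5 * time.Minute

	proof := SignCurrent(skA, doc, now)
	fmt.Println("fresh proof:", VerifyCurrent(pkA, doc, proof, now, skew))

	// Tampered document: a proof for D must not carry over to a modified D'.
	fmt.Println("tampered D :", VerifyCurrent(pkA, append(doc, '!'), proof, now, skew))

	// Replay: a proof that was valid yesterday says nothing about D today,
	// but an auditor checking it against yesterday's reliance time accepts it.
	old := SignCurrent(skA, doc, now.Add(-24*time.Hour))
	fmt.Println("stale proof:", VerifyCurrent(pkA, doc, old, now, skew))
	fmt.Println("audited    :", VerifyCurrent(pkA, doc, old, now.Add(-24*time.Hour), skew))

	// Wrong signer: a well-formed response not signed by A is rejected.
	_, skImpostor := NewResponderKey()
	forged := SignCurrent(skImpostor, doc, now)
	fmt.Println("forged     :", VerifyCurrent(pkA, doc, forged, now, skew))
}
```

The clock check is what makes the proof a statement about currentness rather than mere authenticity: without it, an old response S from A could be replayed indefinitely for a document that has since become obsolete, which is exactly the situation the text is trying to rule out.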
In the first place, P needs to access A at the very time at which it needs to rely on D. Connection at the time of transaction, however, is a demanding requirement. Secondly, digital signatures are time-consuming to generate. Even at 5 milliseconds per signature, A could not service more than 200 currentness requests per second, while it may be in charge of millions of documents that may be relied upon by millions of users, who may generate far more requests per second.
Another drawback is that, if A uses a single server to answer all document currentness queries, then all such queries would eventually have to be routed to this unique server, which may then become a major "network bottleneck" and cause considerable congestion and delays. If huge numbers of relying parties suddenly queried this server, a disrupting "denial of service" would probably ensue. To prevent the bottleneck problems of centralized implementations, A may consider distributing the request load (about the currentness of its documents) across several, properly certified, responders. In general, distributing the load of a single server across several (e.g., 100) servers, strategically located around the world, alleviates network congestion. (Note that if these servers were not geographically dispersed, no significant advantage would be gained: millions of requests sent to the same address co-locating 100 responders would still result in huge congestion.)
In the present case, however, load distribution may introduce worse problems than those it solves. In fact, in order to provide digitally signed responses to the document-currentness queries it receives, each of the one hundred responders would need its own secret signing key. Thus, compromising any one of the one hundred servers could effectively compromise the entire currentness system. Indeed, if a responder were compromised, an attacker could use the discovered secret signing key to sign responses indicating that (1) current documents are obsolete, or (2) obsolete documents are still current.
A secure way to prevent a responder from being compromised is to run it from a secure vault, with 24×7 surveillance. Unfortunately, this is a costly option. A truly secure vault, meeting all the requirements of—say—a financial organization, may cost over $1M to build and $1M/year to operate. Even if an organization were willing to pick up such expenses, vaults cannot be built overnight: armored concrete does not scale. Thus if A needed a few more vaults to lessen the load of its responders, it might have to wait for months before a new one could be constructed.
Moreover, incurring the costs of multiple vaults may not solve the security problems of the envisaged mechanism. This is because this mechanism requires that a responder receive requests coming from un-trusted sources (the relying parties) and then service them using its secret signing key. A malicious relying party (or a malicious agent posing as a relying party) might thus prefer exposing the responder's signing key by exploiting a possible weakness in the underlying operating system, rather than by drilling holes during the night through an armored-concrete wall. In sum, even if a truly secure building housed a responder, its secret key could still be compromised by a software attack. To a sophisticated, digital enemy, the envisaged mechanism transforms a vault into “a bunker with a window.”
Another drawback is that the envisaged mechanism has difficulties in servicing document currentness queries across multiple organizations. For instance, responders run by organization #1 can easily provide responses about the status of documents relating to organization #1, but responders run by another organization may not have enough information to provide responses about “foreign” documents.