Created
June 9, 2016 00:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| A challenge. | |
| Prove that a file or hash uploaded to stamp.io, and the certificate page that stamp.io provides, can | |
| be used to unequivocally, deterministically, and mathematically prove that the file existed | |
| on or before the timestamp in the certificate. | |
| The answer code: | |
| Sample code in pure javascript, executed with node, using the current stampery NPM package installed from npmjs.org. | |
| All dependencies should be only an 'npm install' away and run with e.g. 'npm test'. | |
| Part 1: | |
| Simulate that you are a lawyer in a court of law, and you need to prove to a judge and jury | |
| that a file in your possession can be proven to have been in existence on a certain date/time. | |
| You can use only the provided file, which hashes to the hashes shown below, and the data present on | |
| the certificate that was generated when I uploaded that file to stamp.io. The URI for that cert | |
| is also below. You can provide the answer in javascript code that I can run locally to match this | |
| file, and a hash derived from it, to that certificate and the data displayed on it. | |
| ``` | |
| wget https://raw.githubusercontent.com/grempe/sirp/master/certs/gem-public_cert_grempe.pem | |
| $ sha256sum gem-public_cert_grempe.pem | |
| 60dfb0a3c86860dc0de93d7a48ce5724d5ddaced917fe899689675f5b4e8d25f gem-public_cert_grempe.pem | |
| $ sha512sum gem-public_cert_grempe.pem | |
| def0fb3da615f0d1ebe55070f3271cdbb1187e53b2122102b77029ad9618d0a001635e5a31398fb1248d57374b59c29d78d3475eda88b4f20d247757e59e18ed gem-public_cert_grempe.pem | |
| # STAMP.IO CERT URI | |
| https://stamp.io/stamp/ip1vw6ir | |
| ``` | |
| Bonus Points: | |
| Using the same data above, and the same certificate and its data, tie the file in possession of | |
| the simulated laywer, to data on the bitcoin and ethereum blockchains which mathematically prove | |
| the existance of the file. Again, only the file, its hash and the public cert can be used as | |
| inputs to finding the data. If you need to run a script to calculate something that should also | |
| be pure JS like above. | |
| Part 2: | |
| Using the same file, or the hash of its contents, provide a script that submits the hash to the | |
| stampery API, receives the proof from the API, and verifies that the file can be proven to be the | |
| only file that matches the web certificate/API data. | |
| This simulates a developer submitting a file through the API and doing an end-to-end test that | |
| not only can the file be uploaded and cert generated, but that the proof data can be provably tied to | |
| the original file. | |
| The challenge solution should also be pure JS code using public NPM packages installable with an NPM | |
| install from a released version on npmjs.org. | |
Let the silence to be the response ....
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This challenge is motivated by my testing of the stamp.io and stampery.com bitcoin notary product. I was a bit frustrated to see that they provided what I considered to be only half a product. Namely, it could accept a file, and hash it (in an undocumented way) and would then provide a public web certificate URL containing that hash and submit that hash to their own private Merkle tree and the bitcoin and ethereum blockchains.
While this first step may be working fine, it is impossible to currently verify that by testing the other half of the equation, verifying that a file in your possession can be matched to data on the certificate. An end user should be able to use the file and cert together to prove, legally and mathematically, that this exact file in hand was notarized sometime before the timestamp on the certificate. A third party in possession of the file and the cert should be able to do the same (e.g. in a legal context).
The analogy that comes to mind is as if they were marketing a public key encryption product that only signed files but could not verify those same signatures. A product of questionable utility indeed.
Their API clients, at least some of which don't work at all, all fail to implement the verification function into the code. They provide some text notes in the comments as to how one might verify but this is clearly not sufficient when dealing with a cryptographic security product.
I first presented my concerns more than five months ago, in emails which were responded to but did not provide any insight into the missing functionality. Today I opened up a Twitter conversation with several of their employees, including their CTO, who accepted this challenge in principle. I could only speculate why they would leave such a gaping hole in their product while continuing to market it.
I look forward to the solutions.
Glenn