next up previous
Next: Conclusion Up: The Eternity Service Previous: Payment

Time

One of the complications is that we need to be able to trust the time; otherwise the opponent might manipulate the network time protocol to say that the date is now 2500AD and bring about general file deletion. Does this bring the Network Time Protocol (and thus the Global Positioning System and thus the US Department of Defense) within the security perimeter, or do we create our own secure time service? The mechanics of such a service have been discussed in other contexts, but there is as yet no really secure clock on the Internet.

A dependable time service could benefit other applications, such as currency exchange transactions that are conducted in a merchant's premises while the bank is offline. Meanwhile, we must plan to rely on wide dispersal, plus some extra rules such as `assets may not be deleted unless the sysadmin confirms the date', `the date for deletion purposes may never exceed the creation date of the system software by five years', and `no file may be deleted until all annuity payments for it have been received'.



Ross Anderson
Tue Jun 17 15:08:09 BST 1997