Protecting your code (copyright) - PGP


Thread: Protecting your code (copyright)

  1. Protecting your code (copyright)

    Hi all

    Is there any solution to protect your rights or ideas when you write
    code ?

    I am thinking of a way to sign the code, to prove that I am the author.
    My first thought was to use digital signature for this. Let's say I have
    my own company and I buy a digital certificate from VeriSign.
    Then I can use this certificate to PGP sign the code and to prove that
    at a specific date back in time I was the programmer or at least I had
    the code in my possession.

    Any other suggestion in this respect would be much appreciated

    Thank you
    Mine Me

  2. Re: Protecting your code (copyright)

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    MiniME writes:

    >Is there any solution to protect your rights or ideas when you write
    >code ?


    That depends on what you are protecting against what.

    >I am thinking of a way to sign the code, to prove that I am the author.
    >My first thought was to use digital signature for this. Let's say I have
    >my own company and I buy a digital certificate from VeriSign.


    You don't need to buy a VeriSign cert. Just create your own PGP
    key, and sign with that.

    >Then I can use this certificate to PGP sign the code and to prove that
    >at a specific date back in time I was the programmer or at least I had
    >the code in my possession.


    You would need to sign the code, and publish it, or similar. Or sign with
    a detached signature, and at least publish the signature. Maybe
    posting on usenet can count as publishing.

    The concern is this: At some later time, you could set the clock on
    your computer back by several years. Then you sign with a backdated
    signature. Then you correct your computer time. You have, in effect,
    forged the timestamp on your signature with this backdating.

    Now maybe you would never forge the timestamp in that way. But
    somebody could accuse you of doing so. However, if there are public
    records of the document or signature, as of around the date of the
    signature, then you could come up with the evidence to refute such an
    accusation.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2 (SunOS)

    iD8DBQFC6bI6vmGe70vHPUMRAjplAJsE12ys5LrD5mBZfJvhze yIb2NgzwCggMIQ
    rGq+NerjGIz6bzwePlXgvvg=
    =cs4O
    -----END PGP SIGNATURE-----


  3. Re: Protecting your code (copyright)

    MiniME writes:

    >Hi all


    >Is there any solution to protect your rights or ideas when you write
    >code ?


    >I am thinking of a way to sign the code, to prove that I am the author.
    >My first thought was to use digital signature for this. Let's say I have
    >my own company and I buy a digital certificate from VeriSign.
    >Then I can use this certificate to PGP sign the code and to prove that
    >at a specific date back in time I was the programmer or at least I had
    >the code in my possession.


    >Any other suggestion in this respect would be much appreciated


    AFAIK, as with all copyrighted works, you can register it at the Copyright Office.
    That would buy you presumption (not proof) of copyright ownership. If
    someone could show that they possessed it before that date, then that
    presumption would fail.

    Note that the digital signature would not be proof since signing is not a
    proof of date. You could have signed it in Jan 2008, but have rolled back
    your computer's clock to May 2004. You still have to establish the date,
    which you could do by sending to a signature repository. But how that
    differs from sending it to the copyright office I do not know.

    One technique for establishing date is to mail yourself the copy in a
    sealed envelope, and then use that sealed envelope in court as the proof of
    date.

  4. Re: Protecting your code (copyright)

    -----BEGIN PGP SIGNED MESSAGE-----

    MiniME wrote:
    > Hi all
    >
    > Is there any solution to protect your rights or ideas when you write
    > code ?


    http://www.itconsult.co.uk/stamper.htm?

    I myself signed with my PGP key and commented out the plain text
    signature using /* */ so it would still compile (ANSI C).

    You could also print it out, seal it, put a stamp over the seal and mail
    it to yourself using snailmail.

    Thomas
    - --
    Life is like a videogame with no chance to win - ATR
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iQB5AwUBQuoPZgEP2l8iXKAJAQEspgMfYM0C914f+ExpgfAhZV h52gbbv5NA5gHB
    LOyl487630pxf3FXDcVm4MDa5qfu5VBFa7Lc+492b3BEju+bUE 2AgrawcZSOtJlt
    ITgiGgl9i48ox3yVGRMS1SqUios/B28L561oQQ==
    =AD4Z
    -----END PGP SIGNATURE-----

  5. Re: Protecting your code (copyright)

    Unruh wrote...

    > One technique for establishing date is to mail yourself the copy in a
    > sealed envelope, and then use that sealed envelope in court as the proof of
    > date.



    or mail yourself an empty unsealed envelope, and put the contents in after you
    get it back. This method proves nothing.

  6. Re: Protecting your code (copyright)

    Thomas J. Boschloo wrote...

    > You could also print it out, seal it, put a stamp over the seal and mail
    > it to yourself using snailmail.



    No-one else would have any faith in your own stamp (i.e. when you stamped it).
    The stamping, or better still the storage of the document, needs to be done by a
    trusted third party - public domain is often best.


  7. Re: Protecting your code (copyright)

    MiniME wrote:
    >
    > Hi all
    >
    > Is there any solution to protect your rights or ideas when you write
    > code ?
    >
    > I am thinking of a way to sign the code, to prove that I am the author.
    > My first thought was to use digital signature for this. Let's say I have
    > my own company and I buy a digital certificate from VeriSign.
    > Then I can use this certificate to PGP sign the code and to prove that
    > at a specific date back in time I was the programmer or at least I had
    > the code in my possession.
    >
    > Any other suggestion in this respect would be much appreciated


    Use PGP to sign the file containing the code, getting a detached
    signature file. Then E-mail the signature file to a digital
    timestamping service for their signature, which they will send back
    to you. Save the file, your detached signature file, and the
    returned signature file from the timestamping service. You have to
    do this again every time you change the code, no matter how slight
    the change.

    The time within your own signature is meaningless because (as
    others point out) you could always reset your computer clock to a
    fraudulent value. However, digital timestamping services are
    subject to outside testing, merely by sending them another file
    (even not a detached signature) to be timestamped.

    I suggest timestamping your detached signature rather than the code
    file for two reasons. First, the detached signature file will
    likely be much smaller than the code file, consuming less
    bandwidth. Some of us still use dial-up modems, and bandwidth is
    still a concern. Second (and far more important), when you sign
    the code file, you demonstrate that you (not someone else) indeed
    possessed it. The timestamp then marks when you had that possession
    (the date and time by which the code file was available to you for
    signing). Timestamping the code file itself would merely mark when
    it existed, not when you possessed it.

    All this assumes you have PGP, GPG, or the equivalent stored on
    your computer and that you keep a copy of your own key-pair even
    after it expires or is revoked. (An expired or revoked public key
    can still be used to verify a signature made by the corresponding
    private key before the expiration or revocation.)

    --

    David E. Ross


    I use Mozilla as my Web browser because I want a browser that
    complies with Web standards. See .
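
Several replies above point out that the time inside a PGP signature comes from the signer's own clock. As an added example (not code from any poster in this thread), the Python below reads that self-asserted creation time out of an OpenPGP signature packet (v3 and v4 layouts) and compares it with the time a third party first saw the signature. The function names are hypothetical, and the sample packets are constructed with dummy signature values; only old-format headers with a one-byte length and short subpackets are handled.

```python
import struct
from datetime import datetime, timezone

def claimed_time(packet: bytes) -> int:
    """Return the creation time the signer wrote into a signature packet."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2 or tag & 3 != 0:
        raise ValueError("expected old-format signature packet, 1-byte length")
    body = packet[2:2 + packet[1]]
    if body[0] == 3:                      # v3: version, 0x05, sig type, time
        return struct.unpack(">I", body[3:7])[0]
    if body[0] != 4:
        raise ValueError("unsupported signature version")
    pos, end = 6, 6 + struct.unpack(">H", body[4:6])[0]  # hashed subpackets
    while pos < end:
        length, sub_type = body[pos], body[pos + 1] & 0x7F
        if length >= 192:
            raise ValueError("long subpacket lengths not handled here")
        if sub_type == 2:                 # subpacket 2: signature creation time
            return struct.unpack(">I", body[pos + 2:pos + 6])[0]
        pos += 1 + length
    raise ValueError("no creation-time subpacket")

def assess(packet: bytes, witness_time: int) -> str:
    """Weigh the signer's claim against when a third party saw the signature."""
    if claimed_time(packet) > witness_time:
        return "inconsistent: claimed time is after the witness saw it"
    return "existed by witness time; earlier claimed time is unverified"

def sample_v4(created: int) -> bytes:
    """Constructed v4 packet: dummy key ID, hash prefix and MPIs."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)
    unhashed = bytes([9, 16]) + bytes(8)
    body = (bytes([4, 0, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + bytes(2) + b"\x00\x01\x01" * 2)
    return bytes([0x88, len(body)]) + body

def sample_v3(created: int) -> bytes:
    """Constructed v3 packet with the same dummy values."""
    body = (bytes([3, 5, 0]) + struct.pack(">I", created) + bytes(8)
            + bytes([17, 2]) + bytes(2) + b"\x00\x01\x01" * 2)
    return bytes([0x88, len(body)]) + body

if __name__ == "__main__":
    may_2004 = int(datetime(2004, 5, 1, tzinfo=timezone.utc).timestamp())
    jan_2008 = int(datetime(2008, 1, 1, tzinfo=timezone.utc).timestamp())
    print(assess(sample_v4(may_2004), jan_2008))
```

With the dates from the thread (a signature claiming May 2004, first seen by a witness in January 2008), the only supportable conclusion is that the signature existed by January 2008.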
