Verify: External hash timestamping for temporal integrity #149
Description
Summary
Add optional external hash timestamping so verification chains have temporal proof — not just "the chain is consistent" but "the chain was consistent at time T."
Problem
Local verification proves internal consistency but cannot prevent an adversary from regenerating the entire hash chain after tampering. External timestamping adds an independent temporal anchor.
Proposed Solution
Record {timestamp, root_hash, project_id} to a third-party service at key moments (submission, revision).
Properties
- Privacy-safe: Only hashes transmitted, never actual data (~100 bytes per record)
- Tamper-evident: External server provides independent temporal proof
Backend options (increasing complexity)
- RFC 3161 Timestamping Authority — established standard
- Zenodo/Figshare deposit — DOI + timestamp for hash tree root
- Simple REST API — lightweight SciTeX-hosted or self-hosted service
API Sketch
scitex verify stamp --service rfc3161 # record root hash externally
scitex verify check --temporal # verify local chain + external timestampScope Note
Future work for the paper Discussion: "The current implementation provides local provenance verification. Integration with external timestamping services (RFC 3161) would additionally guarantee temporal integrity."