Integrating TimeCert with GitHub

Posted by Pelle

TimeCert is my project to timestamp the web. It’s a completely free service that will tell you the first time it saw a particular sha1 digest (think of this as a digital fingerprint of any digital data).

Now I’ve added specific support for GitHub Post Receive Hooks to TimeCert. Just add http://timecert.org/github to the Service Hooks page of any or all of your GitHub projects and TimeCert will automatically timestamp all your commits.

Timestamping your commits with TimeCert and GitHub

As we never actually need access to your repository, but only the sha1 digests of the commits, you can safely use it even for private projects.
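As an added illustration (not TimeCert's code and not part of the original post): a commit id is a SHA-1 over the serialized commit object, so a service that records only the digest never sees the code, and the dates inside the commit are self-asserted while the first-seen time comes from the service's clock. The `FirstSeenLog` class, the identity and the timestamps are constructed for this sketch.

```python
import hashlib
import re

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree id

def git_object_id(obj_type: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<type> <size>' + NUL + body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def commit_id(tree, parents, author, committer, message):
    """Serialize a commit object as git does and return its id."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())

class FirstSeenLog:
    """Hypothetical first-seen service (not TimeCert's code): stores digests only."""
    def __init__(self):
        self._seen = {}

    def stamp(self, digest: str, now: int) -> int:
        if not re.fullmatch(r"[0-9a-f]{40}", digest):
            raise ValueError("expected a 40-character hex SHA-1 digest")
        # The service's own clock decides; a repeat submission never moves the time.
        return self._seen.setdefault(digest, now)

def demo():
    log = FirstSeenLog()
    who = "Alice Example <alice@example.com>"  # constructed identity
    msg = "Initial commit\n"
    # Commit as written (dates in August 2009), submitted shortly afterwards.
    real = commit_id(EMPTY_TREE, [], f"{who} 1251700000 +0000", f"{who} 1251700000 +0000", msg)
    t_real = log.stamp(real, now=1251700100)
    # Same content with its self-asserted dates moved back to 2001: a different id,
    # which the log first sees only when it is actually submitted.
    old = commit_id(EMPTY_TREE, [], f"{who} 1000000000 +0000", f"{who} 1000000000 +0000", msg)
    t_old = log.stamp(old, now=1262300000)
    t_again = log.stamp(real, now=1262300001)
    return real != old, t_real, t_old, t_again

if __name__ == "__main__":
    print(demo())
```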

Why time stamp your code?

There are all sorts of reasons why this could be useful. The most important reason for individual software developers is to protect your own intellectual property. None of this should be considered legal advice; please talk to a lawyer if you’re really worried.

Let’s imagine you were working on your own side project or an open source project. Now you get hired by a company and you decide to use some of your own code to save time on your work within the company. If you use your own code again in the future you could be in big trouble, unless you can prove that you wrote this code before.

GitHub and TimeCert together should provide all the proof you need. GitHub shows the details of the code you committed and TimeCert shows an impartial timestamp of that commit.

Posted August 31st, 2009
Comments


jcs August 31st, 2009

The link from this page to its certification on timecert.org says "A TimeCert certificate can provide thirty party proof that you were the first to write or create something."

I think you mean third party proof, not thirty party.

pelle@stakeventures.com
Pelle Braendgaard August 31st, 2009

Thanks. Fixed. How embarrassing. That must have been there a long time.

David T. August 31st, 2009

I don’t think that sending an SHA1 sum will be enough as proof of prior art at court. You should look into trusted timestamping (http://en.wikipedia.org/wiki/Trusted_timestamping), it would be a nice addition to your service ;-)

nat@natwelch.com
Nat August 31st, 2009

So I’m not sure I understand the importance of this. Why is this different than the time stamp that is already attached to commits? (example http://github.com/icco/crackquotes/commits/master has dates…)

pelle@stakeventures.com
Pelle Braendgaard August 31st, 2009

I am not a lawyer, but I believe the courts would find this to be as valid an implementation as the implementations mentioned in that Wikipedia article.

The only difference here is that we don’t provide a digital signature on the timestamps. An early iteration of TimeCert (5+ years ago) had digital signatures, but I got rid of it as I really don’t think they add anything to the process here.

Digital signatures, like digests, are really software engineering concepts and not really accepted by the courts on their own without any context.

This is where GitHub comes in. GitHub provides the context in a readable way.

The X.509 group of standards including RFC 3161 are extremely over-engineered standards. The only part that has really taken off is SSL certs.

TimeCert relies, like all other web apps, on the trust its users have in the operator. I’m experimenting with various things to improve the trust such as it being open sourced and it having a new audit page.

I’m also playing with the idea of posting daily backups of the data on s3 where other people could mirror it and check for changes.

Ideally someone would set up one or two other TimeCert services and we exchange a digest feed, that we each individually timestamp.

pelle@stakeventures.com
Pelle Braendgaard August 31st, 2009

@Nat The main difference is that GitHub trusts the timestamp the committer’s local git client generates. Please correct me if I’m wrong.

GitHub could easily provide this service if they wished, that is true. However the more evidence the merrier, there would still be value even if they start doing so.

unncola@gmail.com
Dave August 31st, 2009

Maybe I’m missing it but I don’t see where commits are being time stamped.

pelle@stakeventures.com
Pelle Braendgaard August 31st, 2009

@Dave,
The timestamps are done in the background. There isn’t any additional evidence on the GitHub site.

However, by going to the timecert.org page for the commit’s SHA you will see the timestamp.

e.g. http://timecert.org/f4c0455618fc24ce878451284a8ffbdd5d26d45e

This information could actually be embedded as an iframe like here on the TimeCert Audit Page
