WACZ Signing and Verification spec: Support for timestamped anonynous signatures

[matteocargnelutti]

The WACZ Signing and Verification spec currently supports either anonymous signing or domain-name Identity + timestamp signing.

It could be beneficial to extend the anonymous signing portion of the spec to support RFC 3161 timestamping.

The addition of a timestamp to an anonymous signature could improve its intrinsic "value":
While it is difficult to assert the authenticity of a given file with an anonymous signature alone, the addition of an external timestamp shows that a given signed WACZ file:

• Was indeed made at datetime X
• And that it hasn't been altered since then

signedData objects would look as follows in that context:

{
    "hash": "<sha256 hash of datapackage.json>",

    "created": "<ISO 8601 Date>",
    "software": "<string>",
    "version": "<string>",

    "signature": "<base64 encoded signature>",
    "publicKey": "<base64 encoded public key (ECDSA)>",

    "timeSignature": "<base64 encoded signature>",
    "timestampCert": "<PEM certificate chain>",
}

---

js-wacz would be one of the first tool in the WACZ ecosystem to take advantage of this feature.
archiveweb.page could also use this extension of the spec to reinforce the signatures it currently generates with a trusted timestamp.