On Sun, Sep 18, 2016 at 03:45:40PM +0200, Jannes Faber wrote:
> Would you not also have to consider (all) earlier blocks?
> 
> T = max(block[i].nTime for i in {x-100, ..., x, ..., x + N-1}) + max_offset
> 
> In case one or more previous blocks have an nTime considerably in the
> future and blocks>= x have honest nTimes (or before true time).
> 
> Maybe not strictly for the goal you were describing here (conservative
> estimate) but rather to prevent distinct timestamp events seeming to have
> happened in the wrong order?

Well that's the thing: timestamps are simply proofs that something existed
prior to some time, nothing more, nothing less.

So it doesn't make sense for there to be any notion of the "wrong order" in a
timestamp proof; the proof either is or is not valid, but that has nothing to
do with other proofs. Additionally, the architecture of OpenTimestamps doesn't
and can't make any 100% guarantees about the apparent order of timestamps,
because it's always possible for an earlier timestamp to end up committed in
the blockchain after a later timestamp gets committed. It's not all that likely
of an event, but it is possible.

If you don't want that to be possible, you're going to need a dedicated chain
of transactions for your particular purpose, which adds a lot of complexity,
cost, and makes it much harder to achieve the same level of availability for
the service as a whole.

Remember that for many use-cases the user experience is that there's two or
more claimed dates, and OpenTimestamps simply verifies that those dates are
plausible. Take for example, timestamped git commits:

    commit 536411e73b8c23dc2fdfd78052c893f578444926
    ots: Got 2 attestation(s) from cache
    ots: Success! Bitcoin attests data existed as of Thu Sep 15 01:07:08 2016 EDT
    ots: Good timestamp
    gpg: Signature made Thu 15 Sep 2016 12:10:25 AM EDT
    gpg:                using RSA key 6399011044E8AFB2
    gpg: Good signature from "Peter Todd <pete@petertodd.org>"
    gpg:                 aka "[jpeg image of size 5220]"
    Author: Peter Todd <pete@petertodd.org>
    Date:   Thu Sep 15 00:10:20 2016 -0400

        Release v0.2.0

Here we have the date on the git commit, another date a few seconds later for
the PGP signature, and a third date an hour later for the Bitcoin timestamp,
attesting to the fact that the two other dates for that one git commit are
plausible.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org