

How to be a TimeStamp Authority?

  • Stefan

    Hi all,

    I'm trying to set up signserver because within my business,
    I need to sign many documents and the signature must contain a time stamp from a TSA (according to RFC 3161).
    Because commercial TSAs are very expensive for the amount of documents I'm planning to sign,
    I'm thinking of setting up my own TSA service (e.g. using signserver).

    What I have not understood so far:
    even if the creation/transmission of a time stamp token is protected
    using digital signatures (for which I have to set up valid and not self-signed certificates) or similar mechanisms,
    what makes a time stamp token of such a deployment trusted (especially if it's my own deployment)?

    In the end, independent of how many layers are between my business software and a "clock",
    within the code of the Time-Stamping Service I could place a lot of "my own magic",
    or manipulate the clock, ...
    Without looking into the software of such an implementation,
    nobody could be sure that this service is really RFC compliant just because I say so?

    Are there any mechanisms, e.g. an audit,
    that a Time-Stamping Service provider has to pass before he gets a certificate (which then signs the created time stamp tokens)?

    Many thanks for helpful answers,
    Regards: Stefan

  • Markus Kilås

    Hi Stefan,

    A document that describes this quite well is ETSI TS 102 023 V1.2.2 (2008-10) "Policy requirements for time-stamping authorities".

    For instance see "Conformance", "Obligations and liability" and the "Practice and Disclosure Statements", where one of the points is an assessment by an independent party (i.e. an audit).

    Best regards,
    PrimeKey Solutions