diff options
Diffstat (limited to 'doc/rfc/rfc3161.txt')
-rw-r--r-- | doc/rfc/rfc3161.txt | 1459 |
1 files changed, 1459 insertions, 0 deletions
diff --git a/doc/rfc/rfc3161.txt b/doc/rfc/rfc3161.txt new file mode 100644 index 0000000..628f300 --- /dev/null +++ b/doc/rfc/rfc3161.txt @@ -0,0 +1,1459 @@ + + + + + + +Network Working Group C. Adams +Request for Comments: 3161 Entrust +Category: Standards Track P. Cain + BBN + D. Pinkas + Integris + R. Zuccherato + Entrust + August 2001 + + + Internet X.509 Public Key Infrastructure + Time-Stamp Protocol (TSP) + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2001). All Rights Reserved. + +Abstract + + This document describes the format of a request sent to a Time + Stamping Authority (TSA) and of the response that is returned. It + also establishes several security-relevant requirements for TSA + operation, with regards to processing requests to generate responses. + +1. Introduction + + A time-stamping service supports assertions of proof that a datum + existed before a particular time. A TSA may be operated as a Trusted + Third Party (TTP) service, though other operational models may be + appropriate, e.g., an organization might require a TSA for internal + time-stamping purposes. + + Non-repudiation services [ISONR] require the ability to establish the + existence of data before specified times. This protocol may be used + as a building block to support such services. An example of how to + prove that a digital signature was generated during the validity + period of a public key certificate is given in an annex. + + + + + +Adams, et al. Standards Track [Page 1] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", + "SHALL", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in + uppercase, as shown) are to be interpreted as described in [RFC2119]. + + In order to associate a datum with a particular point in time, a Time + Stamp Authority (TSA) may need to be used. This Trusted Third Party + provides a "proof-of-existence" for this particular datum at an + instant in time. + + The TSA's role is to time-stamp a datum to establish evidence + indicating that a datum existed before a particular time. This can + then be used, for example, to verify that a digital signature was + applied to a message before the corresponding certificate was revoked + thus allowing a revoked public key certificate to be used for + verifying signatures created prior to the time of revocation. This + is an important public key infrastructure operation. The TSA can + also be used to indicate the time of submission when a deadline is + critical, or to indicate the time of transaction for entries in a + log. An exhaustive list of possible uses of a TSA is beyond the + scope of this document. + + This standard does not establish overall security requirements for + TSA operation, just like other PKIX standards do not establish such + requirements for CA operation. Rather, it is anticipated that a TSA + will make known to prospective clients the policies it implements to + ensure accurate time-stamp generation, and clients will make use of + the services of a TSA only if they are satisfied that these policies + meet their needs. + +2. The TSA + + The TSA is a TTP that creates time-stamp tokens in order to indicate + that a datum existed at a particular point in time. + + For the remainder of this document a "valid request" shall mean one + that can be decoded correctly, is of the form specified in Section + 2.4, and is from a supported TSA subscriber. + +2.1. Requirements of the TSA + + The TSA is REQUIRED: + + 1. to use a trustworthy source of time. + + 2. to include a trustworthy time value for each time-stamp token. + + 3. to include a unique integer for each newly generated time-stamp + token. + + + +Adams, et al. Standards Track [Page 2] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + 4. to produce a time-stamp token upon receiving a valid request + from the requester, when it is possible. + + 5. to include within each time-stamp token an identifier to + uniquely indicate the security policy under which the token was + created. + + 6. to only time-stamp a hash representation of the datum, i.e., a + data imprint associated with a one-way collision resistant + hash-function uniquely identified by an OID. + + 7. to examine the OID of the one-way collision resistant hash- + function and to verify that the hash value length is consistent + with the hash algorithm. + + 8. not to examine the imprint being time-stamped in any way (other + than to check its length, as specified in the previous bullet). + + 9. not to include any identification of the requesting entity in + the time-stamp tokens. + + 10. to sign each time-stamp token using a key generated exclusively + for this purpose and have this property of the key indicated on + the corresponding certificate. + + 11. to include additional information in the time-stamp token, if + asked by the requester using the extensions field, only for the + extensions that are supported by the TSA. If this is not + possible, the TSA SHALL respond with an error message. + +2.2. TSA Transactions + + As the first message of this mechanism, the requesting entity + requests a time-stamp token by sending a request (which is or + includes a TimeStampReq, as defined below) to the Time Stamping + Authority. As the second message, the Time Stamping Authority + responds by sending a response (which is or includes a TimeStampResp, + as defined below) to the requesting entity. + + Upon receiving the response (which is or includes a TimeStampResp + that normally contains a TimeStampToken (TST), as defined below), the + requesting entity SHALL verify the status error returned in the + response and if no error is present it SHALL verify the various + fields contained in the TimeStampToken and the validity of the + digital signature of the TimeStampToken. In particular, it SHALL + verify that what was time-stamped corresponds to what was requested + to be time-stamped. The requester SHALL verify that the + TimeStampToken contains the correct certificate identifier of the + + + +Adams, et al. Standards Track [Page 3] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + TSA, the correct data imprint and the correct hash algorithm OID. It + SHALL then verify the timeliness of the response by verifying either + the time included in the response against a local trusted time + reference, if one is available, or the value of the nonce (large + random number with a high probability that it is generated by the + client only once) included in the response against the value included + in the request. For more details about replay attack detection, see + the security considerations section (item 6). If any of the + verifications above fails, the TimeStampToken SHALL be rejected. + + Then, since the TSA's certificate may have been revoked, the status + of the certificate SHOULD be checked (e.g., by checking the + appropriate CRL) to verify that the certificate is still valid. + + Then, the client application SHOULD check the policy field to + determine whether or not the policy under which the token was issued + is acceptable for the application. + +2.3. Identification of the TSA + + The TSA MUST sign each time-stamp message with a key reserved + specifically for that purpose. A TSA MAY have distinct private keys, + e.g., to accommodate different policies, different algorithms, + different private key sizes or to increase the performance. The + corresponding certificate MUST contain only one instance of the + extended key usage field extension as defined in [RFC2459] Section + 4.2.1.13 with KeyPurposeID having value: + + id-kp-timeStamping. This extension MUST be critical. + + The following object identifier identifies the KeyPurposeID having + value id-kp-timeStamping. + + id-kp-timeStamping OBJECT IDENTIFIER ::= {iso(1) + identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) + kp (3) timestamping (8)} + +2.4. Request and Response Formats + +2.4.1. Request Format + + A time-stamping request is as follows: + +TimeStampReq ::= SEQUENCE { + version INTEGER { v1(1) }, + messageImprint MessageImprint, + --a hash algorithm OID and the hash value of the data to be + + + +Adams, et al. Standards Track [Page 4] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + --time-stamped + reqPolicy TSAPolicyId OPTIONAL, + nonce INTEGER OPTIONAL, + certReq BOOLEAN DEFAULT FALSE, + extensions [0] IMPLICIT Extensions OPTIONAL } + + The version field (currently v1) describes the version of the Time- + Stamp request. + + The messageImprint field SHOULD contain the hash of the datum to be + time-stamped. The hash is represented as an OCTET STRING. Its + length MUST match the length of the hash value for that algorithm + (e.g., 20 bytes for SHA-1 or 16 bytes for MD5). + + MessageImprint ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier, + hashedMessage OCTET STRING } + + The hash algorithm indicated in the hashAlgorithm field SHOULD be a + known hash algorithm (one-way and collision resistant). That means + that it SHOULD be one-way and collision resistant. The Time Stamp + Authority SHOULD check whether or not the given hash algorithm is + known to be "sufficient" (based on the current state of knowledge in + cryptanalysis and the current state of the art in computational + resources, for example). If the TSA does not recognize the hash + algorithm or knows that the hash algorithm is weak (a decision left + to the discretion of each individual TSA), then the TSA SHOULD refuse + to provide the time-stamp token by returning a pkiStatusInfo of + 'bad_alg'. + + The reqPolicy field, if included, indicates the TSA policy under + which the TimeStampToken SHOULD be provided. TSAPolicyId is defined + as follows: + + TSAPolicyId ::= OBJECT IDENTIFIER + + The nonce, if included, allows the client to verify the timeliness of + the response when no local clock is available. The nonce is a large + random number with a high probability that the client generates it + only once (e.g., a 64 bit integer). In such a case the same nonce + value MUST be included in the response, otherwise the response shall + be rejected. + + If the certReq field is present and set to true, the TSA's public key + certificate that is referenced by the ESSCertID identifier inside a + SigningCertificate attribute in the response MUST be provided by the + TSA in the certificates field from the SignedData structure in that + response. That field may also contain other certificates. + + + +Adams, et al. Standards Track [Page 5] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + If the certReq field is missing or if the certReq field is present + and set to false then the certificates field from the SignedData + structure MUST not be present in the response. + + The extensions field is a generic way to add additional information + to the request in the future. Extensions is defined in [RFC 2459]. + If an extension, whether it is marked critical or not critical, is + used by a requester but is not recognized by a time-stamping server, + the server SHALL not issue a token and SHALL return a failure + (unacceptedExtension). + + The time-stamp request does not identify the requester, as this + information is not validated by the TSA (See Section 2.1). In + situations where the TSA requires the identity of the requesting + entity, alternate identification /authentication means have to be + used (e.g., CMS encapsulation [CMS] or TLS authentication [RFC2246]). + +2.4.2. Response Format + + A time-stamping response is as follows: + + TimeStampResp ::= SEQUENCE { + status PKIStatusInfo, + timeStampToken TimeStampToken OPTIONAL } + + The status is based on the definition of status in section 3.2.3 + of [RFC2510] as follows: + + PKIStatusInfo ::= SEQUENCE { + status PKIStatus, + statusString PKIFreeText OPTIONAL, + failInfo PKIFailureInfo OPTIONAL } + + When the status contains the value zero or one, a TimeStampToken MUST + be present. When status contains a value other than zero or one, a + TimeStampToken MUST NOT be present. One of the following values MUST + be contained in status: + + PKIStatus ::= INTEGER { + granted (0), + -- when the PKIStatus contains the value zero a TimeStampToken, as + requested, is present. + grantedWithMods (1), + -- when the PKIStatus contains the value one a TimeStampToken, + with modifications, is present. + rejection (2), + waiting (3), + revocationWarning (4), + + + +Adams, et al. Standards Track [Page 6] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + -- this message contains a warning that a revocation is + -- imminent + revocationNotification (5) + -- notification that a revocation has occurred } + + Compliant servers SHOULD NOT produce any other values. Compliant + clients MUST generate an error if values it does not understand are + present. + + When the TimeStampToken is not present, the failInfo indicates the + reason why the time-stamp request was rejected and may be one of the + following values. + +PKIFailureInfo ::= BIT STRING { + badAlg (0), + -- unrecognized or unsupported Algorithm Identifier + badRequest (2), + -- transaction not permitted or supported + badDataFormat (5), + -- the data submitted has the wrong format + timeNotAvailable (14), + -- the TSA's time source is not available + unacceptedPolicy (15), + -- the requested TSA policy is not supported by the TSA + unacceptedExtension (16), + -- the requested extension is not supported by the TSA + addInfoNotAvailable (17) + -- the additional information requested could not be understood + -- or is not available + systemFailure (25) + -- the request cannot be handled due to system failure } + + These are the only values of PKIFailureInfo that SHALL be supported. + + Compliant servers SHOULD NOT produce any other values. Compliant + clients MUST generate an error if values it does not understand are + present. + + The statusString field of PKIStatusInfo MAY be used to include reason + text such as "messageImprint field is not correctly formatted". + + A TimeStampToken is as follows. It is defined as a ContentInfo + ([CMS]) and SHALL encapsulate a signed data content type. + + TimeStampToken ::= ContentInfo + -- contentType is id-signedData ([CMS]) + -- content is SignedData ([CMS]) + + + + +Adams, et al. Standards Track [Page 7] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + The fields of type EncapsulatedContentInfo of the SignedData + construct have the following meanings: + + eContentType is an object identifier that uniquely specifies the + content type. For a time-stamp token it is defined as: + + id-ct-TSTInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4} + + eContent is the content itself, carried as an octet string. + The eContent SHALL be the DER-encoded value of TSTInfo. + + The time-stamp token MUST NOT contain any signatures other than the + signature of the TSA. The certificate identifier (ESSCertID) of the + TSA certificate MUST be included as a signerInfo attribute inside a + SigningCertificate attribute. + +TSTInfo ::= SEQUENCE { + version INTEGER { v1(1) }, + policy TSAPolicyId, + messageImprint MessageImprint, + -- MUST have the same value as the similar field in + -- TimeStampReq + serialNumber INTEGER, + -- Time-Stamping users MUST be ready to accommodate integers + -- up to 160 bits. + genTime GeneralizedTime, + accuracy Accuracy OPTIONAL, + ordering BOOLEAN DEFAULT FALSE, + nonce INTEGER OPTIONAL, + -- MUST be present if the similar field was present + -- in TimeStampReq. In that case it MUST have the same value. + tsa [0] GeneralName OPTIONAL, + extensions [1] IMPLICIT Extensions OPTIONAL } + + The version field (currently v1) describes the version of the time- + stamp token. + + Conforming time-stamping servers MUST be able to provide version 1 + time-stamp tokens. + + Among the optional fields, only the nonce field MUST be supported. + + Conforming time-stamping requesters MUST be able to recognize version + 1 time-stamp tokens with all the optional fields present, but are not + mandated to understand the semantics of any extension, if present. + + + + + +Adams, et al. Standards Track [Page 8] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + The policy field MUST indicate the TSA's policy under which the + response was produced. If a similar field was present in the + TimeStampReq, then it MUST have the same value, otherwise an error + (unacceptedPolicy) MUST be returned. This policy MAY include the + following types of information (although this list is certainly not + exhaustive): + + * The conditions under which the time-stamp token may be used. + + * The availability of a time-stamp token log, to allow later + verification that a time-stamp token is authentic. + + The messageImprint MUST have the same value as the similar field in + TimeStampReq, provided that the size of the hash value matches the + expected size of the hash algorithm identified in hashAlgorithm. + + The serialNumber field is an integer assigned by the TSA to each + TimeStampToken. It MUST be unique for each TimeStampToken issued by + a given TSA (i.e., the TSA name and serial number identify a unique + TimeStampToken). It should be noticed that the property MUST be + preserved even after a possible interruption (e.g., crash) of the + service. + + genTime is the time at which the time-stamp token has been created by + the TSA. It is expressed as UTC time (Coordinated Universal Time) to + reduce confusion with the local time zone use. UTC is a time scale, + based on the second (SI), as defined and recommended by the CCIR, and + maintained by the Bureau International des Poids et Mesures (BIPM). A + synonym is "Zulu" time which is used by the civil aviation and + represented by the letter "Z" (phonetically "Zulu"). + + The ASN.1 GeneralizedTime syntax can include fraction-of-second + details. Such syntax, without the restrictions from [RFC 2459] + Section 4.1.2.5.2, where GeneralizedTime is limited to represent the + time with a granularity of one second, may be used here. + + GeneralizedTime values MUST include seconds. However, when there is + no need to have a precision better than the second, then + GeneralizedTime with a precision limited to one second SHOULD be used + (as in [RFC 2459]). + + The syntax is: YYYYMMDDhhmmss[.s...]Z + Example: 19990609001326.34352Z + + X.690 | ISO/IEC 8825-1 provides the following restrictions for a + DER-encoding. + + + + + +Adams, et al. Standards Track [Page 9] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + The encoding MUST terminate with a "Z" (which means "Zulu" time). The + decimal point element, if present, MUST be the point option ".". The + fractional-seconds elements, if present, MUST omit all trailing 0's; + if the elements correspond to 0, they MUST be wholly omitted, and the + decimal point element also MUST be omitted. + + Midnight (GMT) shall be represented in the form: "YYYYMMDD000000Z" + where "YYYYMMDD" represents the day following the midnight in + question. + + Here are a few examples of valid representations: + + "19920521000000Z" + "19920622123421Z" + "19920722132100.3Z" + + accuracy represents the time deviation around the UTC time contained + in GeneralizedTime. + + Accuracy ::= SEQUENCE { + seconds INTEGER OPTIONAL, + millis [0] INTEGER (1..999) OPTIONAL, + micros [1] INTEGER (1..999) OPTIONAL } + + If either seconds, millis or micros is missing, then a value of zero + MUST be taken for the missing field. + + By adding the accuracy value to the GeneralizedTime, an upper limit + of the time at which the time-stamp token has been created by the TSA + can be obtained. In the same way, by subtracting the accuracy to the + GeneralizedTime, a lower limit of the time at which the time-stamp + token has been created by the TSA can be obtained. + + accuracy can be decomposed in seconds, milliseconds (between 1-999) + and microseconds (1-999), all expressed as integer. + + When the accuracy optional field is not present, then the accuracy + may be available through other means, e.g., the TSAPolicyId. + + If the ordering field is missing, or if the ordering field is present + and set to false, then the genTime field only indicates the time at + which the time-stamp token has been created by the TSA. In such a + case, the ordering of time-stamp tokens issued by the same TSA or + different TSAs is only possible when the difference between the + genTime of the first time-stamp token and the genTime of the second + time-stamp token is greater than the sum of the accuracies of the + genTime for each time-stamp token. + + + + +Adams, et al. Standards Track [Page 10] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + If the ordering field is present and set to true, every time-stamp + token from the same TSA can always be ordered based on the genTime + field, regardless of the genTime accuracy. + + The nonce field MUST be present if it was present in the + TimeStampReq. In such a case it MUST equal the value provided in the + TimeStampReq structure. + + The purpose of the tsa field is to give a hint in identifying the + name of the TSA. If present, it MUST correspond to one of the + subject names included in the certificate that is to be used to + verify the token. However, the actual identification of the entity + that signed the response will always occur through the use of the + certificate identifier (ESSCertID Attribute) inside a + SigningCertificate attribute which is part of the signerInfo (See + Section 5 of [ESS]). + + extensions is a generic way to add additional information in the + future. Extensions is defined in [RFC 2459]. + + Particular extension field types may be specified in standards or may + be defined and registered by any organization or community. + +3. Transports + + There is no mandatory transport mechanism for TSA messages in this + document. The mechanisms described below are optional; additional + optional mechanisms may be defined in the future. + +3.1. Time-Stamp Protocol Using E-mail + + This section specifies a means for conveying ASN.1-encoded messages + for the protocol exchanges described in Section 2 and Appendix D via + Internet mail. + + Two MIME objects are specified as follows: + + Content-Type: application/timestamp-query + Content-Transfer-Encoding: base64 + <<the ASN.1 DER-encoded Time-Stamp message, base64-encoded>> + + Content-Type: application/timestamp-reply + Content-Transfer-Encoding: base64 + <<the ASN.1 DER-encoded Time-Stamp message, base64-encoded>> + + These MIME objects can be respectively sent and received using common + MIME processing engines and provides a simple Internet mail transport + for Time-Stamp messages. + + + +Adams, et al. Standards Track [Page 11] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + For the application/timestamp-query and application/timestamp-reply + MIME types, implementations SHOULD include the optional "name" and + "filename" parameters. Including a file name helps preserve type + information when time-stamp queries and replies are saved as files. + When these parameters are included, a file name with the appropriate + extension SHOULD be selected: + + MIME Type File Extension + application/timestamp-query .TSQ + application/timestamp-reply .TSR + + In addition, the file name SHOULD be limited to eight characters + followed by a three letter extension. The eight character filename + base can be any distinct name. + +3.2. File Based Protocol + + A file containing a time-stamp message MUST contain only the DER + encoding of one TSA message, i.e., there MUST be no extraneous header + or trailer information in the file. Such files can be used to + transport time stamp messages using for example, FTP. + + A Time-Stamp Request SHOULD be contained in a file with file + extension .tsq (like Time-Stamp Query). A Time-Stamp Response + SHOULD be contained in a file with file extension .tsr (like + Time-Stamp Reply). + +3.3. Socket Based Protocol + + The following simple TCP-based protocol is to be used for transport + of TSA messages. This protocol is suitable for cases where an entity + initiates a transaction and can poll to pick up the results. + + The protocol basically assumes a listener process on a TSA that can + accept TSA messages on a well-defined port (IP port number 318). + + Typically an initiator binds to this port and submits the initial TSA + message. The responder replies with a TSA message and/or with a + reference number to be used later when polling for the actual TSA + message response. + + If a number of TSA response messages are to be produced for a given + request (say if a receipt must be sent before the actual token can be + produced) then a new polling reference is also returned. + + When the final TSA response message has been picked up by the + initiator then no new polling reference is supplied. + + + + +Adams, et al. Standards Track [Page 12] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + The initiator of a transaction sends a "direct TCP-based TSA message" + to the recipient. The recipient responds with a similar message. + + A "direct TCP-based TSA message" consists of: + length (32-bits), flag (8-bits), value (defined below) + + The length field contains the number of octets of the remainder of + the message (i.e., number of octets of "value" plus one). All 32-bit + values in this protocol are specified to be in network byte order. + + Message name flag value + tsaMsg '00'H DER-encoded TSA message + -- TSA message + pollRep '01'H polling reference (32 bits), + time-to-check-back (32 bits) + -- poll response where no TSA message response ready; use polling + -- reference value (and estimated time value) for later polling + pollReq '02'H polling reference (32 bits) + -- request for a TSA message response to initial message + negPollRep '03'H '00'H + -- no further polling responses (i.e., transaction complete) + partialMsgRep '04'H next polling reference (32 bits), + time-to-check-back (32 bits), + DER-encoded TSA message + -- partial response (receipt) to initial message plus new polling + -- reference (and estimated time value) to use to get next part of + -- response + finalMsgRep '05'H DER-encoded TSA message + -- final (and possibly sole) response to initial message + errorMsgRep '06'H human readable error message + -- produced when an error is detected (e.g., a polling reference + -- is received which doesn't exist or is finished with) + + The sequence of messages that can occur is: + + a) entity sends tsaMsg and receives one of pollRep, negPollRep, + partialMsgRep, or finalMsgRep in response. + + b) end entity sends pollReq message and receives one of + negPollRep, partialMsgRep, finalMsgRep, or errorMsgRep in + response. + + The "time-to-check-back" parameter is an unsigned 32-bit integer. It + is the time in seconds indicating the minimum interval after which + the client SHOULD check the status again. + + It provides an estimate of the time that the end entity should send + its next pollReq. + + + +Adams, et al. Standards Track [Page 13] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + +3.4. Time-Stamp Protocol via HTTP + + This subsection specifies a means for conveying ASN.1-encoded + messages for the protocol exchanges described in Section 2 and + Appendix D via the HyperText Transfer Protocol. + + Two MIME objects are specified as follows. + + Content-Type: application/timestamp-query + + <<the ASN.1 DER-encoded Time-Stamp Request message>> + + Content-Type: application/timestamp-reply + + <<the ASN.1 DER-encoded Time-Stamp Response message>> + + These MIME objects can be sent and received using common HTTP + processing engines over WWW links and provides a simple browser- + server transport for Time-Stamp messages. + + Upon receiving a valid request, the server MUST respond with either a + valid response with content type application/timestamp-response or + with an HTTP error. + +4. Security Considerations + + This entire document concerns security considerations. When + designing a TSA service, the following considerations have been + identified that have an impact upon the validity or "trust" in the + time-stamp token. + + 1. When a TSA shall not be used anymore, but the TSA private key has + not been compromised, the authority's certificate SHALL be + revoked. When the reasonCode extension relative to the revoked + certificate from the TSA is present in the CRL entry extensions, + it SHALL be set either to unspecified (0), affiliationChanged (3), + superseded (4) or cessationOfOperation (5). In that case, at any + future time, the tokens signed with the corresponding key will be + considered as invalid, but tokens generated before the revocation + time will remain valid. When the reasonCode extension relative to + the revoked certificate from the TSA is not present in the CRL + entry extensions, then all the tokens that have been signed with + the corresponding key SHALL be considered as invalid. For that + reason, it is recommended to use the reasonCode extension. + + + + + + + +Adams, et al. Standards Track [Page 14] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + 2. When the TSA private key has been compromised, then the + corresponding certificate SHALL be revoked. In that case, the + reasonCode extension relative to the revoked certificate from the + TSA may or may not be present in the CRL entry extensions. When + it is present then it SHALL be set to keyCompromise (1). Any + token signed by the TSA using that private key cannot be trusted + anymore. For this reason, it is imperative that the TSA's private + key be guarded with proper security and controls in order to + minimize the possibility of compromise. In case the private key + does become compromised, an audit trail of all tokens generated by + the TSA MAY provide a means to discriminate between genuine and + false backdated tokens. Two time-stamp tokens from two different + TSAs is another way to address this issue. + + 3. The TSA signing key MUST be of a sufficient length to allow for a + sufficiently long lifetime. Even if this is done, the key will + have a finite lifetime. Thus, any token signed by the TSA SHOULD + be time-stamped again (if authentic copies of old CRLs are + available) or notarized (if they aren't) at a later date to renew + the trust that exists in the TSA's signature. time-stamp tokens + could also be kept with an Evidence Recording Authority to + maintain this trust. + + 4. A client application using only a nonce and no local clock SHOULD + be concerned about the amount of time it is willing to wait for a + response. A `man-in-the-middle' attack can introduce delays. + Thus, any TimeStampResp that takes more than an acceptable period + of time SHOULD be considered suspect. Since each transport method + specified in this document has different delay characteristics, + the period of time that is considered acceptable will depend upon + the particular transport method used, as well as other environment + factors. + + 5. If different entities obtain time-stamp tokens on the same data + object using the same hash algorithm, or a single entity obtains + multiple time-stamp tokens on the same object, the generated + time-stamp tokens will include identical message imprints; as a + result, an observer with access to those time-stamp tokens could + infer that the time-stamps may refer to the same underlying data. + + + + + + + + + + + + +Adams, et al. Standards Track [Page 15] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + 6. Inadvertent or deliberate replays for requests incorporating the + same hash algorithm and value may happen. Inadvertent replays + occur when more than one copy of the same request message gets + sent to the TSA because of problems in the intervening network + elements. Deliberate replays occur when a middleman is replaying + legitimate TS responses. In order to detect these situations, + several techniques may be used. Using a nonce always allows to + detect replays, and hence its use is RECOMMENDED. Another + possibility is to use both a local clock and a moving time window + during which the requester remembers all the hashes sent during + that time window. When receiving a response, the requester + ensures both that the time of the response is within the time + window and that there is only one occurrence of the hash value in + that time window. If the same hash value is present more than + once within a time window, the requester may either use a nonce, + or wait until the time window has moved to come back to the case + where the same hash value appears only once during that time + window. + +5. Intellectual Property Rights + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to per- + tain to the implementation or use of the technology described in this + document or the extent to which any license under such rights might + or might not be available; neither does it represent that it has made + any effort to identify any such rights. Information on the IETF's + procedures with respect to rights in standards-track and standards- + related documentation can be found in BCP-11. Copies of claims of + rights made available for publication and any assurances of licenses + to be made available, or the result of an attempt made to obtain a + general license or permission for the use of such proprietary rights + by implementors or users of this specification can be obtained from + the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + + The following eight (8) United States Patents related to time + stamping, listed in chronological order, are known by the authors to + exist at this time. This may not be an exhaustive list. Other + patents MAY exist or be issued at any time. This list is provided + for informational purposes; to date, the IETF has not been notified + of intellectual property rights claimed in regard to any of the + + + + +Adams, et al. Standards Track [Page 16] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + specification contained in this document. Should this situation + change, the current status may be found at the online list of claimed + rights (IETF Page of Intellectual Property Rights Notices). + + Implementers of this protocol SHOULD perform their own patent search + and determine whether or not any encumbrances exist on their + implementation. + + Users of this protocol SHOULD perform their own patent search and + determine whether or not any encumbrances exist on the use of this + standard. + +# 5,001,752 Public/Key Date-Time Notary Facility +Filing date: October 13, 1989 +Issued: March 19, 1991 +Inventor: Addison M. Fischer + +# 5,022,080 Electronic Notary +Filing date: April 16, 1989 +Issued: June 4, 1991 +Inventors: Robert T. Durst, Kevin D. Hunter + +# 5,136,643 Public/Key Date-Time Notary Facility +Filing date: December 20, 1990 +Issued: August 4, 1992 +Inventor: Addison M. Fischer +Note: This is a continuation of patent # 5,001,752.) + +# 5,136,646 Digital Document Time-Stamping with Catenate Certificate +Filing date: August 2, 1990 +Issued: August 4, 1992 +Inventors: Stuart A. Haber, Wakefield S. Stornetta Jr. +(assignee) Bell Communications Research, Inc., + +# 5,136,647 Method for Secure Time-Stamping of Digital Documents +Filing date: August 2, 1990 +Issued: August 4, 1992 +Inventors: Stuart A. Haber, Wakefield S. Stornetta Jr. +(assignee) Bell Communications Research, Inc., + +# 5,373,561 Method of Extending the Validity of a Cryptographic +Certificate +Filing date: December 21, 1992 +Issued: December 13, 1994 +Inventors: Stuart A. Haber, Wakefield S. Stornetta Jr. +(assignee) Bell Communications Research, Inc., + + + + + +Adams, et al. Standards Track [Page 17] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + +# 5,422,953 Personal Date/Time Notary Device +Filing date: May 5, 1993 +Issued: June 6, 1995 +Inventor: Addison M. Fischer + +# 5,781,629 Digital Document Authentication System +Filing date: February 21, 1997 +Issued: July 14, 1998 +Inventor: Stuart A. Haber, Wakefield S. Stornetta Jr. +(assignee) Surety Technologies, Inc., + +6. References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol, Version 1.0", + RFC 2246, January 1999. + + [RFC2510] Adams, C. and S. Farrell, "Internet X.509 Public Key + Infrastructure, Certificate Management Protocols", RFC + 2510, March 1999. + + [RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet + X.509 Public Key Infrastructure, Certificate and CRL + Profile", RFC 2459, January 1999. + + [CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630, + June 1999. + + [DSS] Digital Signature Standard. FIPS Pub 186. National + Institute of Standards and Technology. 19 May 1994. + + [ESS] Hoffman, P., "Enhanced Security Services for S/MIME", RFC + 2634, June 1999. + + [ISONR] ISO/IEC 10181-5: Security Frameworks in Open Systems. + Non-Repudiation Framework. April 1997. + + [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, + April 1992. + + [SHA1] Secure Hash Standard. FIPS Pub 180-1. National Institute + of Standards and Technology. 17 April 1995. + + + + + + + +Adams, et al. Standards Track [Page 18] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + +7. Authors' Addresses + + Carlisle Adams + Entrust, Inc. + 1000 Innovation Drive + Ottawa, Ontario + K2K 3E7 + CANADA + + EMail: cadams@entrust.com + + + Pat Cain + BBN + 70 Fawcett Street + Cambridge, MA 02138 + U.S.A. + + EMail: pcain@bbn.com + + + Denis Pinkas + Integris + 68 route de Versailles + B.P. 434 + 78430 Louveciennes + FRANCE + + EMail: Denis.Pinkas@bull.net + + + Robert Zuccherato + Entrust, Inc. + 1000 Innovation Drive + Ottawa, Ontario + K2K 3E7 + CANADA + + EMail: robert.zuccherato@entrust.com + + + + + + + + + + + + +Adams, et al. Standards Track [Page 19] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + +APPENDIX A - Signature Time-stamp attribute using CMS + + One of the major uses of time-stamping is to time-stamp a digital + signature to prove that the digital signature was created before a + given time. Should the corresponding public key certificate be + revoked this allows a verifier to know whether the signature was + created before or after the revocation date. + + A sensible place to store a time-stamp is in a [CMS] structure as an + unsigned attribute. + + This appendix defines a Signature Time-stamp attribute that may be + used to time-stamp a digital signature. + + The following object identifier identifies the Signature Time-stamp + attribute: + + id-aa-timeStampToken OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) aa(2) 14 } + + The Signature time-stamp attribute value has ASN.1 type + SignatureTimeStampToken: + + SignatureTimeStampToken ::= TimeStampToken + + The value of messageImprint field within TimeStampToken shall be a + hash of the value of signature field within SignerInfo for the + signedData being time-stamped. + +APPENDIX B - Placing a Signature At a Particular Point in Time + + We present an example of a possible use of this general time-stamping + service. It places a signature at a particular point in time, from + which the appropriate certificate status information (e.g., CRLs) + MUST be checked. This application is intended to be used in + conjunction with evidence generated using a digital signature + mechanism. + + Signatures can only be verified according to a non-repudiation + policy. This policy MAY be implicit or explicit (i.e., indicated in + the evidence provided by the signer). The non-repudiation policy can + specify, among other things, the time period allowed by a signer to + declare the compromise of a signature key used for the generation of + digital signatures. Thus a signature may not be guaranteed to be + valid until the termination of this time period. + + To verify a digital signature, the following basic technique may be + used: + + + +Adams, et al. Standards Track [Page 20] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + A) Time-stamping information needs to be obtained soon after the + signature has been produced (e.g., within a few minutes or hours). + + 1) The signature is presented to the Time Stamping Authority + (TSA). The TSA then returns a TimeStampToken (TST) upon + that signature. + + 2) The invoker of the service MUST then verify that the + TimeStampToken is correct. + + B) The validity of the digital signature may then be verified in the + following way: + + 1) The time-stamp token itself MUST be verified and it MUST be + verified that it applies to the signature of the signer. + + 2) The date/time indicated by the TSA in the TimeStampToken + MUST be retrieved. + + 3) The certificate used by the signer MUST be identified and + retrieved. + + 4) The date/time indicated by the TSA MUST be within the + validity period of the signer's certificate. + + 5) The revocation information about that certificate, at the + date/time of the Time-Stamping operation, MUST be retrieved. + + 6) Should the certificate be revoked, then the date/time of + revocation shall be later than the date/time indicated by + the TSA. + + If all these conditions are successful, then the digital signature + shall be declared as valid. + +APPENDIX C: ASN.1 Module using 1988 Syntax + +PKIXTSP {iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-tsp(13)} + +DEFINITIONS IMPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +IMPORTS + + + + +Adams, et al. Standards Track [Page 21] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + Extensions, AlgorithmIdentifier + FROM PKIX1Explicit88 {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-explicit-88(1)} + + GeneralName FROM PKIX1Implicit88 {iso(1) + identified-organization(3) dod(6) internet(1) security(5) + mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)} + + ContentInfo FROM CryptographicMessageSyntax {iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) cms(1)} + + PKIFreeText FROM PKIXCMP {iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-cmp(9)} ; + + -- Locally defined OIDs -- + +-- eContentType for a time-stamp token + +id-ct-TSTInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) +us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4} + +-- 2.4.1 + +TimeStampReq ::= SEQUENCE { + version INTEGER { v1(1) }, + messageImprint MessageImprint, + --a hash algorithm OID and the hash value of the data to be + --time-stamped + reqPolicy TSAPolicyId OPTIONAL, + nonce INTEGER OPTIONAL, + certReq BOOLEAN DEFAULT FALSE, + extensions [0] IMPLICIT Extensions OPTIONAL } + +MessageImprint ::= SEQUENCE { + hashAlgorithm AlgorithmIdentifier, + hashedMessage OCTET STRING } + +TSAPolicyId ::= OBJECT IDENTIFIER + + +-- 2.4.2 + +TimeStampResp ::= SEQUENCE { + status PKIStatusInfo, + timeStampToken TimeStampToken OPTIONAL } + + + +Adams, et al. Standards Track [Page 22] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + +-- The status is based on the definition of status +-- in section 3.2.3 of [RFC2510] + +PKIStatusInfo ::= SEQUENCE { + status PKIStatus, + statusString PKIFreeText OPTIONAL, + failInfo PKIFailureInfo OPTIONAL } + +PKIStatus ::= INTEGER { + granted (0), + -- when the PKIStatus contains the value zero a TimeStampToken, as + requested, is present. + grantedWithMods (1), + -- when the PKIStatus contains the value one a TimeStampToken, + with modifications, is present. + rejection (2), + waiting (3), + revocationWarning (4), + -- this message contains a warning that a revocation is + -- imminent + revocationNotification (5) + -- notification that a revocation has occurred } + + -- When the TimeStampToken is not present + -- failInfo indicates the reason why the + -- time-stamp request was rejected and + -- may be one of the following values. + +PKIFailureInfo ::= BIT STRING { + badAlg (0), + -- unrecognized or unsupported Algorithm Identifier + badRequest (2), + -- transaction not permitted or supported + badDataFormat (5), + -- the data submitted has the wrong format + timeNotAvailable (14), + -- the TSA's time source is not available + unacceptedPolicy (15), + -- the requested TSA policy is not supported by the TSA. + unacceptedExtension (16), + -- the requested extension is not supported by the TSA. + addInfoNotAvailable (17) + -- the additional information requested could not be understood + -- or is not available + systemFailure (25) + -- the request cannot be handled due to system failure } + +TimeStampToken ::= ContentInfo + + + +Adams, et al. Standards Track [Page 23] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + -- contentType is id-signedData as defined in [CMS] + -- content is SignedData as defined in([CMS]) + -- eContentType within SignedData is id-ct-TSTInfo + -- eContent within SignedData is TSTInfo + +TSTInfo ::= SEQUENCE { + version INTEGER { v1(1) }, + policy TSAPolicyId, + messageImprint MessageImprint, + -- MUST have the same value as the similar field in + -- TimeStampReq + serialNumber INTEGER, + -- Time-Stamping users MUST be ready to accommodate integers + -- up to 160 bits. + genTime GeneralizedTime, + accuracy Accuracy OPTIONAL, + ordering BOOLEAN DEFAULT FALSE, + nonce INTEGER OPTIONAL, + -- MUST be present if the similar field was present + -- in TimeStampReq. In that case it MUST have the same value. + tsa [0] GeneralName OPTIONAL, + extensions [1] IMPLICIT Extensions OPTIONAL } + +Accuracy ::= SEQUENCE { + seconds INTEGER OPTIONAL, + millis [0] INTEGER (1..999) OPTIONAL, + micros [1] INTEGER (1..999) OPTIONAL } + +END + +APPENDIX D: Access descriptors for Time-Stamping. + + [This annex describes an extension based on the SIA extension that + will be defined in the "son-of-RFC2459". Since at the time of + publication of this document, "son-of-RFC2459" is not yet available, + its description is placed in an informative annex. The contents of + this annex will eventually become incorporated into the son-of- + RFC2459 document, at which time this annex will no longer be needed. + A future version of this document will likely omit this annex and + refer to son-of-RFC2459 directly.] + + A TSA's certificate MAY contain a Subject Information Access (SIA) + extension (son of RFC2459) in order to convey the method of + contacting the TSA. The accessMethod field in this extension MUST + contain the OID id-ad-timestamping: + + The following object identifier identifies the access descriptors for + time-Stamping. + + + +Adams, et al. Standards Track [Page 24] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + + id-ad-timeStamping OBJECT IDENTIFIER ::= {iso(1) + identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) + ad (48) timestamping (3)} + + The value of the accessLocation field defines the transport (e.g., + HTTP) used to access the TSA and may contain other transport + dependent information (e.g., a URL). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Adams, et al. Standards Track [Page 25] + +RFC 3161 Time-Stamp Protocol (TSP) August 2001 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2001). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Adams, et al. Standards Track [Page 26] + |