The TimeStamp Authority [TSA] provides an independent time from a third-party, such as an atomic clock, that is then used to provide a timestamp token. The timestamp token is proof that the electronic data, payment transaction or electronic document, or Adobe® Acrobat® PDF existed at a particular time. The timestamp provides the verifiable evidence and proof required.
The TimeStamp Authority Gateway [TSAG] Service Module is intended to provide digital TimeStamping network based services in compliance [1] with the RFC 3161 standard and Internet X.509 Public Key Infrastructure TimeStamp Protocol [TSP]. The TimeStamp Protocol, or TSP, is a cryptographic protocol for certifying TimeStamp tokens using X.509 public key certificates and Public Key Infrastructure [PKI [2]] system.
The TSAG can be supplied in three ways:
The term "Gateway" in the module name is purposely used to describe what the TSAG really does. It is essentially a network gateway between the TSP Client and TSP Server. The design concept for this Service Module arose from the results of security assessments applied to RFC 3161 standard.
A typical implementation model for a TSP Server allows that server to directly access the timestamp Authority’s [TSA] Private Key designated for certifying TimeStamp tokens. Due to the fact that the TSP Server is very likely to be exposed for public use, the likelihood of the TSA’s private key accidental exposure to an illegitimate party is relatively high, regardless whether the TSA’s private key is stored in a Software or Hardware Security Module. The TSA forms a key party in the process of validating electronic signatures and non-repudiation and therefore an illegitimate exposure of the TSA’s private key in any form could lead to a potential risk of TSA signature forger that would further result in invalidation of any previously certified TimeStamp tokens and further invalidation of any electronic signatures that these tokens would provide an evidence of.
TSAG was designed to eliminate the above risks. It is a software library built to work with an instance of an Apache web server software and it can be therefore considered as an Apache software module. Its functionality is limited to the following purposes:
The TSP Clients can connect to the TSAG using standard HTTP or secure HTTPS [HTTP over SSL/TLS] protocol using a Uniform Resource Locator [URL] method. TSP requests are accepted either as HTTP POST or HTTP GET requests.
The optional Client Authentication is accomplished by the use of Simple HTTP Authentication where TSP Clients are requested to provide a username and password before their TSP request is accepted. To authenticate a TSP Client, the TSAG will transparently connect to a CA database, where End Entity account information is stored.
The TSAG module is configured and activated inside the Apache web server configuration and can be applied per site, virtual realm or per physical directory configuration. It is loaded the very moment the Apache web server is started.
Links:
[1] https://www.digi-sign.com/compliance/introduction
[2] https://www.digi-sign.com/digi-ca
[3] https://www.digi-sign.com/product/tsa/service
[4] https://www.digi-sign.com/product/tsa/server
[5] https://www.digi-sign.com/product/tsa/device
[6] https://www.digi-sign.com/product/timestamp