Key takeaways to note about timestamping
- The TSA (Time-Stamping Authority) is the provider that issues timestamp tokens in accordance with a standard protocol (most commonly RFC 3161).
- The TSP protocol defines a request (fingerprint, algorithm, nonce, policy, etc.) and a response containing a signed token.
- The timestamp policy is identified by an OID and sets out the rules declared by the TSA (practices, accuracy, conditions).
- Under eIDAS, a qualified timestamp benefits from a presumption of accuracy of the date/time and integrity of the associated data.
What is TSP (Time-Stamp Protocol)?
TSP (Time-Stamp Protocol) is the protocol standardised by RFC 3161 for requesting and obtaining a timestamp. It defines the format of a request (TimeStampReq) and that of a response (TimeStampResp), together with security requirements applicable to the issuer. The underlying principle is consistent: the requester transmits the fingerprint of data (rather than necessarily the data itself), and the TSA returns a signed object attesting the date and time and linking that date/time to the submitted fingerprint.
From an evidential perspective, the value of TSP lies in interoperability: an RFC 3161 token can be verified using libraries and validation tools compliant with the standard.
What is a TSA (Time-Stamping Authority)?
A TSA is the entity that provides the timestamping service and signs the tokens. RFC 3161 describes it as a “third party” whose role is to generate tokens indicating that data existed at a given moment, and it imposes several operational requirements (for example, the use of a reliable time source and the uniqueness of certain fields). Within the European framework, the “trust service” dimension typically entails compliance with additional requirements, in particular those defined by ETSI for providers delivering timestamping services to the public.
What is a timestamp token?
The timestamp token (often abbreviated to TST for Time-Stamp Token) is the object returned by the TSA. From a technical standpoint, it is a signed container that includes, at a minimum: the date and time, the hash algorithm, the data fingerprint (message imprint), the policy identifier (where provided or accepted), and elements required for validation (certificate(s), identifiers).
The token does not “prove” the original content: it proves that a given fingerprint has been linked to a point in time, and it is this fingerprint that subsequently enables verification that a file presented corresponds to the one that was timestamped.
What is a timestamp policy?
The timestamp policy is a set of rules declared by the TSA: conditions of issuance, operational practices, stated level of accuracy, controls, and related aspects. Within the ETSI framework, standard EN 319 421 sets out policy and security requirements applicable to providers issuing timestamps, and notably defines a “best practices time-stamp policy” (BTSP).
It is useful to distinguish between: the policy (what is declared and documented) and evidence of compliance (what is effectively implemented, typically demonstrated through audits, controls and reports, depending on the applicable framework).
What is an OID in the context of timestamping?
An OID (Object Identifier) is a hierarchical identifier used to unambiguously name objects, policies or attributes within standardised structures (certificates, CMS, RFC 3161). Within RFC 3161, the OID is notably used to identify a timestamp policy (timestamp policy OID).
The OID enables a verifier to recognise the type of policy being asserted and, where appropriate, to apply corresponding validation rules. In evidential practice, the OID is only meaningful if it is linked to an accessible and intelligible policy (policy document, practices, conditions), thereby allowing a given token to be associated with a defined operational framework.
What is a qualified timestamp under eIDAS?
eIDAS governs the legal effect of timestamps. It provides that an electronic timestamp cannot be denied legal effect solely on the grounds that it is in electronic form or that it does not meet the requirements of a qualified timestamp. It further states that a qualified electronic timestamp benefits from a presumption regarding the accuracy of the indicated date/time and the integrity of the data linked to that date/time.
From a legal standpoint, this distinction is significant: it differentiates the general admissibility of a timestamp from the presumption attached to the qualified level, without prejudging other elements of the evidential record (chain of custody, consistency of operations, reproduction).
