ARMWARE RFC Archive <- RFC Index (3601..3700)

RFC 3628


Network Working Group                                          D. Pinkas
Request for Comments: 3628                                          Bull
Category: Informational                                          N. Pope
                                                                 J. Ross
                                                    Security & Standards
                                                           November 2003

        Policy Requirements for Time-Stamping Authorities (TSAs)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document defines requirements for a baseline time-stamp policy
   for Time-Stamping Authorities (TSAs) issuing time-stamp tokens,
   supported by public key certificates, with an accuracy of one second
   or better.  A TSA may define its own policy which enhances the policy
   defined in this document.  Such a policy shall incorporate or further
   constrain the requirements identified in this document.

Table of Contents

   1.  Introduction. . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Overview. . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Definitions and Abbreviations . . . . . . . . . . . . . . . .  5
       3.1. Definitions. . . . . . . . . . . . . . . . . . . . . . .  5
       3.2. Abbreviations. . . . . . . . . . . . . . . . . . . . . .  6
   4.  General Concepts. . . . . . . . . . . . . . . . . . . . . . .  6
       4.1. Time-Stamping Services . . . . . . . . . . . . . . . . .  6
       4.2. Time-Stamping Authority. . . . . . . . . . . . . . . . .  7
       4.3. Subscriber . . . . . . . . . . . . . . . . . . . . . . .  7
       4.4. Time-Stamp Policy and TSA Practice Statement . . . . . .  8
            4.4.1.  Purpose. . . . . . . . . . . . . . . . . . . . .  8
            4.4.2.  Level of Specificity . . . . . . . . . . . . . .  8
            4.4.3.  Approach . . . . . . . . . . . . . . . . . . . .  8
   5.  Time-Stamp Policies . . . . . . . . . . . . . . . . . . . . .  9
       5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . .  9
       5.2. Identification . . . . . . . . . . . . . . . . . . . . .  9
       5.3. User Community and Applicability . . . . . . . . . . . . 10

Pinkas, et al.               Informational                      [Page 1]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

       5.4. Conformance. . . . . . . . . . . . . . . . . . . . . . . 10
   6.  Obligations and Liability . . . . . . . . . . . . . . . . . . 10
       6.1. TSA Obligations. . . . . . . . . . . . . . . . . . . . . 10
            6.1.1.  General. . . . . . . . . . . . . . . . . . . . . 10
            6.1.2.  TSA Obligations Towards Subscribers. . . . . . . 11
       6.2. Subscriber Obligations . . . . . . . . . . . . . . . . . 11
       6.3. Relying Party Obligations. . . . . . . . . . . . . . . . 11
       6.4. Liability. . . . . . . . . . . . . . . . . . . . . . . . 11
   7.  Requirements on TSA Practices . . . . . . . . . . . . . . . . 12
       7.1. Practice and Disclosure Statements . . . . . . . . . . . 12
            7.1.1.  TSA Practice Statement . . . . . . . . . . . . . 12
            7.1.2.  TSA Disclosure Statement . . . . . . . . . . . . 13
       7.2. Key Management Life Cycle. . . . . . . . . . . . . . . . 15
            7.2.1.  TSU Key Generation . . . . . . . . . . . . . . . 15
            7.2.2.  TSU Private Key Protection . . . . . . . . . . . 15
            7.2.3.  TSU Public Key Distribution. . . . . . . . . . . 16
            7.2.4.  Rekeying TSU's Key . . . . . . . . . . . . . . . 17
            7.2.5.  End of TSU Key Life Cycle. . . . . . . . . . . . 17
            7.2.6.  Life Cycle Management of the Cryptographic Module
                    used to Sign Time-Stamps . . . . . . . . . . . . 17
       7.3. Time-Stamping. . . . . . . . . . . . . . . . . . . . . . 18
            7.3.1.  Time-Stamp Token . . . . . . . . . . . . . . . . 18
            7.3.2.  Clock Synchronization with UTC . . . . . . . . . 19
       7.4. TSA Management and Operation . . . . . . . . . . . . . . 20
            7.4.1.  Security Management. . . . . . . . . . . . . . . 20
            7.4.2.  Asset Classification and Management. . . . . . . 21
            7.4.3.  Personnel Security . . . . . . . . . . . . . . . 22
            7.4.4.  Physical and Environmental Security. . . . . . . 23
            7.4.5.  Operations Management. . . . . . . . . . . . . . 25
            7.4.6.  System Access Management . . . . . . . . . . . . 26
            7.4.7.  Trustworthy Systems Deployment and Maintenance . 27
            7.4.8.  Compromise of TSA Services . . . . . . . . . . . 28
            7.4.9.  TSA Termination. . . . . . . . . . . . . . . . . 29
            7.4.10. Compliance with Legal Requirements . . . . . . . 29
            7.4.11. Recording of Information Concerning Operation
                    of Time-Stamping Services. . . . . . . . . . . . 30
       7.5. Organizational . . . . . . . . . . . . . . . . . . . . . 31
   8.  Security Considerations . . . . . . . . . . . . . . . . . . . 32
   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 33
   10. References. . . . . . . . . . . . . . . . . . . . . . . . . . 33
       10.1. Normative References. . . . . . . . . . . . . . . . . . 33
       10.2. Informative References. . . . . . . . . . . . . . . . . 34
   Annex A (informative): Coordinated Universal Time . . . . . . . . 35
   Annex B (informative): Possible for Implementation Architectures
                          and Time-Stamping Services . . . . . . . . 36
   Annex C (informative): Long Term Verification of Time-Stamp
                          Tokens . . . . . . . . . . . . . . . . . . 38
   Annex D (informative): Model TSA Disclosure Statement . . . . . . 39

Pinkas, et al.               Informational                      [Page 2]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . . 42
   Full Copyright Statement. . . . . . . . . . . . . . . . . . . . . 43

1.  Introduction

   The contents of this Informational RFC is technically equivalent to
   ETSI TS 102 023 V 1.2.1 (2002-06) [TS 102023].  The ETSI TS is under
   the ETSI Copyright (C).  Individual copies of this ETSI deliverable
   can be downloaded from http://www.etsi.org

   In creating reliable and manageable digital evidence it is necessary
   to have an agreed upon method of associating time data to transaction
   so that they might be compared to each other at a later time.  The
   quality of this evidence is based on creating and managing the data
   structure that represent the events and the quality of the parametric
   data points that anchor them to the real world.  In this instance
   this being the time data and how it was applied.

   A typical transaction is a digitally signed document, where it is
   necessary to prove that the digital signature from the signer was
   applied when the signer's certificate was valid.

   A timestamp or a time mark (which is an audit record kept in a secure
   audit trail from a trusted third party) applied to a digital
   signature value proves that the digital signature was created before
   the date included in the time-stamp or time mark.

   To prove the digital signature was generated while the signer's
   certificate was valid, the digital signature must be verified and the
   following conditions satisfied:

      1. the time-stamp (or time mark) was applied before the end of the
         validity period of the signer's certificate,

      2. the time-stamp (or time mark) was applied either while the
         signer's certificate was not revoked or before the revocation
         date of the certificate.

   Thus a time-stamp (or time mark) applied in this manner proves that
   the digital signature was created while the signer's certificate was
   valid. This concept proves the validity of a digital signature over
   the whole of any certificate chain.

   Policy requirements to cover that case is the primary reason of this
   document.  However, it should be observed that these policy
   requirements can be used to address other needs.

Pinkas, et al.               Informational                      [Page 3]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   The electronic time stamp is gaining interest from the business
   sector as an important component of electronic signatures.  It is
   also featured by the ETSI Electronic Signature Format standard [TS
   101733] or Electronic Signature Formats for long term electronic
   signatures [RFC 3126], built upon the Time-Stamp Protocol [RFC 3161].
   Agreed minimum security and quality requirements are necessary in
   order to ensure trustworthy validation of long-term electronic
   signatures.

   The European Directive 1999/93/EC [Dir 99/93/EC] defines
   certification service provider as "an entity or a legal or natural
   person who issues certificates or provides other services related to
   electronic signatures".  One example of a certification-service-
   provider is a Time-Stamping Authority.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [RFC 2119].

2.  Overview

   These policy requirements are aimed at time-stamping services used in
   support of qualified electronic signatures (i.e., in line with
   article 5.1 of the European Directive on a community framework for
   electronic signatures) but may be applied to any application
   requiring to prove that a datum existed before a particular time.

   These policy requirements are based on the use of public key
   cryptography, public key certificates and reliable time sources. The
   present document may be used by independent bodies as the basis for
   confirming that a TSA may be trusted for providing time-stamping
   services.

   This document addresses requirements for synchronizing TSAs issuing
   time-stamp tokens with Coordinated universal time (UTC) and digitally
   signed by TSUs.

   Subscriber and relying parties should consult the TSA's practice
   statement to obtain further details of precisely how this time-stamp
   policy is implemented by the particular TSA (e.g., protocols used in
   providing this service).

   This document does not specify:

      - protocols used to access the TSUs;

Pinkas, et al.               Informational                      [Page 4]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   NOTE 1: A time-stamping protocol is defined in RFC 3161 [RFC 3161]
   and profiled in TS 101 861 [TS 101861].

      -  how the requirements identified herein may be assessed by an
         independent body;

      -  requirements for information to be made available to such
         independent bodies;

      -  requirements on such independent bodies.

   NOTE 2: See CEN Workshop Agreement 14172 "EESSI Conformity Assessment
   Guidance" [CWA 14172].

3.  Definitions and Abbreviations

3.1.  Definitions

   For the purposes of the present document, the following terms and
   definitions apply:

   NOTE: Where a definition is copied from a referenced document this is
   indicated by inclusion of the reference identifier number at the end
   of the definition.

   relying party: recipient of a time-stamp token who relies on that
         time-stamp token.

   subscriber: entity requiring the services provided by a TSA and which
         has explicitly or implicitly agreed to its terms and
         conditions.

   time-stamp token: data object that binds a representation of a datum
         to a particular time, thus establishing evidence that the datum
         existed before that time.

   time-stamping authority: authority which issues time-stamp tokens.

   TSA Disclosure statement: set of statements about the policies and
         practices of a TSA that particularly require emphasis or
         disclosure to subscribers and relying parties, for example to
         meet regulatory requirements.

   TSA practice statement: statement of the practices that a TSA employs
         in issuing time-stamp tokens.

   TSA system: composition of IT products and components organized to
         support the provision of time-stamping services.

Pinkas, et al.               Informational                      [Page 5]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   time-stamp policy: named set of rules that indicates the
         applicability of a time-stamp token to a particular community
         and/or class of application with common security requirements.

   time-stamping unit: set of hardware and software which is managed as
         a unit and has a single time-stamp token signing key active at
         a time.

   Coordinated Universal Time (UTC): Time scale based on the second as
         defined in ITU-R Recommendation TF.460-5 [TF.460-5].

         NOTE: For most practical purposes UTC is equivalent to mean
         solar time at the prime meridian.  More specifically, UTC is a
         compromise between the highly stable atomic time (Temps
         Atomique International
          - TAI) and solar time derived from the irregular Earth
         rotation (related to the Greenwich mean sidereal time (GMST) by
         a conventional relationship).  (See annex A for more details).

   UTC(k): Time-scale realized by the laboratory "k" and kept in close
         agreement with UTC, with the goal to reach plus or minus 100
         ns. (See ITU-R Recommendation TF.536-1 [TF.536-1]).

         NOTE:  A list of UTC(k) laboratories is given in section 1 of
         Circular T disseminated by BIPM and available from the BIPM
         website (http://www.bipm.org/).

3.2.  Abbreviations

   For the purposes of the present document, the following abbreviations
   apply:

      TSA  Time-Stamping Authority
      TSU  Time-Stamping Unit
      TST  Time-Stamp Token
      UTC  Coordinated Universal Time

4.  General Concepts

4.1.  Time-Stamping Services

   The provision of time-stamping services is broken down into the
   following component services for the purposes of classifying
   requirements:

   -  Time-stamping provision: This service component generates
      time-stamp tokens.

Pinkas, et al.               Informational                      [Page 6]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   -  Time-stamping management: The service component that monitors and
      controls the operation of the time-stamping services to ensure
      that the service is provided as specified by the TSA.  This
      service component is responsibile  for the installation and
      de-installation of the time-stamping provision service. For
      example, time-stamping management ensures that the clock used for
      time-stamping is correctly synchronized with UTC.

   This subdivision of services is only for the purposes of clarifying
   the requirements specified in the current document and places no
   restrictions on any subdivision of an implementation of time-stamping
   services.

4.2.  Time-Stamping Authority

   The authority to issue time-stamp tokens, trusted by the users of the
   time-stamping services, i.e., subscribers and relying parties, is
   called the Time-Stamping Authority (TSA).  TSA has overall
   responsibility for time-stamping services identified in clause 4.1.
   The TSA has responsibility for the operation of one or more TSU's
   which creates and signs on behalf of the TSA.  The TSA responsible
   for issuing a time-stamp token is identifiable (see 7.3.1 h).

   The TSA may use other parties to provide parts of the Time-Stamping
   Services.  However, the TSA always maintains overall responsibility
   and ensures that the policy requirements identified in the present
   document are met.  For example, a TSA may sub-contract all the
   component services, including the services which generate time-stamp
   tokens using the TSU's keys.  However, the private key or keys used
   to generate the time-stamp tokens belong to the TSA which maintains
   overall responsibility for meeting the requirements in this document.

   A TSA may operate several identifiable time-stamping units.  Each
   unit has a different key.  See Annex B for possible implementations.

   A TSA is a certification-service-provider, as defined in the EU
   Directive on Electronic Signatures (see article 2(11)), which issues
   time-stamp tokens.

4.3.  Subscriber

   The subscriber may be an organization comprising several end-users or
   an individual end-user.

   When the subscriber is an organization, some of the obligations that
   apply to that organization will have to apply as well to the end-
   users. In any case the organization will be held responsible if the

Pinkas, et al.               Informational                      [Page 7]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   obligations from the end-users are not correctly fulfilled and
   therefore the organization is expected to suitably inform its end
   users.

   When the subscriber is an end-user, the end-user will be held
   directly responsible if its obligations are not correctly fulfilled.

4.4.  Time-Stamp Policy and TSA Practice Statement

   This section explains the relative roles of Time-stamp policy and TSA
   practice statement.  It places no restriction on the form of a time-
   stamp policy or practice statement specification.

4.4.1.  Purpose

   In general, the time-stamp policy states "what is to be adhered to,"
   while a TSA practice statement states "how it is adhered to", i.e.,
   the processes it will use in creating time-stamps and maintaining the
   accuracy of its clock.  The relationship between the time-stamp
   policy and TSA practice statement is similar in nature to the
   relationship of other business policies which state the requirements
   of the business, while operational units define the practices and
   procedures of how these policies are to be carried out.

   The present document specifies a time-stamp policy to meet general
   requirements for trusted time-stamping services.  TSAs specify in TSA
   practice statements how these requirements are met.

4.4.2.  Level of Specificity

   The TSA practice statement is more specific than a time-stamp policy.
   A TSA practice statement is a more detailed description of the terms
   and conditions as well as business and operational practices of a TSA
   in issuing and otherwise managing time-stamping services.  The TSA
   practice statement of a TSA enforces the rules established by a
   time-stamp policy.  A TSA practice statement defines how a specific
   TSA meets the technical, organizational and procedural requirements
   identified in a time-stamp policy.

   NOTE: Even lower-level internal documentation may be appropriate for
   a TSA detailing the specific procedures necessary to complete the
   practices identified in the TSA practice statement.

4.4.3.  Approach

   The approach of a time-stamp policy is significantly different from a
   TSA practice statement.  A time-stamp policy is defined independently
   of the specific details of the specific operating environment of a

Pinkas, et al.               Informational                      [Page 8]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   TSA, whereas a TSA practice statement is tailored to the
   organizational structure, operating procedures, facilities, and
   computing environment of a TSA.  A time-stamp policy may be defined
   by the user of times-stamp services, whereas the TSA practice
   statement is always defined by the provider.

5.  Time-Stamp Policies

5.1.  Overview

   A time-stamp policy is a "named set of rules that indicates the
   applicability of a time-stamp token to a particular community and/or
   class of application with common security requirements" (see clauses
   3.1 and 4.4).

   The present document defines requirements for a baseline time-stamp
   policy for TSAs issuing time-stamp tokens, supported by public key
   certificates, with an accuracy of 1 second or better.

   NOTE 1: Without additional measures the relying party may not be able
   to ensure the validity of a time-stamp token beyond the end of the
   validity period of the supporting certificate.  See Annex C on
   verification of the validity of a time-stamp token beyond the
   validity period of the TSU's certificate.

   A TSA may define its own policy which enhances the policy defined in
   this document.  Such a policy shall incorporate or further constrain
   the requirements identified in this document.

   If an accuracy of better than 1 second is provided by a TSA and if
   all the TSUs have that same characteristics, then the accuracy shall
   be indicated in the TSA's disclosure statement (see section 7.1.2)
   that  each time-stamp token is issued with an accuracy of better than
   1 second.

   NOTE 2: It is required that a time-stamp token includes an identifier
   for the applicable policy (see section 7.3.1).

5.2.  Identification

   The object-identifier [X.208] of the baseline time-stamp policy is:
   itu-t(0) identified-organization(4) etsi(0) time-stamp-policy(2023)
   policy-identifiers(1) baseline-ts-policy (1)

   In the TSA disclosure statement made available to subscribers and
   relying parties, a TSA shall also include the identifier for the
   time-stamp policy to indicate its conformance.

Pinkas, et al.               Informational                      [Page 9]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

5.3.  User Community and Applicability

   This policy is aimed at meeting the requirements of time-stamping
   qualified electronic signatures (see European Directive on Electronic
   Signatures) for long term validity (e.g., as defined in TS 101 733
   [TS 101733]), but is generally applicable to any requirement for an
   equivalent quality.

   This policy may be used for public time-stamping services or time-
   stamping services used within a closed community.

5.4.  Conformance

   The TSA shall use the identifier for the time-stamp policy in time-
   stamp tokens as given in section 5.2, or define its own time-stamp
   policy that incorporates or further constrains the requirements
   identified in the present document:

   a) if the TSA claims conformance to the identified time-stamp policy
      and makes available to subscribers and relying parties on request
      the evidence to support the claim of conformance; or

   b) if the TSA has been assessed to conform to the identified time-
      stamp policy by an independent party.

   A conformant TSA must demonstrate that:

   a) it meets its obligations as defined in section 6.1;
   b) it has implemented controls which meet the requirements specified
      in section 7.

6.  Obligations and Liability

6.1.  TSA Obligations

6.1.1.  General

   The TSA shall ensure that all requirements on TSA, as detailed in
   section 7, are implemented as applicable to the selected trusted
   time-stamp policy.

   The TSA shall ensure conformance with the procedures prescribed in
   this policy, even when the TSA functionality is undertaken by sub-
   contractors.

   The TSA shall also ensure adherence to any additional obligations
   indicated in the time-stamp either directly or incorporated by
   reference.

Pinkas, et al.               Informational                     [Page 10]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   The TSA shall provide all its time-stamping services consistent with
   its practice statement.

6.1.2.  TSA Obligations Towards Subscribers

   The TSA shall meet its claims as given in its terms and conditions
   including the availability and accuracy of its service.

6.2.  Subscriber Obligations

   The current document places no specific obligations on the subscriber
   beyond any TSA specific requirements stated in the TSA's terms and
   condition.

   NOTE:  It is advisable that, when obtaining a time-stamp token, the
   subscriber verifies that the time-stamp token has been correctly
   signed and that the private key used to sign the time-stamp token has
   not been compromised.

6.3.  Relying Party Obligations

   The terms and conditions made available to relying parties (see
   section 7.1.2) shall include an obligation on the relying party that,
   when relying on a time-stamp token, it shall:

   a) verify that the time-stamp token has been correctly signed and
      that the private key used to sign the time-stamp has not been
      compromised until the time of the verification;

      NOTE: During the TSU's certificate validity period, the validity
      of the signing key can be checked using current revocation status
      for the TSU's certificate.  If the time of verification exceeds
      the end of the validity period of the corresponding certificate,
      see annex C for guidance.

   b) take into account any limitations on the usage of the time-stamp
      indicated by the time-stamp policy;

   c) take into account any other precautions prescribed in agreements
      or elsewhere.

6.4.  Liability

   The present document does not specify any requirement on liability.
   In particular, it should be noticed that a TSA may disclaim or limit
   any liability unless otherwise stipulated by the applicable law.

Pinkas, et al.               Informational                     [Page 11]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

7.  Requirements on TSA Practices

   The TSA shall implement the controls that meet the following
   requirements.

   These policy requirements are not meant to imply any restrictions on
   charging for TSA services.

   The requirements are indicated in terms of the security objectives,
   followed by more specific requirements for controls to meet those
   objectives where it is necessary to provide confidence that those
   objective will be met.

      NOTE: The details of controls required to meet an objective is a
      balance between achieving the necessary confidence whilst
      minimizing the restrictions on the techniques that a TSA may
      employ in issuing time-stamp tokens.  In the case of section 7.4
      (TSA management and operation), a reference is made to a source of
      more detailed control requirements.  Due to these factors the
      specificity of the requirements given under a given topic may
      vary.

   The provision of a time-stamp token in response to a request is at
   the discretion of the TSA depending on any service level agreements
   with the subscriber.

7.1.  Practice and Disclosure Statements

7.1.1.  TSA Practice Statement

   The TSA shall ensure that it demonstrates the reliability necessary
   for providing time-stamping services.

   In particular:

   a) The TSA shall have a risk assessment carried out in order to
      evaluate business assets and threats to those assets in order to
      determine the necessary security controls and operational
      procedures.

   b) The TSA shall have a statement of the practices and procedures
      used to address all the requirements identified in this time-stamp
      policy.

      NOTE 1: This policy makes no requirement as to the structure of
      the TSA practice statement.

Pinkas, et al.               Informational                     [Page 12]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   c) The TSA's practice statement shall identify the obligations of all
      external organizations supporting the TSA services including the
      applicable policies and practices.

   d) The TSA shall make available to subscribers and relying parties
      its practice statement, and other relevant documentation, as
      necessary, to assess conformance to the time-stamp policy.

      NOTE 2: The TSA is not generally required to make all the details
      of its practices public.

   e) The TSA shall disclose to all subscribers and potential relying
      parties the terms and conditions regarding use of its time-
      stamping services as specified in section 7.1.2.

   f) The TSA shall have a high level management body with final
      authority for approving the TSA practice statement.

   g) The senior management of the TSA shall ensure that the practices
      are properly implemented.

   h) The TSA shall define a review process for the practices including
      responsibilities for maintaining the TSA practice statement.

   i) The TSA shall give due notice of changes it intends to make in its
      practice statement and shall, following approval as in (f) above,
      make the revised TSA practice statement immediately available as
      required under (d) above.

7.1.2.  TSA Disclosure Statement

   The TSA shall disclose to all subscribers and potential relying
   parties the terms and conditions regarding use of its time-stamping
   services.  This statement shall at least specify for each time-stamp
   policy supported by the TSA:

   a) The TSA contact information.

   b) The time-stamp policy being applied.

   c) At least one hashing algorithm which may be used to represent the
      datum being time-stamped. (No hash algorithm is mandated).

   d) The expected life-time of the signature used to sign the time-
      stamp token (depends on the hashing algorithm being used, the
      signature algorithm being used and the private key length).

Pinkas, et al.               Informational                     [Page 13]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   e) The accuracy of the time in the time-stamp tokens with respect to
      UTC.

   f) Any limitations on the use of the time-stamping service.

   g) The subscriber's obligations as defined in section 6.2, if any.

   h) The relying party's obligations as defined in section 6.3.

   i) Information on how to verify the time-stamp token such that the
      relying party is considered to "reasonably rely" on the time-stamp
      token (see section 6.3) and any possible limitations on the
      validity period.

   j) The period of time during which TSA event logs (see section
      7.4.10) are retained.

   k) The applicable legal system, including any claim to meet the
      requirements on time-stamping services under national law.

   l) Limitations of liability.

   m) Procedures for complaints and dispute settlement.

   n) If the TSA has been assessed to be conformant with the identified
      time-stamp policy, and if so by which independent body.

      NOTE 1: It is also recommended that the TSA includes in its
      time-stamping disclosure statement availability of its service,
      for example the expected mean time between failure of the time-
      stamping service, the mean time to recovery following a failure,
      and provisions made for disaster recovery including back-up
      services;

      This information shall be available through a durable means of
      communication.  This information shall be available in a readily
      understandable language.  It may be transmitted electronically.

      NOTE 2: A model TSA disclosure statement which may be used as the
      basis of such a communication is given in annex D. Alternatively
      this may be provided as part of a subscriber / relying party
      agreement.  These TSA disclosure statements may be included in a
      TSA practice statement provided that they are conspicuous to the
      reader.

Pinkas, et al.               Informational                     [Page 14]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

7.2.  Key Management Life Cycle

7.2.1.  TSA Key Generation

   The TSA shall ensure that any cryptographic keys are generated in
   under controlled circumstances.

   In particular:

   a) The generation of the TSU's signing key(s) shall be undertaken in
      a physically secured environment (see section 7.4.4) by personnel
      in trusted roles (see section 7.4.3) under, at least, dual
      control.  The personnel authorized to carry out this function
      shall be limited to those requiring to do so under the TSA's
      practices.

   b) The generation of the TSU's signing key(s) shall be carried out
      within a cryptographic module(s) which either:

      -  meets the requirements identified in FIPS 140-1 [FIPS 140-1]
         level 3 or higher, or

      -  meets the requirements identified in CEN Workshop Agreement
         14167-2 [CWA 14167-2], or

      -  is a trustworthy system which is assured to EAL 4 or higher in
         accordance to ISO 15408 [ISO 15408], or equivalent security
         criteria.  This shall be to a security target or protection
         profile which meets the requirements of the current document,
         based on a risk analysis and taking into account physical and
         other non-technical security measures.

   c) The TSU key generation algorithm, the resulting signing key length
      and signature algorithm used for signing time-stamp tokens key
      shall be recognized by any national supervisory body, or in
      accordance with existing current state of art, as being fit for
      the purposes of time-stamp tokens as issued by the TSA.

7.2.2.  TSU Private Key Protection

   The TSA shall ensure that TSU private keys remain confidential and
   maintain their integrity.

   In particular:

   a) The TSU private signing key shall be held and used within a
      cryptographic module which:

Pinkas, et al.               Informational                     [Page 15]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

      -  meets the requirements identified in FIPS 140-1 [FIPS 140-1]
         level 3 or higher; or

      -  meets the requirements identified in CEN Workshop Agreement
         14167-2 [CWA 14167-2]; or

      -  is a trustworthy system which is assured to EAL 4 or higher in
         accordance to ISO 15408 [ISO 15408], or equivalent security
         criteria. This shall be a security target or protection profile
         which meets the requirements of the current document, based on
         a risk analysis and taking into account physical and other
         non-technical security measures.

      NOTE: Backup of TSU private keys is deprecated in order to
      minimize risk of key compromise.

   b) If TSU private keys are backed up, they shall be copied, stored
      and recovered only by personnel in trusted roles using, at least,
      dual control in a physically secured environment. (see section
      7.4.4).  The personnel authorized to carry out this function shall
      be limited to those requiring to do so under the TSA's practices.

   c) Any backup copies of the TSU private signing keys shall be
      protected to ensure its confidentiality by the cryptographic
      module before being stored outside that device.

7.2.3.  TSU Public Key Distribution

   The TSA shall ensure that the integrity and authenticity of the TSU
   signature verification (public) keys and any associated parameters
   are maintained during its distribution to relying parties.

   In particular:

   a) TSU signature verification (public) keys shall be made available
      to relying parties in a public key certificate.

      NOTE: For example, TSU's certificates may be issued by a
      certification authority operated by the same organization as the
      TSA, or issued by another authority.

   b) The TSU's signature verification (public) key certificate shall be
      issued by a certification authority operating under a certificate
      policy which provides a level of security equivalent to, or higher
      than, this time-stamping policy.

Pinkas, et al.               Informational                     [Page 16]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

7.2.4.  Rekeying TSU's Key

   The life-time of TSU's certificate shall be not longer than the
   period of time that the chosen algorithm and key length is recognized
   as being fit for purpose (see section 7.2.1c)).

   NOTE 1: The following additional considerations apply when limiting
   that lifetime:

   -  Section 7.4.10 requires that records concerning time-stamping
      services shall be held for a period of time,as appropriate, for at
      least 1 year after the expiration of the validity of the TSU's
      signing keys.  The longer the validity period of the TSU
      certificates will be, the longer the size of the records to be
      kept will be.

   -  Should a TSU private key be compromised, then the longer the
      life-time, the more affected time-stamp tokens there will be.

   NOTE 2: TSU key compromise does not only depend on the
   characteristics of the cryptographic module being used but also on
   the procedures being used at system initialization and key export
   (when that function is supported).

7.2.5.  End of TSU Key Life Cycle

   The TSA shall ensure that TSU private signing keys are not used
   beyond the end of their life cycle.

   In particular:

   a) Operational or technical procedures shall be in place to ensure
      that a new key is put in place when a TSU's key expires.

   b) The TSU private signing keys, or any key part, including any
      copies shall be destroyed such that the private keys cannot be
      retrieved.

   c) The TST generation system SHALL reject any attempt to issue TSTs
      if the signing private key has expired.

7.2.6.  Life Cycle Management of the Cryptographic Module used to Sign
        Time-Stamps

   The TSA shall ensure the security of cryptographic hardware
   throughout its lifecycle.

Pinkas, et al.               Informational                     [Page 17]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   In particular the TSA shall ensure that:

   a) Time-stamp token signing cryptographic hardware is not tampered
      with during shipment;

   b) Time-stamp token signing cryptographic hardware is not tampered
      with while stored;

   c) Installation, activation and duplication of TSU's signing keys in
      cryptographic hardware shall be done only by personnel in trusted
      roles using, at least, dual control in a physically secured
      environment. (see section 7.4.4);

   d) Time-stamp token signing cryptographic hardware is functioning
      correctly; and

   e) TSU private signing keys stored on TSU cryptographic module are
      erased upon device retirement.

7.3.  Time-Stamping

7.3.1.  Time-Stamp Token

   The TSA shall ensure that time-stamp tokens are issued securely and
   include the correct time.

   In particular:

   a) The time-stamp token shall include an identifier for the time-
      stamp policy;

   b) Each time-stamp token shall have a unique identifier;

   c) The time values the TSU uses in the time-stamp token shall be
      traceable to at least one of the real time values distributed by a
      UTC(k) laboratory.

      NOTE 1: The Bureau International des Poids et Mesures (BIPM)
      computes UTC on the basis of its local representations UTC(k) from
      a large ensemble of atomic clocks in national metrology institutes
      and national astronomical observatories round the world.  The BIPM
      disseminates UTC through its monthly Circular T [list 1].  This is
      available on the BIPM website (www.bipm.org) and it officially
      identifies all those institutes having recognized UTC(k) time
      scales.

Pinkas, et al.               Informational                     [Page 18]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   d) The time included in the time-stamp token shall be synchronized
      with UTC within the accuracy defined in this policy and, if
      present, within the accuracy defined in the time-stamp token
      itself;

   e) If the time-stamp provider's clock is detected (see section
      7.3.2c)) as being out of the stated accuracy (see section 7.1.2e))
      then time-stamp tokens shall not be issued.

   f) The time-stamp token shall include a representation (e.g., hash
      value) of the datum being time-stamped as provided by the
      requestor;

   g) The time-stamp token shall be signed using a key generated
      exclusively for this purpose.

      NOTE 2: A protocol for a time-stamp token is defined in RFC 3631
      and profiled in TS 101 861 [TS 101861].

      NOTE 3: In the case of a number of requests at approximately the
      same time, the ordering of the time within the accuracy of the TSU
      clock is not mandated.

   h) The time-stamp token shall include:

      -  where applicable, an identifier for the country in which the
         TSA is established;

      -  an identifier for the TSA;

      -  an identifier for the unit which issues the time-stamps.

7.3.2.  Clock Synchronization with UTC

   The TSA shall ensure that its clock is synchronized with UTC within
   the declared accuracy.

   In particular:

   a) The calibration of the TSU clocks shall be maintained such that
      the clocks shall not be expected to drift outside the declared
      accuracy.

   b) The TSU clocks shall be protected against threats which could
      result in an undetected change to the clock that takes it outside
      its calibration.

Pinkas, et al.               Informational                     [Page 19]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

      NOTE 1: Threats may include tampering by unauthorized personnel,
      radio or electrical shocks.

   c) The TSA shall ensure that, if the time that would be indicated in
      a time-stamp token drifts or jumps out of synchronization with
      UTC, this will be detected (see also 7.3.1e)).

      NOTE 2: Relying parties are required to be informed of such events
      (see section 7.4.8).

   d) The TSA shall ensure that clock synchronization is maintained when
      a leap second occurs as notified by the appropriate body.  The
      change to take account of the leap second shall occur during the
      last minute of the day when the leap second is scheduled to occur.
      A record shall be maintained of the exact time (within the
      declared accuracy) when this change occurred.  See annex A for
      more details.

      NOTE 3: A leap second is an adjustment to UTC by skipping or
      adding an extra second on the last second of a UTC month.  First
      preference is given to the end of December and June, and second
      preference is given to the end of March and September.

7.4.  TSA Management and Operation

7.4.1.  Security Management

   The TSA shall ensure that the administrative and management
   procedures applied are adequate and correspond to recognized best
   practice.

   In particular:

   TSA General

   a) The TSA shall retain responsibility for all aspects of the
      provision of time-stamping services within the scope of this
      time-stamp policy, whether or not functions are outsourced to
      subcontractors.  Responsibilities of third parties shall be
      clearly defined by the TSA and appropriate arrangements made to
      ensure that third parties are bound to implement any controls
      required by the TSA.  The TSA shall retain responsibility for the
      disclosure of relevant practices of all parties.

Pinkas, et al.               Informational                     [Page 20]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   b) The TSA management shall provide direction on information security
      through a suitable high level steering forum that is responsible
      for defining the TSA's information security policy.  The TSA shall
      ensure publication and communication of this policy to all
      employees who are impacted by it.

   c) The information security infrastructure necessary to manage the
      security within the TSA shall be maintained at all times.  Any
      changes that will impact on the level of security provided shall
      be approved by the TSA management forum.

      NOTE 1: See ISO/IEC 17799 [ISO 17799] for guidance on information
      security management including information security infrastructure,
      management information security forum and information security
      policies.

   d) The security controls and operating procedures for TSA facilities,
      systems and information assets providing the time-stamping
      services shall be documented, implemented and maintained.

      NOTE 2: The present documentation (commonly called a system
      security policy or manual) should identify all relevant targets,
      objects and potential threats related to the services provided and
      the safeguards required to avoid or limit the effects of those
      threats, consistent with the Risk Assessment required under
      section 7.1.1a).  It should describe the rules, directives and
      procedures regarding how the specified services and the associated
      security assurance are granted in addition to stating policy on
      incidents and disasters.

   e) TSA shall ensure that the security of information is maintained
      when the responsibility for TSA functions has been outsourced to
      another organization or entity.

7.4.2.  Asset Classification and Management

   The TSA shall ensure that its information and other assets receive an
   appropriate level of protection.

   In particular:

    - The TSA shall maintain an inventory of all assets and shall assign
      a classification for the protection requirements to those assets
      consistent with the risk analysis.

Pinkas, et al.               Informational                     [Page 21]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

7.4.3.  Personnel Security

   The TSA shall ensure that personnel and hiring practices enhance and
   support the trustworthiness of the TSA's operations.

   In particular (TSA general):

   a) The TSA shall employ personnel which possess the expert knowledge,
      experience and qualifications necessary for the offered services
      and as appropriate to the job function.

      NOTE 1: TSA personnel should be able to fulfill the requirement of
      "expert knowledge, experience and qualifications" through formal
      training and credentials, actual experience, or a combination of
      the two.

      NOTE 2: Personnel employed by a TSA include individual personnel
      contractually engaged in performing functions in support of the
      TSA's time-stamping services.  Personnel who may be involved in
      monitoring the TSA services need not be TSA personnel.

   b) Security roles and responsibilities, as specified in the TSA's
      security policy, shall be documented in job descriptions.  Trusted
      roles, on which the security of the TSA's operation is dependent,
      shall be clearly identified.

   c) TSA personnel (both temporary and permanent) shall have job
      descriptions defined from the view point of separation of duties
      and least privilege, determining position sensitivity based on the
      duties and access levels, background screening and employee
      training and awareness.  Where appropriate, these shall
      differentiate between general functions and TSA specific
      functions.  These should include skills and experience
      requirements.

   d) Personnel shall exercise administrative and management procedures
      and processes that are in line with the TSA's information security
      management procedures (see section 7.4.1).

      NOTE 3: See ISO/IEC 17799 [ISO 17799] for guidance.

      The following additional controls shall be applied to time-
      stamping management:

   e) Managerial personnel shall be employed who possess:

      - knowledge of time-stamping technology; and
      - knowledge of digital signature technology; and

Pinkas, et al.               Informational                     [Page 22]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

      - knowledge of mechanisms for calibration or synchronization the
        TSU clocks with UTC; and
      - familiarity with security procedures for personnel with security
        responsibilities; and
      - experience with information security and risk assessment.

   f) All TSA personnel in trusted roles shall be free from conflict of
      interest that might prejudice the impartiality of the TSA
      operations.

   g) Trusted roles include roles that involve the following
      responsibilities:

      -  Security Officers: Overall responsibility for administering the
         implementation of the security practices.

      -  System Administrators: Authorized to install, configure and
         maintain the TSA trustworthy systems for time-stamping
         management.

      -  System Operators: Responsible for operating the TSA trustworthy
         systems on a day-to-day basis.  Authorized to perform system
         backup and recovery.

      -  System Auditors: Authorized to view archives and audit logs of
         the TSA trustworthy systems.

   h) TSA personnel shall be formally appointed to trusted roles by
      senior management responsible for security.

   i) The TSA shall not appoint to trusted roles or management any
      person who is known to have a conviction for a serious crime or
      other offense which affects his/her suitability for the position.
      Personnel shall not have access to the trusted functions until any
      necessary checks are completed.

      NOTE 4: In some countries it may not be possible for TSA to obtain
      information on past convictions without the collaboration of the
      candidate employee.

7.4.4.  Physical and Environmental Security

   The TSA shall ensure that physical access to critical services is
   controlled and physical risks to its assets minimized.

Pinkas, et al.               Informational                     [Page 23]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   In particular (general):

   a) For both the time-stamping provision and the time-stamping
      management:

      -  physical access to facilities concerned with time-stamping
         services shall be limited to properly authorized individuals;
      -  controls shall be implemented to avoid loss, damage or
         compromise of assets and interruption to business activities;
         and
      -  controls shall be implemented to avoid compromise or theft of
         information and information processing facilities.

   b) Access controls shall be applied to the cryptographic module to
      meet the requirements of security of cryptographic modules as
      identified in clauses 7.2.1 and 7.2.2.

   c) The following additional controls shall be applied to time-
      stamping management:

      -  The time-stamping management facilities shall be operated in an
         environment which physically protects the services from
         compromise through unauthorized access to systems or data.

      -  Physical protection shall be achieved through the creation of
         clearly defined security perimeters (i.e., physical barriers)
         around the time-stamping management.  Any parts of the premises
         shared with other organizations shall be outside this
         perimeter.

      -  Physical and environmental security controls shall be
         implemented to protect the facility that houses system
         resources, the system resources themselves, and the facilities
         used to support their operation.  The TSA's physical and
         environmental security policy for systems concerned with time-
         stamping management shall address as a minimum the physical
         access control, natural disaster protection, fire safety
         factors, failure of supporting utilities (e.g., power,
         telecommunications), structure collapse, plumbing leaks,
         protection against theft, breaking and entering, and disaster
         recovery.

      -  Controls shall be implemented to protect against equipment,
         information, media and software relating to the time-stamping
         services being taken off-site without authorization.

      NOTE 1: See ISO/IEC 17799 [ISO 17799] for guidance on physical and
      environmental security.

Pinkas, et al.               Informational                     [Page 24]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

      NOTE 2: Other functions may be supported within the same secured
      area provided that the access is limited to authorized personnel.

7.4.5.  Operations Management

   The TSA shall ensure that the TSA system components are secure and
   correctly operated, with minimal risk of failure:

   In particular (general):

   a) The integrity of TSA system components and information shall be
      protected against viruses, malicious and unauthorized software.

   b) Incident reporting and response procedures shall be employed in
      such a way that damage from security incidents and malfunctions
      shall be minimized.

   c) Media used within the TSA trustworthy systems shall be securely
      handled to protect media from damage, theft, unauthorized access
      and obsolescence.

      NOTE 1: Every member of personnel with management responsibilities
      is responsible for planning and effectively implementing the
      time-stamp policy and associated practices as documented in the
      TSA practice statement.

   d) Procedures shall be established and implemented for all trusted
      and administrative roles that impact on the provision of time-
      stamping services.

   Media handling and security

   e) All media shall be handled securely in accordance with
      requirements of the information classification scheme (see section
      7.4.2).  Media containing sensitive data shall be securely
      disposed of when no longer required.

   System Planning

   f) Capacity demands shall be monitored and projections of future
      capacity requirements made to ensure that adequate processing
      power and storage are available.

Pinkas, et al.               Informational                     [Page 25]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   Incident reporting and response

   g) The TSA shall act in a timely and coordinated manner in order to
      respond quickly to incidents and to limit the impact of breaches
      of security.  All incidents shall be reported as soon as possible
      after the incident.

   The following additional controls shall be applied to time-stamping
   management:

   Operations procedures and responsibilities

   h) TSA security operations shall be separated from other operations.

      NOTE 2: TSA security operations' responsibilities include:

         -  operational procedures and responsibilities;
         -  secure systems planning and acceptance;
         -  protection from malicious software;
         -  housekeeping;
         -  network management;
         -  active monitoring of audit journals, event analysis and
            follow-up;
         -  media handling and security;
         -  data and software exchange.

   These operations shall be managed by TSA trusted personnel, but, may
   actually be performed by, non-specialist, operational personnel
   (under supervision), as defined within the appropriate security
   policy, and, roles and responsibility documents.

7.4.6.  System Access Management

   The TSA shall ensure that TSA system access is limited to properly
   authorized individuals.

   In particular (general):

   a) Controls (e.g., firewalls) shall be implemented to protect the
      TSA's internal network domains from unauthorized access including
      access by subscribers and third parties.

      NOTE 1: Firewalls should also be configured to prevent all
      protocols and accesses not required for the operation of the TSA.

Pinkas, et al.               Informational                     [Page 26]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   b) The TSA shall ensure effective administration of user (this
      includes operators, administrators and auditors) access to
      maintain system security, including user account management,
      auditing and timely modification or removal of access.

   c) The TSA shall ensure that access to information and application
      system functions is restricted in accordance with the access
      control policy and that the TSA system provides sufficient
      computer security controls for the separation of trusted roles
      identified in TSA's practices, including the separation of
      security administrator and operation functions.  Particularly, use
      of system utility programs is restricted and tightly controlled.

   d) TSA personnel shall be properly identified and authenticated
      before using critical applications related to time-stamping.

   e) TSA personnel shall be accountable for their activities, for
      example by retaining event logs (see section 7.4.10).

   The following additional controls shall be applied to time-stamping
   management:

   f) The TSA shall ensure that local network components (e.g., routers)
   are kept in a physically secure environment and that their
   configurations are periodically audited for compliance with the
   requirements specified by the TSA.

   g) Continuous monitoring and alarm facilities shall be provided to
   enable the TSA to detect, register and react in a timely manner upon
   any unauthorized and/or irregular attempts to access its resources.

   NOTE 2: This may use, for example, an intrusion detection system,
   access control monitoring and alarm facilities.

7.4.7.  Trustworthy Systems Deployment and Maintenance

   The TSA shall use trustworthy systems and products that are protected
   against modification.

   NOTE: The risk analysis carried out on the TSA's services (see
   section 7.1.1) should identify its critical services requiring
   trustworthy systems and the levels of assurance required.

Pinkas, et al.               Informational                     [Page 27]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   In particular:

   a) An analysis of security requirements shall be carried out at the
      design and requirements specification stage of any systems
      development project undertaken by the TSA or on behalf of the TSA
      to ensure that security is built into IT systems.

   b) Change control procedures shall be applied for releases,
      modifications and emergency software fixes of any operational
      software.

7.4.8.  Compromise of TSA Services

   The TSA shall ensure in the case of events which affect the security
   of the TSA's services, including compromise of TSU's private signing
   keys or detected loss of calibration, that relevant information is
   made available to subscribers and relying parties.

   In particular:

   a) The TSA's disaster recovery plan shall address the compromise or
      suspected compromise of TSU's private signing keys or loss of
      calibration of a TSU clock, which may have affected time-stamp
      tokens which have been issued.

   b) In the case of a compromise, or suspected compromise or loss of
      calibration the TSA shall make available to all subscribers and
      relying parties a description of compromise that occurred.

   c) In the case of compromise to a TSU's operation (e.g., TSU key
      compromise), suspected compromise or loss of calibration the TSU
      shall not issue time-stamp tokens until steps are taken to recover
      from the compromise

   d) In case of major compromise of the TSA's operation or loss of
      calibration, wherever possible, the TSA shall make available to
      all subscribers and relying parties information which may be used
      to identify the time-stamp tokens which may have been affected,
      unless this breaches the privacy of the TSAs users or the security
      of the TSA services.

      NOTE:  In case the private key does become compromised, an audit
      trail of all tokens generated by the TSA may provide a means to
      discriminate between genuine and false backdated tokens.  Two
      time-stamp tokens from two different TSAs may be another way to
      address this issue.

Pinkas, et al.               Informational                     [Page 28]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

7.4.9.  TSA Termination

   The TSA shall ensure that potential disruptions to subscribers and
   relying parties are minimized as a result of the cessation of the
   TSA's time-stamping services, and in particular ensure continued
   maintenance of information required to verify the correctness of
   time-stamp tokens.

   In particular:

   a) Before the TSA terminates its time-stamping services the following
      procedures shall be executed as a minimum:

      -  the TSA shall make available to all subscribers and relying
         parties information concerning its termination;

      -  TSA shall terminate authorization of all subcontractors to act
         on behalf of the TSA in carrying out any functions relating to
         the process of issuing time-stamp tokens;

      -  the TSA shall transfer obligations to a reliable party for
         maintaining event log and audit archives (see section 7.4.10)
         necessary to demonstrate the correct operation of the TSA for a
         reasonable period;

      -  the TSA shall maintain or transfer to a reliable party its
         obligations to make available its public key or its
         certificates to relying parties for a reasonable period;

      -  TSU private keys, including backup copies, shall be destroyed
         in a manner such that the private keys cannot be retrieved.

   b) The TSA shall have an arrangement to cover the costs to fulfill
      these minimum requirements in case the TSA becomes bankrupt or for
      other reasons is unable to cover the costs by itself.

   c) The TSA shall state in its practices the provisions made for
      termination of service.  This shall include:

      - notification of affected entities;
      - transferring the TSA obligations to other parties.

   d) The TSA shall take steps to have the TSU's certificates revoked.

7.4.10.  Compliance with Legal Requirements

   The TSA shall ensure compliance with legal requirements.

Pinkas, et al.               Informational                     [Page 29]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   In particular:

   a) The TSA shall ensure that the requirements of the European data
      protection Directive [Dir 95/46/EC], as implemented through
      national legislation, are met.

   b) Appropriate technical and organizational measures shall be taken
      against unauthorized or unlawful processing of personal data and
      against accidental loss or destruction of, or damage to, personal
      data.

   c) The information contributed by users to the TSA shall be
      completely protected from disclosure unless with their agreement
      or by court order or other legal requirement.

7.4.11.  Recording of Information Concerning Operation of Time-Stamping
         Services

   The TSA shall ensure that all relevant information concerning the
   operation of time-stamping services is recorded for a defined period
   of time, in particular for the purpose of providing evidence for the
   purposes of legal proceedings.

   In particular:

   General

   a) The specific events and data to be logged shall be documented by
      the TSA.

   b) The confidentiality and integrity of current and archived records
      concerning operation of time-stamping services shall be
      maintained.

   c) Records concerning the operation of time-stamping services shall
      be completely and confidentially archived in accordance with
      disclosed business practices.

   d) Records concerning the operation of time-stamping services shall
      be made available if required for the purposes of providing
      evidence of the correct operation of the time-stamping services
      for the purpose of legal proceedings.

   e) The precise time of significant TSA environmental, key management
      and clock synchronization events shall be recorded.

   f) Records concerning time-stamping services shall be held for a
      period of time after the expiration of the validity of the TSU's

Pinkas, et al.               Informational                     [Page 30]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

      signing keys as appropriate for providing necessary legal evidence
      and as notified in the TSA disclosure statement (see section
      7.1.2).

   g) The events shall be logged in a way that they cannot be easily
      deleted or destroyed (except if reliably transferred to long-term
      media) within the period of time that they are required to be
      held.

      NOTE: This may be achieved, for example, through the use of
      write-only media, a record of each removable media used and the
      use of off-site backup.

   h) Any information recorded about subscribers shall be kept
      confidential except as where agreement is obtained from the
      subscriber for its wider publication.

   TSU key management

   i) Records concerning all events relating to the life-cycle of TSU
      keys shall be logged.

   j) Records concerning all events relating to the life-cycle of TSU
      certificates (if appropriate) shall be logged.

   Clock Synchronization

   k) Records concerning all events relating to synchronization of a
      TSU's clock to UTC shall be logged.  This shall include
      information concerning normal re-calibration or synchronization of
      clocks use in time-stamping.

   l) Records concerning all events relating to detection of loss of
      synchronization shall be logged.

7.5.  Organizational

   The TSA shall ensure that its organization is reliable.

   In particular that:

   a) Policies and procedures under which the TSA operates shall be
      non-discriminatory.

   b) The TSA shall make its services accessible to all applicants whose
      activities fall within its declared field of operation and that
      agree to abide by their obligations as specified in the TSA
      disclosure statement.

Pinkas, et al.               Informational                     [Page 31]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   c) The TSA is a legal entity according to national law.

   d) The TSA has a system or systems for quality and information
      security management appropriate for the time-stamping services it
      is providing.

   e) The TSA has adequate arrangements to cover liabilities arising
      from its operations and/or activities.

   f) It has the financial stability and resources required to operate
      in conformity with this policy.

      NOTE 1: This includes requirements for TSA termination identified
      in section 7.4.9.

   g) It employs a sufficient number of personnel having the necessary
      education, training, technical knowledge and experience relating
      to the type, range and volume of work necessary to provide time-
      stamping services.

      NOTE 2: Personnel employed by a TSA include individual personnel
      contractually engaged in performing functions in support of the
      TSA's time-stamping services.  Personnel who may be involved only
      in monitoring the TSA services need not be TSA personnel.

   h) It has policies and procedures for the resolution of complaints
      and disputes received from customers or other parties about the
      provisioning of the time-stamping services or any other related
      matters.

   i) It has a properly documented agreement and contractual
      relationship in place where the provisioning of services involves
      subcontracting, outsourcing or other third party arrangements.

8.  Security Considerations

   When verifying time-stamp tokens it is necessary for the verifier to
   ensure that the TSU certificate is trusted and not revoked.  This
   means that the security is dependent upon the security of the CA that
   has issued the TSU certificate for both issuing the certificate and
   providing accurate revocation status information for that
   certificate.

   When a time-stamp is verified as valid at a given point of time, this
   does not mean that it will necessarily remain valid later on.  Every
   time, a time-stamp token is verified during the validity period of
   the TSU certificate, it must be verified again against the current
   revocation status information, since in case of compromise of a TSU

Pinkas, et al.               Informational                     [Page 32]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   private key, all the time-stamp tokens generated by that TSU become
   invalid.  Annex C provides guidance about the long term verification
   of time-stamp tokens.

   In applying time-stamping to applications, consideration also needs
   to be given to the security of the application.  In particular, when
   applying time-stamps it is necessary to ensure that the integrity of
   data is maintained before the time-stamp is applied.  The requester
   ought to really make sure that the hash value included in the time-
   stamp token matches with the hash of the data.

9.  Acknowledgments

   The development of this document was supported by ETSI and the
   European Commission.  Special thanks are due to Franco Ruggieri for
   his valuable inputs.

10.  References

10.1.  Normative References

   [RFC 2119]     Bradner, S. "Key words for use in RFCs to Indicate
                  Requirement Levels", BCP 14, RFC 2119, March 1997.

   [TF.460-5]     ITU-R Recommendation TF.460-5 (1997): Standard-
                  frequency and time-signal emissions.

   [TF.536-1]     ITU-R Recommendation TF.536-1 (1998): Time-scale
                  notations.

   [CWA 14167-2]  CEN Workshop Agreement 14167-2: Cryptographic Module
                  for CSP Signing Operations - Protection Profile
                  (MCSO-PP).

   [FIPS 140-1]   FIPS PUB 140-1 (1994): Security Requirements for
                  Cryptographic Modules.

   [ISO 15408]    ISO/IEC 15408 (1999) (parts 1 to 3): Information
                  technology - Security techniques and Evaluation
                  criteria for IT security.

Pinkas, et al.               Informational                     [Page 33]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

10.2.  Informative References

   [CWA 14172]    CEN Workshop Agreement 14172: EESSI Conformity
                  Assessment Guidance.

   [Dir 95/46/EC] Directive 95/46/EC of the European Parliament and of
                  the Council of 24 October 1995 on the protection of
                  individuals with regard to the processing of personal
                  data and on the free movement of such data.

   [Dir 99/93/EC] Directive 1999/93/EC of the European Parliament and of
                  the Council of 13 December 1999 on a Community
                  framework for electronic signatures.

   [ISO 17799]    ISO/IEC 17799: Information technology Code of practice
                  for information security management

   [RFC 3126]     Pinkas, D., Ross, J. and N. Pope, "Electronic
                  Signature Formats for long term electronic
                  signatures", RFC 3126, September 2001.

   [RFC 3161]     Adams, C., Cain, P., Pinkas, D. and R. Zuccherato,
                  "Internet X.509 Public Key Infrastructure Time-Stamp
                  Protocol (TSP)", RFC 3161, August 2001.

   [TS 101733]    ETSI Technical Specification TS 101 733 V.1.2.2
                  (2000-12) Electronic Signature Formats.  Note: copies
                  of ETSI TS 101 733 can be freely downloaded from the
                  ETSI web site www.etsi.org.

   [TS 101861]    ETSI Technical Specification TS 101 861 V1.2.1.
                  (2001-11).  Time stamping profile.  Note: copies of
                  ETSI TS 101 861 can be freely downloaded from the ETSI
                  web site www.etsi.org.

   [TS 102023]    ETSI Technical Specification TS 102 023.  Policy
                  requirements for Time-Stamping Authorities.  Note:
                  copies of ETSI TS 102 023 can be freely downloaded
                  from the ETSI web site www.etsi.org.

   [X.208]        CCITT Recommendation X.208: Specification of Abstract
                  Syntax Notation One (ASN.1), 1988.

Pinkas, et al.               Informational                     [Page 34]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

Annex A (informative): Coordinated Universal Time

   Coordinated Universal Time (UTC) is the international time standard
   that became effective on January 1, 1972.  UTC has superseded
   Greenwich Mean Time (GMT), but in practice they are never more than 1
   second different.  Hence many people continue to refer to GMT when in
   fact they operate to UTC.

   Zero (0) hours UTC is midnight in Greenwich, England, which lies on
   the zero longitudinal meridian.  Universal time is based on a 24 hour
   clock, therefore, afternoon hours such as 4 pm UTC are expressed as
   16:00 UTC (sixteen hours, zero minutes).

   International Atomic Time (TAI) is calculated by the Bureau
   International des Poids et Mesures (BIPM) from the readings of more
   than 200 atomic clocks located in metrology institutes and
   observatories in more than 30 countries around the world.
   Information on TAI is made available every month in the BIPM Circular
   T (ftp://62.161.69.5/pub/tai/publication).  It is that TAI does not
   lose or gain with respect to an imaginary perfect clock by more than
   about one tenth of a microsecond (0.0000001 second) per year.

   Coordinated Universal Time (UTC): Time scale, based on the second, as
   defined and recommended by the International Telecommunications Radio
   Committee (ITU-R), and maintained by the Bureau International des
   Poids et Mesures (BIPM).  The maintenance by BIPM includes
   cooperation among various national laboratories around the world.
   The full definition of UTC is contained in ITU-R Recommendation
   TF.460-4.

   Atomic Time, with the unit of duration the Systeme International (SI)
   second defined as the duration of 9 192 631 770 cycles of radiation,
   corresponds to the transition between two hyperfine levels of the
   ground state of caesium 133.  TAI is the International Atomic Time
   scale, a statistical timescale based on a large number of atomic
   clocks.

   Universal Time (UT) is counted from 0 hours at midnight, with unit of
   duration the mean solar day, defined to be as uniform as possible
   despite variations in the rotation of the Earth.

      -  UT0 is the rotational time of a particular place of
         observation. It is observed as the diurnal motion of stars or
         extraterrestrial radio sources.

      -  UT1 is computed by correcting UT0 for the effect of polar
         motion on the longitude of the observing site.  It varies from
         uniformity because of the irregularities in the Earth's

Pinkas, et al.               Informational                     [Page 35]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

         rotation. UT1, is based on the somewhat irregular rotation of
         the Earth. Rotational irregularities usually result in a net
         decrease in the Earth's average rotational velocity, and
         ensuing lags of UT1 with respect to UTC.

   Coordinated Universal Time (UTC) is the basis for international
   time-keeping and follows TAI exactly except for an integral number of
   seconds, 32 in year 2001.  These leap seconds are inserted on the
   advice of the International Earth Rotation Service (IERS)
   (http://hpiers.obspm.fr/) to ensure that, having taken into account
   irregularities, the Sun is overhead within 0,9 seconds of 12:00:00
   UTC on the meridian of Greenwich.  UTC is thus the modern successor
   of Greenwich Mean Time, GMT, which was used when the unit of time was
   the mean solar day.

   Adjustments to the atomic, i.e., UTC, time scale consist of an
   occasional addition or deletion of one full second, which is called a
   leap second.  Twice yearly, during the last minute of the day of June
   30 and December 31, Universal Time, adjustments may be made to ensure
   that the accumulated difference between UTC and UT1 will not exceed
   0,9 s before the next scheduled adjustment.  Historically,
   adjustments, when necessary, have usually consisted of adding an
   extra second to the UTC time scale in order to allow the rotation of
   the Earth to "catch up". Therefore, the last minute of the UTC time
   scale, on the day when an adjustment is made, will have 61 seconds.
   Adjustments dates are typically announced several months in advance
   in IERS Bulletin C:
   ftp://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat.

   Coordinated Universal Time (UTC) differs thus from TAI by an integral
   number of seconds.  UTC is kept within 0,9 s of UT1 by the
   introduction of one-second steps to UTC, the "leap second".  To date
   these steps have always been positive.

Annex B (informative): Possible for Implementation Architectures
        and Time-Stamping Services

B.1.  Managed Time-Stamping Service

   Some organizations may be willing to host one or more Time-Stamping
   Units in order to take advantage of both the proximity and the
   quality of the Time-Stamping Service, without being responsible for
   the installation, operation and management of these Time-Stamping
   Units.

Pinkas, et al.               Informational                     [Page 36]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   This can be achieved by using units that are installed in the
   premises from the hosting organization and then remotely managed by a
   Time-Stamping Authority that takes the overall responsibility of the
   quality of the service delivered to the hosting organization.

  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  +                                                                   +
  +                      Time-Stamping Authority                      +
  +_____________              _____________              _____________+
 |+ __________  |            |             |            |  __________ +|
 |+|          | |            |    Time -   |            | |          |+|
 |+|   Time - |<-------------|   Stamping  |------------->|   Time - |+|
 |+| Stamping | | Install.   |  Management | Install.   | | Stamping |+|
 |+|   Unit   | | Management |             | Management | |   Unit   |+|
 |+|__________| |            |_____________|            | |__________|+|
 |+             |                                       |             +|
 |+             |                                       |             +|
 |+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++|
 |   Hosting    |                                       |   Hosting    |
 | Organization |                                       | Organization |
 |______________|                                       |______________|

               Figure B.1: Managed Time-stamping Service

   The requirements for time-stamping services described in the current
   document includes requirements on both the time-stamping management
   and for the operation of the unit which issues the time-stamp tokens.
   The TSA, as identified in the time-stamp token, has the
   responsibility to ensure that these requirements are met (for example
   through contractual obligations).

   It should be clear that the hosting organization will generally want
   to be able to monitor the use of the service and, at a minimum, know
   whether the service is working or not and even be able to measure the
   performances of the service, e.g., the number of time-stamps
   generated during some period of time.  Such monitoring can be
   considered to be outside of TSA's time-stamping authority.

   Therefore the description of the management operation described in
   the main body of the document is not limitative.  Monitoring
   operations, if performed directly on the unit, may be permitted by
   the Time-Stamping service provider.

Pinkas, et al.               Informational                     [Page 37]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

B.2.  Selective Alternative Quality

   Some relying parties may be willing to take advantage of particular
   characteristics from a time-stamp token such as a specific signature
   algorithm and/or key length or a specific accuracy for the time
   contained in the time stamp token.  These parameters can be
   considered as specifying a "quality" for the time stamp token.

   Time stamp tokens with various qualities may be issued by different
   time-stamping units operated by the same or different TSAs.

   A particular time-stamping unit will only provide one combination of
   algorithm and key length (since a time-stamping unit is a set of
   hardware and software which is managed as a unit and has a single
   time-stamp token signing key).  In order to obtain different
   combinations of algorithm and key length, different time-stamping
   units shall be used.

   A particular time-stamping unit may provide a fixed accuracy for the
   time contained in the time stamp token or different accuracy if
   instructed to do so either by using a specific mode of access (e.g.,
   e-mail or http) or by using specific parameters in the request.

Annex C (informative): Long Term Verification of Time-Stamp Tokens

   Usually, a time-stamp token becomes unverifiable beyond the end of
   the validity period of the certificate from the TSU, because the CA
   that has issued the certificate does not warrant any more that it
   will publish revocation data, including data about revocations due to
   key compromises.  However, verification of a time-stamp token might
   still be performed beyond the end of the validity period of the
   certificate from the TSU, if, at the time of verification, it can be
   known that:

      - the TSU private key has not been compromised at any time up to
        the time that a relying part verifies a time-stamp token;

      - the hash algorithms used in the time-stamp token exhibits no
        collisions at the time of verification;

      - the signature algorithm and signature key size under which the
        time-stamp token has been signed is still beyond the reach of
        cryptographic attacks at the time of verification.

   If these conditions cannot be met, then the validity may be
   maintained by applying an additional time-stamp to protect the
   integrity of the previous one.

Pinkas, et al.               Informational                     [Page 38]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   The present document does not specify the details of how such
   protection may be obtained.  For the time being, and until some
   enhancements are defined to support these features, the information
   may be obtained using-out-of bands means or alternatively in the
   context of closed environments.  As an example, should a CA guaranty
   to maintain the revocation status of TSU certificates after the end
   of its validity period, this would fulfill the first requirement.

   NOTE 1: An alternative to Time-Stamping is for a Trusted Service
   Provider to record a representation of a datum bound to a particular
   time in an audit trail, thus establishing evidence that the datum
   existed before that time.  This technique, which is called Time-
   Marking, can be a valuable alternative for checking the long term
   validity of signatures.

   NOTE 2: The TSA or other trusted third party service provider may
   support the verification of time-stamp tokens.

Annex D (informative): Model TSA Disclosure Statement Structure.

   The TSA disclosure statement contains a section for each defined
   statement type.  Each section of a TSA disclosure statement contains
   a descriptive statement, which MAY include hyperlinks to the relevant
   certificate policy/certification practice statement sections.

   D.1.  STATEMENT TYPE: Entire agreement

         STATEMENT DESCRIPTION: A statement indicating that the
         disclosure statement is not the entire agreement, but only a
         part of it.

   D.2.  STATEMENT TYPE: TSA contact info

         STATEMENT DESCRIPTION: The name, location and relevant contact
         information for the TSA.

   D.3.  STATEMENT TYPE: time-stamp token types and usage

         STATEMENT DESCRIPTION: A description of each class/type of
         time-stamp tokens issued by the TSA (in accordance with each
         time-stamp policy) and any restrictions on time-stamp usage.

         SPECIFIC REQUIREMENT: Indication of the policy being applied,
         including the contexts for which the time-stamp token can be
         used (e.g., only for use with electronic signatures), the
         hashing algorithms, the expected life time of the time-stamp
         token signature, any limitations on the use of the time-stamp
         token and information on how to verify the time-stamp token.

Pinkas, et al.               Informational                     [Page 39]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   D.4.  STATEMENT TYPE: Reliance limits.

         STATEMENT DESCRIPTION: reliance limits, if any.

         SPECIFIC REQUIREMENT: Indication of the accuracy of the time in
         the time-stamp token, and the period of time for which TSA
         event logs (see section 7.4.10) are maintained (and hence are
         available to provide supporting evidence).

   D.5.  STATEMENT TYPE: Obligations of subscribers.

         STATEMENT DESCRIPTION: The description of, or reference to, the
         critical subscriber obligations.

         SPECIFIC REQUIREMENT: No specific requirements identified in
         the current document.  Where applicable the TSA may specify
         additional obligations.

   D.6.  STATEMENT TYPE: TSU public key status checking obligations of
         relying parties.

         STATEMENT DESCRIPTION: The extent to which relying parties are
         obligated to check the TSU public key status, and references to
         further explanation.

         SPECIFIC REQUIREMENT: Information on how to validate the TSU
         public key status, including requirements to check the
         revocation status of TSU public key, such that the relying
         party is considered to "reasonably rely" on the time-stamp
         token (see section 6.3).

   D.7.  STATEMENT TYPE: Limited warranty and disclaimer/Limitation of
         liability.

         STATEMENT DESCRIPTION: Summary of the warranty, disclaimers,
         limitations of liability and any applicable warranty or
         insurance programs

         SPECIFIC REQUIREMENT: Limitations of liability (see section
         6.4).

   D.8.  STATEMENT TYPE: Applicable agreements and practice statement.

         STATEMENT DESCRIPTION: Identification and references to
         applicable agreements, practice statement, time-stamp policy
         and other relevant documents.

Pinkas, et al.               Informational                     [Page 40]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

   D.9.  STATEMENT TYPE: Privacy policy.

         STATEMENT DESCRIPTION: A description of and reference to the
         applicable privacy policy.

         SPECIFIC REQUIREMENT: Note: TSA's under this policy are
         required to comply with the requirements of Data Protection
         Legislation.

   D.10. STATEMENT TYPE: Refund policy

         STATEMENT DESCRIPTION: A description of and reference to the
         applicable refund policy.

   D.11. STATEMENT TYPE: Applicable law, complaints and dispute
         resolution mechanisms.

         STATEMENT DESCRIPTION: Statement of the choice of law,
         complaints procedure and dispute resolution mechanisms.

         SPECIFIC REQUIREMENT: The procedures for complaints and dispute
         settlements.  The applicable legal system.

   D.12. STATEMENT TYPE: TSA and repository licenses, trust marks, and
         audit.

         STATEMENT DESCRIPTION: Summary of any governmental licenses,
         seal programs; and a description of the audit process and if
         applicable the audit firm.

         SPECIFIC REQUIREMENT: If the TSA has been assessed to be
         conformant with the identified time-stamp policy, and if so
         through which independent party.

Pinkas, et al.               Informational                     [Page 41]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

Authors' Addresses

   Denis Pinkas
   Bull
   Rue Jean Jaures,
   78340 Les Clayes CEDEX
   FRANCE

   EMail: Denis.Pinkas@bull.net

   Nick Pope
   Security & Standards
   192 Moulsham Street
   Chelmsford, Essex
   CM2 0LG
   United Kingdom

   EMail: pope@secstan.com

   John Ross
   Security & Standards
   192 Moulsham Street
   Chelmsford, Essex
   CM2 0LG
   United Kingdom

   EMail: ross@secstan.com

   This Informational RFC has been produced in ETSI ESI.

   ETSI
   F-06921 Sophia Antipolis, Cedex - FRANCE
   650 Route des Lucioles - Sophia Antipolis
   Valbonne - France
   Tel: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16
   secretariat@etsi.fr
   http://www.etsi.org

   Contact Point

   Claire d'Esclercs
   ETSI
   650 Route des Lucioles
   F-06921 Sophia Antipolis, Cedex
   FRANCE

   EMail: claire.desclercs@etsi.org

Pinkas, et al.               Informational                     [Page 42]



RFC 3628       Requirements for Time-Stamping Authorities  November 2003

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Pinkas, et al.               Informational                     [Page 43]