Network Working Group D. Pinkas
Request for Comments: 3628 Bull
Category: Informational N. Pope
J. Ross
Security & Standards
November 2003
Policy Requirements for Time-Stamping Authorities (TSAs)
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document defines requirements for a baseline time-stamp policy
for Time-Stamping Authorities (TSAs) issuing time-stamp tokens,
supported by public key certificates, with an accuracy of one second
or better. A TSA may define its own policy which enhances the policy
defined in this document. Such a policy shall incorporate or further
constrain the requirements identified in this document.
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Definitions and Abbreviations . . . . . . . . . . . . . . . . 5
3.1. Definitions. . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Abbreviations. . . . . . . . . . . . . . . . . . . . . . 6
4. General Concepts. . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Time-Stamping Services . . . . . . . . . . . . . . . . . 6
4.2. Time-Stamping Authority. . . . . . . . . . . . . . . . . 7
4.3. Subscriber . . . . . . . . . . . . . . . . . . . . . . . 7
4.4. Time-Stamp Policy and TSA Practice Statement . . . . . . 8
4.4.1. Purpose. . . . . . . . . . . . . . . . . . . . . 8
4.4.2. Level of Specificity . . . . . . . . . . . . . . 8
4.4.3. Approach . . . . . . . . . . . . . . . . . . . . 8
5. Time-Stamp Policies . . . . . . . . . . . . . . . . . . . . . 9
5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 9
5.2. Identification . . . . . . . . . . . . . . . . . . . . . 9
5.3. User Community and Applicability . . . . . . . . . . . . 10
Pinkas, et al. Informational [Page 1]
RFC 3628 Requirements for Time-Stamping Authorities November 2003
5.4. Conformance. . . . . . . . . . . . . . . . . . . . . . . 10
6. Obligations and Liability . . . . . . . . . . . . . . . . . . 10
6.1. TSA Obligations. . . . . . . . . . . . . . . . . . . . . 10
6.1.1. General. . . . . . . . . . . . . . . . . . . . . 10
6.1.2. TSA Obligations Towards Subscribers. . . . . . . 11
6.2. Subscriber Obligations . . . . . . . . . . . . . . . . . 11
6.3. Relying Party Obligations. . . . . . . . . . . . . . . . 11
6.4. Liability. . . . . . . . . . . . . . . . . . . . . . . . 11
7. Requirements on TSA Practices . . . . . . . . . . . . . . . . 12
7.1. Practice and Disclosure Statements . . . . . . . . . . . 12
7.1.1. TSA Practice Statement . . . . . . . . . . . . . 12
7.1.2. TSA Disclosure Statement . . . . . . . . . . . . 13
7.2. Key Management Life Cycle. . . . . . . . . . . . . . . . 15
7.2.1. TSU Key Generation . . . . . . . . . . . . . . . 15
7.2.2. TSU Private Key Protection . . . . . . . . . . . 15
7.2.3. TSU Public Key Distribution. . . . . . . . . . . 16
7.2.4. Rekeying TSU's Key . . . . . . . . . . . . . . . 17
7.2.5. End of TSU Key Life Cycle. . . . . . . . . . . . 17
7.2.6. Life Cycle Management of the Cryptographic Module used to Sign Time-Stamps . . . 17
7.3. Time-Stamping. . . . . . . . . . . . . . . . . . . . . . 18
7.3.1. Time-Stamp Token . . . . . . . . . . . . . . . . 18
7.3.2. Clock Synchronization with UTC . . . . . . . . . 19
7.4. TSA Management and Operation . . . . . . . . . . . . . . 20
7.4.1. Security Management. . . . . . . . . . . . . . . 20
7.4.2. Asset Classification and Management. . . . . . . 21
7.4.3. Personnel Security . . . . . . . . . . . . . . . 22
7.4.4. Physical and Environmental Security. . . . . . . 23
7.4.5. Operations Management. . . . . . . . . . . . . . 25
7.4.6. System Access Management . . . . . . . . . . . . 26
7.4.7. Trustworthy Systems Deployment and Maintenance . 27
7.4.8. Compromise of TSA Services . . . . . . . . . . . 28
7.4.9. TSA Termination. . . . . . . . . . . . . . . . . 29
7.4.10. Compliance with Legal Requirements . . . . . . . 29