sprints work.

docs-archived/product/advisories/2026-01-19_rfc3161_eidas_timestamping.md

@@ -0,0 +1,130 @@
+# Advisory: RFC-3161 / eIDAS Timestamping for CI/CD
+
+**Status:** ARCHIVED
+**Archived:** 2026-01-19
+**Outcome:** Translated to sprints 007-012
+**Sprint References:**
+- `SPRINT_20260119_007_Authority_rfc3161_tsa_client.md`
+- `SPRINT_20260119_008_Cryptography_certificate_status_provider.md`
+- `SPRINT_20260119_009_EvidenceLocker_timestamp_storage.md`
+- `SPRINT_20260119_010_Attestor_tst_integration.md`
+- `SPRINT_20260119_011_Cryptography_eidas_qualified_timestamps.md`
+- `SPRINT_20260119_012_Doctor_timestamp_health_checks.md`
+
+---
+
+## Original Advisory
+
+Here's a practical, low-BS playbook for **proving build time** in CI/CD and for long-term auditability, with clear choices depending on cost/latency vs legal weight.
+
+### CI/CD-grade timestamps (default)
+
+* **Use RFC-3161 Time-Stamp Tokens (TSTs).** A TST is a signed blob (CMS/ASN.1) from a Time-Stamp Authority (TSA) attesting "hash X existed at time T."
+* **When:** every build step that emits a signed artifact (attestations, SBOMs, release bundles, provenance).
+* **How:**
+
+  1. Hash your artifact (SHA-256).
+  2. Send the hash to a TSA via RFC-3161.
+  3. Persist: the **raw TST**, **TSA cert chain**, **OCSP/CRL responses**, and your **request hash**.
+  4. **Re-timestamp periodically** (e.g., yearly or before TSA cert expiry/algorithm deprecation) to keep the proof alive even if keys are rotated or revoked.
+* **Why:** low latency (<~100–300 ms typical), low cost, standard, and defensible for engineering/compliance audits.
+
+### Legal-grade timestamps (when you need EU courtroom weight)
+
+* **Use eIDAS Qualified Time-Stamps (QTS).**
+* **When:** contracts, tender submissions, regulated filings, high-stakes disputes.
+* **Trade-offs:** higher cost, KYC/contract with provider, higher latency—but strong legal presumption of accuracy in the EU.
+
+### Don't rely on Rekor time alone
+
+* **Always anchor artifacts in a transparency log (e.g., Rekor)** for tamper-evidence and inclusion proofs.
+* **But:** **do not** treat Rekor's `integratedTime` as your sole wall-clock proof; it's not part of the signed node. Combine **Rekor inclusion proof + (TST or QTS)** and keep both.
+
+### What to store per artifact
+
+* Artifact digest(s) + media type
+* **TST/QTS** (raw CMS blob)
+* **TSA chain** (certs) + **OCSP/CRL** at issuance time
+* **Rekor entry** (UUID), inclusion proof, tree ID, SignedEntryTimestamp
+* Verification metadata (tool versions, policy version)
+* Retention plan: **re-timestamp schedule** + algorithm migration policy (e.g., SHA-256→SHA-512, PQC later)
+
+### Verification pipeline (offline-capable)
+
+1. Recompute artifact hash.
+2. Verify CMS signature on TST/QTS and validate TSA chain against stored trust roots.
+3. Check OCSP/CRL (at-issuance stapled responses; optionally perform fresh status).
+4. Validate Rekor inclusion proof (Merkle path against stored tree head).
+5. Cross-check: TST time ≤ Rekor integrated inclusion window ≤ release tag time (policy-enforced skew).
+
+### Where this fits in **Stella Ops**
+
+* **Scanner/SBOM/VEX emitters:** attach RFC-3161 TST to every attestation (DSSE/CycloneDX/SPDX).
+* **Release Orchestrator:** block promotion unless (a) TST verifies, (b) Rekor inclusion proof verifies, (c) time-skew within policy.
+* **Authority service:** manages **TSA providers**, **trust anchors**, OCSP/CRL caching, and **re-timestamp jobs**.
+* **Evidence store:** immutable blobs for TST/QTS, OCSP/CRL, Rekor proofs; index by artifact digest and build run.
+* **Doctor checks:** warn on near-expiry TSA roots, missing stapled OCSP, or stale algorithms.
+* **Air-gap profile:** bundle TSA chain + last-known OCSP/CRL; queue re-timestamp when reconnected.
+
+### Example CLI flow (concept)
+
+```bash
+# 1) Create provenance and attach TST
+stella sbom emit --image ghcr.io/acme/app:1.4.2 --out sbom.cdx.json
+stella attest sign --in sbom.cdx.json --out sbom.dsse
+stella ts rfc3161 --hash $(sha256sum sbom.dsse | cut -d' ' -f1) \
+  --tsa https://tsa.example.com --out sbom.dsse.tst
+
+# 2) Rekor anchor
+stella rekor upload --artifact sbom.dsse --bundle sbom.rekor.bundle
+
+# 3) Persist evidence
+stella evidence store --artifact sbom.dsse \
+  --tst sbom.dsse.tst --rekor-bundle sbom.rekor.bundle \
+  --tsa-chain tsa_chain.pem --ocsp ocsp.der --crl crl.der
+
+# 4) Gate before promote
+stella gate verify --artifact sbom.dsse --policy gates/ts_integrity.yaml
+```
+
+### Minimal policy (starter)
+
+```yaml
+rules:
+  - id: require-rfc3161
+    assert: evidence.tst.valid == true
+  - id: require-rekor
+    assert: evidence.rekor.inclusion_proof_valid == true
+  - id: time-skew
+    assert: abs(evidence.tst.time - evidence.release.tag_time) <= "5m"
+  - id: freshness
+    assert: evidence.tst.signing_cert.expires_at - now() > "180d"
+  - id: revocation-staple
+    assert: evidence.tst.ocsp.status in ["good","unknown"] && evidence.tst.crl.checked == true
+```
+
+### Provider strategy
+
+* **Default:** fast, inexpensive RFC-3161 TSA for all builds.
+* **Override per environment/repo:** eIDAS **QTS** for regulated projects.
+* Keep **2+ TSAs** configured for failover; log which one issued each TST.
+
+### Long-term resilience
+
+* Schedule **re-timestamping** before TSA cert/key expiry or after algorithm deprecation.
+* Keep detached evidence so proofs remain verifiable **offline** for years.
+* Plan an optional **post-quantum** mode later (e.g., Dilithium-backed TSA/QTES once practical).
+
+---
+
+## Disposition Notes
+
+Advisory fully translated into implementation sprints covering:
+- RFC-3161 TSA client infrastructure (Sprint 007)
+- OCSP/CRL certificate status provider (Sprint 008)
+- Evidence storage schema extensions (Sprint 009)
+- Attestor pipeline integration (Sprint 010)
+- eIDAS qualified timestamp support (Sprint 011)
+- Doctor health checks and monitoring (Sprint 012)
+
+All advisory recommendations captured. CLI flow mapped to Sprint 010 task ATT-005. Policy rules mapped to Sprint 010 task ATT-003.