stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

license switch agpl -> busl1, sprints work, new product advisories

Browse Source
This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
docs/modules/attestor/guides/timestamp-policy.md Normal file
View File

@@ -0,0 +1,50 @@
# RFC-3161 Timestamp Policy Assertions
## Overview
Attestation timestamp policy rules validate RFC-3161 evidence alongside Rekor
inclusion proofs. The policy surface is backed by `AttestationTimestampPolicyContext`
and `TimestampPolicyEvaluator` in `StellaOps.Attestor.Timestamping`.
## Context fields
`AttestationTimestampPolicyContext` exposes the following fields:
| Field | Type | Description |
| --- | --- | --- |
| `HasValidTst` | bool | True when RFC-3161 verification succeeded. |
| `TstTime` | DateTimeOffset? | Generation time from the timestamp token. |
| `TsaName` | string? | TSA subject/name from the TST. |
| `TsaPolicyOid` | string? | TSA policy OID from the TST. |
| `TsaCertificateValid` | bool | True when TSA certificate validation passes. |
| `TsaCertificateExpires` | DateTimeOffset? | TSA signing cert expiry time. |
| `OcspStatus` | string? | OCSP status (Good/Unknown/Revoked). |
| `CrlChecked` | bool | True when CRL data was checked. |
| `RekorTime` | DateTimeOffset? | Rekor integrated time for the entry. |
| `TimeSkew` | TimeSpan? | RekorTime - TstTime, used for skew checks. |
## Example assertions
The policy engine maps the context into `evidence.tst.*` fields. Example rules:
```yaml
rules:
- id: require-rfc3161
assert: evidence.tst.valid == true
- id: time-skew
assert: abs(evidence.tst.time_skew) <= "5m"
- id: freshness
assert: evidence.tst.signing_cert.expires_at - now() > "180d"
- id: revocation-staple
assert: evidence.tst.ocsp.status in ["good","unknown"] && evidence.tst.crl.checked == true
- id: trusted-tsa
assert: evidence.tst.tsa_name in ["Example TSA", "Acme TSA"]
```
## Built-in policy defaults
`TimestampPolicy.Default` enforces:
- `RequireRfc3161 = true`
- `MaxTimeSkew = 5 minutes`
- `MinCertificateFreshness = 180 days`
- `RequireRevocationStapling = true`
## References
- `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampPolicyContext.cs`
- `docs/modules/attestor/architecture.md`