# RFC-3161 Timestamp Policy Assertions

## Overview

Attestation timestamp policy rules validate RFC-3161 timestamp evidence alongside Rekor inclusion proofs: the policy compares the TSA-asserted generation time against the Rekor integrated time and checks the state of the TSA signing certificate. The policy surface is backed by `AttestationTimestampPolicyContext` and `TimestampPolicyEvaluator` in `StellaOps.Attestor.Timestamping`.

## Context fields

`AttestationTimestampPolicyContext` exposes the following fields:

| Field | Type | Description |
| --- | --- | --- |
| `HasValidTst` | `bool` | True when RFC-3161 verification of the timestamp token succeeded. |
| `TstTime` | `DateTimeOffset?` | Generation time (`genTime`) from the timestamp token. |
| `TsaName` | `string?` | TSA subject/name from the TST. |
| `TsaPolicyOid` | `string?` | TSA policy OID from the TST. |
| `TsaCertificateValid` | `bool` | True when TSA certificate validation passes. |
| `TsaCertificateExpires` | `DateTimeOffset?` | Expiry time of the TSA signing certificate. |
| `OcspStatus` | `string?` | OCSP status of the TSA signing certificate (`Good`, `Unknown` or `Revoked`). |
| `CrlChecked` | `bool` | True when CRL data was checked. |
| `RekorTime` | `DateTimeOffset?` | Rekor integrated time for the log entry. |
| `TimeSkew` | `TimeSpan?` | `RekorTime - TstTime`; used for skew checks. It is signed, so skew rules should compare its absolute value. |

## Example assertions

The policy engine maps the context into `evidence.tst.*` fields. Example rules:

```yaml
rules:
  - id: require-rfc3161
    assert: evidence.tst.valid == true
  - id: time-skew
    assert: abs(evidence.tst.time_skew) <= "5m"
  - id: freshness
    assert: evidence.tst.signing_cert.expires_at - now() > "180d"
  - id: revocation-staple
    assert: evidence.tst.ocsp.status in ["good","unknown"] && evidence.tst.crl.checked == true
  - id: trusted-tsa
    assert: evidence.tst.tsa_name in ["Example TSA", "Acme TSA"]
```

Note that `freshness` is measured from evaluation time (`now()`), not from the TST time, so a token that passed when it was created can fail later as the TSA certificate approaches expiry. The `revocation-staple` rule as written accepts an OCSP status of `unknown` because it also requires a CRL check; a policy that must fail on any responder that cannot vouch for the certificate should restrict the list to `["good"]`.

## Built-in policy defaults

`TimestampPolicy.Default` enforces:

- `RequireRfc3161 = true`
- `MaxTimeSkew = 5 minutes`
- `MinCertificateFreshness = 180 days`
- `RequireRevocationStapling = true`

## References

- `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampPolicyContext.cs`
- `docs/modules/attestor/architecture.md`
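## Worked example

The following is an added example, not StellaOps code: a plain-Python evaluator that mirrors the documented context fields and the `TimestampPolicy.Default` thresholds, so the pass/fail behaviour of the five example rules can be exercised offline against constructed evidence. The snake_case field names, the `trusted_tsa_names` policy field (standing in for the `trusted-tsa` rule's literal list), the placeholder policy OID and all timestamps are assumptions for illustration; missing values fail closed.

```python
"""Reference evaluator for the RFC-3161 timestamp policy checks described above.

Added example, not StellaOps code: it mirrors the documented context fields and
default thresholds in plain Python so the pass/fail behaviour of each rule,
including the edge cases, can be exercised offline.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class TimestampPolicy:
    # Thresholds copied from the documented TimestampPolicy.Default values.
    require_rfc3161: bool = True
    max_time_skew: timedelta = timedelta(minutes=5)
    min_certificate_freshness: timedelta = timedelta(days=180)
    require_revocation_stapling: bool = True
    # Assumed field (not among the documented defaults) backing the trusted-tsa
    # example rule; None disables the check.
    trusted_tsa_names: Optional[Tuple[str, ...]] = None


@dataclass
class AttestationTimestampPolicyContext:
    # Field names follow the documented C# context, in snake_case.
    has_valid_tst: bool
    tst_time: Optional[datetime]
    tsa_name: Optional[str]
    tsa_policy_oid: Optional[str]
    tsa_certificate_valid: bool
    tsa_certificate_expires: Optional[datetime]
    ocsp_status: Optional[str]  # "Good" / "Unknown" / "Revoked"
    crl_checked: bool
    rekor_time: Optional[datetime]

    @property
    def time_skew(self) -> Optional[timedelta]:
        """RekorTime - TstTime; None when either side is missing."""
        if self.rekor_time is None or self.tst_time is None:
            return None
        return self.rekor_time - self.tst_time


def evaluate(ctx: AttestationTimestampPolicyContext, policy: TimestampPolicy, now: datetime) -> List[str]:
    """Return the ids of violated rules; an empty list means the evidence passes.

    A rule that cannot be evaluated because a value is missing is reported as violated.
    """
    violations: List[str] = []
    if policy.require_rfc3161 and not ctx.has_valid_tst:
        violations.append("require-rfc3161")
    # abs(): Rekor's integrated time may legitimately fall on either side of the TST time.
    skew = ctx.time_skew
    if skew is None or abs(skew) > policy.max_time_skew:
        violations.append("time-skew")
    expires = ctx.tsa_certificate_expires
    if expires is None or expires - now <= policy.min_certificate_freshness:
        violations.append("freshness")
    if policy.require_revocation_stapling:
        # Case-insensitive so "Good" from the context matches the lowercase rule literal.
        status = (ctx.ocsp_status or "").lower()
        if status not in ("good", "unknown") or not ctx.crl_checked:
            violations.append("revocation-staple")
    if policy.trusted_tsa_names is not None and ctx.tsa_name not in policy.trusted_tsa_names:
        violations.append("trusted-tsa")
    return violations


# Constructed sample data (not a real TST or Rekor entry).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
GOOD_CTX = AttestationTimestampPolicyContext(
    has_valid_tst=True,
    tst_time=NOW - timedelta(hours=1),
    tsa_name="Example TSA",
    tsa_policy_oid="1.2.3.4.5",  # placeholder OID, not a real TSA policy
    tsa_certificate_valid=True,
    tsa_certificate_expires=NOW + timedelta(days=365),
    ocsp_status="Good",
    crl_checked=True,
    rekor_time=NOW - timedelta(hours=1) + timedelta(seconds=30),
)


def demo() -> dict:
    """Run the default policy over the good context and several edge-case variants."""
    default = TimestampPolicy()
    pinned = TimestampPolicy(trusted_tsa_names=("Example TSA", "Acme TSA"))
    return {
        "good": evaluate(GOOD_CTX, default, NOW),
        # OCSP Unknown still passes the example rule as long as the CRL was consulted.
        "ocsp_unknown_crl_checked": evaluate(replace(GOOD_CTX, ocsp_status="Unknown"), default, NOW),
        "revoked": evaluate(replace(GOOD_CTX, ocsp_status="Revoked"), default, NOW),
        "crl_not_checked": evaluate(replace(GOOD_CTX, crl_checked=False), default, NOW),
        "skew_6m": evaluate(replace(GOOD_CTX, rekor_time=GOOD_CTX.tst_time + timedelta(minutes=6)), default, NOW),
        "cert_expiring_soon": evaluate(replace(GOOD_CTX, tsa_certificate_expires=NOW + timedelta(days=90)), default, NOW),
        "no_tst": evaluate(replace(GOOD_CTX, has_valid_tst=False, tst_time=None), default, NOW),
        "untrusted_tsa": evaluate(replace(GOOD_CTX, tsa_name="Unknown TSA"), pinned, NOW),
    }


if __name__ == "__main__":
    for name, violated in demo().items():
        print(f"{name:26s} -> {'pass' if not violated else ', '.join(violated)}")
```

The `no_tst` case shows why fail-closed matters: with no token there is no `TstTime`, so `time_skew` cannot be computed and the skew rule is reported as violated alongside `require-rfc3161` rather than silently skipped. `TsaCertificateValid` is carried in the context but not consumed by the five example rules; a production policy should gate on it as well, since a freshness check on an untrusted chain proves nothing.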