---
checkId: check.timestamp.evidence.tst.missing-stapling
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, evidence, tst, stapling, ocsp]
---
# TST Missing Stapling

## What It Checks
Detects timestamps without stapled OCSP/CRL revocation data. Fails if the count exceeds the critical threshold (default 10), otherwise warns.

## Why It Matters
Without stapled revocation data, verifiers must perform live OCSP/CRL lookups to confirm certificate validity. In air-gapped environments, these lookups are impossible, making the timestamp unverifiable. Stapling embeds proof-of-non-revocation directly in the timestamp token for offline verification.

## Common Causes
- TSA provider not configured to include stapled responses
- OCSP stapling disabled in TSA configuration
- Legacy timestamps created before stapling was enabled

## How to Fix
Enable OCSP stapling and re-timestamp affected artifacts:

```bash
stella retimestamp run --with-stapling --filter missing-stapling
```

Ensure TSA providers are configured with stapling enabled.

## Verification
```bash
stella doctor run --check check.timestamp.evidence.tst.missing-stapling
```

## Related Checks
- `check.timestamp.evidence.staleness` — aggregated evidence staleness check
- `check.timestamp.ocsp.stapling` — checks OCSP stapling configuration
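
The detection and threshold rule from "What It Checks", as an added example (not StellaOps code). It assumes a token counts as stapled when its DER structure contains one of three standard revocation-carrying OIDs, assumes zero affected tokens is a pass, and runs on constructed CMS skeletons rather than real tokens; all function names are hypothetical.

```python
# Added example, not StellaOps code. Assumed markers for "stapled" revocation data:
REVOCATION_OIDS = {
    bytes.fromhex("2a864886f70d0109100218"): "id-aa-ets-revocationValues",
    bytes.fromhex("2b0601050507300101"): "id-pkix-ocsp-basic",
    bytes.fromhex("2b06010505071002"): "id-ri-ocsp-response",
}

def walk(der):
    """Yield (tag, value) per DER TLV, descending into constructed ones (1-byte tags)."""
    i = 0
    while i < len(der):
        if i + 2 > len(der):
            raise ValueError("truncated DER header")
        tag, length = der[i], der[i + 1]
        i += 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            if n == 0 or i + n > len(der):
                raise ValueError("unsupported or truncated DER length")
            length = int.from_bytes(der[i:i + n], "big")
            i += n
        if i + length > len(der):
            raise ValueError("truncated DER value")
        value, i = der[i:i + length], i + length
        yield tag, value
        if tag & 0x20:  # constructed: children live inside the value
            yield from walk(value)

def stapled_markers(token_der):
    """Names of revocation OIDs present as OBJECT IDENTIFIER (tag 0x06) nodes."""
    return sorted({REVOCATION_OIDS[v] for t, v in walk(token_der)
                   if t == 0x06 and v in REVOCATION_OIDS})

def check_status(tokens, critical_threshold=10):
    """Page rule: fail above the threshold, otherwise warn. Pass on zero is assumed."""
    missing = sorted(n for n, der in tokens.items() if not stapled_markers(der))
    status = "fail" if len(missing) > critical_threshold else "warn" if missing else "pass"
    return status, missing

def tlv(tag, body):  # short-form DER builder for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_token(stapled):
    """Constructed SignedData skeleton, not a valid timestamp token."""
    oid = tlv(0x06, bytes.fromhex("2a864886f70d0109100218"))
    attrs = tlv(0xA1, tlv(0x30, oid + tlv(0x31, b""))) if stapled else b""
    signer = tlv(0x30, tlv(0x02, b"\x01") + attrs)
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702"))
               + tlv(0xA0, tlv(0x30, tlv(0x31, signer))))
```

Comparing whole OID nodes rather than byte substrings keeps a certificate's AIA pointer (`id-ad-ocsp`, a prefix of `id-pkix-ocsp-basic`) from being mistaken for an embedded OCSP response.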