# Time Anchor Verification Gap (AIRGAP-TIME-57-001 follow-up)

## Status (2025-11-20)
- Parser: stubbed for Roughtime/RFC3161 with deterministic digest + derived anchor time.
- Staleness: calculator + budgets landed; loader accepts hex fixtures.
- Verification: pipeline exists (`TimeVerificationService`) with stub verifiers; still needs real crypto using guild-provided trust roots.

## What’s missing
- Roughtime parser: parse signed responses, extract `timestamp`, `radius`, `verifier` public key; verify signature.
- RFC3161 parser: decode ASN.1 TimeStampToken, verify signer chain against provided trust roots, extract nonce/ts.
- Trust roots: final format (JWK vs PEM) and key IDs to align with `TrustRootConfig`/Time service.

## Proposed plan
1) Receive finalized token format + trust-root bundle from Time Guild.
2) Implement format-specific verifiers with validating tests using provided fixtures.
3) Expose `/api/v1/time/status` returning anchor metadata + staleness; wire telemetry counters/alerts per sealed diagnostics doc.

## Owners
- AirGap Time Guild (format decision + trust roots)
- AirGap Importer Guild (bundle delivery of anchors)
- Observability Guild (telemetry wiring)