---
checkId: check.timestamp.evidence.staleness
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, evidence, staleness, retimestamp]
---

# Evidence Staleness

## What It Checks

Aggregated check for timestamp evidence staleness across six dimensions:

- **TST Expiry**: timestamps approaching signing certificate expiry (warn at 180 days, critical at 90 days).
- **Deprecated Algorithms**: timestamps using deprecated hash algorithms (e.g., SHA1).
- **Missing Stapling**: timestamps without stapled OCSP/CRL revocation data.
- **Retimestamp Queue**: artifacts pending re-timestamping.
- **OCSP Staleness**: OCSP responses approaching expiry (warn at 3 days).
- **CRL Staleness**: CRLs approaching expiry (warn at 7 days).

Fails if any dimension is unhealthy (count exceeds `CriticalStaleCount`, default 10). Warns if any dimension is degraded.

## Why It Matters

Stale evidence loses its verifiability over time. Expired timestamps, deprecated algorithms, and missing revocation data all weaken the chain of trust. Proactive detection enables scheduled re-timestamping before evidence becomes unverifiable.
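The aggregation logic described above, as an added illustration (not StellaOps code): each dimension is counted with the thresholds listed, a dimension is unhealthy when its count exceeds `CriticalStaleCount`, and the check fails on any unhealthy dimension or warns on any degraded one. The `Timestamp` model, the assumption that "degraded" means at least one stale item, and the sample data are constructed here.

```python
from dataclasses import dataclass

# Thresholds as stated in the check description; CriticalStaleCount default 10.
TST_WARN_DAYS, TST_CRITICAL_DAYS = 180, 90
OCSP_WARN_DAYS, CRL_WARN_DAYS = 3, 7
CRITICAL_STALE_COUNT = 10
DEPRECATED_HASHES = {"sha1", "md5"}  # assumed deprecated set; the page names SHA1


@dataclass
class Timestamp:
    """One timestamp token (TST) as the check sees it (constructed model)."""
    artifact: str
    cert_days_left: int      # days until the TSA signing certificate expires
    hash_alg: str            # digest algorithm used in the TST
    stapled: bool            # OCSP/CRL revocation data stapled to the TST?
    pending_retimestamp: bool = False


def dimension_counts(tsts, ocsp_days_left=(), crl_days_left=()):
    """Stale-item count for each of the six dimensions."""
    return {
        "tst_expiry": sum(t.cert_days_left <= TST_WARN_DAYS for t in tsts),
        "deprecated_algo": sum(t.hash_alg.lower() in DEPRECATED_HASHES for t in tsts),
        "missing_stapling": sum(not t.stapled for t in tsts),
        "retimestamp_queue": sum(t.pending_retimestamp for t in tsts),
        "ocsp_staleness": sum(d <= OCSP_WARN_DAYS for d in ocsp_days_left),
        "crl_staleness": sum(d <= CRL_WARN_DAYS for d in crl_days_left),
    }


def dimension_status(count, critical_stale_count=CRITICAL_STALE_COUNT):
    # Unhealthy when the count exceeds CriticalStaleCount (as the page states);
    # assumption: degraded means at least one stale item below that limit.
    if count > critical_stale_count:
        return "unhealthy"
    return "degraded" if count else "healthy"


def evaluate(tsts, ocsp_days_left=(), crl_days_left=(),
             critical_stale_count=CRITICAL_STALE_COUNT):
    """Aggregate per-dimension statuses into the check result: fail > warn > pass."""
    counts = dimension_counts(tsts, ocsp_days_left, crl_days_left)
    statuses = {k: dimension_status(v, critical_stale_count) for k, v in counts.items()}
    if "unhealthy" in statuses.values():
        return "fail", statuses
    if "degraded" in statuses.values():
        return "warn", statuses
    return "pass", statuses


def retimestamp_candidates(tsts):
    """Artifacts inside the 90-day critical window: re-timestamp these first."""
    return [t.artifact for t in tsts if t.cert_days_left <= TST_CRITICAL_DAYS]
```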
## Common Causes

- Re-timestamp jobs not running or failing
- TSA signing certificates approaching expiry
- OCSP/CRL cache not refreshed
- Legacy artifacts signed with SHA1

## How to Fix

### Docker Compose

```bash
# Run evidence refresh
docker exec stella evidence refresh --all

# Run retimestamp queue
docker exec stella retimestamp run
```

### Bare Metal / systemd

```bash
# Check evidence status
stella evidence audit --staleness

# Refresh stale evidence
stella evidence refresh --all

# Process retimestamp queue
stella retimestamp run

# Schedule automatic refresh
stella retimestamp schedule create --interval daily
```

### Kubernetes / Helm

```yaml
timestamping:
  evidenceStaleness:
    tstWarnDays: 180
    tstCriticalDays: 90
    criticalStaleCount: 10
    retimestampSchedule: "0 1 * * *"
```

## Verification

```bash
stella doctor run --check check.timestamp.evidence.staleness
```

## Related Checks

- `check.timestamp.evidence.tst.expiry` — focused check for expiring TSTs
- `check.timestamp.evidence.tst.deprecated-algo` — focused check for deprecated algorithms
- `check.timestamp.evidence.tst.missing-stapling` — focused check for missing stapling
- `check.timestamp.evidence.retimestamp.pending` — focused check for pending retimestamps