---
checkId: check.timestamp.eidas.qts.qualified
plugin: stellaops.doctor.timestamping
severity: fail
tags: [timestamping, eidas, qts, qualification, compliance]
---
# QTS Providers Qualification

## What It Checks
Checks that configured qualified TSA providers are still listed on the EU Trust List. The check:

- Gets qualified TSA providers from the registry.
- For each provider, queries the trust list cache for current qualification status.
- Fails if any provider is no longer qualified (withdrawn, suspended, or not found).
- Passes if no qualified providers are configured (optional feature) or all are still qualified.

## Why It Matters
Under eIDAS regulation, only qualified TSA providers can produce timestamps with legal effect equivalent to handwritten signatures. If a provider loses qualification, timestamps from that provider no longer meet eIDAS compliance requirements, potentially invalidating evidence used for regulated releases.

## Common Causes
- TSA provider's qualified status withdrawn by a supervisory body
- Provider suspended due to compliance issues
- Provider not yet (re-)listed on the current trust list version
- Trust list cache is stale (check `check.timestamp.eidas.trustlist.fresh`)

## How to Fix

### Docker Compose
```bash
# Refresh trust list first
docker exec stella trust-list refresh

# Check provider status
docker exec stella tsa qualification status
```

### Bare Metal / systemd
```bash
stella trust-list refresh
stella tsa qualification status

# Replace non-qualified provider
stella tsa remove --name "Withdrawn Provider"
stella tsa add --name "New QTS" --url "https://new-qualified-tsa.eu/tsr" --qualified
```

### Kubernetes / Helm
Update TSA provider configuration to use only qualified providers.

## Verification
```
stella doctor run --check check.timestamp.eidas.qts.qualified
```

## Related Checks
- `check.timestamp.eidas.trustlist.fresh` — checks EU Trust List freshness
- `check.timestamp.eidas.qts.status-change` — alerts on qualification status changes
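
The pass/fail rule listed under "What It Checks", as an added example rather than Stella Ops code: it reads a constructed trust-list fragment that uses ETSI TS 119 612 element names and status URIs and applies the rule to a list of configured providers. Matching providers by service name is an assumption made for the example; the page does not say how the registry is keyed.

```python
import xml.etree.ElementTree as ET

TSL = "http://uri.etsi.org/02231/v2#"                   # ETSI TS 119 612 namespace
NS = {"tsl": TSL}
QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"   # qualified timestamp service
PLAIN_TSA = "http://uri.etsi.org/TrstSvc/Svctype/TSA"   # non-qualified timestamp service
STATUS = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/"
GRANTED = STATUS + "granted"

def _svc(kind, name, status):
    """Build one constructed TSPService entry (sample data, not a real listing)."""
    return (f"<TSPService><ServiceInformation>"
            f"<ServiceTypeIdentifier>{kind}</ServiceTypeIdentifier>"
            f"<ServiceName><Name>{name}</Name></ServiceName>"
            f"<ServiceStatus>{STATUS}{status}</ServiceStatus>"
            f"</ServiceInformation></TSPService>")

SAMPLE_TSL = (f'<TrustServiceStatusList xmlns="{TSL}"><TrustServiceProviderList>'
              "<TrustServiceProvider><TSPServices>"
              + _svc(QTST, "Example QTS A", "granted")
              + _svc(QTST, "Example QTS B", "withdrawn")
              + _svc(PLAIN_TSA, "Example Plain TSA", "granted")
              + "</TSPServices></TrustServiceProvider>"
              "</TrustServiceProviderList></TrustServiceStatusList>")

def load_qualified_statuses(tsl_xml):
    """Map each QTST service name to its current ServiceStatus URI."""
    statuses = {}
    for info in ET.fromstring(tsl_xml).iter(f"{{{TSL}}}ServiceInformation"):
        if info.findtext("tsl:ServiceTypeIdentifier", "", NS).strip() != QTST:
            continue  # a granted non-qualified TSA does not count as qualified
        name = info.findtext("tsl:ServiceName/tsl:Name", "", NS).strip()
        statuses[name] = info.findtext("tsl:ServiceStatus", "", NS).strip()
    return statuses

def check_qualified(configured, statuses):
    """Return ("pass"|"fail", {provider: reason}) per the What It Checks rule."""
    problems = {}
    for name in configured:  # name-based matching is an assumption of this example
        status = statuses.get(name)
        if status is None:
            problems[name] = "not found"
        elif status != GRANTED:
            problems[name] = status.rsplit("/", 1)[-1]
    return ("fail" if problems else "pass"), problems

if __name__ == "__main__":
    cache = load_qualified_statuses(SAMPLE_TSL)
    print(check_qualified(["Example QTS A", "Example QTS B", "Example Plain TSA"], cache))
```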