---
checkId: check.timestamp.tsa.valid-response
plugin: stellaops.doctor.timestamping
severity: fail
tags: [timestamping, tsa, validation, rfc3161]
---

# TSA Valid Response

## What It Checks

Verifies that each configured TSA endpoint returns a valid RFC 3161 timestamp response. The check:

- Gets the active TSA providers from the registry.
- Sends each provider a timestamp request carrying a dummy SHA-256 message imprint.
- Parses each response and validates that it carries a valid RFC 3161 timestamp token (a `granted` status with a signed token, not an error status).
- Fails if no provider returns a valid response. Warns if some providers fail validation.
- Reports degraded if no providers are configured.

## Why It Matters

A reachable TSA that returns invalid timestamps is worse than no TSA at all -- it produces evidence that appears valid but cannot be verified. Invalid timestamps break the chain of trust for release evidence and can cause compliance audit failures. This is a critical-severity check.

## Common Causes

- TSA provider configuration changed (algorithm, certificate)
- TSA provider returned an error response (a status other than `granted`) instead of a valid token
- Network issues causing corrupted or substituted responses (for example a proxy answering with an HTML page)
- TSA provider using an unsupported algorithm or format

## How to Fix

### Docker Compose

Verify the TSA configuration and switch to a known-good provider:

```yaml
environment:
  Timestamping__TsaEndpoints__0__Name: "DigiCert"
  Timestamping__TsaEndpoints__0__Url: "http://timestamp.digicert.com"
```

A plain `http://` URL is normal for an RFC 3161 TSA: the returned token is signed by the TSA itself, so the transport does not need to protect it.

### Bare Metal / systemd

```bash
# Build a timestamp query for a SHA-256 imprint (of empty input here),
# asking the TSA to include its certificate in the response.
openssl ts -query -data /dev/null -sha256 -cert -no_nonce -out /tmp/ts.req

# Submit it; RFC 3161 over HTTP uses this content type.
curl -H "Content-Type: application/timestamp-query" --data-binary @/tmp/ts.req \
  http://timestamp.digicert.com -o /tmp/ts.resp

# Decode the response: the status must be "Granted" and a token must follow.
openssl ts -reply -in /tmp/ts.resp -text
```

`-text` only decodes the response. To verify the token against the request and the TSA's certificate chain, run `openssl ts -verify -queryfile /tmp/ts.req -in /tmp/ts.resp -CAfile <tsa-root.pem>`; a response that decodes but fails this step is exactly what the check reports.

### Kubernetes / Helm

```yaml
timestamping:
  tsaEndpoints:
    - name: "DigiCert"
      url: "http://timestamp.digicert.com"
```

If a TSA consistently returns invalid responses, remove it and add an alternative qualified provider.
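The status/token consistency rule behind the "valid response" test in What It Checks and the "error response instead of a valid token" cause listed above, as an added example that is not StellaOps code and does not show how the doctor plugin is written. It uses only the Python standard library, hand-encodes a few `TimeStampResp` messages (constructed, not captured from a real TSA), and stops at the structural checks of RFC 3161 section 2.4.2; the CMS signature, message imprint and nonce still have to be verified afterwards. The names `classify_response`, `aggregate`, `TsaVerdict` and the fail/warn/degraded labels are this example's own.

```python
"""Structural triage of RFC 3161 TimeStampResp messages (added example, not StellaOps code)."""
from dataclasses import dataclass
from typing import Dict, Optional

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # contentType required for a TimeStampToken
PKI_STATUS = {0: "granted", 1: "grantedWithMods", 2: "rejection",
              3: "waiting", 4: "revocationWarning", 5: "revocationNotification"}


class DerError(ValueError):
    """Bytes are not well-formed DER of the expected shape."""


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise DerError("unexpected end of data")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DerError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    if not value:
        raise DerError("empty OID")
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise DerError("truncated OID arc")
    return ".".join(map(str, arcs))


@dataclass
class TsaVerdict:
    valid: bool            # True only for a granted response carrying a SignedData token
    status: Optional[int]  # PKIStatus, or None when the response could not be parsed
    reason: str


def classify_response(resp: bytes) -> TsaVerdict:
    """Decide whether a TimeStampResp is a usable token, a TSA error, or garbage."""
    try:
        tag, body, end = _read_tlv(resp, 0)
        if tag != 0x30 or end != len(resp):
            raise DerError("TimeStampResp must be a single SEQUENCE")
        tag, status_info, pos = _read_tlv(body, 0)
        if tag != 0x30:
            raise DerError("PKIStatusInfo must be a SEQUENCE")
        tag, status_bytes, _ = _read_tlv(status_info, 0)
        if tag != 0x02 or not status_bytes:
            raise DerError("PKIStatus must be an INTEGER")
        status = int.from_bytes(status_bytes, "big", signed=True)
        token_type = None
        if pos < len(body):                            # optional timeStampToken (CMS ContentInfo)
            tag, content_info, pos = _read_tlv(body, pos)
            if tag != 0x30:
                raise DerError("timeStampToken must be a ContentInfo SEQUENCE")
            tag, oid, _ = _read_tlv(content_info, 0)
            if tag != 0x06:
                raise DerError("ContentInfo must start with a contentType OID")
            token_type = _decode_oid(oid)
        if pos != len(body):
            raise DerError("trailing data inside TimeStampResp")
    except DerError as e:
        return TsaVerdict(False, None, f"malformed: {e}")

    name = PKI_STATUS.get(status, f"unknown({status})")
    granted = status in (0, 1)
    # RFC 3161 2.4.2: a token MUST be present iff status is granted/grantedWithMods.
    if granted and token_type is None:
        return TsaVerdict(False, status, f"{name} but no timeStampToken")
    if not granted and token_type is not None:
        return TsaVerdict(False, status, f"{name} but a token is present")
    if not granted:
        return TsaVerdict(False, status, f"TSA returned error status {name}")
    if token_type != ID_SIGNED_DATA:
        return TsaVerdict(False, status, f"token contentType {token_type} is not id-signedData")
    return TsaVerdict(True, status, f"{name} with SignedData token (signature not yet verified)")


def aggregate(responses: Dict[str, Optional[bytes]]) -> str:
    """Roll per-provider verdicts up as the check describes: degraded with no providers,
    fail when none validate, warn when only some do, pass otherwise."""
    if not responses:
        return "degraded"
    ok = sum(r is not None and classify_response(r).valid for r in responses.values())
    return "fail" if ok == 0 else ("pass" if ok == len(responses) else "warn")


# Constructed sample responses (hand-encoded DER, not captured from a real TSA).
REJECTED = bytes.fromhex("30053003020102")          # status=rejection, no token
GRANTED_NO_TOKEN = bytes.fromhex("30053003020100")  # status=granted but the token is missing
# status=granted plus a ContentInfo with contentType id-signedData; the SignedData
# body is an empty stub, so only the structural rules are exercised here.
GRANTED_STUB_TOKEN = bytes.fromhex("3016" "3003020100" "300f" "06092a864886f70d010702" "a0023000")
WRONG_CONTENT_TYPE = GRANTED_STUB_TOKEN.replace(b"\x01\x07\x02", b"\x01\x07\x01")  # id-data instead
TRUNCATED = GRANTED_STUB_TOKEN[:-3]

if __name__ == "__main__":
    for label, r in [("rejected", REJECTED), ("granted-no-token", GRANTED_NO_TOKEN),
                     ("granted-stub", GRANTED_STUB_TOKEN), ("wrong-type", WRONG_CONTENT_TYPE),
                     ("truncated", TRUNCATED)]:
        v = classify_response(r)
        print(f"{label:18} valid={v.valid!s:5} {v.reason}")
    print("overall:", aggregate({"DigiCert": GRANTED_STUB_TOKEN, "Other": REJECTED}))
```

Run it directly to print one verdict per sample; `aggregate` mirrors the fail / warn / degraded outcomes listed under What It Checks, so a single good provider next to a rejecting one yields `warn`, and an empty provider set yields `degraded`.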
## Verification

```bash
stella doctor run --check check.timestamp.tsa.valid-response
```

## Related Checks

- `check.timestamp.tsa.reachable` — verifies TSA endpoint reachability
- `check.timestamp.tsa.cert-expiry` — checks TSA certificate expiry
- `check.timestamp.tsa.chain-valid` — validates the TSA certificate chain