git.stella-ops.org/docs/doctor/articles/timestamping/evidence-staleness.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


checkId:  check.timestamp.evidence.staleness
plugin:   stellaops.doctor.timestamping
severity: warn
tags:     timestamping, evidence, staleness, retimestamp

Evidence Staleness

What It Checks

Aggregated check for timestamp evidence staleness across six dimensions:

  • TST Expiry: timestamps approaching signing certificate expiry (warn at 180 days, critical at 90 days).
  • Deprecated Algorithms: timestamps using deprecated hash algorithms (e.g., SHA1).
  • Missing Stapling: timestamps without stapled OCSP/CRL revocation data.
  • Retimestamp Queue: artifacts pending re-timestamping.
  • OCSP Staleness: OCSP responses approaching expiry (warn at 3 days).
  • CRL Staleness: CRLs approaching expiry (warn at 7 days).

Fails if any dimension is unhealthy (count exceeds CriticalStaleCount, default 10). Warns if any dimension is degraded.
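The following is an added, self-contained illustration (not code from the StellaOps Doctor plugin) of how the six dimensions above combine into one check result. It evaluates a constructed batch of timestamp evidence records against the thresholds stated on this page (180/90-day TST window, 3-day OCSP and 7-day CRL windows, CriticalStaleCount of 10), counts findings per dimension, and derives the aggregate verdict: fail when any dimension's count exceeds the critical stale count, warn when any dimension has findings at all. The record shape, field names and the dimension-to-command mapping are this example's own assumptions; the fix commands are the ones listed under "How to Fix".

```python
"""Added example: aggregate the evidence-staleness dimensions into one verdict."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as documented for this check (constant names are this example's own).
TST_WARN_DAYS = 180
TST_CRITICAL_DAYS = 90
OCSP_WARN_DAYS = 3
CRL_WARN_DAYS = 7
CRITICAL_STALE_COUNT = 10
DEPRECATED_HASH_ALGS = {"sha1", "md5"}

# Assumed mapping from dimension to the remediation command shown on this page.
FIX_SUGGESTIONS = {
    "tst_expiry": "stella retimestamp run",
    "deprecated_algo": "stella retimestamp run",
    "missing_stapling": "stella evidence refresh --all",
    "retimestamp_queue": "stella retimestamp run",
    "ocsp_stale": "stella evidence refresh --all",
    "crl_stale": "stella evidence refresh --all",
}

@dataclass
class TimestampEvidence:
    """One timestamp token and its stapled revocation data (constructed shape)."""
    artifact: str
    hash_alg: str
    tsa_cert_not_after: datetime
    ocsp_next_update: Optional[datetime] = None   # None means no stapled OCSP
    crl_next_update: Optional[datetime] = None    # None means no stapled CRL
    retimestamp_pending: bool = False

@dataclass
class Finding:
    dimension: str
    artifact: str
    severity: str   # "warn" or "critical"
    detail: str

@dataclass
class CheckResult:
    status: str                  # "pass", "warn" or "fail"
    counts: Dict[str, int]       # findings per dimension
    findings: List[Finding]
    fix_suggestions: List[str]   # deduplicated commands for the dimensions hit

def _days_until(when: datetime, now: datetime) -> float:
    return (when - now) / timedelta(days=1)

def evaluate_staleness(evidence: List[TimestampEvidence], now: datetime,
                       critical_stale_count: int = CRITICAL_STALE_COUNT) -> CheckResult:
    findings: List[Finding] = []
    for e in evidence:
        remaining = _days_until(e.tsa_cert_not_after, now)
        if remaining <= TST_WARN_DAYS:
            sev = "critical" if remaining <= TST_CRITICAL_DAYS else "warn"
            findings.append(Finding("tst_expiry", e.artifact, sev,
                                    f"TSA signing cert expires in {remaining:.0f} days"))
        if e.hash_alg.lower() in DEPRECATED_HASH_ALGS:
            findings.append(Finding("deprecated_algo", e.artifact, "warn", f"uses {e.hash_alg}"))
        if e.ocsp_next_update is None and e.crl_next_update is None:
            findings.append(Finding("missing_stapling", e.artifact, "warn", "no stapled OCSP or CRL"))
        if e.retimestamp_pending:
            findings.append(Finding("retimestamp_queue", e.artifact, "warn", "pending re-timestamp"))
        if e.ocsp_next_update is not None and _days_until(e.ocsp_next_update, now) <= OCSP_WARN_DAYS:
            findings.append(Finding("ocsp_stale", e.artifact, "warn", "stapled OCSP response near expiry"))
        if e.crl_next_update is not None and _days_until(e.crl_next_update, now) <= CRL_WARN_DAYS:
            findings.append(Finding("crl_stale", e.artifact, "warn", "stapled CRL near expiry"))

    counts = {dim: 0 for dim in FIX_SUGGESTIONS}
    for f in findings:
        counts[f.dimension] += 1
    # Unhealthy dimension (count above the critical stale count) fails the check;
    # any degraded dimension (one or more findings) only warns.
    if any(n > critical_stale_count for n in counts.values()):
        status = "fail"
    elif any(n > 0 for n in counts.values()):
        status = "warn"
    else:
        status = "pass"
    fixes = sorted({FIX_SUGGESTIONS[d] for d, n in counts.items() if n > 0})
    return CheckResult(status, counts, findings, fixes)

# Constructed sample batch: one clean record plus one record per dimension.
SAMPLE_NOW = datetime(2026, 3, 27, tzinfo=timezone.utc)

def sample_evidence(now: datetime) -> List[TimestampEvidence]:
    d = lambda n: now + timedelta(days=n)
    return [
        TimestampEvidence("app-1.0.tar.gz", "sha256", d(400), d(10), d(30)),   # healthy
        TimestampEvidence("app-0.9.tar.gz", "sha1", d(400), d(10), d(30)),     # deprecated algorithm
        TimestampEvidence("lib-2.1.so", "sha256", d(120), d(10), d(30)),       # TST expiry, warn
        TimestampEvidence("lib-2.0.so", "sha256", d(30), d(10), d(30)),        # TST expiry, critical
        TimestampEvidence("legacy.bin", "sha256", d(400), retimestamp_pending=True),  # no stapling, queued
        TimestampEvidence("img.sbom.json", "sha256", d(400), d(1), d(2)),      # stale OCSP and CRL
    ]

if __name__ == "__main__":
    result = evaluate_staleness(sample_evidence(SAMPLE_NOW), SAMPLE_NOW)
    print(result.status, result.counts)
    for f in result.findings:
        print(f"  [{f.severity}] {f.dimension}: {f.artifact} ({f.detail})")
    print("suggested fixes:", result.fix_suggestions)
```

Run as a script it prints a warn verdict with one or two findings per dimension; raising the number of SHA1 records past the critical stale count flips the verdict to fail, which is the behaviour the "Fails if any dimension is unhealthy" sentence describes.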

Why It Matters

Stale evidence loses its verifiability over time. Expired timestamps, deprecated algorithms, and missing revocation data all weaken the chain of trust. Proactive detection enables scheduled re-timestamping before evidence becomes unverifiable.

Common Causes

  • Re-timestamp jobs not running or failing
  • TSA signing certificates approaching expiry
  • OCSP/CRL cache not refreshed
  • Legacy artifacts signed with SHA1

How to Fix

Docker Compose

# Run evidence refresh
docker exec <platform-container> stella evidence refresh --all

# Run retimestamp queue
docker exec <platform-container> stella retimestamp run

Bare Metal / systemd

# Check evidence status
stella evidence audit --staleness

# Refresh stale evidence
stella evidence refresh --all

# Process retimestamp queue
stella retimestamp run

# Schedule automatic refresh
stella retimestamp schedule create --interval daily

Kubernetes / Helm

timestamping:
  evidenceStaleness:
    tstWarnDays: 180
    tstCriticalDays: 90
    criticalStaleCount: 10
    retimestampSchedule: "0 1 * * *"

Verification

stella doctor run --check check.timestamp.evidence.staleness

Related focused checks:

  • check.timestamp.evidence.tst.expiry — focused check for expiring TSTs
  • check.timestamp.evidence.tst.deprecated-algo — focused check for deprecated algorithms
  • check.timestamp.evidence.tst.missing-stapling — focused check for missing stapling
  • check.timestamp.evidence.retimestamp.pending — focused check for pending retimestamps