git.stella-ops.org/docs/doctor/articles/timestamping/qts-providers-qualified.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


checkId: check.timestamp.eidas.qts.qualified
plugin: stellaops.doctor.timestamping
severity: fail
tags: timestamping, eidas, qts, qualification, compliance

QTS Providers Qualification

What It Checks

Checks that configured qualified TSA providers are still listed on the EU Trust List. The check:

  • Gets qualified TSA providers from the registry.
  • For each provider, queries the trust list cache for current qualification status.
  • Fails if any provider is no longer qualified (withdrawn, suspended, or not found).
  • Passes if no qualified providers are configured (optional feature) or all are still qualified.
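
The decision logic in the list above, sketched in Python as an added example (not Stella Ops code). The registry and cache structures, matching providers by name, and the `max_cache_age` threshold are assumptions made for illustration; the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; names, statuses and the cache layout are assumptions.
REGISTRY = [
    {"name": "Alpha QTS", "qualified": True},
    {"name": "Beta QTS", "qualified": True},
    {"name": "Gamma QTS", "qualified": True},
    {"name": "Internal TSA", "qualified": False},  # not subject to this check
]
TRUST_LIST_CACHE = {
    "fetched_at": datetime(2026, 3, 1, tzinfo=timezone.utc),
    "status": {"Alpha QTS": "qualified", "Beta QTS": "withdrawn"},
}
NOW = datetime(2026, 3, 27, tzinfo=timezone.utc)


def check_qts_qualified(registry, cache, now, max_cache_age=timedelta(days=7)):
    """Evaluate the four rules above; max_cache_age is an assumed threshold."""
    qualified = [p for p in registry if p["qualified"]]
    if not qualified:
        # Qualified timestamping is optional: nothing configured means pass.
        return {"result": "pass", "findings": [], "cache_stale": False}

    findings = []
    for provider in qualified:
        # A provider missing from the cache counts as "not found", which fails.
        status = cache["status"].get(provider["name"], "not found")
        if status != "qualified":
            findings.append((provider["name"], status))

    # A stale cache is a listed cause of failures, so flag it with the result
    # to steer the operator to a refresh before any provider is replaced.
    stale = now - cache["fetched_at"] > max_cache_age
    return {
        "result": "fail" if findings else "pass",
        "findings": findings,
        "cache_stale": bool(findings) and stale,
    }


if __name__ == "__main__":
    print(check_qts_qualified(REGISTRY, TRUST_LIST_CACHE, NOW))
```

A failing result with `cache_stale` set is the case where refreshing the trust list should come before removing a provider.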

Why It Matters

Under the eIDAS regulation, only qualified TSA providers can produce timestamps with legal effect equivalent to handwritten signatures. If a provider loses qualification, timestamps from that provider no longer meet eIDAS compliance requirements, potentially invalidating evidence used for regulated releases.

Common Causes

  • TSA provider's qualified status withdrawn by a supervisory body
  • Provider suspended due to compliance issues
  • Provider not yet (re-)listed on the current trust list version
  • Trust list cache is stale (see check.timestamp.eidas.trustlist.fresh)

How to Fix

Docker Compose

# Refresh trust list first
docker exec <platform-container> stella trust-list refresh

# Check provider status
docker exec <platform-container> stella tsa qualification status

Bare Metal / systemd

stella trust-list refresh
stella tsa qualification status

# Replace non-qualified provider
stella tsa remove --name "Withdrawn Provider"
stella tsa add --name "New QTS" --url "https://new-qualified-tsa.eu/tsr" --qualified

Kubernetes / Helm

Update TSA provider configuration to use only qualified providers.

Verification

stella doctor run --check check.timestamp.eidas.qts.qualified

Related Checks

  • check.timestamp.eidas.trustlist.fresh — checks EU Trust List freshness
  • check.timestamp.eidas.qts.status-change — alerts on qualification status changes