git.stella-ops.org/docs/doctor/articles/timestamping/qts-status-change.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


checkId: check.timestamp.eidas.qts.status-change
plugin: stellaops.doctor.timestamping
severity: warn
tags: timestamping, eidas, qts, status, monitoring

QTS Status Changes

What It Checks

Alerts on TSA qualification status changes in the past 7 days. The check:

  • Queries the status change tracker for recent changes within a 7-day window.
  • Reports each change (provider name, previous status, new status, change date).
  • Warns if any withdrawals occurred (provider moved from Qualified to Withdrawn/Suspended/Deprecated).
  • Passes if no changes occurred or all changes are positive (e.g., new qualification grants).
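
The decision logic in the list above, as an added Python sketch (not the Stella Ops implementation, which is not shown on this page). The `StatusChange` record shape, the `evaluate` function, the "Candidate" status and the sample providers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Statuses the article treats as a withdrawal when reached from "Qualified".
WITHDRAWN_STATES = {"Withdrawn", "Suspended", "Deprecated"}
WINDOW = timedelta(days=7)

@dataclass(frozen=True)
class StatusChange:  # hypothetical record shape, not the tracker's schema
    provider: str
    previous: str
    new: str
    changed_at: datetime  # timezone-aware UTC

def evaluate(changes, now):
    """Return (severity, report_lines) for changes inside the 7-day window."""
    cutoff = now - WINDOW
    # Ignore anything older than the window or dated in the future.
    recent = sorted((c for c in changes if cutoff <= c.changed_at <= now),
                    key=lambda c: c.changed_at)
    report = [f"{c.provider}: {c.previous} -> {c.new} on {c.changed_at:%Y-%m-%d}"
              for c in recent]
    withdrawals = [c for c in recent
                   if c.previous == "Qualified" and c.new in WITHDRAWN_STATES]
    if withdrawals:
        names = ", ".join(sorted({c.provider for c in withdrawals}))
        report.append(f"withdrawn providers needing migration: {names}")
        return "warn", report
    return "pass", report

# Constructed sample data (provider names, statuses and dates are made up).
NOW = datetime(2026, 3, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    StatusChange("Example TSA A", "Qualified", "Withdrawn", NOW - timedelta(days=2)),
    StatusChange("Example TSA B", "Candidate", "Qualified", NOW - timedelta(days=5)),
    StatusChange("Example TSA C", "Qualified", "Suspended", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    severity, lines = evaluate(SAMPLE, NOW)
    print(severity)
    print("\n".join(lines))
```

The 30-day-old suspension falls outside the window and does not affect the result, while a single in-window withdrawal is enough to turn the result into a warning even when a positive change is also present.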

Why It Matters

Qualification status changes require operational response. A withdrawal means the provider's timestamps no longer satisfy eIDAS requirements, and traffic should be migrated to an alternative provider. Early detection of changes enables proactive migration before compliance deadlines.

Common Causes

  • Supervisory body action against a TSA provider
  • Provider voluntary withdrawal from qualification
  • New provider achieving qualification (positive change)

How to Fix

Docker Compose

# Review recent changes
docker exec <platform-container> stella tsa qualification changes --days 7

# If a provider was withdrawn, add a replacement
docker exec <platform-container> stella tsa add --name "Replacement QTS" --url "https://new-tsa.eu/tsr" --qualified

Bare Metal / systemd

stella tsa qualification changes --days 7
stella tsa qualification status

Kubernetes / Helm

Review changes and update provider configuration as needed.

Verification

stella doctor run --check check.timestamp.eidas.qts.status-change

Related Checks

  • check.timestamp.eidas.qts.qualified — checks provider qualification status
  • check.timestamp.eidas.trustlist.fresh — checks EU Trust List freshness