git.stella-ops.org/docs/doctor/articles/timestamping/tsa-valid-response.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


| checkId | plugin | severity | tags |
|---|---|---|---|
| check.timestamp.tsa.valid-response | stellaops.doctor.timestamping | fail | timestamping, tsa, validation, rfc3161 |

TSA Valid Response

What It Checks

Verifies that TSA endpoints return valid RFC-3161 timestamp responses. The check:

  • Gets active TSA providers from the registry.
  • Sends a dummy SHA-256 hash to each provider and requests a timestamp token.
  • Validates that each response is a valid RFC-3161 timestamp token.
  • Fails if no providers return valid responses. Warns if some providers fail validation.
  • Reports degraded if no providers are configured.
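The probe described above, written out as an added example (this is not the Doctor plugin's own code): it builds an RFC 3161 TimeStampReq for a dummy SHA-256 hash, posts it to a TSA, and then applies the same acceptance rules as the check, namely a granted PKIStatus, a CMS SignedData token whose eContentType is id-ct-TSTInfo, and a TSTInfo whose messageImprint and nonce match what was sent. The DER helpers are deliberately minimal and standard-library only. The `sample_response` fixture is a constructed, unsigned response used so the checker can be exercised offline; the policy OID and genTime in it are placeholders. The example does not verify the CMS signature or the TSA certificate chain, which the cert-expiry and chain-valid checks cover separately.

```python
"""Build an RFC 3161 TimeStampReq, post it to a TSA and validate the TimeStampResp.
Added example, stdlib only; the DER code covers just the RFC 3161 structures used here."""
import hashlib
import os
import urllib.request

OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"     # CMS SignedData
OID_TST_INFO = "1.2.840.113549.1.9.16.1.4"   # id-ct-TSTInfo
PKI_STATUS = {0: "granted", 1: "grantedWithMods", 2: "rejection", 3: "waiting",
              4: "revocationWarning", 5: "revocationNotification"}

# --- minimal DER encoder ----------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):  # non-negative integers only; extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid_body(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return bytes(out)

def sha256_alg_id():
    return seq(tlv(0x06, oid_body(OID_SHA256)), tlv(0x05, b""))  # NULL parameters

# --- minimal DER reader -----------------------------------------------------
def der_children(body):
    """Split a constructed value into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln = body[pos], body[pos + 1]
        pos += 2
        if ln & 0x80:
            n = ln & 0x7F
            ln = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

# --- RFC 3161 ---------------------------------------------------------------
def build_request(digest, nonce):
    """TimeStampReq: version 1, SHA-256 messageImprint, nonce, certReq TRUE."""
    imprint = seq(sha256_alg_id(), tlv(0x04, digest))
    return seq(integer(1), imprint, integer(nonce), tlv(0x01, b"\xff"))

def post_request(url, req, timeout=10):
    """POST the DER request to the TSA and return the raw DER TimeStampResp."""
    http_req = urllib.request.Request(url, data=req, method="POST",
                                      headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.read()

def check_response(resp, digest, nonce):
    """Return (ok, detail). Checks status, CMS wrapping, TSTInfo imprint, genTime and nonce.
    Signature and certificate-chain verification are out of scope here."""
    try:
        top = der_children(resp)
        if len(top) != 1 or top[0][0] != 0x30:
            return False, "response is not a single SEQUENCE"
        fields = der_children(top[0][1])                     # [PKIStatusInfo, timeStampToken?]
        status = int.from_bytes(der_children(fields[0][1])[0][1], "big")
        if status not in (0, 1):
            return False, f"TSA status {PKI_STATUS.get(status, status)}"
        if len(fields) < 2:
            return False, "status granted but no timeStampToken present"
        content_info = der_children(fields[1][1])            # ContentInfo {OID, [0] SignedData}
        if content_info[0] != (0x06, oid_body(OID_SIGNED_DATA)):
            return False, "token is not CMS SignedData"
        signed_data = der_children(der_children(content_info[1][1])[0][1])
        encap = der_children(signed_data[2][1])              # EncapsulatedContentInfo
        if encap[0] != (0x06, oid_body(OID_TST_INFO)):
            return False, "eContentType is not id-ct-TSTInfo"
        tst_der = der_children(encap[1][1])[0][1]            # eContent OCTET STRING value
        tst_info = der_children(der_children(tst_der)[0][1])
        alg, imprint = der_children(tst_info[2][1])
        if tlv(*alg) != sha256_alg_id() or imprint != (0x04, digest):
            return False, "messageImprint in token does not match the hash we sent"
        if tst_info[4][0] != 0x18:
            return False, "genTime missing"
        nonces = [v for t, v in tst_info[5:] if t == 0x02]
        if not nonces or int.from_bytes(nonces[0], "big") != nonce:
            return False, "nonce missing or does not match"
        return True, f"{PKI_STATUS[status]}, genTime {tst_info[4][1].decode('ascii')}"
    except (IndexError, ValueError) as exc:
        return False, f"malformed response: {exc!r}"

def sample_response(digest, nonce, status=0):
    """Constructed fixture: an UNSIGNED TimeStampResp shaped like a real one
    (empty digestAlgorithms/signerInfos), for offline testing only."""
    status_info = seq(integer(status))
    if status != 0:
        return seq(status_info)                              # rejection carries no token
    tst_info = seq(integer(1), tlv(0x06, oid_body("1.2.3.4.5")),   # placeholder policy OID
                   seq(sha256_alg_id(), tlv(0x04, digest)), integer(42),
                   tlv(0x18, b"20260327102800Z"), integer(nonce))  # placeholder genTime
    encap = seq(tlv(0x06, oid_body(OID_TST_INFO)), tlv(0xA0, tlv(0x04, tst_info)))
    signed = seq(integer(3), tlv(0x31, b""), encap, tlv(0x31, b""))
    return seq(status_info, seq(tlv(0x06, oid_body(OID_SIGNED_DATA)), tlv(0xA0, signed)))

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://timestamp.digicert.com"
    digest = hashlib.sha256(b"stellaops-doctor-probe").digest()   # dummy hash, as the check sends
    nonce = int.from_bytes(os.urandom(8), "big")
    ok, detail = check_response(post_request(url, build_request(digest, nonce)), digest, nonce)
    print(("PASS " if ok else "FAIL ") + detail)
```

Run it as `python3 tsa_probe.py http://timestamp.digicert.com` to exercise a live endpoint. The nonce is the important part of the exchange: without it a cached or replayed token would pass the imprint comparison, so a token that omits or alters the nonce is rejected here exactly as a wrong hash is.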

Why It Matters

A reachable TSA that returns invalid timestamps is worse than no TSA at all -- it produces evidence that appears valid but cannot be verified. Invalid timestamps break the chain of trust for release evidence and can cause compliance audit failures. This is a critical-severity check.

Common Causes

  • TSA provider configuration changed (algorithm, certificate)
  • TSA provider returned an error response instead of a valid token
  • Network issues causing corrupted responses
  • TSA provider using an unsupported algorithm or format

How to Fix

Docker Compose

Verify TSA configuration and switch to a known-good provider:

environment:
  Timestamping__TsaEndpoints__0__Name: "DigiCert"
  Timestamping__TsaEndpoints__0__Url: "http://timestamp.digicert.com"

Bare Metal / systemd

# Test TSA response manually with openssl
openssl ts -query -data /dev/null -sha256 -cert -no_nonce -out /tmp/ts.req
curl -H "Content-Type: application/timestamp-query" --data-binary @/tmp/ts.req \
  http://timestamp.digicert.com -o /tmp/ts.resp
openssl ts -reply -in /tmp/ts.resp -text

Kubernetes / Helm

timestamping:
  tsaEndpoints:
    - name: "DigiCert"
      url: "http://timestamp.digicert.com"

If a TSA consistently returns invalid responses, remove it and add an alternative qualified provider.

Verification

stella doctor run --check check.timestamp.tsa.valid-response

Related Checks

  • check.timestamp.tsa.reachable — verifies TSA endpoint reachability
  • check.timestamp.tsa.cert-expiry — checks TSA certificate expiry
  • check.timestamp.tsa.chain-valid — validates TSA certificate chain