stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
b7fc87893ce74e8df5d0e560bc25dae36fd28da7
git.stella-ops.org/docs/doctor/articles/timestamping/tst-deprecated-algorithms.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation 
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00

1.2 KiB
Raw Blame History

checkId, plugin, severity, tags
checkId plugin severity tags
check.timestamp.evidence.tst.deprecated-algo stellaops.doctor.timestamping warn
timestamping
evidence
tst
algorithm
deprecated

TST Deprecated Algorithms

What It Checks

Detects timestamps using deprecated hash algorithms (default: SHA1). Fails if the count exceeds the critical threshold (default 10), otherwise warns.

Why It Matters

Timestamps using deprecated algorithms like SHA1 are vulnerable to collision attacks. Compliance frameworks (eIDAS, FIPS) may reject evidence signed with deprecated algorithms, blocking release attestation verification.

Common Causes

  • Legacy artifacts timestamped with older TSA configurations
  • TSA provider still using SHA1 by default
  • Migration to SHA-256 not yet completed

How to Fix

Re-timestamp affected artifacts using approved algorithms:

stella retimestamp run --algorithm SHA256 --filter deprecated-algo

Ensure TSA providers are configured to use SHA-256 or stronger.

Verification

stella doctor run --check check.timestamp.evidence.tst.deprecated-algo

Related Checks

  • check.timestamp.evidence.staleness — aggregated evidence staleness check
  • check.timestamp.tsa.valid-response — verifies TSA returns valid responses