2.0 KiB
2.0 KiB
RFC-3161 Timestamp Policy Assertions
Overview
Attestation timestamp policy rules validate RFC-3161 evidence alongside Rekor
inclusion proofs. The policy surface is backed by AttestationTimestampPolicyContext
and TimestampPolicyEvaluator in StellaOps.Attestor.Timestamping.
Context fields
AttestationTimestampPolicyContext exposes the following fields:
| Field | Type | Description |
|---|---|---|
HasValidTst |
bool | True when RFC-3161 verification succeeded. |
TstTime |
DateTimeOffset? | Generation time from the timestamp token. |
TsaName |
string? | TSA subject/name from the TST. |
TsaPolicyOid |
string? | TSA policy OID from the TST. |
TsaCertificateValid |
bool | True when TSA certificate validation passes. |
TsaCertificateExpires |
DateTimeOffset? | TSA signing cert expiry time. |
OcspStatus |
string? | OCSP status (Good/Unknown/Revoked). |
CrlChecked |
bool | True when CRL data was checked. |
RekorTime |
DateTimeOffset? | Rekor integrated time for the entry. |
TimeSkew |
TimeSpan? | RekorTime - TstTime, used for skew checks. |
Example assertions
The policy engine maps the context into evidence.tst.* fields. Example rules:
rules:
- id: require-rfc3161
assert: evidence.tst.valid == true
- id: time-skew
assert: abs(evidence.tst.time_skew) <= "5m"
- id: freshness
assert: evidence.tst.signing_cert.expires_at - now() > "180d"
- id: revocation-staple
assert: evidence.tst.ocsp.status in ["good","unknown"] && evidence.tst.crl.checked == true
- id: trusted-tsa
assert: evidence.tst.tsa_name in ["Example TSA", "Acme TSA"]
Built-in policy defaults
TimestampPolicy.Default enforces:
RequireRfc3161 = trueMaxTimeSkew = 5 minutesMinCertificateFreshness = 180 daysRequireRevocationStapling = true
References
src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampPolicyContext.csdocs/modules/attestor/architecture.md