Timestamp services

The Crypto-Module can retrieve and check timestamps according to RFC 3161. Timestamps can be qualified or unqualified. Any number of timestamp services can be stored in the configuration. At least one timestamp service must be configured.

The timestamp services are defined below the TimestampAuthorities element in the Crypto-Module configuration. When the Crypto-Module retrieves a timestamp, it queries the stored services in the order given in the configuration until it finds one that is available. The attribute RandomizeOrder can be used to change this behavior: the Crypto-Module then proceeds in a random order.

A timestamp service is defined by a TimestampAuthority element, which consists of the following parts:

  • Attribute ServiceID is a unique identifier for the timestamp service. This identifier is used by the system as part of log and error messages.

  • Element ServiceUrl is the URL of the timestamp service. It must be an HTTP or HTTPS URL.

  • Element HttpEndpointID is the ID of the HTTP endpoint to be used. (See Configure HTTP endpoint.)

  • Element ProxyID is the ID of the proxy server to be used. This element is optional and can be omitted if a direct connection to the timestamp service is to be used.

  • Element PolicyID is the object ID of the policy sent in the timestamp request. This element is optional.

Example:

<TimestampAuthorities RandomizeOrder="false">
  <TimestampAuthorities>
    <TimestampAuthority ServiceID="telesec-tsa">
      <ServiceUrl>https://tsp.telesec.de/TSPBasic/TSPProxy.pl</ServiceUrl>
      <HttpEndpointID>telesec-tsa-endpoint</HttpEndpointID>
      <ProxyID>defaultProxy</ProxyID>
    </TimestampAuthority>
  </TimestampAuthorities>
</TimestampAuthorities>

The example shows the configuration entry for the qualified TeleSec timestamp service. The entry references an HTTP endpoint that uses Basic authentication for access. The connection is established via a proxy server.
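
The rules listed above can be checked before a configuration is deployed. The following lint script is an added example, not part of the Crypto-Module or its documentation. The function name is hypothetical, the second sample entry is constructed, and the script assumes the elements carry no XML namespace and that HttpEndpointID is mandatory. The plain-HTTP warning is an added hardening check, not a rule stated by the product.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")  # dotted-decimal object ID

# Constructed sample: the page's entry plus a deliberately faulty second one.
SAMPLE = """<TimestampAuthorities RandomizeOrder="false"><TimestampAuthorities>
  <TimestampAuthority ServiceID="telesec-tsa">
    <ServiceUrl>https://tsp.telesec.de/TSPBasic/TSPProxy.pl</ServiceUrl>
    <HttpEndpointID>telesec-tsa-endpoint</HttpEndpointID>
    <ProxyID>defaultProxy</ProxyID>
  </TimestampAuthority>
  <TimestampAuthority ServiceID="telesec-tsa">
    <ServiceUrl>http://tsa.example.test/tsr</ServiceUrl>
    <HttpEndpointID>example-endpoint</HttpEndpointID>
    <PolicyID>1.2.x.4</PolicyID>
  </TimestampAuthority>
</TimestampAuthorities></TimestampAuthorities>"""

def lint_timestamp_authorities(xml_text):
    """Return (level, message) findings for a TimestampAuthorities fragment."""
    findings, seen = [], set()
    # iter() finds entries at any depth, so the nested wrapper is tolerated.
    authorities = list(ET.fromstring(xml_text).iter("TimestampAuthority"))
    if not authorities:
        findings.append(("error", "at least one TimestampAuthority must be configured"))
    for tsa in authorities:
        sid = tsa.get("ServiceID") or "<missing ServiceID>"
        if not tsa.get("ServiceID"):
            findings.append(("error", "TimestampAuthority without ServiceID"))
        elif sid in seen:
            findings.append(("error", f"{sid}: ServiceID is not unique"))
        seen.add(sid)
        url = urlsplit((tsa.findtext("ServiceUrl") or "").strip())
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append(("error", f"{sid}: ServiceUrl must be an HTTP or HTTPS URL"))
        elif url.scheme == "http":
            findings.append(("warning", f"{sid}: plain HTTP would expose endpoint credentials in transit"))
        # Assumption: HttpEndpointID is mandatory (the page marks only ProxyID and PolicyID optional).
        if not (tsa.findtext("HttpEndpointID") or "").strip():
            findings.append(("error", f"{sid}: HttpEndpointID is missing"))
        policy = tsa.findtext("PolicyID")
        if policy is not None and not OID_RE.match(policy.strip()):
            findings.append(("error", f"{sid}: PolicyID is not a valid object ID"))
    return findings

if __name__ == "__main__":
    for level, message in lint_timestamp_authorities(SAMPLE):
        print(f"{level}: {message}")
```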