Why does timestamping your code or data matters

When signing your code or data without applying a timestamp would result in having the signature being considered as invalid and trust warnings being displayed in case the certificate expires. This would mean that your signature is valid as long as your code or data hasn’t been tampered with and the certificate and/or its chain has not expired.

In order to avoid this from happening, you can apply timestamping. Timestamping will show that the signature on the code or data was valid at the time the signature and timestamp were applied. You can compare this with a notarized signature. The notary vouches that it was you and your signature at the time you sign the document.

This has the effect that even though the certificate may have been expired, the signature is not being considered as invalid due to the timestamping.

A timestamp is a key element to provide integrity and non-repudiation.

How does timestamping work?

A hash is calculated on the to-be-signed-code or data and sent to a Timestamping Authority (TSA).

The TSA will add to the hash some information, including the authoritative time and sign the whole with its private key, resulting in a timestamp token. This token contains all information that is required later to verify the timestamp. The token is stored with the original code or data.

With this information, any person or application opening the timestamped data or code will use the TSA’s public key to authenticate the TSA. The TSA public key will be found in the person or application trust store. A calculated hash on the original code or data will be compared with the original hash. If both hashes do not match, warnings will be shown indicating that the code or data has been modified since the timestamp has been applied and should not be trusted.

Timestamping Authority Standards and Protocols

  • RFC 3161 (Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)) provides the requirements a Third Party needs to meet in order to operate a Timestamping Authority.
  • The ANSI X9.95 Standard adds to the RFC with minimum security requirements for the effective use of time stamps in a financial services environment.
  • The ISO/IEC 18014 Standard series specifies time-stamping techniques. It consists of three parts, which include the general notion, models for a time-stamping service, data structures, and protocols.
  • ETSI EN 319 422 V1.1.1 (2016-03) – Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles
  • ETSI TS 119 142-3 V1.1.1 (2016-12) – Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 3: PAdES Document Time-stamp digital signatures (PAdES-DTS)
  • ETSI EN 319 421 V1.1.1 (2016-03) – Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps