====== Timestamps - Information for users ======

===== What timestamps are for =====

The purpose of a timestamp is to associate unquestionable time information with a particular object. It usually serves as proof that a document existed at a given time in the past. A user can request a timestamp for a file (timestamps for PDF documents can be generated in Adobe Acrobat Reader once it has been configured), or a server can request one (for logging).

===== Technical parameters of the service =====

Timestamps are issued by the time stamp authority. CESNET operates two servers (primary and secondary) with a time stamp service. They are managed by CESNET PKI.

The service can be used for timestamps with both the old attribute format (ESSCertID, see [[https://tools.ietf.org/html/rfc3161|rfc3161]]) and the new attribute format (ESSCertIDv2, see [[https://tools.ietf.org/html/rfc5816|rfc5816]]). The old format only supports the SHA1 hash, but it is still the most widespread. The new format is supported in OpenSSL up to version 1.1.1. If possible, we **recommend using the new ESSCertIDv2 format**.

Timestamp servers are available at:

  * http://tsa.cesnet.cz:3161/tsa/ - old ESSCertID attribute format, unsecured connection.
  * https://tsa.cesnet.cz:3162/tsa/ - old ESSCertID attribute format, secure connection (HTTPS).
  * http://tsa.cesnet.cz:5816/tsa/ - new ESSCertIDv2 attribute format, unsecured connection.
  * https://tsa.cesnet.cz:5817/tsa/ - new ESSCertIDv2 attribute format, secure connection (HTTPS).

==== How to obtain and verify a timestamp ====

//The following procedure is for UNIX-type OS only. In this process, we prepare a data file, generate a timestamp for it, and verify that the timestamp is valid.//

First prepare the data file:

  echo 'sator arepo tenet opera rotas' > data.txt

We now have a file named data.txt for which we want to get a timestamp. First we need to generate a TSA request using OpenSSL:

  openssl ts -query -data data.txt -no_nonce -cert -out data.tsq

The request is stored in the data.tsq file.

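To show what such a request contains, here is an added Python example (not part of the CESNET documentation) that builds and parses an RFC 3161 TimeStampReq with the same options as the command above: no nonce, certificate requested. The function names are made up for this example and SHA-256 is assumed as the digest; the point is that only the hash of data.txt is sent to the server, never the file itself.

```python
import hashlib

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")

def tlv(tag, content):
    """Encode one DER element; short-form length is enough for a request this small."""
    if len(content) > 127:
        raise ValueError("long-form DER length not handled in this example")
    return bytes([tag, len(content)]) + content

def build_tsq(data, cert_req=True):
    """Build a TimeStampReq (version 1, SHA-256 imprint, no policy, no nonce)."""
    alg = tlv(0x30, SHA256_OID + b"\x05\x00")        # AlgorithmIdentifier, NULL parameters
    imprint = tlv(0x30, alg + tlv(0x04, hashlib.sha256(data).digest()))
    body = tlv(0x02, b"\x01") + imprint              # version INTEGER 1, then MessageImprint
    if cert_req:                                     # certReq is DEFAULT FALSE: encode only TRUE
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def parse_tsq(der):
    """List the fields a TSA receives: digest, nonce presence, certReq."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, imprint, pos = read_tlv(body, pos)
    _, alg, ipos = read_tlv(imprint, 0)
    _, digest, _ = read_tlv(imprint, ipos)
    out = {"version": version[0], "sha256": alg.startswith(SHA256_OID),
           "imprint": digest.hex(), "nonce": False, "cert_req": False}
    while pos < len(body):                           # optional trailing fields
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x02:
            out["nonce"] = True
        elif tag == 0x01:
            out["cert_req"] = value != b"\x00"
    return out

if __name__ == "__main__":
    sample = b"sator arepo tenet opera rotas\n"      # what the echo command writes
    print(parse_tsq(build_tsq(sample)))
```
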
Now send the request to the timestamp server:

  cat data.tsq | curl -s -S -H 'Content-Type: application/timestamp-query' --data-binary @- http://tsa.cesnet.cz:3161/tsa/ -o data.tsr

The timestamp is now stored in the data.tsr file. To display its content in human-readable form, use the command

  openssl ts -reply -in data.tsr -text

You can now verify that no one has tampered with the file. To verify the signature, you must first download all CA certificates up to the root and place them in one file:

  curl -s https://crt.cesnet-ca.cz/CESNET_CA_Root.pem -o CESNET_CA_Root.pem
  curl -s https://crt.cesnet-ca.cz/PersonalSigning2.pem -o PersonalSigning2.pem
  cat CESNET_CA_Root.pem PersonalSigning2.pem > TrustedCertificates.pem

After this step, the TrustedCertificates.pem file contains the CA certificates. You can now verify the signature:

  openssl ts -verify -data ./data.txt -in ./data.tsr -CAfile ./TrustedCertificates.pem

If everything went right, you should see something like

  Verification: OK

You can now try what happens if you modify the data.txt data file. Change the contents of this file:

  echo 'Roma tibi subito motibus ibit amor' > data.txt

and run the command again:

  openssl ts -verify -data ./data.txt -in ./data.tsr -CAfile ./TrustedCertificates.pem

Verification should fail with an error message similar to the following:

  Verification: FAILED
  140345687674584:2F064067:time stamp routines:TS_CHECK_IMPRINTS:message imprint mismatch:ts_rsp_verify.c:672:

===== Terms of Service =====

Currently the service is intended for research and educational institutions and other registered users.

===== Price =====

The service is provided free of charge by CESNET.

===== Contact =====

All suggestions and comments should be sent to support@cesnet.cz.