Inoa TSA policy
Inoa Time Stamping Authority (TSA) Policy
1. Reference information
Document location: http://inoa.net/ca/tsa-doc/policy.html
OID: 1.3.6.1.4.1.34756.1.1
Version: 1.4
Date: 2019-02-21
2. Policy scope
Inoa TSA is a certification service provider according to Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1993 on a Community framework for electronic signatures. It provides advanced electronic signatures of time-stamping information. The timestamping digital signatures are of the type described in RFC 3126. The timestamping protocol is the Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) as defined in RFC 3161, carried over HTTP. The timestamping service complies with ETSI TS 102 023 v.1.2.1.
This policy document conforms to RFC 3628 Policy Requirements for Time-Stamping Authorities.
3. Roles and obligations
The TSA provides its time-stamp tokens to Subscribers and allows Relying Parties to check validity.
3.1. TSA
- Obligation to work according to this policy
- Obligation to keep time-stamp accuracy within 1 second of UTC
- Obligation to keep to the requirements of advanced electronic signatures as defined by the EC directive.
- Obligation to adhere to the protocol as defined in RFC 3161.
3.2. Subscribers
- Obligation to abstain from using the service if required by law or if their certification needs require a qualified certificate.
- Obligation to verify the advanced electronic signature received.
- Obligation to limit requests to 100 electronic signatures per day. All requests need to adhere to RFC 3161.
3.3. Relying Parties
- Obligation to abstain from using the service if required by law or if their certification needs require a qualified certificate.
- Obligation to limit all types of requests to 100 per day.
- Obligation to verify that the time-stamp token has been correctly signed and that the private key used to sign the time-stamp has not been compromised until the time of the verification.
- Obligation to take into account any limitations on the usage of the time-stamp indicated by the time-stamp policy.
4. Liability
No liabilities are carried towards availability, accuracy, qualification, legal effectiveness, or any other value possibly given to the electronic signature.
5. TSA Practice Statement
5.1. Key Management
The signing key is kept in a physically secured area only accessible under supervision of the General Manager. The hardware is of standard PC type, behind a double firewall (application-level and network-protocol-level firewalls). In total, at least 3 machines connected physically in series protect the private key.
5.2. Time-stamping
Timestamp synchronisation is guaranteed by a GPS receiver and via NTP. This is verified against a built-in clock. Other sanity checks (monotonicity, maximum jump) are added. In case of inconsistency, no timestamps are issued.
5.3. Management
The TSA has a management procedure, with definition of management roles.
5.4. Termination
Upon termination all TSU private keys will be destroyed.
After this, the TSA will be free of any further obligation.
6. TSA Disclosure Statement
This policy statement is entirely part of the TSA Disclosure. Additional information:
This page is maintained by Frederik Vermeulen.