Usage and configuration instructions for this module are available in the following associated documentation: Digi-CA™ Administrator Guide.
The TimeStamp Authority Gateway [TSAG] Service Module is intended to provide digital Time-Stamping network-based services in compliance with the RFC 3161 standard, Internet X.509 Public Key Infrastructure Time-Stamp Protocol [TSP].
The Time-Stamp Protocol, or TSP, is a cryptographic protocol for certifying time-stamp tokens using X.509 public key certificates and public key infrastructure. The time-stamp token is the signer's assertion that a piece of electronic data existed at, or before, a particular time. Time-Stamp tokens are effectively used to provide evidence data in the process of validating long-term electronic signatures applied to digital communication or payment transactions and electronic documents such as Adobe® Acrobat® PDF.
TSAG, in the overview of the CA supplementary services, acts as the Timestamping Service.
The term "Gateway" in the module name is purposely used to describe what the TSAG really does. It is essentially a network gateway between the TSP Client and the TSP Server. The design concept for this Service Module arose from the results of security assessments applied to the RFC 3161 standard.
A typical implementation model for a TSP Server allows that server to directly access the Timestamp Authority's [TSA] Private Key designated for certifying TimeStamp tokens. Because the TSP Server is very likely to be exposed for public use, the likelihood of the TSA's private key being accidentally exposed to an illegitimate party is relatively high, regardless of whether the TSA's private key is stored in a Software or Hardware Security Module. The TSA is a key party in the process of validating electronic signatures and providing non-repudiation; an illegitimate exposure of the TSA's private key in any form therefore creates a risk of TSA signature forgery, which would invalidate any previously certified Time-Stamp tokens and, in turn, any electronic signatures that those tokens provide evidence of.
TSAG was designed to eliminate the above risks. It is a software library built to work with an instance of an Apache web server software and it can be therefore considered as an Apache software module. Its functionality is limited to the following purposes:
a. Optionally authenticate connecting TSP Clients against a database
b. Qualify correctly formatted TSP requests
c. Transparently pass TSP requests to the CA Application Service [CAAS]
d. Retrieve responses from CAAS
e. Transparently pass responses retrieved from CAAS to TSP Clients
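As an added example (not Digi-CA or TSAG code), the following Python sketch illustrates step b, qualifying a TSP request before it is forwarded. It builds an RFC 3161 TimeStampReq with a hand-written DER encoder and then parses it back the way a gateway would, rejecting requests that are not a single well-formed DER SEQUENCE, that are not version 1, that name a digest algorithm outside an accepted list, or whose hashedMessage length does not match that algorithm. The OID table, the helper names and the exact checks are this example's own choices; a real gateway would take its accepted algorithm list from its configuration.

```python
"""Build and qualify RFC 3161 TimeStampReq messages with hand-written DER.

Added example for this page; it is not Digi-CA or TSAG code. The DER helpers,
the digest OID table and the field checks are this example's own assumptions.
"""
import hashlib

# Accepted digest OIDs (raw DER content octets) -> (hashlib name, digest length).
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): ("sha1", 20),            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): ("sha256", 32),  # 2.16.840.1.101.3.4.2.1
}
SHA256_OID = bytes.fromhex("608648016503040201")

def _tlv(tag, body):
    """Tag + DER length (short form below 128, else minimal long form) + body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _encode_int(value):
    """Minimal DER INTEGER for a non-negative value (leading 0x00 added when needed)."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def build_timestamp_req(data, hash_oid=SHA256_OID, nonce=None, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version v1(1), messageImprint, nonce OPTIONAL, certReq }."""
    name, _ = DIGEST_OIDS[hash_oid]
    alg_id = _tlv(0x30, _tlv(0x06, hash_oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    imprint = _tlv(0x30, alg_id + _tlv(0x04, hashlib.new(name, data).digest()))
    body = _encode_int(1) + imprint
    if nonce is not None:
        body += _encode_int(nonce)
    if cert_req:
        body += _tlv(0x01, b"\xff")  # certReq TRUE: ask the TSA to include its certificate
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos, rejecting non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    if pos + length > len(buf):
        raise ValueError("length exceeds message")
    return tag, buf[pos:pos + length], pos + length

def qualify_timestamp_req(der):
    """Gateway-side check (step b above): parse a TimeStampReq and return its fields,
    raising ValueError for anything malformed or using an unsupported digest."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("request is not a single DER SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02 or version != b"\x01":
        raise ValueError("version must be v1(1)")
    tag, imprint, pos = _read_tlv(body, pos)
    alg_tag, alg, p = _read_tlv(imprint, 0)
    oid_tag, oid_body, _ = _read_tlv(alg, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("messageImprint must carry an AlgorithmIdentifier with an OID")
    if oid_body not in DIGEST_OIDS:
        raise ValueError("unsupported hash algorithm OID " + oid_body.hex())
    tag, digest, p = _read_tlv(imprint, p)
    name, expected = DIGEST_OIDS[oid_body]
    if tag != 0x04 or p != len(imprint) or len(digest) != expected:
        raise ValueError(f"hashedMessage must be a {expected}-byte OCTET STRING for {name}")
    info = {"hash_algorithm": name, "hashed_message": digest.hex(), "nonce": None, "cert_req": False}
    while pos < len(body):  # optional trailing fields: reqPolicy, nonce, certReq, [0] extensions
        tag, field, pos = _read_tlv(body, pos)
        if tag == 0x06:
            info["policy"] = field.hex()
        elif tag == 0x02:
            info["nonce"] = int.from_bytes(field, "big", signed=True)
        elif tag == 0x01:
            info["cert_req"] = field == b"\xff"
        elif tag == 0xA0:
            info["extensions"] = field.hex()
        else:
            raise ValueError("unexpected field with tag 0x%02x" % tag)
    return info

def is_acceptable(der):
    """True only for requests the gateway would pass on to the CA Application Service."""
    try:
        qualify_timestamp_req(der)
        return True
    except (ValueError, IndexError):
        return False
```

Note that nothing in this step touches a signing key: the gateway only has to decide whether the bytes are a plausible TimeStampReq before relaying them, which is exactly why the design above can keep the TSA private key behind CAAS rather than on the publicly exposed host.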
TSP Clients connect to the TSAG over standard HTTP or secure HTTPS [HTTP over SSL/TLS] by addressing a Uniform Resource Locator [URL]. TSP requests are accepted as either HTTP POST or HTTP GET requests.
The optional Client Authentication is accomplished by the use of Simple HTTP Authentication where TSP Clients are requested to provide a username and password before their TSP request is accepted. To authenticate a TSP Client, the TSAG will transparently connect to a CA database, where End Entity account information is stored.
The TSAG module is configured and activated inside the Apache web server configuration and can be applied per site, per virtual realm or per physical directory. It is loaded at the moment the Apache web server is started.
Important Note: TSAG Service Module can place significant demands on your servers and IT hardware environment and should only be deployed and offered to relying parties if you have the correct infrastructure that meets the recommended model of High Availability.