RFC 3628 Requirements for Time-Stamping Authorities November 2003

       5.4. Conformance ........................................... 10
   6. Obligations and Liability ................................... 10
       6.1. TSA Obligations ....................................... 10
            6.1.1. General ........................................ 10
            6.1.2. TSA Obligations Towards Subscribers ............ 11
       6.2. Subscriber Obligations ................................ 11
       6.3. Relying Party Obligations ............................. 11
       6.4. Liability ............................................. 11
   7. Requirements on TSA Practices ............................... 12
       7.1. Practice and Disclosure Statements .................... 12
            7.1.1. TSA Practice Statement ......................... 12
            7.1.2. TSA Disclosure Statement ....................... 13
       7.2. Key Management Life Cycle ............................. 15
            7.2.1. TSU Key Generation ............................. 15
            7.2.2. TSU Private Key Protection ..................... 15
            7.2.3. TSU Public Key Distribution .................... 16
            7.2.4. Rekeying TSU's Key ............................. 17
            7.2.5. End of TSU Key Life Cycle ...................... 17
            7.2.6. Life Cycle Management of the Cryptographic
                   Module used to Sign Time-Stamps ................ 17
       7.3. Time-Stamping ......................................... 18
            7.3.1. Time-Stamp Token ............................... 18
            7.3.2. Clock Synchronization with UTC ................. 19
       7.4. TSA Management and Operation .......................... 20
            7.4.1. Security Management ............................ 20
            7.4.2. Asset Classification and Management ............ 21
            7.4.3. Personnel Security ............................. 22
            7.4.4. Physical and Environmental Security ............ 23
            7.4.5. Operations Management .......................... 25
            7.4.6. System Access Management ....................... 26
            7.4.7. Trustworthy Systems Deployment and Maintenance . 27
            7.4.8. Compromise of TSA Services ..................... 28
            7.4.9. TSA Termination ................................ 29
            7.4.10. Compliance with Legal Requirements ............ 29
            7.4.11. Recording of Information Concerning Operation
                    of Time-Stamping Services ..................... 30
       7.5. Organizational ........................................ 31
   8. Security Considerations ..................................... 32
   9. Acknowledgments ............................................. 33
   10. References ................................................. 33
       10.1. Normative References ................................. 33
       10.2. Informative References ............................... 34
   Annex A (informative): Coordinated Universal Time .............. 35
   Annex B (informative): Possible for Implementation Architectures
                          and Time-Stamping Services .............. 36
   Annex C (informative): Long Term Verification of Time-Stamp
                          Tokens .................................. 38
   Annex D (informative): Model TSA Disclosure Statement .......... 39

Pinkas, et al. Informational