
RFC 3161 Timestamping

RFC 3161 defines a protocol for obtaining a trusted timestamp from a third-party Timestamp Authority (TSA). The TSA signs a hash of your data along with the current time, providing cryptographic proof that the data existed at a specific point in time — without relying on your own clock.

Cosmictron can request an RFC 3161 timestamp token for every signed event, or selectively for high-value events.

Your own clock and your own signature key can both be manipulated by a sufficiently privileged attacker (for example, one who has compromised the server). An RFC 3161 token is signed by an independent TSA whose key you do not control, so an attacker who owns your server still cannot produce a token that claims an earlier time: backdating an event would require the TSA's private key. Note the direction of the proof: a token shows that the hash existed no later than the TSA's genTime; it says nothing about how long before that the data was created, and it proves nothing about data the token does not cover. Only the hash is sent, so the TSA never sees the event contents.

Trusted timestamps are relevant to several compliance frameworks:

  • 21 CFR Part 11 (FDA electronic records) — requires secure, computer-generated, time-stamped audit trails for electronic records and signatures
  • eIDAS (EU) — defines qualified electronic timestamps, issued by a qualified trust service provider, with legal effect across the EU
  • SOX (certain interpretations) — non-repudiation of financial records

Enable timestamping in the compliance section of the configuration:

[compliance.timestamping]
enabled = true
tsa_url = "https://freetsa.org/tsr" # Any RFC 3161-compliant TSA
tsa_cert_path = "/data/keys/tsa.crt" # TSA's root certificate for verification
mode = "all" # "all" | "selective" | "bundles_only"

tsa_cert_path is the trust anchor: a token is only as trustworthy as the chain from its signing certificate to this root, so obtain the certificate from the TSA's published source rather than from the response itself, and update it when the TSA rotates its root. If a framework requires a qualified timestamp (eIDAS), the TSA behind tsa_url must itself be qualified; any RFC 3161 endpoint is not sufficient.

Common public TSAs:

  • https://freetsa.org/tsr — free, public
  • https://tsa.quovadisglobal.com/TSS/HttpTspServer — QuoVadis (commercial)
  • DigiCert, Sectigo, Entrust (commercial)

A free public TSA is convenient for development and testing; for records you must defend in an audit, choose a TSA with a published timestamp policy and availability commitment, and confirm that its root certificate matches what you place at tsa_cert_path.
How a token is produced:

  1. Cosmictron computes the SHA-256 hash of a signed event
  2. Sends a TimeStampReq (timestamp request) carrying that hash to the configured TSA; only the hash leaves the server, never the event itself
  3. The TSA returns a TimeStampResp containing a status and, on success, a TimeStampToken (CMS SignedData over a TSTInfo structure) which holds:
    • The hash it signed (the messageImprint, including the hash algorithm)
    • The TSA’s timestamp (genTime) and a serial number
    • The TSA’s signature
  4. The token is stored alongside the event in the WAL
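The request built in step 2 and the checks a client must make on the TSTInfo that comes back in step 3, as an added example; this is not Cosmictron code and not a complete TSA client. It hand-encodes the DER so the wire structure is visible, constructs an unsigned sample TSTInfo in place of a real TSA response, and does not verify the CMS signature or certificate chain (delegate that to a real client, for example `openssl ts -verify -digest <hex> -in resp.tsr -CAfile tsa.crt`). The policy OID 1.2.3.4, the serial number and the sample event are made up for the example.

```python
"""Hand-rolled RFC 3161 TimeStampReq plus client-side checks on a returned TSTInfo.
Added example, stdlib only. The CMS signature over the token is NOT verified here."""
import hashlib
import os
from datetime import datetime, timezone

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1, DER content octets


# --- minimal DER encoding -----------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Non-negative INTEGER; a leading 0x00 keeps values with the top bit set positive."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return tlv(0x02, b)


def message_imprint(digest):
    # MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING }
    alg = tlv(0x30, tlv(0x06, SHA256_OID) + b"\x05\x00")  # sha256 with NULL parameters
    return tlv(0x30, alg + tlv(0x04, digest))


def build_timestamp_req(digest, nonce, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version INTEGER v1, messageImprint, nonce INTEGER OPTIONAL,
    certReq BOOLEAN DEFAULT FALSE }. Only the digest leaves the client, never the event."""
    body = der_int(1) + message_imprint(digest) + der_int(nonce)
    if cert_req:
        body += tlv(0x01, b"\xff")  # ask the TSA to include its signing certificate
    return tlv(0x30, body)


# --- minimal DER decoding -----------------------------------------------------
def der_read(buf, pos=0):
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def parse_tstinfo(der):
    """Decode the TSTInfo carried inside the token's CMS SignedData (RFC 3161 section 2.4.2)."""
    tag, body, _ = der_read(der)
    assert tag == 0x30, "TSTInfo must be a SEQUENCE"
    f = der_children(body)  # version, policy, messageImprint, serialNumber, genTime, optionals...
    alg, hashed = der_children(f[2][1])
    gt = f[4][1].decode("ascii")
    if "." in gt:  # GeneralizedTime may carry fractional seconds
        gt = gt.split(".")[0] + "Z"
    # after genTime: accuracy (SEQUENCE), ordering (BOOLEAN), nonce (INTEGER), tsa [0], extensions [1]
    nonce = next((int.from_bytes(v, "big") for t, v in f[5:] if t == 0x02), None)
    return {
        "version": int.from_bytes(f[0][1], "big"),
        "alg_oid": der_children(alg[1])[0][1],
        "hashed_message": hashed[1],
        "serial": int.from_bytes(f[3][1], "big"),
        "gen_time": datetime.strptime(gt, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
        "nonce": nonce,
    }


def token_matches_request(tstinfo, digest, nonce):
    """Checks to make before trusting genTime: the TSA signed *our* hash with the algorithm
    we asked for, and echoed our nonce (so a token from an earlier request cannot be replayed)."""
    return (tstinfo["alg_oid"] == SHA256_OID
            and tstinfo["hashed_message"] == digest
            and tstinfo["nonce"] == nonce)


def build_sample_tstinfo(digest, serial, gen_time, nonce):
    """Constructed, UNSIGNED TSTInfo standing in for a TSA's reply; gen_time is 'YYYYMMDDHHMMSSZ'."""
    policy = tlv(0x06, bytes.fromhex("2a0304"))  # hypothetical TSA policy OID 1.2.3.4
    gt = tlv(0x18, gen_time.encode())
    return tlv(0x30, der_int(1) + policy + message_imprint(digest) + der_int(serial) + gt + der_int(nonce))


if __name__ == "__main__":
    event = b'{"seq": 1001, "type": "key_rotation"}'  # constructed sample event
    digest, nonce = hashlib.sha256(event).digest(), int.from_bytes(os.urandom(8), "big")
    req = build_timestamp_req(digest, nonce)  # what would be POSTed to tsa_url
    info = parse_tstinfo(build_sample_tstinfo(digest, 4711, "20260115120000Z", nonce))
    print(len(req), "byte request; token matches request:", token_matches_request(info, digest, nonce))
```

The nonce is what ties a response to a request: without it a TSA (or anyone on the path) could answer with an older token for the same hash, and the imprint check alone would pass. Both checks are cheap and should run before the expensive signature verification, never instead of it.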

Timestamp tokens are stored in the tsa_tokens table:

SELECT seq, tsa_url, tsa_serial, tsa_timestamp, token_der
FROM tsa_tokens
WHERE seq BETWEEN 1000 AND 2000;
Verify tokens with the CLI:

# Verify all TSA tokens in a date range
cosmictron-cli audit verify --check timestamps --from 2026-01-01
# Verify tokens in an exported bundle
cosmictron-cli audit verify-bundle audit-jan-2026.bundle --check timestamps

Keep tsa_cert_path pointing at the TSA's current root certificate; without it a token's signature cannot be chained to a trusted anchor and the check fails. Run the verification on a host other than the one that produced the events where you can, since a compromised server can present whatever it likes to a verifier running on it.

For cost or latency reasons, you can apply TSA timestamps only to specific events:

[compliance.timestamping]
mode = "selective"
apply_to = ["audit_export", "key_rotation", "compliance_checkpoint"]

Or apply programmatically from a reducer:

#[reducer]
pub fn submit_compliance_event(ctx: &ReducerContext, event_type: String, payload: String) {
    // Request an RFC 3161 token for the event produced by this reducer call
    ctx.request_tsa_timestamp();
    ComplianceEvent::insert(ComplianceEvent { event_type, payload, ..Default::default() }).unwrap();
}