Timestamp Requests and SHA-1 Deprecation

May 17, 2022

Written by: Bruce Morton

Entrust hosts a time-stamp authority (TSA) to support our customers who digitally sign data such as code and documents. When a digital signature is created, it is best to also time-stamp the signature. The result will be that the known time of signature will be cryptographically included with the digitally signed data. This may help to show that the data was signed before a deadline. It may also help to allow signatures on data to remain valid after the certificate is revoked.

The process for time-stamping is that the document signing or code signing subscriber will encrypt their data using their private key and provide the TSA with a hash of the data code as a time-stamp request. The TSA will encrypt the hash using the TSA private key, creating a time-stamp record. The TSA will respond with the time-stamp record and the TSA certificate. The TSA certificate includes the TSA public key, which can be used to decrypt the time-stamp record. The result is the verifying software will know which TSA provided the time-stamp record and when the data was signed.

Since the time-stamp request is a hash, the subscriber will choose the hash algorithm to use. These algorithms could be MD5, SHA-1, SHA-256, etc. If the TSA wants to meet RFC 3161 and maintain a high level of integrity, then the TSA should not provide a time-stamp record if the hash algorithm is not collision resistant. As such, this would eliminate hash algorithms such as MD5 and SHA-1.

Entrust has deprecated SHA-1 time-stamp requests, but will continue to support SHA-256, SHA-384, and SHA-512 time-stamp requests.
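The following is an added example, not Entrust's code, of how a TSA-side policy check could read the hash algorithm out of an RFC 3161 `TimeStampReq` and refuse MD5 or SHA-1 while accepting SHA-256, SHA-384, and SHA-512. It goes slightly beyond the post by also checking that the digest length matches the declared algorithm, as RFC 3161 requires. The function names and the sample requests are constructed for illustration.

```python
import hashlib

OIDS = {  # DER OID contents keyed by hashlib name
    "md5": bytes.fromhex("2a864886f70d0205"),
    "sha1": bytes.fromhex("2b0e03021a"),
    "sha256": bytes.fromhex("608648016503040201"),
    "sha384": bytes.fromhex("608648016503040202"),
    "sha512": bytes.fromhex("608648016503040203"),
}
ALLOWED = {"sha256", "sha384", "sha512"}  # algorithms the post says remain supported

def tlv(tag, content):
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def build_request(alg, data):
    """Build a minimal constructed TimeStampReq: version 1 plus messageImprint."""
    alg_id = tlv(0x30, tlv(0x06, OIDS[alg]) + b"\x05\x00")
    imprint = tlv(0x30, alg_id + tlv(0x04, hashlib.new(alg, data).digest()))
    return tlv(0x30, tlv(0x02, b"\x01") + imprint)

def check_request(der):
    """Return 'granted' or an RFC 3161 failure name (length mapping is assumed)."""
    _, req, _ = read_tlv(der)
    _, _, pos = read_tlv(req)              # skip version
    _, imprint, _ = read_tlv(req, pos)     # messageImprint
    _, alg_id, pos = read_tlv(imprint)     # hashAlgorithm
    _, digest, _ = read_tlv(imprint, pos)  # hashedMessage
    _, oid, _ = read_tlv(alg_id)
    name = next((k for k, v in OIDS.items() if v == oid), None)
    if name not in ALLOWED:
        return "badAlg"
    if len(digest) != hashlib.new(name).digest_size:
        return "badDataFormat"
    return "granted"
```
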

The Entrust TSA will continue to help subscribers provide long-term digital signatures on data that will be verified using Entrust document signing and code signing certificates.

Bruce Morton
Director for Certificate Services
Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust, where he has been employed since 1997. His day-to-day responsibilities include managing standards implementations, overseeing Entrust’s policy authority, and monitoring Entrust Certificate Services for industry compliance.