Entrust hosts a time-stamp authority (TSA) to support our customers who digitally sign data such as code and documents. When a digital signature is created, it is best to also time-stamp the signature. The result will be that the known time of signature will be cryptographically included with the digitally signed data. This may help to show that the data was signed before a deadline. It may also help to allow signatures on data to remain valid after the certificate is revoked.

The process for time-stamping is that the document signing or code signing subscriber will encrypt their data using their private key and provide the TSA with a hash of the data code as a time-stamp request. The TSA will encrypt the hash using the TSA private key, creating a time-stamp record. The TSA will respond with the time-stamp record and the TSA certificate. The TSA certificate includes the TSA public key, which can be used to decrypt the time-stamp record. The result is the verifying software will know which TSA provided the time-stamp record and when the data was signed.

Since the time-stamp request is a hash, the subscriber will choose the hash algorithm to use. These algorithms could be MD5, SHA-1, SHA-256, etc. If the TSA wants to meet RFC 3161 and maintain a high level of integrity, then the TSA should not provide a time-stamp record if the hash algorithm is not collision resistant. As such, this would eliminate hash algorithms such as MD5 and SHA-1.

Entrust has deprecated SHA-1 time-stamp requests, but will continue to support SHA-256, SHA-384, and SHA-512 time-stamp requests.

The Entrust TSA will continue to help subscribers provide long-term digital signatures on data that will be verified using Entrust document signing and code signing certificates.