TSS FAQs and solutions

What are the roles and respective keys and certificates of the TSS?

See this table for the answers:

In the TSS, where are the keys and certificates?

See this table for the answer:

How are these keys and certificates generated?

See this table for the answers:

How are certificates obtained with the TSS?

Administrators can use the local, browser-based administration system of the TSS to obtain TSA certificates. In local certification, administrators generate a key pair and a certificate request. The PKCS #10 request can then be submitted to the appropriate CA for certificate fulfillment.

What Time Stamp Protocol does the TSS support?

The TSS supports the IETF Time Stamp Protocol (RFC 3161). Time-stamps are requested by means of either the Transmission Control Protocol (TCP) or Hypertext Transfer Protocol (HTTP), as described by RFC 3161. The extensions to RFC 3161 described by RFC 5816 are also supported.

A European standard (ETSI) says that a recommended time-stamp protocol (RFC 3161) should be the http protocol. Do you support the http protocol for time-stamping?

The TSS includes support for the RFC3161 Time-Stamp Protocol through HTTP (Hypertext Transfer Protocol).

Is the time that is used for Windows synchronized to the time-stamp token’s time?

No, the time is not synchronized. The time for Windows is from the Windows system clock.

In the customer’s installation, can the customer integrate the TSS in the firewall? Can the TSS operate correctly in the firewall? Specifically, can the DS/NTP and DSMP be transferred by NAT (Network Address Translation)?

Yes, you can use firewalls/NAT. Customers presently use TSMCs to audit their TSS devices through a firewall and VPN.

When the user employs the TSS with their application server, is a secure connection required between the TSS and the application server?

When issuing time-stamps there is no need for a secure connection between the application server and the TSS. The PKIX TSP (time-stamp protocol) includes all the security that should be needed. The data returned from the TSS is signed and includes the original hash and nonce. Security is part of the reason that the time-stamp request includes only a hash of the original data. Someone watching a session would see only hash information, which is safe. If you need security for other reasons such as identifying the user, billing, and so forth, this security should be implemented on an application server that has a direct unsecured connection to one or more TSSs.

How does the TSS acquire time after a restart?

After a restart, the TSS does not have an operational Time Attribute Certificate and cannot provide time-stamps. The TSS initially contacts the assigned Upper Clock and requests an audit. The first Upper Clock audit may fail, depending on the clock drift rate, and issue a non-operational TAC. The TSS corrects its clock to this first audit. The TSS then does another audit request which is normally successful and receives an operational TAC from the Upper Clock. The Upper Clock then continues to audit the TSS per the configured interval.