| https://rfc3161.ai.moda | |
| https://rfc3161.ai.moda/adobe | |
| https://rfc3161.ai.moda/microsoft | |
| https://rfc3161.ai.moda/apple | |
| https://rfc3161.ai.moda/any | |
| http://timestamp.digicert.com | |
| http://timestamp.globalsign.com/tsa/r6advanced1 | |
| http://rfc3161timestamp.globalsign.com/advanced | |
| http://timestamp.sectigo.com | |
| http://timestamp.apple.com/ts01 | |
| http://tsa.mesign.com | |
| http://time.certum.pl | |
| https://freetsa.org | |
| http://tsa.startssl.com/rfc3161 | |
| http://dse200.ncipher.com/TSS/HttpTspServer | |
| http://zeitstempel.dfn.de | |
| https://ca.signfiles.com/tsa/get.aspx | |
| http://services.globaltrustfinder.com/adss/tsa | |
| https://tsp.iaik.tugraz.at/tsp/TspRequest | |
| http://timestamp.entrust.net/TSS/RFC3161sha2TS |
@sln162 Sorry for the stupid mistake. I didn't find that there's an error on DigiCert's page:
https://knowledge.digicert.com/generalinformation/INFO4231.html
On that page there's only one slash http:/. I just copy and paste that. OpenSSL is error-tolerant, but Adobe Acrobat isn't error-tolerant.
Now DigiCert works fine.
On macOS, I specified http://timestamp.entrust.net/TSS/RFC3161sha2TS for codesigning, and this caused error CSSMERR_TP_NOT_TRUSTED when verifying the signature. I switched to http://timestamp.apple.com/ts1 and it worked.
Anybody knows why or other solutions?
Is anyone else getting a "server not found" in Adobe Reader for http://timestamp.globalsign.com/scripts/timestamp.dll?
Edit: Just saw that globalsign hosts another rfc3161 server at http://rfc3161timestamp.globalsign.com/advanced, which works perfectly in Adobe Reader. I'll go with that one from now on. :)
Does anyone know the state of the http://rfc3161timestamp.globalsign.com time servers? I was originally using standard, and that stopped working, went to advanced which was working for a week, and just now, it's redirecting me to a page that makes it look like it's now a paid service? Is it a temporary outage or did they just make it a paid product?
Hi @seraphire, just noticed the same. I'm not sure what's going on but I'm migrating to a different timestamp server.
First, SHA1 of globalsign has stopped supporting. Reference News: https://globalsign.cn/news/newsdetail_93.shtml
http://timestamp.globalsign.com/scripts/timstamp.dll is SHA1,so it's not available.
http://rfc3161timestamp.globalsign.com/advanced It can't be used half an hour ago. Just now, it's no problem. It may not be stable. You can use other ones first
@seraphire It's a temporary outage...
Thanks @cassolmc. Here's the GlobalSign status URL for anyone looking for it. https://status.globalsign.com/
This is maybe a little off topic - but I built such a server for self hosting. It can be found at https://github.com/elbosso/rfc3161timestampingserver
What is the difference between http://timestamp.globalsign.com/?signature=sha2 and http://rfc3161timestamp.globalsign.com/advanced ?
The first one is not RFC3161 compliant ? Does it change anything ?
Hey Guys, i'm new in java and i want someone to help me. i need to know how to implement a Timestamp method/function using these TSA...
i want to know how to timestamp files.
Thank you.
Hey Guys, i'm new in java and i want someone to help me. i need to know how to implement a Timestamp method/function using these TSA...
i want to know how to timestamp files.
Thank you.
Well - you can try and have a look at https://github.com/elbosso/rfc3161client
Hi guys, I just found a new free TSA. http://tsa.mesign.com
I found it from their website: https://www.mesign.com/en-us/tsa/index.html
Hope this helps.
@go2ready It cannot be used for program signing.
I did a complete review of every site on this list by trying to connect to them using elinks, a text-mode browser. Here are my results:
https://freetsa.org
-- YES! THIS ONE ACTUALLY WORKS!
-- It gives detailed instructions on how to use it with the OpenSSL toolset
-- Has a form where you can give data to the browsers, which will send a hash to their server
http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/?signature=sha2
http://rfc3161timestamp.globalsign.com/advanced
-- These sites all bring up the same page. It appears they no longer offer a free service.
https://timestamp.geotrust.com/tsa
-- Timed out
http://timestamp.sectigo.com
-- No longer a free service; must sign up for a trial. Their only link to a client application is from Microsoft.
http://timestamp.wosign.com
http://tsa.startssl.com/rfc3161
-- These two timed out with no output.
http://time.certum.pl
-- Retured the following output:
Time Stamp Service Version 2.0
Can only POST to TSA server.
http://timestamp.digicert.com
-- No ouput. Digicert no longer appears to offer anything for free, not even email sigining.
http://dse200.ncipher.com/TSS/HttpTspServer
-- Timed out; no output
http://tsa.safecreative.org
-- Page indicates the service is shutting down in July 2021
http://zeitstempel.dfn.de
-- Page returns the following text (from elinks):
DFN-Verein Kontakt und Support
Fehler
Ein Fehler ist aufgetreten.
Mit freundlichen Grüßen
Ihr DFN-PKI-Team
Impressum
https://ca.signfiles.com/tsa/get.aspx
-- Connect successfully; got back the following:
RFC 3161 and Autheticode TSA Server
http://services.globaltrustfinder.com/adss/tsa
https://tsp.iaik.tugraz.at/tsp/TspRequest
-- Both pages failed to respond; I had to kill elinks
http://timestamp.apple.com/ts01
-- Returns a page with a list of Apple's certificates
http://timestamp.entrust.net/TSS/RFC3161sha2TS
-- Connect successfully but got no output. It might be expecting POST data.
http://tsa.starfieldtech.com/
-- Site no longer exists
David, it appears you're actively maintaining the list. I'd like to suggest you add text to the gist indicating when was the last time you updated it.
@Neepawa
Pretty sure that this is not the way to test if they work or not. I'm still not entirely sure how to easily fully verify if the services are working, but if you look at freetsa.org in the "Basics: TCP-based client" it shows how the services can be talked to via openssl and curl.
Then you can see in the resulting tsr file whether it worked and so for example http://timestamp.digicert.com seems to output valid data. And so does http://rfc3161timestamp.globalsign.com/advanced
Note that there is a new GlobalSign URL:
http://timestamp.globalsign.com/tsa/r6advanced1
I just used it and it works for me. The other GlobalSign URLs seem to be dead indeed.
Don't use https://ca.signfiles.com/tsa/get.aspx
It is a demo server with open configuration.
More informations: https://www.signfiles.com/timestamping/
As of 28-DECEMBER-2022 here are the TSA that I know work and are available for real use.
Do your own investigation in order to find if any is appropriate for your use case.
"Credible" information is personal opinion based on information that I found, doesn't mean that the service is not credible at least in certain jurisdictions.
Digicert:
http://timestamp.digicert.com
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
GlobalSign:
http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Sectigo:
https://timestamp.sectigo.com
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.
Sectigo EU Qualified:
https://timestamp.sectigo.com
Credible: Yes . [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.
Entrust:
http://timestamp.entrust.net/TSS/RFC3161sha2TS
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
SwissSign:
http://tsa.swisssign.net
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA512
Note: only 10 requests per day. For bigger quantities contact the company.
Docusign:
http://kstamp.keynectis.com/KSign/
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
QuoVadis + Digicert:
http://tsa.quovadisglobal.com/TSS/HttpTspServer
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
IdenTrust
http://timestamp.identrust.com
Credible: Yes . [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Belgium Federal Goverment
http://tsa.belgium.be/connect
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
IRN:
http://ts.cartaodecidadao.pt/tsa/server
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256
Note: only allows 20 requests in 20 minutes, if more requests are done the IP address will be blocked and legal consequences may happen.
ACCV:
http://tss.accv.es:8318/tsa
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
BalTstamp
http://tsa.baltstamp.lt
Credible: Yes . [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA256, SHA384, SHA512
Note: only allows 100 requests per each month per IP.
APED
https://timestamp.aped.gov.gr/qtss
Credible: Yes . [Adobe: European Union Trusted Lists]
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
SEP Bulgaria
http://tsa.sep.bg
Credible: Yes . [Adobe: European Union Trusted Lists]
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
IZENPE:
http://tsa.izenpe.com
Credible: Yes . [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
CERTUM:
http://time.certum.pl
Credible: Yes . [Windows Cert Store]
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512
Symantec
http://sha256timestamp.ws.symantec.com/sha256/timestamp
Credible: Yes . [Windows Cert Store]
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
GlobaSign:
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.globalsign.com/tsa/r6advanced1
Credible: Yes . [Windows Cert Store]
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Apple:
http://timestamp.apple.com/ts01
Credible: Yes. [Apple CA]
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512
Trustwave
http://timestamp.ssl.trustwave.com
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Free TSA:
https://freetsa.org/tsr
Credible: No.
Server returns the expected hash value for: SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
DFN:
http://zeitstempel.dfn.de
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Note: commercial use forbidden.
CatCert:
http://psis.catcert.cat/psis/catcert/tsp
Credible: No.
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512
Codegic
https://pki.codegic.com/codegic-service/timestamp
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
MeSign:
http://tsa.mesign.com
Credible: Yes . [Adobe Approved Trust List]
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
WoTrus:
https://tsa.wotrus.com
Credible: No.
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256
Note: wait 15 seconds between each request.
Lex-Persona:
http://tsa.lex-persona.com/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Cesnet:
(ESSCertIDv2:)
https://tsa.cesnet.cz:5817/tsa
http://tsa.cesnet.cz:5816/tsa
(ESSCertID:)
https://tsa.cesnet.cz:3162/tsa
http://tsa.cesnet.cz:3161/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Free TSA Server www.signfiles.com
http://ca.signfiles.com/TSAServer.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
chain-provider.com
http://aloahacoin.chain-provider.com/tsa.aspx
Credible: No.
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
TSA-SINPE
http://tsa.sinpe.fi.cr/tsaHttp/
Credible: No.
Server returns the expected hash value for: SHA256, SHA512
Working Hashes: SHA256, SHA512
Mahidol University - TSA
https://tsa.mahidol.ac.th/tsa/get.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
SDA GOV GE
http://tsa.cra.ge/signserver/tsa?workerName=qtsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
CNBS
http://tss.cnbs.gob.hn/TSS/HttpTspServer
Credible: No.
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256
E-GÜVEN
http://zd.e-guven.com/TSS/HttpTspServer
Credible: No.
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
Philippine Government
http://govca.npki.gov.ph:8442/signserver/tsa?workerName=TimeStampSigner
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Hello everyone, could i know how you verified that ? do you use any Java program to verify those links ???
Thank you
In EU trust list, up to SHA512
Limitation applies to non-registered users: no more than 100 requests within one month; the beginning and the end of the month are defined in UTC time.
It helped me a lot. Thank you :)
I've added my experimental load balancer to this list. Hopefully, the first URL should "just work" for most applications like Adobe, but you can specify the type of service by appending it to the URL too.
This http://tsa.starfieldtech.com/ doesn't work anymore
You're right, thanks. Removed it from the list completely.
dave@mbp ~ % dig tsa.starfieldtech.com @8.8.8.8 +tcp
; <<>> DiG 9.10.6 <<>> tsa.starfieldtech.com @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20019
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;tsa.starfieldtech.com. IN A
;; AUTHORITY SECTION:
starfieldtech.com. 1614 IN SOA cns1.secureserver.net. dns.jomax.net. 2023011200 3600 600 1209600 3600
;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 27 15:33:35 EST 2023
;; MSG SIZE rcvd: 117
@Manouchehri Thank you. I think the list should also not contain the following as they are not working anymore
You are correct. My team had already removed those from our rfc3161.ai.moda load balancer, but I forgot to update the list here too.
@sln162 I tested again and yes it seems there's no problem with OpenSSL, but when I tried to timestamp a PDF document using the DigiCert TSA in Adobe Acrobat Reader DC, it said the protocol is not supported. In the past I can timestamp PDF documents using DigiCert TSA but now I can't. I don't know why.