-
-
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
| https://rfc3161.ai.moda | |
| https://rfc3161.ai.moda/adobe | |
| https://rfc3161.ai.moda/microsoft | |
| https://rfc3161.ai.moda/apple | |
| https://rfc3161.ai.moda/any | |
| http://rfc3161.ai.moda | |
| http://timestamp.digicert.com | |
| http://timestamp.globalsign.com/tsa/r6advanced1 | |
| http://rfc3161timestamp.globalsign.com/advanced | |
| http://timestamp.sectigo.com | |
| http://timestamp.apple.com/ts01 | |
| http://tsa.mesign.com | |
| http://time.certum.pl | |
| https://freetsa.org | |
| http://tsa.startssl.com/rfc3161 | |
| http://dse200.ncipher.com/TSS/HttpTspServer | |
| http://zeitstempel.dfn.de | |
| https://ca.signfiles.com/tsa/get.aspx | |
| http://services.globaltrustfinder.com/adss/tsa | |
| https://tsp.iaik.tugraz.at/tsp/TspRequest | |
| http://timestamp.entrust.net/TSS/RFC3161sha2TS | |
| http://timestamp.acs.microsoft.com |
Don't use https://ca.signfiles.com/tsa/get.aspx
It is a demo server with open configuration.
More informations: https://www.signfiles.com/timestamping/
As of 27-AUGUST-2024 here are the TSA that I know work and are available for real use.
Do your own investigation in order to find if any is appropriate for your use case.
"Credible" information is personal opinion based on information that I found, doesn't mean that the service is not credible at least in certain jurisdictions.
Digicert:
http://timestamp.digicert.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
GlobalSign:
http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Sectigo:
https://timestamp.sectigo.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.
Sectigo EU Qualified:
https://timestamp.sectigo.com/qualified
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Note: wait 15 seconds between each request.
Entrust:
http://timestamp.entrust.net/TSS/RFC3161sha2TS
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
SwissSign:
http://tsa.swisssign.net
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA512
Note: only 10 requests per day. For bigger quantities contact the company.
QuoVadis + Digicert:
http://ts.quovadisglobal.com/ch
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
QuoVadis + Digicert [EU]:
http://ts.quovadisglobal.com/eu
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
SSL.COM:
http://ts.ssl.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
IdenTrust:
http://timestamp.identrust.com
Credible: Yes. [Adobe Approved Trust List] and [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Belgium Federal Goverment:
http://tsa.belgium.be/connect
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
IRN:
http://ts.cartaodecidadao.pt/tsa/server
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256
Note: only allows 20 requests in 20 minutes, if more requests are done the IP address will be blocked and legal consequences may happen.
ACCV:
http://tss.accv.es:8318/tsa
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
Note: personal use only. For commercial use contact the entity.
BalTstamp:
http://tsa.baltstamp.lt
Credible: Yes. [Adobe: European Union Trusted Lists] and [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA256, SHA384, SHA512
Note: only allows 100 requests per each month per IP.
APED:
https://timestamp.aped.gov.gr/qtss
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
SEP Bulgaria:
http://tsa.sep.bg
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
IZENPE:
http://tsa.izenpe.com
Credible: Yes. [Adobe: European Union Trusted Lists].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
CERTUM:
http://time.certum.pl
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA384
Working Hashes: SHA256, SHA384, SHA512
GlobaSign:
http://rfc3161timestamp.globalsign.com/advanced
http://timestamp.globalsign.com/tsa/r6advanced1
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
Microsoft
http://timestamp.acs.microsoft.com
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256, SHA384, SHA512
Working Hashes: SHA256, SHA384, SHA512
Apple:
http://timestamp.apple.com/ts01
Credible: Yes. [Apple CA].
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512
Trustwave:
http://timestamp.ssl.trustwave.com
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Free TSA:
https://freetsa.org/tsr
Credible: No.
Server returns the expected hash value for: SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
DFN:
http://zeitstempel.dfn.de
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Note: commercial use forbidden.
CatCert:
http://psis.catcert.cat/psis/catcert/tsp
Credible: Yes. [Windows Cert Store].
Server returns the expected hash value for: SHA1
Working Hashes: SHA1, SHA256, SHA384, SHA512
Codegic:
https://pki.codegic.com/codegic-service/timestamp
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
MeSign:
https://tsa.mesign.com
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
WoTrus:
https://tsa.wotrus.com
Credible: Yes. [Adobe Approved Trust List].
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256
Note: wait 15 seconds between each request.
Lex-Persona:
http://tsa.lex-persona.com/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Cesnet:
(ESSCertIDv2:)
https://tsa.cesnet.cz:5817/tsa
http://tsa.cesnet.cz:5816/tsa
(ESSCertID:)
https://tsa.cesnet.cz:3162/tsa
http://tsa.cesnet.cz:3161/tsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
Free TSA Server www.signfiles.com:
http://ca.signfiles.com/TSAServer.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
chain-provider.com:
http://aloahacoin.chain-provider.com/tsa.aspx
Credible: No.
Server returns the expected hash value for: SHA1, SHA256, SHA384, SHA512
Working Hashes: SHA1, SHA256, SHA384, SHA512
TSA-SINPE:
http://tsa.sinpe.fi.cr/tsaHttp/
Credible: No.
Server returns the expected hash value for: SHA256, SHA512
Working Hashes: SHA256, SHA512
Mahidol University - TSA:
https://tsa.mahidol.ac.th/tsa/get.aspx
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA1, SHA256, SHA384, SHA512
SDA GOV GE:
http://tsa.cra.ge/signserver/tsa?workerName=qtsa
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256, SHA384, SHA512
CNBS:
http://tss.cnbs.gob.hn/TSS/HttpTspServer
Credible: No.
Server returns the expected hash value for: SHA1, SHA256
Working Hashes: SHA1, SHA256
MConnect - Monaco:
https://time.mconnect.mc
Credible: No.
Server returns the expected hash value for: SHA256
Working Hashes: SHA256
Hello everyone, could i know how you verified that ? do you use any Java program to verify those links ???
Thank you
In EU trust list, up to SHA512
Limitation applies to non-registered users: no more than 100 requests within one month; the beginning and the end of the month are defined in UTC time.
It helped me a lot. Thank you :)
I've added my experimental load balancer to this list. Hopefully, the first URL should "just work" for most applications like Adobe, but you can specify the type of service by appending it to the URL too.
This http://tsa.starfieldtech.com/ doesn't work anymore
You're right, thanks. Removed it from the list completely.
dave@mbp ~ % dig tsa.starfieldtech.com @8.8.8.8 +tcp
; <<>> DiG 9.10.6 <<>> tsa.starfieldtech.com @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20019
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;tsa.starfieldtech.com. IN A
;; AUTHORITY SECTION:
starfieldtech.com. 1614 IN SOA cns1.secureserver.net. dns.jomax.net. 2023011200 3600 600 1209600 3600
;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 27 15:33:35 EST 2023
;; MSG SIZE rcvd: 117
@Manouchehri Thank you. I think the list should also not contain the following as they are not working anymore
You are correct. My team had already removed those from our rfc3161.ai.moda load balancer, but I forgot to update the list here too.
Is there link to certificate(s) that are used for the TimeStamp? We need to put them into trusted list.
Found here: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/
@JohnPlanetary WOW thanks for that list, it really helped.
@JohnPlanetary WOW thanks for that list, it really helped.
Happy for having been useful.
Do https:// URLs actually work for anyone with signtool? I'm getting:
SignTool Error: Invalid Timestamp URL: https://...
Both for signtool /t and for signtool /tr.
I've tried the https:// url's and no, it is not working, it appears the same error.
SignTool sign /fd SHA512 /a /f certificate.pfx /p MYPASSWORD /td SHA384 /tr https://timestamp.sectigo.com c:\sign\MyProgram.exe
SignTool Error: Invalid Timestamp URL: https://timestamp.sectigo.com
The good news is that the http:// still works fine, and most common TimeStamp servers don't even have the https:// version working at all.
But I'm sure the https version did work fine on the past, some update to Windows must have messed up things.
I've had the Windows SDK signing tool 10.0.19041.0, but even in the latest 10.0.22621.0 that I downloaded from: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ still doesn't work, so isn't just a question of updating the tool, unfortunately something else probably needs to be changed by Microsoft.
My http://rfc3161.ai.moda load balancer should work fine over HTTP. I didn’t add it to the list because I want to encourage everyone to use HTTPS, but it works fine if you must use HTTP.
My http://rfc3161.ai.moda load balancer should work fine over HTTP. I didn’t add it to the list because I want to encourage everyone to use HTTPS, but it works fine if you must use HTTP.
@Manouchehri Could you explain what's behind this service ?
Could you explain what's behind this service ?
@danvy It's a load balancer that:
- Response validation of the timestamp reply before returning it to you.
- Automatic retrying. e.g. if one of the upstream servers returns an invalid timestamp reply, we automatically return the next valid response from the next server.
- Fans out to multiple trusted timestamping servers in parallel. The two steps above happen in multiple threads, so you will always get the fastest response possible, even if the first upstream CA returns us an error (you won't see the error, we handle that).
- Allow CORS requests.
- We update the upstream CAs in our list server-side. i.e. You should never need to update your RFC3161 URL in your application if you use any of the
https://rfc3161.ai.moda/[*]URLs. e.g. today I noticed that IDnomic/Keynectis took their server down, but we already had 7 fallbacks forhttps://rfc3161.ai.moda/adobeand 8 fallbacks forhttps://rfc3161.ai.moda/windows, so it resulted in zero downtime for anyone.
Out of 1.33 million requests this month, we've had 60 errors. So roughly a 99.995% success rate.
Hi, @Manouchehri. I wonder if there is any document discribing diffrences between each suffix of https://rfc3161.ai.moda/[*]?
Hello users of Trusted Timestamps. I would like to add my own site to the list: https://timestampit.com/. TimeStampIt! is a TSA and it is only a TSA. We do not however offer RFC3161 timestamps, but a new design based on plain text encoded trusted timestamps. I built it because a) RFC3161 timestamps are not easy to work with, and b) there really was not a good dedicated TSA that felt like I could build a commercial application on top of.
It is brand new and experimental. I would love any feedback you might have on it! info at timestampit dot com 💚. If there is enough demand I could even add support for RFC3161 timestamps. But honestly I would rather keep innovating in other directions.
@rschultheis RFC3161 is super easy to work with, lots of programs support it out of the box. I've been using it for years on all of my important PDFs, even those non-technical can see the timestamps easily.
timestampit without RFC 3161 and RFC 5816 support doesn't make a lot of sense here in these topic.
In fact I would argue that since RFC 3161 and RFC 5816 are the standards and are supported by so many programs that is still relevant, the magic part should be the part to be able to verify in the future that the file was really timestamped 23 years ago... I've been testing TSA's for a long time and basically is almost impossible once the TSA expires to proof anything since it will start to give errors... since CRL and or OCSP usually stop working and stops being possible to verify anything.
timestampit could have say a different key for every year using RSA 8192 bit SHA512 key to timestamp using RFC 3161 and RFC 5816, and say 150 years of year key lifetime, the main Root with say 500 years lifetime, RSA 16384 bit SHA512. and every year a new key with 150 years of key lifetime.
TimeStampit Root Key (RSA 16384 bit SHA512) [From: 2024-08-12 - Until: 2524-08-12]
TimeStampit 2024 Key (RSA 8192 bit SHA512) [From: 2024-08-13 -> Until: 2174-12-31] [signs between 2024-08-13 00:00:00 until 2024-12-31 23:59:59]
TimeStampit 2025 Key (RSA 8192 bit SHA512) [From: 2025-01-01 -> Until: 2175-12-31] [signs between 2025-01-01 00:00:00 until 2025-12-31 23:59:59]
TimeStampit 2026 Key (RSA 8192 bit SHA512) [From: 2026-01-01 -> Until: 2176-12-31] [signs between 2026-01-01 00:00:00 until 2026-12-31 23:59:59]
TimeStampit 2026 Key (RSA 8192 bit SHA512) [From: 2026-01-01 -> Until: 2176-12-31] [signs between 2026-01-01 00:00:00 until 2026-12-31 23:59:59]
If the CRL('s) can be included within the signature (still doesn't happen in most programs) then theoretically the timestamp could be believed until its expiration date... as long the company itself doesn't have any troubles coming up like the private key being stolen or cracked.
RSA 16834 bit key with SHA512 should be fine for the Root, but usually can't be used for the final signing key because it will give too many errors at least in my tests it would fail on most signing programs because would take too many memory/ space reserved for the signature.
NIST P-521 could theoretically be used but the problem is that in reality the security level of it should be lower than even RSA 3072 bit key at least if quantum computing is used to try to find the private key.
Ok... but what if TimeStampit doesn't want to support RFC 3161 and RFC 5816?
In what it would be different from other services online like: https://truetimestamp.org , https://opentimestamps.org , https://tzstamp.io , https://timestamp.decred.org and https://notbot.me ? What happens if TimeStampit closes in 6 years time, how would people be able to prove to others that timestamp is real? Some of the services above include some sort of bitcoin or other coin integration to make it more easy to proof in the future (as long those continue to exist)... in some cases judges may not accept them since it wouldn't be easy to verify by themselves and they may or may not believe experts, if it seems magic mumbojumbo... and to my knowledge there is no standard log database for timestamp similar to Certificate Transparency (where people can search for the certificate from multiple sources using for example: https://crt.sh ) where I think the certificate companies need to publish to more than one log database (at least one being from others not related to that company) in order for others to trust it and be able to verify things after the fact.
Hi @JohnPlanetary , thank you for this feedback.
I don't want to take over this excellent gist about RFC3161 TSAs (thank you @Manouchehri ) with a discussion of TimestampIt!, therefore I've started a new gist to respond: https://gist.github.com/rschultheis/ea3b17017f520b4b3dcca270fc8dd1b6.
I'd love to keep the discussion going over there, but to quickly respond to one point:
What happens if TimeStampit closes in 6 years time, how would people be able to prove to others that timestamp is real?
This is what the TimestampIt! verification key replica repos are for: https://github.com/timestampit/keychain/. More info in my new gist 💚
Hi, @Manouchehri. I wonder if there is any document discribing diffrences between each suffix of
https://rfc3161.ai.moda/[*]?
That would be really great as I am wondering what are the differences too!
The https://rfc3161.ai.moda/[*] load balancer sounds really great. Unfortunately we are not able to use it as our custom (time)stamping service needs to have list of all used TSA CAs root certificates to consider them trusted.
Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?
maybe it will be useful to someone:
#!/bin/bash
#
# tests TSA servers
#
# copyright: public domain / MIT
#
# 1. creates a random hash and nonce
# 2. creates a .tsq file and sends it to the server
# 3. collects certificates from response and saves to .p7b file
# 4. saves validity of certificates from the chain
# 5. saves http address from which any missing certificates can be downloaded
#
# RUN:
# ./tsa_batch.sh
#
hashedMessage_rand () {
echo "$(openssl rand -hex 64)" | cut -c1-64
}
# md5 cut -c1-32
# sha1 cut -c1-40
# sha224 cut -c1-56
# sha256 cut -c1-64
# sha384 cut -c1-96
# sha512 cut -c1-128
#hashedMessage="00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
# change:
# parameter.1 = FORMAT:HEX,OCTETSTRING:$(hashedMessage_rand)
# to:
# parameter.1 = FORMAT:HEX,OCTETSTRING:${hashedMessage}
# sha1/sha256/sha384/sha512
algorithmIdentifier="sha256"
# ~128 bits entropy
nonce_32 () {
echo "$(shuf -i 1-7 -n 1)$(openssl rand -hex 20)" | cut -c1-32
}
asn1parse_timestamp_request () {
cat <<-EOF
asn1 = SEQUENCE:TimeStampReq
[ TimeStampReq ]
parameter.0 = INTEGER:1
parameter.1 = SEQUENCE:messageImprint
#parameter.2 = OID:1.2.3.4
parameter.3 = INTEGER:0x$(nonce_32)
parameter.4 = BOOLEAN:TRUE
[ messageImprint ]
parameter.0 = SEQUENCE:hashAlgorithm
parameter.1 = FORMAT:HEX,OCTETSTRING:$(hashedMessage_rand)
[ hashAlgorithm ]
parameter.0 = OID:${algorithmIdentifier}
parameter.1 = NULL
EOF
}
generate_tsr () {
cat <(echo "$(asn1parse_timestamp_request)") | openssl asn1parse -genconf /dev/stdin -noout -out "${ts_name}_timestamp_query.tsq" && \
openssl ts -query -config /dev/null -text -in "${ts_name}_timestamp_query.tsq" > "${ts_name}_timestamp_query.tsq.txt" && \
curl ${tsr_server} -H 'Content-Type: application/timestamp-query' -s -S --data-binary "@${ts_name}_timestamp_query.tsq" -o "${ts_name}_timestamp_response.tsr" && \
openssl ts -reply -config /dev/null -text -in "${ts_name}_timestamp_response.tsr" > "${ts_name}_timestamp_response.tsr.txt" && \
openssl ts -reply -config /dev/null -token_out -in "${ts_name}_timestamp_response.tsr" | openssl pkcs7 -inform DER -print_certs -text | grep -C1 "Not After" > "${ts_name}_chain_validity.txt" && \
openssl ts -reply -config /dev/null -token_out -in "${ts_name}_timestamp_response.tsr" | openssl pkcs7 -inform DER -print_certs | awk '/^-----BEGIN CERTIFICATE-----/{n++;s=1}s{print}/^-----END CERTIFICATE-----/{s=0}' | openssl crl2pkcs7 -inform PEM -outform DER -nocrl -certfile /dev/stdin -out "${ts_name}_chain.p7b" && \
echo "====" >> "${ts_name}_chain_validity.txt" && \
openssl ts -reply -config /dev/null -token_out -in "${ts_name}_timestamp_response.tsr" | openssl pkcs7 -inform DER -print_certs -text | grep -C0 "CA Issuers" >> "${ts_name}_chain_validity.txt"
echo "DONE :: ${tsr_server}"
echo "-------"
#dumpasn1 -apz "${ts_name}_timestamp_response.tsr" | awk '{ sub(/[ \t]+$/, ""); print }' > "${ts_name}_timestamp_response.tsr.dumpasn1.txt"
}
# https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710
ts_name="digicert"
tsr_server="http://timestamp.digicert.com"
generate_tsr
ts_name="globalsign"
tsr_server="http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23"
generate_tsr
ts_name="sectigo"
tsr_server="https://timestamp.sectigo.com"
generate_tsr
ts_name="sectigo_2"
tsr_server="https://timestamp.sectigo.com/qualified"
generate_tsr
ts_name="entrust"
tsr_server="http://timestamp.entrust.net/TSS/RFC3161sha2TS"
generate_tsr
ts_name="swisssign"
tsr_server="http://tsa.swisssign.net"
generate_tsr
ts_name="quovadisglobal"
tsr_server="http://ts.quovadisglobal.com/ch"
generate_tsr
ts_name="quovadisglobal_2"
tsr_server="http://ts.quovadisglobal.com/eu"
generate_tsr
ts_name="ssl_com"
tsr_server="http://ts.ssl.com"
generate_tsr
ts_name="identrust"
tsr_server="http://timestamp.identrust.com"
generate_tsr
ts_name="belgium"
tsr_server="http://tsa.belgium.be/connect"
generate_tsr
ts_name="cartaodecidadao"
tsr_server="http://ts.cartaodecidadao.pt/tsa/server"
generate_tsr
ts_name="accv_es"
tsr_server="http://tss.accv.es:8318/tsa"
generate_tsr
ts_name="baltstamp"
tsr_server="http://tsa.baltstamp.lt"
generate_tsr
ts_name="aped_gr"
tsr_server="https://timestamp.aped.gov.gr/qtss"
generate_tsr
ts_name="sep_bg"
tsr_server="http://tsa.sep.bg"
generate_tsr
ts_name="izenpe"
tsr_server="http://tsa.izenpe.com"
generate_tsr
ts_name="certum"
tsr_server="http://time.certum.pl"
generate_tsr
ts_name="symantec"
tsr_server="http://sha256timestamp.ws.symantec.com/sha256/timestamp"
generate_tsr
ts_name="globalsign"
tsr_server="http://rfc3161timestamp.globalsign.com/advanced"
generate_tsr
ts_name="globalsign_2"
tsr_server="http://timestamp.globalsign.com/tsa/r6advanced1"
generate_tsr
ts_name="apple"
tsr_server="http://timestamp.apple.com/ts01"
generate_tsr
ts_name="trustwave"
tsr_server="http://timestamp.ssl.trustwave.com"
generate_tsr
ts_name="freetsa"
tsr_server="https://freetsa.org/tsr"
generate_tsr
ts_name="zeitstempel"
tsr_server="http://zeitstempel.dfn.de"
generate_tsr
ts_name="catcert_cat"
tsr_server="http://psis.catcert.cat/psis/catcert/tsp"
generate_tsr
ts_name="codegic"
tsr_server="http://pki.codegic.com/codegic-service/timestamp"
generate_tsr
#ts_name="mesign"
#tsr_server="https://tsa.mesign.com"
#generate_tsr
ts_name="wotrus"
tsr_server="https://tsa.wotrus.com"
generate_tsr
ts_name="lex_persona"
tsr_server="http://tsa.lex-persona.com/tsa"
generate_tsr
ts_name="cesnet"
tsr_server="https://tsa.cesnet.cz:5817/tsa"
generate_tsr
ts_name="cesnet_2"
tsr_server="https://tsa.cesnet.cz:3162/tsa"
generate_tsr
ts_name="signfiles"
tsr_server="http://ca.signfiles.com/TSAServer.aspx"
generate_tsr
#ts_name="signfiles_2"
#tsr_server="https://ca.signfiles.com/tsa/get.aspx"
#generate_tsr
ts_name="aloahacoin"
tsr_server="http://aloahacoin.chain-provider.com/tsa.aspx"
generate_tsr
ts_name="sinpe_cr"
tsr_server="http://tsa.sinpe.fi.cr/tsaHttp/"
generate_tsr
ts_name="mahidol_th"
tsr_server="https://tsa.mahidol.ac.th/tsa/get.aspx"
generate_tsr
ts_name="cra_ge"
tsr_server="http://tsa.cra.ge/signserver/tsa?workerName=qtsa"
generate_tsr
ts_name="gob_hn"
tsr_server="http://tss.cnbs.gob.hn/TSS/HttpTspServer"
generate_tsr
ts_name="mconnect"
tsr_server="https://time.mconnect.mc"
generate_tsr
ts_name="tugraz_at"
tsr_server="https://tsp.iaik.tugraz.at/tsp/TspRequest"
generate_tsr
#ts_name="safecreative"
#tsr_server="http://tsa.safecreative.org"
#generate_tsr
#ts_name="comodoca"
#tsr_server="http://timestamp.comodoca.com/rfc3161"
#generate_tsr
ts_name="nowina_lu"
tsr_server="http://dss.nowina.lu/pki-factory/tsa/good-tsa"
generate_tsr
#
# other
#
# Digidoc4_Client
#ts_name="sk_ee"
#tsr_server="http://tsa.sk.ee/"
#generate_tsr
# EOF
If you choose one between the Adobe: European Union Trusted Lists, and Adobe Approved Trust List, which is more widely accepted? I'm assuming the EU has a higher level of trust and works everywhere?
Symantec's timestamp server appears to be defunct. See this.
Note that there is a new GlobalSign URL:
http://timestamp.globalsign.com/tsa/r6advanced1
I just used it and it works for me. The other GlobalSign URLs seem to be dead indeed.