-
-
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
https://rfc3161.ai.moda | |
https://rfc3161.ai.moda/adobe | |
https://rfc3161.ai.moda/microsoft | |
https://rfc3161.ai.moda/apple | |
https://rfc3161.ai.moda/any | |
http://rfc3161.ai.moda | |
http://timestamp.digicert.com | |
http://timestamp.globalsign.com/tsa/r6advanced1 | |
http://rfc3161timestamp.globalsign.com/advanced | |
http://timestamp.sectigo.com | |
http://timestamp.apple.com/ts01 | |
http://tsa.mesign.com | |
http://time.certum.pl | |
https://freetsa.org | |
http://tsa.startssl.com/rfc3161 | |
http://dse200.ncipher.com/TSS/HttpTspServer | |
http://zeitstempel.dfn.de | |
https://ca.signfiles.com/tsa/get.aspx | |
http://services.globaltrustfinder.com/adss/tsa | |
https://tsp.iaik.tugraz.at/tsp/TspRequest | |
http://timestamp.entrust.net/TSS/RFC3161sha2TS |
It helped me a lot. Thank you :)
I've added my experimental load balancer to this list. Hopefully, the first URL should "just work" for most applications like Adobe, but you can specify the type of service by appending it to the URL too.
This http://tsa.starfieldtech.com/ doesn't work anymore
You're right, thanks. Removed it from the list completely.
dave@mbp ~ % dig tsa.starfieldtech.com @8.8.8.8 +tcp
; <<>> DiG 9.10.6 <<>> tsa.starfieldtech.com @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20019
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;tsa.starfieldtech.com. IN A
;; AUTHORITY SECTION:
starfieldtech.com. 1614 IN SOA cns1.secureserver.net. dns.jomax.net. 2023011200 3600 600 1209600 3600
;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 27 15:33:35 EST 2023
;; MSG SIZE rcvd: 117
@Manouchehri Thank you. I think the list should also not contain the following as they are not working anymore
You are correct. My team had already removed those from our rfc3161.ai.moda
load balancer, but I forgot to update the list here too.
Is there link to certificate(s) that are used for the TimeStamp? We need to put them into trusted list.
Found here: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/
@JohnPlanetary WOW thanks for that list, it really helped.
@JohnPlanetary WOW thanks for that list, it really helped.
Happy for having been useful.
Do https://
URLs actually work for anyone with signtool
? I'm getting:
SignTool Error: Invalid Timestamp URL: https://...
Both for signtool /t
and for signtool /tr
.
I've tried the https:// url's and no, it is not working, it appears the same error.
SignTool sign /fd SHA512 /a /f certificate.pfx /p MYPASSWORD /td SHA384 /tr https://timestamp.sectigo.com c:\sign\MyProgram.exe
SignTool Error: Invalid Timestamp URL: https://timestamp.sectigo.com
The good news is that the http:// still works fine, and most common TimeStamp servers don't even have the https:// version working at all.
But I'm sure the https version did work fine on the past, some update to Windows must have messed up things.
I've had the Windows SDK signing tool 10.0.19041.0, but even in the latest 10.0.22621.0 that I downloaded from: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ still doesn't work, so isn't just a question of updating the tool, unfortunately something else probably needs to be changed by Microsoft.
My http://rfc3161.ai.moda load balancer should work fine over HTTP. I didn’t add it to the list because I want to encourage everyone to use HTTPS, but it works fine if you must use HTTP.
My http://rfc3161.ai.moda load balancer should work fine over HTTP. I didn’t add it to the list because I want to encourage everyone to use HTTPS, but it works fine if you must use HTTP.
@Manouchehri Could you explain what's behind this service ?
Could you explain what's behind this service ?
@danvy It's a load balancer that:
- Response validation of the timestamp reply before returning it to you.
- Automatic retrying. e.g. if one of the upstream servers returns an invalid timestamp reply, we automatically return the next valid response from the next server.
- Fans out to multiple trusted timestamping servers in parallel. The two steps above happen in multiple threads, so you will always get the fastest response possible, even if the first upstream CA returns us an error (you won't see the error, we handle that).
- Allow CORS requests.
- We update the upstream CAs in our list server-side. i.e. You should never need to update your RFC3161 URL in your application if you use any of the
https://rfc3161.ai.moda/[*]
URLs. e.g. today I noticed that IDnomic/Keynectis took their server down, but we already had 7 fallbacks forhttps://rfc3161.ai.moda/adobe
and 8 fallbacks forhttps://rfc3161.ai.moda/windows
, so it resulted in zero downtime for anyone.
Out of 1.33 million requests this month, we've had 60 errors. So roughly a 99.995% success rate.
http://tsa.baltstamp.lt
In EU trust list, up to SHA512