CNX Timestamp Authority


Proving when something happened is harder than proving what happened. A document records its content. A backup records its data. A signed contract records its signature. None of these prove — to a third party — when they came into existence, because the system that created them also controls their timestamp.

A Timestamp Authority is an independent third party that witnesses the existence of specific data at a specific moment and issues a cryptographic receipt. The receipt binds the data to the time of submission, signed by an entity outside the institution, at a moment that has now passed and cannot be re-requested. It can be verified by anyone, at any time, without involving CNX again.

CNX operates a Timestamp Authority anchored to its own in-country atomic oscillators — providing RFC 3161 timestamp tokens for Cambodian institutions. Available without charge for evaluation and general use; included under the CNX Precision Time subscription agreement for contracted compliance use.

What a timestamp token proves

A CNX timestamp token is a cryptographic receipt: it proves that a specific piece of data — a transaction record, a log entry, a document, a signed contract — existed in exactly its current form at a specific point in time. The chain of custody — data, time, attestation — is held outside the institution and independently verifiable.

Banks and financial institutions

NBC TCRMG Chapter 4.10 requires audit trails that are accurate and protected from modification. A timestamp from an independent, contractually accountable operator with a documented atomic clock source provides a chain of custody that supports this requirement — and that NBC examiners and dispute resolution bodies can independently verify.

Free use and contracted use

The TSA endpoint is available without charge — no account or registration required for basic use. Rate limits apply to unauthenticated requests. This is suitable for development, testing, and informal use.

For formal compliance documentation, a no-contract free service is not sufficient. Most regulatory frameworks require that third-party services used for audit trail integrity are covered by a contractual relationship — with a defined SLA, documented audit rights, and an identifiable accountable operator.

Contracted use is included in the CNX Precision Time subscription agreement — NTS or PTP. The subscription provides:

  • SLA on TSA availability and response time
  • Audit rights and chain of custody documentation
  • Identified operator with contractual accountability
  • Compliance documentation package

Institutions that subscribe to CNX Precision Time receive full contracted TSA access at no additional cost.

Banks and financial institutions

A free, no-contract TSA service cannot satisfy NBC TCRMG Chapter 7 (third-party supplier risk management). There is no contract to present, no SLA to document, and no audit rights to grant. For NBC-aligned use, the TSA must be covered under the CNX Precision Time subscription agreement, which provides the contractual chain of custody Chapter 7 requires.

One atomic source, end to end

A CNX timestamp token is anchored to the same atomic oscillators that power CNX Precision Time. When your servers synchronise from CNX Precision Time, your internal log timestamps and the TSA attestation tokens are derived from the same physical reference. The chain from oscillator to log entry to timestamp token is unbroken and traceable to a single source.

Getting started

The TSA accepts standard RFC 3161 HTTP requests. No registration is required for basic use.

  • TSA endpoint: https://tsa.cnx.net.kh/
  • CA certificate fingerprint (DNSSEC-proven): query _tsaca.cnx.net.kh TXT — the SHA-256 fingerprint of the CNX TSA CA is published in DNSSEC-signed DNS. Obtain the CA certificate from any source, verify its fingerprint against the DNS record.
dig +dnssec TXT _tsaca.cnx.net.kh