Timestamp Policy


Version 1.0 · Effective 7 July 2026 · OID: 1.3.6.1.4.1.66148.1.2.1

This document is the Timestamp Policy (TP) for the CNX Timestamp Authority service operated by the Cambodian Network Exchange (CNX). It defines the obligations, technical standards, and operational procedures governing the issuance and management of timestamp tokens under RFC 3161 and ANSI ASC X9.95.

1. Introduction

CNX operates a Timestamp Authority (TSA) that issues cryptographically signed timestamp tokens certifying the existence of specific data at a specific moment in time. The service is anchored to in-country Rubidium atomic oscillators providing UTC-traceable time, with signing keys held in hardware security modules.

This policy applies to all timestamp tokens issued by the CNX TSA. Each token's policy field contains the OID listed above, which references this document. A verifier who encounters that OID may retrieve this policy to understand the standards under which the token was issued.

2. Scope and applicability

This policy governs:

  • All RFC 3161 timestamp tokens issued by the CNX TSA at https://tsa.cnx.net.kh/
  • The technical and operational standards applied to their issuance
  • The obligations of CNX, subscribers, and relying parties

Tokens issued under this policy are intended for use in document integrity verification, audit trail attestation, code signing, and other applications requiring trusted time evidence. They are not financial instruments and do not constitute a guarantee of the content or legal validity of the data being timestamped.

3. Publication and contact

This policy is published at https://cnx.net.kh/time/tsa/policy/ and remains accessible for the lifetime of the service. Queries regarding this policy should be directed to noc@cnx.net.kh.

The CNX TSA CA certificate fingerprint is published as a DNSSEC-signed TXT record at _tsaca.cnx.net.kh and is independently verifiable without contacting CNX.

4. Time source and UTC traceability

The time reference used in all CNX timestamp tokens is derived from the following chain:

  1. GNSS receivers — GPS/GNSS signals providing a UTC-synchronized reference traceable to national metrology laboratories
  2. Rubidium atomic oscillators — disciplined by the GNSS signal; maintaining autonomous stability of less than 1 µs/day during periods of GNSS unavailability
  3. NTS infrastructure — authenticated time delivery from the atomic oscillators to the TSA servers, over RFC 8915 Network Time Security
  4. TSA servers — issue timestamp tokens whose genTime field reflects the UTC time at the moment of receipt, derived from the above chain

The accuracy of timestamps issued under this policy is within 1 second of UTC under normal operating conditions. The service is designed to meet the time source requirements of ANSI ASC X9.95 — Trusted Time Stamp Standard, specifically the requirement for a provably accurate time source traceable to a recognised standard.

5. Cryptographic standards
Token formatRFC 3161 — Internet X.509 Public Key Infrastructure Time-Stamp Protocol
Hash algorithm (requester)SHA-256 required; SHA-384 and SHA-512 accepted
Signing algorithmECDSAP256SHA256 — NIST P-256 curve with SHA-256, per NIST FIPS 186-4 and RFC 8624
Certificate EKUid-kp-timeStamping (OID 1.3.6.1.5.5.7.3.8), critical, exclusive
X9.95 alignmentTime source requirements of ANSI ASC X9.95 — Trusted Time Stamp Standard
6. Key management and infrastructure

Root CA: The CNX TSA root CA key is generated and stored in a hardware security module (HSM) — non-exportable by hardware design. The root CA issues TSA signing certificates; it is not used for any other purpose.

TSA signing certificates: Each TSA service node generates its signing key within the VM's hardware-backed trusted platform module (vTPM). A Certificate Signing Request is submitted to the root CA; the resulting certificate carries EKU id-kp-timeStamping exclusively. Node signing keys never leave their vTPM.

Key rotation: TSA signing certificates are renewed before expiry. The root CA key is rotated on a schedule defined in CNX's internal key management procedure. All key operations are logged for audit.

Compromise response: In the event of suspected key compromise, the affected certificate is revoked and replaced. CNX will publish a notice at this policy URL and notify affected subscribers.

7. Token issuance and operations

The CNX TSA issues timestamp tokens in response to RFC 3161 TimeStampReq messages received at the TSA endpoint. Each token contains:

  • The messageImprint — hash algorithm OID and hash value submitted by the requester
  • The genTime — UTC time of receipt, to millisecond precision
  • A unique serialNumber
  • The policy OID referencing this document
  • CNX's digital signature

CNX does not retain the data submitted for timestamping — only the hash. The CNX TSA logs the serial number, timestamp, requester address, and hash algorithm for each token issued. Logs are retained for a minimum of 7 years.

8. Obligations

CNX obligations: To operate the TSA in accordance with this policy; to maintain the accuracy of the time reference; to protect the signing keys; to maintain audit logs; to publish revocation notices promptly; to maintain this policy document.

Subscriber obligations: To use timestamp tokens only for lawful purposes; to include the CNX TSA CA certificate and this policy URL when presenting tokens to relying parties; to report any suspected compromise or irregularity to CNX promptly.

Relying party obligations: To verify token signatures against the CNX TSA CA certificate; to verify that the hash in the token matches the data being validated; to accept the limitations of this policy as stated.

9. Service levels
Time accuracyWithin 1 second of UTC under normal operations
Service availability99.9% monthly (contracted subscribers: 99.99%)
Response timeToken issued within 5 seconds of valid request
Audit log retentionMinimum 7 years
Incident notificationWithin 24 hours of confirmed key compromise or service integrity event

Service level commitments above apply to subscribers under a CNX Precision Time subscription agreement. The free/unauthenticated endpoint is provided on a best-effort basis with no SLA.

10. Liability

CNX's total liability to any subscriber or relying party arising from the use of timestamp tokens issued under this policy — whether in contract, tort, or otherwise — shall not exceed the lesser of: (a) direct damages actually suffered; or (b) the total fees paid by the subscriber to CNX in the twelve months preceding the claim.

CNX is not liable for: indirect, consequential, or incidental damages; losses arising from subscriber failure to verify tokens correctly; losses arising from use of the free/unauthenticated endpoint.

Nothing in this policy limits CNX's liability for fraud, wilful misconduct, or personal injury.

11. Governing law

This policy and any dispute arising from it are governed by the laws of the Kingdom of Cambodia. CNX is licensed by the Ministry of Post and Telecommunications of Cambodia. Any dispute not resolved by mutual agreement shall be submitted to the courts of Phnom Penh, Cambodia.

12. Termination and succession

If CNX terminates the TSA service, CNX will provide a minimum of 90 days' notice to subscribers. CNX will maintain public access to this policy document and the CA certificate for a minimum of 10 years following termination, to allow continued verification of previously issued tokens.

Previously issued tokens remain verifiable after service termination provided the relying party retains the CNX TSA CA certificate. The token is self-contained cryptographic evidence and does not require CNX to be operational for verification.

13. Amendments

CNX reserves the right to amend this policy. Material changes will be announced with a minimum of 30 days' notice. The version number and effective date at the top of this document will be updated on each revision. Tokens issued under a prior version remain valid under the terms of that version.


Cambodian Network Exchange · cnx.net.kh · Licensed by the Ministry of Post and Telecommunications, Cambodia