A superset of the RFC 3161 protocol, the X9.95 standard includes definitions for specific data objects, message protocols, and trusted timestamp methods, such as digital signature, MAC, linked token, linked-and-signature and transient-key methods. X9.95 compliance can be achieved via several technological approaches, such as transient-key cryptography. Several vendors market X9.95-compliant systems.
In an X9.95 trusted timestamp scheme, there are five entities: the time source entity, the Time Stamp Authority, the requestor, the verifier, and a relying party.
Applications using timestamps on unsigned data can provide evidence to a verifier that the underlying digital data has existed since the timestamp was generated.
When a requestor requires a timestamp for a dataset, it creates a hash of the data, which is a unique string of data that is different for any dataset. Representing a snapshot of the data, the hash is sent to the Time Stamp Authority, which has no awareness of the contents and therefore assumes no liability for the content. Using a cryptographic binding, the TSA binds the hash and a timestamp into a timestamp token, which is returned to the requestor for association with the dataset.
For applications using digitally signed data, the requestor signs the digital hash with its private key and submits the digital signature to the TSA, which performs the same operations as in the previous example: bind the submitted data with a timestamp using its cryptographic binding and return the results to the requestor.
When the requestor receives the timestamp token from the TSA, it signs the token with its private key. The requestor now has evidence that the data existed at the time issued by the TSA. When verified by a verifier or relying party, the timestamp token also provides evidence that digital signature has existed since the timestamp was issued, provided that no challenges to the digital signature's authenticity repudiate that claim.
Timestamp tokens can be obtained from different TSAs on the same data and can be verified at any time by a third party.
These three verifications provide non-repudiable evidence of who signed the data (authentication), when it was signed (timeliness) and what data was signed (integrity). Since public keys are used to decrypt the tokens, this evidence can be provided to any third party. The American National Standard X9.95-2005 Trusted Time Stamps was developed based on RFC 3161 protocol [TSP] and the ISO/IEC 18014 standards [ISO] yet extends its analysis and offerings. The X9.95 standard can be applied to authenticating digitally signed data for financial transactions, regulatory compliance, and legal evidence.