CNX Timestamp Policy

Version 1.0 · Effective 2026-07-07 · OID: 1.3.6.1.4.1.66148.1.2.1

This document is the Timestamp Policy (TP) for the CNX Timestamp Authority service operated by the Cambodian Network Exchange (CNX). It defines the obligations, technical standards, and operational procedures governing the issuance and management of timestamp tokens under RFC 3161 and ANSI ASC X9.95.

1. Introduction

CNX operates a Timestamp Authority (TSA) that issues cryptographically signed timestamp tokens certifying the existence of specific data at a specific moment in time. The service is anchored to in-country Rubidium atomic oscillators providing UTC-traceable time, with signing keys held in hardware security modules.

This policy applies to all timestamp tokens issued by the CNX TSA. Each token's policy field contains an OID listed above, which references this document. A verifier who encounters that OID may retrieve this policy to understand the standards under which the token was issued.

2. Scope and applicability

This policy governs:

Tokens issued under this policy are intended for use in document integrity verification, audit trail attestation, code signing, and other applications requiring trusted time evidence. They are not financial instruments and do not constitute a guarantee of the content or legal validity of the data being timestamped.

3. Publication and contact

This policy is published at https://tsa.cnx.net.kh/policy.html and remains accessible for the lifetime of the service. This page reflects the current version; every dated version, including this one, is separately archived, each accompanied by an RFC 3161 timestamp token proving that exact text existed as of its signing date. Consult the archive to find the version in effect on any given date. Queries regarding this policy should be directed to noc@cnx.net.kh.

The CNX TSA root CA trust anchor — an SPKI pin of its public key — is published as a DNS TXT record at _ca.cnx.net.kh and is independently verifiable without contacting CNX. See Validation for the full procedure.

4. Time source and UTC traceability

The time reference used in all CNX timestamp tokens is derived from the following chain:

  1. GNSS receivers — GPS/GNSS signals providing a UTC-synchronized reference traceable to national metrology laboratories
  2. Rubidium atomic oscillators — disciplined by the GNSS signal; maintaining autonomous stability of less than 1 µs/day during periods of GNSS unavailability
  3. NTS infrastructure — authenticated time delivery from the atomic oscillators to the TSA servers, over RFC 8915 Network Time Security
  4. TSA servers — issue timestamp tokens whose genTime field reflects the UTC time at the moment of receipt, derived from the above chain

The accuracy of timestamps issued under this policy is within 10 milliseconds of UTC under normal operating conditions — 10 thousandths of a second, tighter than the 1-second accuracy typical of standard network time (NTP) sources. This is the guaranteed floor: individual tokens assert their own measured accuracy in the token's accuracy field, which under normal conditions is significantly tighter still — see Validation for a worked example. The service is designed to meet the time source requirements of ANSI ASC X9.95 — Trusted Time Stamp Standard, specifically the requirement for a provably accurate time source traceable to a recognised standard.

5. Cryptographic standards

Token formatRFC 3161 — Internet X.509 Public Key Infrastructure Time-Stamp Protocol
Hash algorithm (requester)SHA-256 required; SHA-384 and SHA-512 accepted
Signing algorithmECDSA P-256 with SHA-256, per NIST FIPS 186-4 and RFC 8624
Certificate EKUid-kp-timeStamping (OID 1.3.6.1.5.5.7.3.8), critical, exclusive
X9.95 alignmentTime source requirements of ANSI ASC X9.95 — Trusted Time Stamp Standard

6. Key management and infrastructure

Root CA: The CNX root CA key is generated and stored in a hardware security module (HSM) — non-exportable by hardware design. The root CA issues a single TSA CA certificate, also HSM-held; it is not used for any other purpose.

TSA CA and signing certificates: The HSM-held TSA CA, signed by the root CA, issues each TSA service node's local signing certificate — nodes are not signed directly by the root. Each node generates its signing key within the VM's hardware-backed trusted platform module (vTPM); a Certificate Signing Request is submitted to the TSA CA, and the resulting certificate carries EKU id-kp-timeStamping exclusively. Node signing keys never leave their vTPM.

Key rotation: TSA signing certificates are renewed before expiry. The root CA key is rotated on a schedule defined in CNX's internal key management procedure. All key operations are logged for audit.

Compromise response: In the event of suspected key compromise, the affected certificate is revoked and replaced. CNX will publish a notice at this policy URL and notify affected subscribers.

7. Token issuance and operations

The CNX TSA issues timestamp tokens in response to RFC 3161 TimeStampReq messages received at the TSA endpoint. Each token contains:

CNX does not retain the data submitted for timestamping — only the hash.

Log retention differs by tier. The applicable tier for any given token is determined by the signer certificate embedded in that token: its Subject CN is the exact domain that issued it (e.g. CN=free.tsa.cnx.net.kh for the free tier, or the subscriber's own subdomain for a paid tier). No separate lookup or contact with CNX is required to determine which of the following applies to a token you hold.

8. Obligations

CNX obligations: To operate the TSA in accordance with this policy; to maintain the accuracy of the time reference; to protect the signing keys; to maintain audit logs; to publish revocation notices promptly; to maintain this policy document.

Subscriber obligations: To use timestamp tokens only for lawful purposes; to include the CNX TSA CA certificate and this policy URL when presenting tokens to relying parties; to report any suspected compromise or irregularity to CNX promptly.

Relying party obligations: To verify token signatures against the CNX TSA CA certificate; to verify that the hash in the token matches the data being validated; to accept the limitations of this policy as stated.

9. Service levels

Time accuracyWithin 10 milliseconds of UTC under normal operations (10 thousandths of a second — see §4)
Service availability99.9% monthly (contracted subscribers: 99.99%)
Response timeToken issued within 5 seconds of valid request
Audit log retentionSubscriber tier: minimum 7 years, sealed and archived. Free tier: maximum 30 days, operational use only, not archived. See §7.
Incident notificationWithin 24 hours of confirmed key compromise or service integrity event

Service level commitments above apply to subscribers under a CNX Precision Time subscription agreement. The free/unauthenticated endpoint is provided on a best-effort basis with no SLA.

10. Liability

CNX's total liability to any subscriber or relying party arising from the use of timestamp tokens issued under this policy — whether in contract, tort, or otherwise — shall not exceed the lesser of: (a) direct damages actually suffered; or (b) the total fees paid by the subscriber to CNX in the twelve months preceding the claim.

CNX is not liable for: indirect, consequential, or incidental damages; losses arising from subscriber failure to verify tokens correctly; losses arising from use of the free/unauthenticated endpoint.

Nothing in this policy limits CNX's liability for fraud, wilful misconduct, or personal injury.

11. Governing law

This policy and any dispute arising from it are governed by the laws of the Kingdom of Cambodia. CNX is licensed by the Ministry of Post and Telecommunications of Cambodia. Any dispute not resolved by mutual agreement shall be submitted to the courts of Phnom Penh, Cambodia.

12. Termination and succession

If CNX terminates the TSA service, CNX will provide a minimum of 90 days' notice to subscribers. CNX will maintain public access to this policy document and the CA certificate for a minimum of 10 years following termination, to allow continued verification of previously issued tokens.

Previously issued tokens remain verifiable after service termination provided the relying party retains the CNX TSA CA certificate. The token is self-contained cryptographic evidence and does not require CNX to be operational for verification.

13. Amendments

CNX reserves the right to amend this policy. Material changes will be announced with a minimum of 30 days' notice. A revision is published as a new, separately dated document in the archive; this document is not edited in place. Tokens issued under a prior version remain valid under the terms of that version — consult the archived version whose effective date range covers the token's genTime.


Cambodian Network Exchange · cnx.net.kh · Licensed by the Ministry of Post and Telecommunications, Cambodia