CNX Timestamp Policy Version: 1.0 Effective date: 2026-07-07 Policy OID: 1.3.6.1.4.1.66148.1.2.1 Publisher: Cambodian Network Exchange (CNX) Status: Active This document is the Timestamp Policy (TP) for the CNX Timestamp Authority service operated by the Cambodian Network Exchange (CNX). It defines the obligations, technical standards, and operational procedures governing the issuance and management of timestamp tokens under RFC 3161 and ANSI ASC X9.95. This is an archived, immutable version of this policy. It is not edited after publication. A later revision, if any, is published as a separate dated document; this text remains the authoritative record of the terms in effect during its own effective period. See https://tsa.cnx.net.kh/policy/ for the full version history and to find the version in effect on any given date. Table of contents 1. Introduction 2. Scope and applicability 3. Publication and contact 4. Time source and UTC traceability 5. Cryptographic standards 6. Key management and infrastructure 7. Token issuance and operations 8. Obligations 9. Service levels 10. Liability 11. Governing law 12. Termination and succession 13. Amendments 1. Introduction CNX operates a Timestamp Authority (TSA) that issues cryptographically signed timestamp tokens certifying the existence of specific data at a specific moment in time. The service is anchored to in-country Rubidium atomic oscillators providing UTC-traceable time, with signing keys held in hardware security modules. This policy applies to all timestamp tokens issued by the CNX TSA. Each token's policy field contains the OID listed above, which references this document. A verifier who encounters that OID may retrieve this policy to understand the standards under which the token was issued. 2. Scope and applicability This policy governs: - All RFC 3161 timestamp tokens issued by the CNX TSA, across every endpoint below: * https://free.tsa.cnx.net.kh/ -- free tier, best-effort, no SLA * https://cnx.tsa.cnx.net.kh/ -- subscriber tier, sealed audit log - The technical and operational standards applied to their issuance - The obligations of CNX, subscribers, and relying parties Tokens issued under this policy are intended for use in document integrity verification, audit trail attestation, code signing, and other applications requiring trusted time evidence. They are not financial instruments and do not constitute a guarantee of the content or legal validity of the data being timestamped. 3. Publication and contact This policy is published at https://tsa.cnx.net.kh/policy.html and remains accessible for the lifetime of the service. Every dated version, including this one, is separately archived at https://tsa.cnx.net.kh/policy/, each accompanied by an RFC 3161 timestamp token proving that exact text existed as of its signing date. Queries regarding this policy should be directed to noc@cnx.net.kh. The CNX TSA root CA trust anchor -- an SPKI pin of its public key -- is published as a DNS TXT record at _ca.cnx.net.kh and is independently verifiable without contacting CNX. See https://tsa.cnx.net.kh/validation.html for the full procedure. 4. Time source and UTC traceability The time reference used in all CNX timestamp tokens is derived from the following chain: 1. GNSS receivers -- GPS/GNSS signals providing a UTC-synchronized reference traceable to national metrology laboratories 2. Rubidium atomic oscillators -- disciplined by the GNSS signal; maintaining autonomous stability of less than 1 microsecond/day during periods of GNSS unavailability 3. NTS infrastructure -- authenticated time delivery from the atomic oscillators to the TSA servers, over RFC 8915 Network Time Security 4. TSA servers -- issue timestamp tokens whose genTime field reflects the UTC time at the moment of receipt, derived from the above chain The accuracy of timestamps issued under this policy is within 10 milliseconds of UTC under normal operating conditions -- 10 thousandths of a second, tighter than the 1-second accuracy typical of standard network time (NTP) sources. This is the guaranteed floor: individual tokens assert their own measured accuracy in the token's accuracy field, which under normal conditions is significantly tighter still -- see https://tsa.cnx.net.kh/validation.html for a worked example. The service is designed to meet the time source requirements of ANSI ASC X9.95 -- Trusted Time Stamp Standard, specifically the requirement for a provably accurate time source traceable to a recognised standard. 5. Cryptographic standards Token format RFC 3161 -- Internet X.509 Public Key Infrastructure Time-Stamp Protocol Hash algorithm SHA-256 required; SHA-384 and SHA-512 (requester) accepted Signing algorithm ECDSA P-256 with SHA-256, per NIST FIPS 186-4 and RFC 8624 Certificate EKU id-kp-timeStamping (OID 1.3.6.1.5.5.7.3.8), critical, exclusive X9.95 alignment Time source requirements of ANSI ASC X9.95 -- Trusted Time Stamp Standard 6. Key management and infrastructure Root CA: The CNX root CA key is generated and stored in a hardware security module (HSM) -- non-exportable by hardware design. The root CA issues a single TSA CA certificate, also HSM-held; it is not used for any other purpose. TSA CA and signing certificates: The HSM-held TSA CA, signed by the root CA, issues each TSA service node's local signing certificate -- nodes are not signed directly by the root. Each node generates its signing key within the VM's hardware-backed trusted platform module (vTPM); a Certificate Signing Request is submitted to the TSA CA, and the resulting certificate carries EKU id-kp-timeStamping exclusively. Node signing keys never leave their vTPM. Key rotation: TSA signing certificates are renewed before expiry. The root CA key is rotated on a schedule defined in CNX's internal key management procedure. All key operations are logged for audit. Compromise response: In the event of suspected key compromise, the affected certificate is revoked and replaced. CNX will publish a notice at this policy URL and notify affected subscribers. 7. Token issuance and operations The CNX TSA issues timestamp tokens in response to RFC 3161 TimeStampReq messages received at the TSA endpoint. Each token contains: - The messageImprint -- hash algorithm OID and hash value submitted by the requester - The genTime -- UTC time of receipt, to millisecond precision - A unique serialNumber - The policy OID referencing this document - CNX's digital signature CNX does not retain the data submitted for timestamping -- only the hash. Log retention differs by tier. The applicable tier for any given token is determined by the signer certificate embedded in that token: its Subject CN is the exact domain that issued it (e.g. CN=free.tsa.cnx.net.kh for the free tier, or the subscriber's own subdomain for a paid tier). No separate lookup or contact with CNX is required to determine which of the following applies to a token you hold. Subscriber tier (signer CN is a subscriber subdomain): serial number, timestamp, requester address, and hash algorithm are logged for each token issued. Logs are sealed and archived to S3, retained for a minimum of 7 years, and are available as dispute evidence per section 9. Free tier (signer CN is free.tsa.cnx.net.kh): the same fields are logged, but retained for operational purposes only -- abuse prevention and rate limiting -- for a maximum of 30 days, after which they are purged. Free-tier logs are not sealed, not archived, and are not available as dispute evidence; CNX cannot produce a free-tier log entry after the retention window closes. 8. Obligations CNX obligations: To operate the TSA in accordance with this policy; to maintain the accuracy of the time reference; to protect the signing keys; to maintain audit logs; to publish revocation notices promptly; to maintain this policy document. Subscriber obligations: To use timestamp tokens only for lawful purposes; to include the CNX TSA CA certificate and this policy URL when presenting tokens to relying parties; to report any suspected compromise or irregularity to CNX promptly. Relying party obligations: To verify token signatures against the CNX TSA CA certificate; to verify that the hash in the token matches the data being validated; to accept the limitations of this policy as stated. 9. Service levels Time accuracy Within 10 milliseconds of UTC under normal operations (10 thousandths of a second -- see section 4) Service availability 99.9% monthly (contracted subscribers: 99.99%) Response time Token issued within 5 seconds of valid request Audit log retention Subscriber tier: minimum 7 years, sealed and archived. Free tier: maximum 30 days, operational use only, not archived. See section 7. Incident notification Within 24 hours of confirmed key compromise or service integrity event Service level commitments above apply to subscribers under a CNX Precision Time subscription agreement. The free/unauthenticated endpoint is provided on a best-effort basis with no SLA. 10. Liability CNX's total liability to any subscriber or relying party arising from the use of timestamp tokens issued under this policy -- whether in contract, tort, or otherwise -- shall not exceed the lesser of: (a) direct damages actually suffered; or (b) the total fees paid by the subscriber to CNX in the twelve months preceding the claim. CNX is not liable for: indirect, consequential, or incidental damages; losses arising from subscriber failure to verify tokens correctly; losses arising from use of the free/unauthenticated endpoint. Nothing in this policy limits CNX's liability for fraud, wilful misconduct, or personal injury. 11. Governing law This policy and any dispute arising from it are governed by the laws of the Kingdom of Cambodia. CNX is licensed by the Ministry of Post and Telecommunications of Cambodia. Any dispute not resolved by mutual agreement shall be submitted to the courts of Phnom Penh, Cambodia. 12. Termination and succession If CNX terminates the TSA service, CNX will provide a minimum of 90 days' notice to subscribers. CNX will maintain public access to this policy document and the CA certificate for a minimum of 10 years following termination, to allow continued verification of previously issued tokens. Previously issued tokens remain verifiable after service termination provided the relying party retains the CNX TSA CA certificate. The token is self-contained cryptographic evidence and does not require CNX to be operational for verification. 13. Amendments CNX reserves the right to amend this policy. Material changes will be announced with a minimum of 30 days' notice. A revision is published as a new, separately dated document at https://tsa.cnx.net.kh/policy/; this document is not edited in place. Tokens issued under a prior version remain valid under the terms of that version -- consult the version whose effective date range covers the token's genTime. -- Cambodian Network Exchange - cnx.net.kh Licensed by the Ministry of Post and Telecommunications, Cambodia