Timestamp Authority
Verification
Trust anchor
The CNX TSA root CA is the trust anchor for all token verification. CNX publishes an SPKI pin of the root CA's public key as a DNS TXT record at _ca.cnx.net.kh. The root CA certificate travels inside every timestamp token, so there is nothing separate to download — extract it from a token you hold and check it against the published pin.
The full, current verification walkthrough — DNS lookup, certificate extraction, SPKI computation, a worked example, batch verification, and the auditor submission checklist — is maintained at tsa.cnx.net.kh/validation.html, generated directly from the live server implementation. The terms governing tokens themselves — retention, liability, key rotation, obligations — are in the TSA policy, which is also referenced directly from the certificate policy extension embedded in every token.
What verification proves
Verification answers three questions simultaneously:
- Authenticity — did this token come from CNX? (signature check against the CNX signing chain)
- Integrity — does this token match this specific data? (hash comparison)
- Time — when did CNX witness this data? (read
genTimefrom the token)
All three must pass. A token that fails any one of them is either forged, mismatched, or the data has been modified since timestamping.
Presenting tokens to auditors
An auditor with OpenSSL installed can independently verify a token without any CNX involvement — the verification is purely cryptographic, and CNX does not need to be contacted, online, or cooperative. The signed token is self-contained evidence. The exact commands and the list of what to hand an auditor are on the validation page.