Page Comparison

...

• The TSA service must be compliant with RFC3161 specification.

• The TSA service must use HTTP(S) with POST for transportation.

• The TSA service must support SHA-256 or stronger hash functions in requests

• The certificate that is used for time-stamping signatures must have the id-kp-timeStamping value in the Extended Key Usage ExtendedKeyUsage field.

• The TSA service must not require the usage of reqPolicy field in requests.

• The TSA service must use at least 2048-bit RSA key and SHA-256 (or stronger) hash function for response signatures.

• TSA service must maintain its accuracy within 1 second of UTC.

...

Requirements for authentication certificates

• The Key Usage KeyUsage field must include at least one of the following values: digitalSignature, keyEncipherment or dataEncipherment.

• The KeyUsage field must not include nonRepudiation.

• The Extended Key Usage ExtendedKeyUsage field may contain ClientAuthentication or ServerAuthentication.

...

• The KeyUsage field must include nonRepudiation.

• The KeyUsage field must not include any of the following values: digitalSignature, keyEncipherment and dataEncipherment.

• The ExtendedKeyUsage field must not include ClientAuthentication.

• The CA issuing must ensure that Qualified eSeal certificates are issued only if private key is stored on a Qualified Signature Creation Device.

• The CA must ensure that Advanced eSeal certificates are issued only if private key is handle securely by certificate owner.

• When a Qualified Signature Creation Device is used, the Device must support PKCS#11 protocol for connectivity.

...