Trusted Time - Revisited

This is an implementation of a Time Stamp Authority (no longer RFC 3161, but instead Roughtime) using JWS.

TL;DR: This is an implementation of a Time Stamp Authority (no longer RFC 3161, but instead Roughtime) using JWS. Source is available at Github.

A while back, I made a JWS wrapper around NTP. The reddit crypto community was not impressed:

It's RFC 3161 + JWS? Eww.
How about Roughtime instead?
Reddit user

So I took a look at Roughtime. It turns out that, while it solves some of the inherent problems with NTP, it doesn't even attempt to use json, which would seem like an obvious choice for a modern service.

Enter Roughenough

Initially, it seems that Roughtime is nowhere near being ready for prime time. Google mentions that its own implementation is experimental. Along comes Roughenough who - at least according to the author - is mature enough:

Hi there, I'm an author of roughenough a mature, tested, and feature rich Roughtime client and server.
Here's how to set the clock using Roughenough:
sudo date --utc --set "$(roughenough-client 2002)"
Roughtime is past the experimental stage and is undergoing standardization by the IETF, see

From an older generation

Of course, there is still no mention of json. Or rather, the client actually can emit a json document (with a properly formatted date):

roughenough-client --json --time-format %Y-%m-%dT%H:%M:%S%z 2002

The output looks something like this:

  "midpoint": "2019-12-27T14:54:49+0000",
  "radius": 1000000,
  "verified": false,
  "merkle_index": 0

To make things even better, Cloudflare is running a load-balanced, hopefully always available Roughtime service.


Tooling of the Roughtime protocol is even worse than that of openssl time stamping. So I updated the tsa-json project which aimed to fix the tooling issue:

This project provides the same data points while utilising modern technologies to achieve the same goals. Using the proposed standard RFC 7515 to encode a signed time stamp from the Time-Stamp Authority.

∙   ∙   ∙

Now, it is possible to get a simple, verifiable, time stamp on any json document:

const request = require('request-promise');
const jose = require('jose');

(async () => {
  const response = await request({
    method: 'POST',
    uri: '',
    body: JSON.stringify({
      version: 2,
      message: {
        some: 'value',
        other: 'value'
      nonce: '234534534534'
  const token = jose.JWT.decode(response, { complete: true });
  const keyset = await request(token.header.jku, { json: true });
  // Get the first key from the set of public keys
  // for the purposes of this example
  const key = jose.JWK.asKey(keyset.keys[0]);
  const valid = jose.JWS.verify(response, key);
  if (!valid) return;
  const success = token.payload.status.status == 0;
  if (!success) return;
  const timestamp = Date.parse(token.payload.timeStampToken.genTime);
  console.log('signed time stamp: ' + timestamp);

Final Thoughts

Given this, we can now create trusted time stamps for data that we have available to us and publicly make claims of ownership of said data at the present time, and we can do this using current tools in modern toolchains.

There is a thread about this post on Mastodon.