SSM-Clock Stamp – Observed-time Evidence (2.9)

Purpose. When kv:time_mode=observed is used, attach a tiny ASCII sidecar with lightweight time observations. Evidence augments auditability and does not change core checks unless your policy requires it.

Sidecar lines (ASCII)

obs_iso_utc=<ISO_Z>
tolerance_sec=<int>
delta_sec=<int>
obs_sources_ascii=<comma-or-pipe list>
obs_evidence_sha256=<64-hex>

Formats & constraints (must)

  • obs_iso_utc uses exact YYYY-MM-DDThh:mm:ssZ (UTC, no subseconds; reject 23:59:60).
  • tolerance_sec is a non-negative integer.
  • delta_sec is a non-negative integer; SHOULD equal the recomputed delta (nearest-second rounding allowed).
  • obs_sources_ascii is a simple ASCII list of sources such as OS,HTTPS_Date,NTP or OS|HTTPS_Date|NTP.
  • obs_evidence_sha256 is a lowercase 64-hex digest of the canonical evidence string (see below).

Canonical concatenation for evidence hash

  • Build concat_of_sources_and_reported_times as newline-joined ASCII records, each: <source_label> "|" <iso_z>
    Example lines:
    OS|2025-10-14T04:59:03Z
    HTTPS_Date|2025-10-14T04:59:03Z
  • Join with \n (LF). If the sidecar used \r\n (CRLF), verifiers MUST normalize to LF before hashing.
  • Record order SHOULD be ASCII sort by source_label. If unspecified, verifiers MAY sort to stabilize results.
  • Compute: obs_evidence_sha256 = sha256( ascii(concat_of_sources_and_reported_times) )

Verifier checks (deterministic)

  • Delta bound:
    delta_sec' = abs( unix(iso_utc) - unix(obs_iso_utc) )
    Require delta_sec' <= tolerance_sec.
  • Delta consistency: recorded delta_sec equals delta_sec' (or differs by at most 1 second due to rounding).
  • Evidence hash: rebuild the canonical concatenation (LF-normalized) and verify
    sha256( ascii(concat) ) == obs_evidence_sha256.
  • Outcome flag: set EVIDENCE_OK=true iff all evidence checks pass; absent if no sidecar is provided; false if checks fail.
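
An added example, not part of the SSM-Clock Stamp specification or any reference code: a Python verifier that applies the format constraints, canonical hash and checks above and returns EVIDENCE_OK. The function names, the constructed stamp time 2025-10-14T04:59:05Z, and the assumption that the per-source records are handed to the verifier alongside the sidecar are illustrative.

```python
import hashlib
import re
from datetime import datetime, timezone

ISO_Z = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-5][0-9]Z")
UINT = re.compile(r"[0-9]+")
HEX64 = re.compile(r"[0-9a-f]{64}")

def unix(iso_z):
    """Strict YYYY-MM-DDThh:mm:ssZ to Unix seconds; a seconds field of 60 never matches."""
    if not ISO_Z.fullmatch(iso_z):
        raise ValueError(f"not strict ISO_Z: {iso_z!r}")
    dt = datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ")  # range-checks month, day, hour
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def evidence_sha256(records):
    """records: (source_label, iso_z) pairs; sorted by label, LF-joined, no trailing LF."""
    concat = "\n".join(f"{label}|{t}" for label, t in sorted(records))
    return hashlib.sha256(concat.encode("ascii")).hexdigest()

def verify_evidence(iso_utc, sidecar, records):
    """EVIDENCE_OK: None when no sidecar is given, True when every check passes, else False."""
    if sidecar is None:
        return None
    try:
        sidecar.encode("ascii")  # all fields must be plain ASCII
        kv = dict(ln.split("=", 1) for ln in sidecar.replace("\r\n", "\n").splitlines() if ln)
        tol, rec, digest, _sources = (kv[k] for k in (
            "tolerance_sec", "delta_sec", "obs_evidence_sha256", "obs_sources_ascii"))
        if not (UINT.fullmatch(tol) and UINT.fullmatch(rec) and HEX64.fullmatch(digest)):
            return False
        for _, t in records:
            unix(t)  # every reported time must also be strict ISO_Z
        delta = abs(unix(iso_utc) - unix(kv["obs_iso_utc"]))  # delta_sec'
        return (delta <= int(tol)                        # delta bound
                and abs(int(rec) - delta) <= 1           # delta consistency (1 s rounding)
                and evidence_sha256(records) == digest)  # evidence hash
    except (KeyError, ValueError):  # missing field, malformed line, bad time, non-ASCII
        return False

# Constructed sample input: records reuse the example lines above; the sidecar uses CRLF.
STAMP_ISO_UTC = "2025-10-14T04:59:05Z"
RECORDS = [("OS", "2025-10-14T04:59:03Z"), ("HTTPS_Date", "2025-10-14T04:59:03Z")]
SIDECAR = ("obs_iso_utc=2025-10-14T04:59:03Z\r\ntolerance_sec=5\r\ndelta_sec=2\r\n"
           "obs_sources_ascii=HTTPS_Date,OS\r\n"
           f"obs_evidence_sha256={evidence_sha256(RECORDS)}\r\n")
```

Any parse or format failure is treated as a failed check, so the caller sees only the three outcome states described above.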

Semantics

  • Evidence is advisory; anchors still provide the public no-later-than bound.
  • If kv:time_mode=observed is present but evidence is missing/invalid, a verifier MAY downgrade to time_mode=derived_utc depending on local policy.

Policy notes

  • Leap second remains invalid: 23:59:60 must not appear in obs_iso_utc.
  • Keep all fields plain ASCII; avoid spaces and locale-specific formats.
