Add option to use RFC 3161 timestamp in ICA COSE signature (#192)

Also specify credential revocation mechanism.

docs/modules/ROOT/pages/index.adoc

@@ -943,9 +943,6 @@ The `issuer` property MUST be present and MUST follow the format as specified in
 
 The `validFrom` field MUST exist and it MUST express the date and time when the credential becomes valid, as specified in link:++https://www.w3.org/TR/vc-data-model-2.0/#validity-period++[Section 4.8, “Validity period,”] of the Verifiable credentials data model.
 
-[#issue-64]
-NOTE: TO DO (link:https://github.com/creator-assertions/identity-assertion/issues/64[issue #64]): Consider stronger timestamping mechanism than W3C VC requires.
-
 [#vc-credentialsubject-verifiedIdentities]
 ===== Verified identities
 
@@ -1235,11 +1232,17 @@ NOTE: `identity-claims-aggregation.json` makes use of the `format` JSON Schema k
 
 ==== Verifiable credential proof mechanism
 
-The `signature` field of an *<<_identity_assertion,identity assertion>>* using the identity claim aggregation mechanism MUST be secured as described by link:++https://www.w3.org/TR/vc-jose-cose/#securing-vcs-with-cose++[§3.3.1, “Securing JSON-LD verifiable credentials with COSE,”] of the W3C standard _Securing verifiable credentials using JOSE and COSE._ The `signature` payload MUST begin with the tagged `COSE_Sign1` structure.
+The `signature` field of an *<<_identity_assertion,identity assertion>>* using the identity claim aggregation mechanism MUST be secured using a COSE signature as described by link:++https://www.w3.org/TR/vc-jose-cose/#securing-vcs-with-cose++[Section 3.3.1, “Securing JSON-LD verifiable credentials with COSE,”] of the W3C standard _Securing verifiable credentials using JOSE and COSE._ The `signature` payload MUST begin with the tagged `COSE_Sign1` structure. As described in that standard, the unsecured verifiable credential is the unencoded `COSE_Sign1` payload.
+
+The COSE signature MAY use a link:https://datatracker.ietf.org/doc/html/rfc3161[RFC 3161]-compliant time stamp to provide an additional, independent signal as to when the _<<_identity_claims_aggregator,identity claims aggregator>>_ generated the *<<_identity_assertion,identity assertion>>.* If so, this time stamp shall be generated as described by link:++https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_time_stamps++[Section 10.3.2.5, “Time-stamps,”] of the C2PA technical specification.
+
+IMPORTANT: If a timestamp is present, it MUST use a version 2 or later time-stamp as defined in link:++https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_choosing_the_payload++[Section 10.3.2.5.2, “Choosing the payload.”] A version 1 time stamp MUST NOT be used.
+
+If the _<<_identity_claims_aggregator,identity claims aggregator’s>>_ credential supports querying its online credential status, the _<<_identity_claims_aggregator,identity claims aggregator>>_ SHOULD include credential revocation information as described in link:++https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_credential_revocation_information++[Section 10.3.2.6, “Credential revocation information,”] of the C2PA technical specification.
 
 ===== Signature algorithms
 
-The COSE signature MUST be secured using one of the signature algorithms defined in link:++https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_digital_signatures++[§13.2, “Digital signatures,”] in version 2.1 or any subsequent version of the C2PA technical specification.
+The COSE signature MUST be secured using one of the signature algorithms defined in link:++https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_digital_signatures++[Section 13.2, “Digital signatures,”] in version 2.1 or any subsequent version of the C2PA technical specification.
 
 ===== DID methods
 

docs/modules/ROOT/partials/version-history.adoc

@@ -113,3 +113,4 @@ _This section is non-normative._
 
 * Consolidate wording about `cawg.` and other externally-defined labels
 * Remove `proof` entry from `verifiedIdentities[n]` structure
+* Add option to use RFC 3161 timestamp in ICA COSE signature