One of our clients uses a trusted timestamp service to prove that certain documents existed on the day they were created (they don't need a full digital signature, just the timestamp). The server uses OpenSSL to create a timestamp query, receives a timestamp response and saves it in a database column.
Last year, the provider sent them an email that according to a new recommendation (ETSI TS 119 312 V1.3.1 Electronic Signatures and Infrastructures (ESI); Cryptographic Suites) they now provide ECC timestamps and will gradually phase out support for RSA-based ones which only provide adequate security until 31 Dec 2022.
Am I correct in thinking that because our client needs to keep the timestamped documents way beyond that date, we need to create new ECC-based timestamps for all previously timestamped documents? I also think that in that case we need to request a timestamp for the old RSA-based timestamp, and not the document itself. Is that the recommended procedure when switching to a new algorithm?
