SnapPDF
GUIDE · 2026-04-04 · 5 min read

Timestamp authorities (TSA) and why they matter for e-signatures

A timestamp authority proves a signature existed at a specific moment in time — even if the signer's certificate is later compromised. Here's how it works.

A Timestamp Authority (TSA) is an independent trusted third party that cryptographically vouches for the time a signature was made. Without a TSA, you're trusting the signer's system clock — which could be wrong, tampered with, or forged.

Why it matters

Consider: Alice signs a contract on Jan 1, 2025. Her certificate expires Dec 31, 2025. In 2028, Bob disputes the contract. He claims Alice signed it after her certificate expired, making it invalid.

Without a TSA, Alice can't prove when she actually signed. With an RFC 3161 timestamp, there's a cryptographic record from an external authority saying "this signature existed on Jan 1, 2025 at 10:47:33 UTC."

Dispute over.

How RFC 3161 works

1. Signer computes the hash of their signature
2. Sends the hash to the TSA
3. TSA prepends its own timestamp + its signature over (hash + timestamp)
4. Returns a timestamp token
5. Signer embeds the timestamp token in the PAdES signature

To verify: anyone checking the signature later can:

  • Verify the TSA's signature using the TSA's public key (from the TSA's certificate)
  • Read the timestamp
  • Verify the hash matches the actual signature
  • Conclude: this signature existed at the stated time
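
As an added illustration (not SnapPDF's or any TSA's own code), the Python below builds the RFC 3161 request for steps 1 and 2 and performs the verifier's hash check, going slightly beyond the text by showing the DER bytes that go on the wire. The function names and the sample signature bytes are assumptions made for the example; checking the TSA's signature on the returned token is out of scope here.

```python
import hashlib
import hmac
import secrets

# DER of AlgorithmIdentifier { id-sha256 (2.16.840.1.101.3.4.2.1), NULL }
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")
# Constructed sample input: stands in for the raw signature value being timestamped.
SAMPLE_SIGNATURE = b"constructed sample signature value, not a real PAdES signature"

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_uint(value: int) -> bytes:
    """Encode a non-negative INTEGER; a leading zero byte is added when the top bit is set."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def message_imprint(signature_value: bytes) -> bytes:
    """MessageImprint: hash algorithm identifier plus SHA-256 of the signature value."""
    digest = hashlib.sha256(signature_value).digest()
    return der(0x30, SHA256_ALG_ID + der(0x04, digest))

def build_timestamp_request(signature_value: bytes, nonce: int) -> bytes:
    """TimeStampReq: version 1, messageImprint, nonce, certReq = TRUE."""
    body = (der_uint(1) + message_imprint(signature_value)
            + der_uint(nonce) + der(0x01, b"\xff"))
    return der(0x30, body)

def imprint_matches(imprint_der: bytes, signature_value: bytes) -> bool:
    """Verifier's check: the imprint from the token must cover this exact signature."""
    return hmac.compare_digest(imprint_der, message_imprint(signature_value))

if __name__ == "__main__":
    # A fresh random nonce lets the signer match the TSA's reply to this request.
    request = build_timestamp_request(SAMPLE_SIGNATURE, secrets.randbits(64))
    print(len(request), "byte request:", request.hex())
    print("imprint covers signature:", imprint_matches(request[5:56], SAMPLE_SIGNATURE))
```

The request carries only the 32-byte digest, so the TSA never sees the document or the signature itself. Changing a single byte of the signature makes `imprint_matches` return False, which is the "hash matches the actual signature" step in the verification list.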

Which TSAs are trustworthy

Qualified TSAs are audited under eIDAS (EU) or equivalent frameworks (US, AU). Major providers:

  • DigiCert — US-based, widely trusted
  • SSL.com — US-based, EU-qualified
  • Sectigo — US/UK-based
  • FNMT (Fábrica Nacional de Moneda y Timbre) — Spain, EU-qualified
  • GlobalSign — global, multiple jurisdictions

SignBolt uses DigiCert as its default TSA with failover to SSL.com.

Non-qualified TSAs (avoid)

Many free timestamp services exist (FreeTSA, timestamp.digicert.com for testing). They're fine for testing but not for legally-binding signatures — they don't meet qualified TSA requirements and their timestamps may not hold up in court.

The archive problem

TSA certificates themselves expire (usually every 1-3 years). A timestamp is only verifiable while the TSA certificate is trusted. Solution:

  • Periodic re-timestamping — the TSA certificate used in the original timestamp is about to expire? Get a new timestamp from a currently-trusted TSA that covers the original timestamp + document. This is PAdES-B-LTA.
  • Long-term archive — keep timestamping periodically forever. The signature remains verifiable indefinitely.

The practical takeaway

If you're signing a contract that matters, make sure your platform embeds an RFC 3161 timestamp. Ask:

1. "Do you use an RFC 3161 TSA?" (should be yes)
2. "Which TSA?" (should be a qualified provider, not a free service)
3. "Is it embedded in the PAdES signature?" (should be yes — PAdES-B-T or stronger)

Without all three, your signature's time of creation is contestable in court.
