Home/Timestamping

Canadian certificate guidance

Timestamping

Timestamping services provide cryptographic proof that a document, signature, or certificate existed at a specific point in time. In regulated industries like fintech, digital identity, and payment services, this matters because it determines whether a digital...

Discuss your use case
On this page
  1. What Is a Trusted Timestamp
  2. RFC 3161 vs Proprietary Timestamping
  3. Timestamping in eIDAS and PSD2 Compliance
  4. How Long-Term Validation (LTV) Depends on Timestamps
  5. TSA Certificate Requirements
  6. Integrating Timestamping Services: Technical Approaches
  7. Timestamping and TLS Certificate Lifecycle Management
  8. Choosing a TSA: What to Verify

Timestamping services provide cryptographic proof that a document, signature, or certificate existed at a specific point in time. In regulated industries like fintech, digital identity, and payment services, this matters because it determines whether a digital signature was valid at the moment of signing, not just today. Without trusted timestamps, signatures tied to expired or revoked certificates become legally and technically unverifiable.

Timestamping — digital certificate and security infrastructure
Illustrative security infrastructure context.

What Is a Trusted Timestamp

A trusted timestamp is a cryptographically signed token issued by a Time Stamping Authority (TSA). The token binds a hash of your data to a specific date and time, sealed by the TSA's private key. No one, including the issuer, can retroactively alter the recorded time without invalidating the token.

The process is defined in RFC 3161 (Internet X.509 Public Key Infrastructure Time-Stamp Protocol). Here is how it works step by step:

  1. Your system generates a hash of the document or signature.
  2. The hash is sent to the TSA in a TimeStampRequest.
  3. The TSA signs the request with its own certificate and returns a TimeStampToken.
  4. The token is stored alongside the original document.
  5. Any verifier can independently confirm the token using the TSA's public certificate.

No raw document content ever leaves your system. Only the hash is transmitted.

RFC 3161 vs Proprietary Timestamping

Not all timestamping is equal. RFC 3161 is the standard used in legal and compliance contexts. Some platforms implement internal or proprietary timestamps, which are unsuitable for regulated use cases.

FeatureRFC 3161 TimestampProprietary Timestamp
Third-party TSAYesNo
Legally recognized (eIDAS)YesTypically no
Cryptographic proof of timeYesDepends on implementation
Audit trail independent of vendorYesNo
Usable after certificate expiryYesNo

For PSD2 compliance, eIDAS qualified signatures, or Canadian federal procurement, RFC 3161 from an accredited TSA is the only acceptable option.

Timestamping in eIDAS and PSD2 Compliance

Under eIDAS Regulation (EU) 910/2014, a qualified electronic timestamp must be issued by a Qualified Trust Service Provider (QTSP). It serves as a legal presumption that the data existed at the stated time. Canadian organizations operating in cross-border EU transactions must understand this requirement directly.

PSD2, enforced under the EBA's Regulatory Technical Standards, requires strong customer authentication and non-repudiation for payment transactions. Timestamping plays a role in audit log integrity, ensuring transaction records are tamper-evident and time-bound.

Key compliance checkpoints where timestamping applies:

  • Signing of contracts and agreements in digital banking
  • Audit logs for payment authorization flows
  • Certificate lifecycle events (issuance, revocation, renewal)
  • Timestamping of qualified electronic signatures (QES) before certificate expiry

In the Canadian context, PIPEDA and provincial privacy legislation require demonstrable data integrity for financial and personal records. RFC 3161 timestamps support this by creating an immutable timeline.

How Long-Term Validation (LTV) Depends on Timestamps

Long-Term Validation is the mechanism that keeps a digitally signed document verifiable beyond the lifetime of the signing certificate. Without LTV, once the certificate expires or is revoked, the signature becomes unverifiable.

LTV works by embedding:

  • The signed document
  • The signing certificate chain
  • The OCSP response or CRL at the time of signing
  • An RFC 3161 timestamp over all of the above

The timestamp proves the signature was applied when the certificate was still valid. This is the foundation of PDF Advanced Electronic Signatures (PAdES) and CAdES formats, both referenced in eIDAS technical standards.

An example: A fintech company signs a loan agreement using a certificate valid through March 2026. The certificate is revoked in July 2026. Without an LTV timestamp from before July 2026, the agreement's signature is unverifiable. With a valid RFC 3161 timestamp from the signing date, the signature remains legally sound indefinitely.

TSA Certificate Requirements

A TSA must operate under its own certificate, specifically issued for timestamping with the Extended Key Usage (EKU) value of id-kp-timeStamping (OID 1.3.6.1.5.5.7.3.8). This certificate must be issued by a trusted CA and should not be used for any other purpose.

Technical requirements for a TSA certificate:

RequirementDetail
Key usagedigitalSignature
Extended key usageid-kp-timeStamping only
Clock synchronizationUTC via NTP/GPS with audit trail
AccuracyTypically 1 second or less
TSA policy OIDEmbedded in each TimeStampToken
Certificate validityUsually 1-3 years, timestamp tokens remain valid longer

If you are evaluating a TSA for enterprise deployment, ask specifically for their time synchronization audit logs and clock accuracy specifications. Accuracy matters in legal disputes where the precise minute of signing is contested.

Integrating Timestamping Services: Technical Approaches

There are three primary integration patterns depending on your architecture:

1. HTTP-Based TSA Query (RFC 3161 over HTTP)

The most common method. Your application sends a DER-encoded TimeStampRequest via HTTP POST to the TSA endpoint. The response is a TimeStampResponse containing the signed token.

Libraries that support this natively:

  • OpenSSL (command line and API)
  • Bouncy Castle (Java, C#)
  • Python rfc3161ng and pyhanko
  • Java BouncyCastle TSP

Example OpenSSL command:

openssl ts -query -data document.pdf -no_nonce -sha256 -out request.tsq
openssl ts -reply -queryfile request.tsq -out response.tsr

2. Embedded Timestamping in PDF Signing Workflows

Adobe Acrobat and most enterprise signing platforms support Document Timestamp (DST) as a separate signature field. This is distinct from a signature-level timestamp and covers the entire signed document state.

3. API-Based Timestamping for High-Volume Pipelines

For fintech platforms processing thousands of transactions per hour, REST or SOAP TSA APIs provide batch timestamping with SLA guarantees. Response times under 200ms are typical for commercial TSAs. Evaluate:

  • Uptime SLA (99.9% is baseline, 99.99% for payment-critical infrastructure)
  • Timestamp volume limits per subscription tier
  • Token format: binary DER vs base64-encoded
  • Webhook support for asynchronous workflows

Timestamping and TLS Certificate Lifecycle Management

Timestamping intersects with TLS certificate management in less obvious ways. When a TLS certificate is used to sign OCSP responses, those responses should also be timestamped for archival purposes. Certificate Transparency logs are themselves timestamped via Signed Certificate Timestamps (SCT), defined in RFC 6962.

For organizations managing internal PKI, timestamps on certificate issuance and revocation events create an auditable chain of custody. This is especially relevant for:

  • Root CA key ceremony records
  • Intermediate CA certificate issuance
  • Hardware Security Module (HSM) audit logs

Canadian federal government PKI guidelines under the Government of Canada's Trust Framework reference time integrity as a foundational element for identity assurance levels 2 and above.

Choosing a TSA: What to Verify

When selecting a timestamping service, do not rely on marketing claims. Verify the following directly:

CriterionWhat to Check
Trust list inclusionIs the TSA root in Mozilla, Microsoft, or Adobe trust stores?
eIDAS QTSP statusListed on the EU Trusted List (EUTL)?
WebTrust / ETSI auditCurrent audit report from accredited auditor
Clock accuracy certificationIs accuracy independently audited?
Geographic redundancyIs the TSA replicated across data centers?
Canadian data residencyDoes the TSA offer Canadian data center options?

For cross-border use between Canada and EU jurisdictions, a QTSP-issued timestamp that meets ETSI EN 319 421 (Policy and Security Requirements for Trust Service Providers issuing Time-Stamps) provides the strongest legal standing.

Common Errors in Timestamping Implementations

Teams frequently encounter these specific issues:

  • Clock skew between the signing system and TSA exceeds the TSA's declared accuracy, causing timestamp rejection
  • Using SHA-1 in the TimeStampRequest hash when the TSA has deprecated it; use SHA-256 minimum
  • Not renewing TSA certificates before embedding them in archive timestamps, causing chain validation failure
  • Assuming that a document-level timestamp covers signatures applied after it, it does not
  • Embedding timestamps in PDF XMP metadata instead of in the PDF signature structure, which has no legal standing

Planning an implementation?

Keep the legal entity, domain controls and certificate lifecycle in the same review.

Discuss your use case

Frequently asked questions

Practical answers

What is the difference between a timestamp and a digital signature?

A digital signature proves who signed the data and that it has not changed. A timestamp proves when the data existed.

Can a timestamp be used after the TSA certificate expires?

Yes, this is one of the key properties of RFC 3161. The timestamp token remains valid as long as the hash algorithm (e.g., SHA-256) remains unbroken and the TSA's certificate chain is archived.

Is RFC 3161 timestamping legally recognized in Canada?

Canada does not have a federal equivalent to eIDAS, but RFC 3161 timestamps from accredited TSAs are accepted as evidence of time in federal court under the Canada Evidence Act, provided the TSA's reliability can be demonstrated. Provincial electronic commerce acts (e.g., Ontario's Electronic Commerce Act, 2000) also support electronic records that include verifiable timestamps.

How does timestamping affect PSD2 open banking compliance?

Under PSD2, account information service providers (AISPs) and payment initiation service providers (PISPs) must maintain audit trails for consent records, transaction logs, and authentication events. RFC 3161 timestamps applied to these records ensure tamper-evidence and support non-repudiation claims in disputes.