Adding a trusted timestamp from an independent, trusted authority to a PDF provides a digital seal of data integrity and a trusted date and time of when the document was created.
What is a Trusted Timestamp?
These types of timestamps are generated by a trusted third party using secure FIPS-compliant hardware, so they are not subject to manipulation by a local user.
Recipients of documents with a trusted timestamp can verify when the document was digitally signed, as well as verify that the document has not been altered after the date the timestamp vouches for.
RFC 3161 outlines the requirements a third party must meet in order to operate as a Timestamping Authority (TSA).
How Does Timestamping Work?
TSAs use Public Key Infrastructure (PKI) technology to apply timestamps. Here is a summary of the steps involved.
- The client application creates a unique identifier (hash) of the data or file that needs to be timestamped and sends it to the TSA.
- From now on, any change (even of a single bit) in the original file produces a different hash, so the changed file no longer matches the timestamp and would have to be submitted to the TSA server again.
- The TSA combines the hash and other information, including the authoritative time. The result is digitally signed with the TSA’s private key, creating a timestamp token which is sent back to the client. The timestamp token contains the information the client application will need to verify the timestamp later.
- The timestamp token is received by the client application and recorded within the document or code signature.
- When the resulting timestamped data or file is opened in the future, the client application will use the TSA’s public key to authenticate the TSA (i.e. validate that the timestamp came from a trusted TSA) and re-calculate a hash of the original data. This new hash is compared to the originally created hash (from the first step above). If any changes have been made to the file since the timestamp was applied, this hash check will fail and warning messages will be shown saying that the file has been altered and should not be trusted.
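The client side of these steps can be sketched in Python. This is an added example, not code from the original page: it builds the RFC 3161 `TimeStampReq` that carries only the hash to the TSA, then repeats the hash comparison from the last step. The function names are illustrative and SHA-256 is an assumed hash choice; sending the request and checking the TSA's signature on the returned token are not shown.

```python
import hashlib
import secrets

# DER bytes for the OID id-sha256 (2.16.840.1.101.3.4.2.1)
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag, content):
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_int(value):
    """Encode a non-negative INTEGER with the sign bit kept clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(data, nonce=None):
    """Hash the data locally and wrap the digest in a TimeStampReq."""
    digest = hashlib.sha256(data).digest()
    algorithm = der(0x30, SHA256_OID + b"\x05\x00")     # AlgorithmIdentifier
    imprint = der(0x30, algorithm + der(0x04, digest))  # MessageImprint
    if nonce is None:
        nonce = secrets.randbits(64)                    # ties the reply to this request
    return der(0x30, der_int(1) + imprint + der_int(nonce) + der(0x01, b"\xff"))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def message_imprint(request):
    """Extract hashedMessage from a TimeStampReq built above."""
    _, body, _ = read_tlv(request)         # outer SEQUENCE
    _, _, pos = read_tlv(body)             # version
    _, imprint, _ = read_tlv(body, pos)    # MessageImprint
    _, _, pos = read_tlv(imprint)          # AlgorithmIdentifier
    _, digest, _ = read_tlv(imprint, pos)  # hashedMessage
    return digest

def imprint_matches(request, data):
    """Re-hash the data and compare it with the timestamped imprint."""
    return message_imprint(request) == hashlib.sha256(data).digest()
```

The request is only a few dozen bytes whatever the size of the document, because the document itself never leaves the client.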