Qualified timestamping and why it matters
21 January 2026 · 6 min read · Nextarp B.V.
Signatures prove who; timestamps prove when. Without a trusted timestamp, a signature relies on the signer's own clock - which anyone could have set. A cryptographic timestamp fixes a document in time using an independent, trusted source.
How RFC 3161 works
Your system hashes the signature (never the document content itself) and sends the hash to a Time-Stamping Authority (TSA). The TSA returns a signed token binding that hash to its trusted time. Anyone can later verify the token to prove the signed data existed no later than that moment - without seeing the document.
Qualified timestamps under eIDAS
A qualified TSA appears on an EU trusted list and meets strict operational requirements. A qualified electronic timestamp carries a legal presumption of accuracy across the EU - the timestamp equivalent of a qualified signature.
Where timestamps appear
- At signing - proving the signature predates certificate expiry or revocation.
- In long-term validation - archival timestamps chain over the document to extend validity for years.
Practical guidance
Use a reputable (ideally qualified) TSA, configure it once, and let every signature carry a timestamp automatically. DocsNG supports any RFC 3161 TSA, including qualified providers, so your documents are anchored in trusted time by default.
Related articles
- PAdES-LTV: keeping signatures valid for decades · Trust
- Verification and tamper-evidence beyond the PDF · Trust
- Designing multi-party signing workflows · Trust
