Digital timestamping: what certification claims really hide

8 min read
General

RFC 3161, eIDAS, blockchain, NTP: cutting through the marketing.

A creator once showed me his “timestamp certificate.” He was proud. The provider had shut down six months earlier. You’ve timestamped your file. Good. But if you’re asked to prove it in court, what actually happens?

You want to protect a piece of work, a contract, an important document. You come across services promising “qualified timestamping,” “independent trusted third party,” “international standard,” “certified blockchain.” It all sounds credible. But are those claims interchangeable? Can you rely on them in the same way?

Not really. Here’s why.

The core problem: proving a document existed on a given date

Before we get into technology, remember what you actually need. You want to show that a file—a text, a drawing, a contract, source code—existed on a specific date, in a specific form, and has not been altered since.

In short, you need to establish priority—that your material existed first.

The challenge is simple: anyone can roll back their system clock and create a file that looks ten years old. So you need a third party—an external, independent actor—that can attest the file really existed at that moment.

The question is: which third party? And how much is that proof actually worth?

Four broad families of solutions

1. Timestamping via NTP: the clock, and nothing but the clock

NTP (Network Time Protocol) is what your computer is using right now to keep time. Reference sources (Paris Observatory, Germany’s PTB, NIST in the United States) broadcast accurate time over the internet.

Some providers wave this around as a trust signal. Those sources are indeed highly accurate. But accuracy is not proof.

NTP only tells you “it is 2:32:18 PM.” It signs nothing, certifies nothing, and produces nothing a third party can verify. Anyone can query an NTP server, jot down the time, and write whatever they want next to it. That does not show your file existed at that instant—it only shows someone looked at a clock.

NTP is infrastructure for keeping devices in sync. Useful behind the scenes, useless as standalone evidence. A service that touts NTP as a reason to trust them is selling you clocks, not certification.

When a provider name-drops Paris Observatory or PTB, ask a blunt question: what actually shows you recorded my file at that exact time? The answer is: nothing.

2. RFC 3161: the standard that produces real, signed evidence

RFC 3161 is an international standardized protocol (also published as ISO 18014) that defines how a Time Stamping Authority (TSA) creates cryptographic proof.

How it works:

  1. You send your file’s digital fingerprint (hash) to the TSA.
  2. The TSA binds that fingerprint to an exact time.
  3. It digitally signs the result with its private key.
  4. It returns a timestamp token—a file that contains the proof.

That token can be checked with any RFC 3161–compatible tool, including Adobe Acrobat, legal software, and open-source validators. If the TSA is still operating and its key has not been compromised, the proof holds up.

Then comes the real question: who is the TSA?

RFC 3161 is a format. PDF is also a format. Owning a PDF says nothing about the quality of what is inside. Likewise, holding an RFC 3161 token says nothing about how trustworthy the issuing TSA is. Popular free services issue technically valid RFC 3161 tokens—with no audits, no regulatory obligations, and no guarantee they will still be around tomorrow. The format is sound. The operator behind it may not be.

Two RFC 3161 tokens can therefore carry very different weight if a dispute goes to court.

RFC 3161 has a practical downside: if the TSA vanishes without publishing its certificate chain, some tools will no longer validate the token. That risk is low for a serious, audited provider—and much higher for a free, unaudited one.

3. eIDAS — official recognition in Europe

RFC 3161 builds technical proof. eIDAS gives it legal teeth.

The EU eIDAS regulation (Electronic Identification, Authentication and Trust Services) defines what counts as a qualified trust service provider in the Union.

A qualified eIDAS TSA must:

  • Be audited by an accredited body
  • Keep its private keys in certified hardware security modules (HSMs)
  • Sync its clock to traceable, audited time sources
  • Meet continuity obligations, including publishing certificates so tokens stay verifiable even if the service shuts down one day
  • Appear on a national trust list (in France, overseen by ANSSI)

What that means in practice: a token from a qualified eIDAS TSA benefits from a legal presumption of accuracy. In a dispute, the court starts from the idea that the timestamp is correct. The other side must disprove it—and that is extremely hard.

For anything that is not eIDAS-qualified, the burden is flipped: you must persuade the judge the evidence is reliable. That fight happens case by case.

eIDAS is the only regime that automatically shifts the burden of proof.

One more thing about language: when a website calls itself an “independent trusted third party,” read carefully. In eIDAS law, a “trusted third party” is an entity qualified by a Member State. A free tool run by a volunteer may be independent—it is not a trusted third party in that legal sense. Check the official list: https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/tls

4. Public blockchain: a fundamentally different approach

People often pitch blockchain as an “alternative” to RFC 3161. That misses the point. They solve different problems and work best together rather than as strict substitutes.

RFC 3161 depends on a trusted operator. Its value tracks that operator’s seriousness: a regulated, audited service versus a free offering with no backing. Strong when the provider is solid; weak when it is not.

Public blockchains sidestep that dependency. There is no single custodian. The proof sits on a decentralized ledger maintained by thousands of nodes worldwide. To fake your proof, you would have to rewrite the chain’s history—for all practical purposes, impossible. The record is censorship-resistant: no one can unilaterally alter it, erase it, or cut off your access. You also cannot really delete a proof once it is anchored: it stays verifiable indefinitely, without depending on any provider’s survival.

The trade-off? No automatic statutory presumption like eIDAS. French courts have accepted blockchain evidence (Tribunal judiciaire de Marseille, March 2025), but you still have to persuade the judge.

There are two common patterns for on-chain timestamping, and they are not equivalent.

Merkle tree (batching): many proofs are rolled into one batch; only the Merkle root (a single hash) lands on-chain. Verifying your entry usually needs dedicated tools, an auxiliary file you must keep, and often intermediary servers to hand you the Merkle path.

Dedicated transaction: each proof gets its own on-chain transaction. Your document’s hash appears directly in that transaction—readable on any public block explorer, with no vendor-specific tool and no extra file.

The second model costs more (one transaction per proof) but delivers verification anyone can reproduce—something batched Merkle schemes cannot honestly claim.

Which chain matters, too. Bitcoin is the most decentralized and battle-tested, but also the slowest (roughly one to two hours to finality). Newer networks confirm in seconds with security that is often adequate for this use case.

And if someone sells “qualified” blockchain timestamping: under eIDAS, “qualified” has a specific meaning—a TSA on the EU trust list. Any other use of the word is marketing.

What to take away

NTP alone does not create evidence a neutral third party can verify. Full stop. That is synchronizing clocks, not certification.

RFC 3161 and blockchain are parallel paths with different strengths. RFC 3161 gives you formal evidence recognized by legal tools—but it depends on the provider staying in business. Blockchain gives you a permanent, sovereign anchor that French courts already recognize—but without an automatic legal presumption. Used together, they complement each other well.

RFC 3161 and blockchain both supply strong technical building blocks for an evidence bundle. The judge still decides how much weight to give them.

Qualified eIDAS is the gold standard: automatic presumption in Europe, with the other party bearing the burden of showing the timestamp is wrong. That is what regulated industries reach for when litigation is a real risk.

Where you land on the scale is a judgment call. On-chain anchoring alone is enough for most everyday uses, and the same holds for non-qualified RFC 3161 timestamping. Two valid approaches, two different strengths, both at modest cost.

Adding a qualified eIDAS layer brings statutory presumption—what you want for a patent filing or a six-figure commercial dispute.

Choose your level of protection with your eyes open. The rest is marketing.

Back to blogProtect now

Related articles

Digital timestamping explained simply: how to protect your creations

Digital timestamping explained simply: how to protect your creations You’ve just finished your novel. Or drawn your company logo. Or documented an invention you can’t afford to patent yet. And you...

5 min read

Why Protect Your Creations When You're an Amateur Creator?

Why Protect Your Creations When You're an Amateur Creator? The illusion of "I'm just an amateur" You draw in the evening after work, you write short stories on weekends, you compose music in your...

10 min read