How it works
Privacy first — your document never leaves your device
The RFC 3161 protocol is designed so that the TSA never sees your document. Only a cryptographic hash of the document is transmitted.
Step by step
- Hash computation — Your client computes a SHA-256 (or SHA-384/512) hash of the document locally. The document is not transmitted.
- TimeStampRequest (TSQ) — The hash is packaged into an ASN.1-encoded TSQ structure (RFC 3161 §2.4.1) and sent as an HTTP POST to tsr.open-tsa.eu.
- TSA processing — The server receives the hash, wraps it with the current UTC time and a serial number, and signs it with the TSA Signing Certificate.
- TimeStampResponse (TSR) — The signed token is returned as a binary ASN.1 structure. It contains the hash, timestamp, policy OID, serial number, and the TSA signature.
- Verification — At any future point, the TSR can be verified against the original document using the CA certificates. The verification confirms that the hash in the TSR matches the document, and that the TSA signature is valid.
What the TSR proves
- The document existed in its exact form at the stated timestamp
- The timestamp was issued by a specific TSA (identified by certificate)
- The document has not been modified since the timestamp was issued (any change would invalidate the hash)
What it does not prove
- The identity of who created the document (use a digital signature for that)
- That the document was created at that time (only that it existed by that time)
- The document’s legal validity (depends on jurisdiction and use case)
eIDAS note: Open TSA timestamps are not eIDAS-qualified. For regulated use cases requiring qualified electronic timestamps, use a qualified TSP (Trust Service Provider) such as D-Trust.