Standards
sigill.ai implements published IETF and ETSI standards rather than proprietary cryptographic schemes. Conformance is a correctness rule: non-conforming output cannot be verified by independent tooling such as openssl ts -verify, Adobe Acrobat Reader, or the eIDAS DSS demo validator.
Standards we implement
| Standard | Scope | Where it applies in sigill.ai |
|---|---|---|
| RFC 3161 | Internet X.509 PKI Time-Stamp Protocol | All timestamp endpoints; archival re-stamping per RFC 3161 §4 |
| RFC 5816 | ESSCertIDv2 — SHA-2 update to RFC 3161 | Required of upstream TSAs we relay from when SHA-2 is in use; verified by us on every returned token |
| RFC 5652 | Cryptographic Message Syntax (CMS) | Foundation for CAdES and PAdES SignedData structures |
| RFC 5126 | CMS Advanced Electronic Signatures (CAdES) | CAdES-BES and CAdES-T detached signatures for non-PDF files |
| ETSI EN 319 122-1 | CAdES baseline signatures | Detached .p7s seals for non-PDF documents |
| ETSI EN 319 142-1 | PAdES baseline signatures and profiles | Embedded signatures inside sealed PDFs, with embedded RFC 3161 timestamp |
| ETSI EN 319 401 | General policy requirements for trust service providers | Reference framework for our operational controls. sigill.ai is not yet audited against it — see compliance posture. |
| ETSI EN 319 411-1 / -2 | Policy and security requirements for CAs issuing qualified certificates | Reference framework for CAs that issue the seal certificates customers bring (BYOC). sigill.ai does not issue certificates and is not itself a CA. Qualified electronic seals (QESeal) are not offered today — they are on the 2026 roadmap. |
| ETSI EN 319 421 | Policy and security requirements for TSAs | Reference framework for the qualified TSAs sigill.ai aggregates via the EU Trust List. |
| ETSI TS 119 461 | Identity proofing of trust service subjects | Reference framework. Identity proofing for any customer-brought seal certificate (BYOC) is performed by the issuing CA under their own audited procedures — sigill.ai does not perform face-to-face or remote video identity proofing. |
| eIDAS Regulation (EU) 910/2014, as amended by 2024/1183 | EU framework for electronic identification and trust services | Governs the qualified RFC 3161 timestamps sigill.ai relays via qualified TSAs. Qualified electronic seals (QESeal) are on the 2026 roadmap; today Sigill applies advanced electronic seals (AdES) — either with the customer's own certificate (BYOC) or with the Sigill Platform Seal certificate — including AdESeal-QC where the signing certificate is a qualified certificate for electronic seal. |
External trust anchors
sigill.ai is not the trust anchor. It is an aggregator that routes timestamp requests to independent Timestamp Authorities and returns their signed tokens, and that produces PAdES/CAdES seals bound to certificates issued by external Certificate Authorities. Timestamps are verified against the issuing TSA; seals are verified against the sealing certificate and its issuing CA chain. Either path can be verified directly, without contacting Sigill.
Standard Timestamping
Standard RFC 3161 timestamping uses Sigill-managed automatic routing with redundancy and failover. Customers do not select individual Sigill-managed non-qualified timestamp sources; customer-managed RFC 3161 endpoints can be configured separately as BYOT authorities.
Qualified Timestamp Authorities (eIDAS)
The qualified-timestamp path routes to TSAs that appear on the EU List of Trusted Lists (LOTL). The current qualified TSA is:
| QTSA | Curve / key | Status |
|---|---|---|
| SK ID Solutions (Estonia) — ECC endpoint | ECC | Active default |
| SK ID Solutions (Estonia) — RSA endpoint | RSA | Active fallback |
EU List of Trusted Lists (LOTL)
sigill.ai runs a background worker that fetches the EU LOTL every six hours, follows every national Trusted List pointer, and extracts the currently-active Qualified Trust Service certificates for Timestamping (TSA/QTST) and qualified Certificate Authorities (CA/QC). Those certificates form the trust store we validate qualified timestamps against. We do not maintain a hand-curated trust list — the authoritative source is the EU Commission's LOTL.