Standards
Sigill.ai implements published IETF and ETSI standards rather than proprietary cryptographic schemes. Conformance is a correctness rule: non-conforming output cannot be verified by independent tooling such as openssl ts -verify, Adobe Acrobat Reader, or the eIDAS DSS demo validator.
Standards we implement
| Standard | Scope | Where it applies in Sigill.ai |
|---|---|---|
| RFC 3161 | Internet X.509 PKI Time-Stamp Protocol | All timestamp endpoints; archival re-stamping per RFC 3161 §4 |
| RFC 5816 | ESSCertIDv2 — SHA-2 update to RFC 3161 | Required of upstream TSAs we relay from when SHA-2 is in use; verified by us on every returned token |
| RFC 5652 | Cryptographic Message Syntax (CMS) | Foundation for CAdES and PAdES SignedData structures |
| RFC 5126 | CMS Advanced Electronic Signatures (CAdES) | CAdES-BES and CAdES-T detached signatures for non-PDF files |
| ETSI EN 319 122-1 | CAdES baseline signatures | Detached .p7s seals for non-PDF documents |
| ETSI EN 319 132-1 | PAdES baseline signatures | Embedded signatures inside sealed PDFs |
| ETSI EN 319 142-1 | PAdES profiles | Profile selection for PDF seals, with embedded RFC 3161 timestamp |
| ETSI EN 319 401 | General policy requirements for trust service providers | Reference framework for our operational controls. Sigill.ai is not yet audited against it — see compliance posture. |
| ETSI EN 319 411-1 / -2 | Policy and security requirements for CAs issuing qualified certificates | Reference framework for the CA partners Sigill.ai routes qualified seal issuance to. Sigill.ai is not itself a CA. |
| ETSI EN 319 421 | Policy and security requirements for TSAs | Reference framework for the qualified TSAs Sigill.ai aggregates via the EU Trust List. |
| ETSI TS 119 461 | Identity proofing of trust service subjects | Reference framework. For qualified seal certificate issuance, identity proofing is performed by the CA partner under their own audited procedures — Sigill.ai does not itself perform face-to-face or remote video identity proofing. |
| eIDAS Regulation (EU) 910/2014, as amended by 2024/1183 | EU framework for electronic identification and trust services | Governs the qualified timestamps and qualified electronic seal certificates that Sigill.ai resells or routes to. |
External trust anchors
Sigill.ai is not the trust anchor. It is an aggregator that routes timestamp requests to independent Timestamp Authorities and returns their signed tokens, and that produces PAdES/CAdES seals bound to certificates issued by external Certificate Authorities. The integrity of every proof returned by Sigill.ai can be verified against these authorities directly, without us in the loop.
Standard Timestamp Authorities
| TSA | Hash | Notes |
|---|---|---|
| DigiCert | SHA-256/512 | Adobe AATL-enrolled |
| GlobalSign | SHA-512 | Adobe AATL-enrolled |
| Sectigo | SHA-512 | Public TSA |
| SwissSign | SHA-512 | Public TSA |
| ai.moda RFC3161 | SHA-512 | Public TSA |
Qualified Timestamp Authorities (eIDAS)
The qualified-timestamp path routes to TSAs that appear on the EU List of Trusted Lists (LOTL). The current qualified TSA is:
| QTSA | Key type | Status |
|---|---|---|
| SK ID Solutions (Estonia) — ECC endpoint | ECC | Active default |
| SK ID Solutions (Estonia) — RSA endpoint | RSA | Active fallback |
EU List of Trusted Lists (LOTL)
Sigill.ai runs a background worker that fetches the EU LOTL every six hours, follows every national Trusted List pointer, and extracts the currently-active Qualified Trust Service certificates for Timestamping (TSA/QTST) and qualified Certificate Authorities (CA/QC). Those certificates form the trust store we validate qualified timestamps against. We do not maintain a hand-curated trust list — the authoritative source is the EU Commission's LOTL.
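The extraction step described above can be sketched as follows. This is an added example, not Sigill.ai's own code. It assumes the element names, namespace and service-type/status URIs of the ETSI TS 119 612 Trusted List schema, runs on a small constructed list, and leaves out fetching, following LOTL pointers and verifying the XML signature on each list, all of which must happen before any certificate is trusted.

```python
import base64
import xml.etree.ElementTree as ET

TSL = "{http://uri.etsi.org/02231/v2#}"          # Trusted List XML namespace
SVC = "http://uri.etsi.org/TrstSvc/Svctype/"
WANTED = {SVC + "TSA/QTST", SVC + "CA/QC"}       # qualified timestamping, qualified CA
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = GRANTED.replace("granted", "withdrawn")

def _svc(kind, status, cert_b64):
    # Builds one constructed TSPService entry for the sample list below.
    return (f"<TSPService><ServiceInformation>"
            f"<ServiceTypeIdentifier>{SVC}{kind}</ServiceTypeIdentifier>"
            f"<ServiceDigitalIdentity><DigitalId><X509Certificate>{cert_b64}"
            f"</X509Certificate></DigitalId></ServiceDigitalIdentity>"
            f"<ServiceStatus>{status}</ServiceStatus>"
            f"</ServiceInformation></TSPService>")

# Constructed sample: the "certificates" are placeholder bytes, not real DER.
SAMPLE_TL = (
    '<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">'
    "<TrustServiceProviderList><TrustServiceProvider><TSPServices>"
    + _svc("TSA/QTST", GRANTED, "QUFBQQ==")      # kept: qualified TSA, granted
    + _svc("TSA/QTST", WITHDRAWN, "QkJCQg==")    # dropped: no longer active
    + _svc("CA/QC", GRANTED, "Q0NDQw==")         # kept: qualified CA, granted
    + _svc("TSA", GRANTED, "RERERA==")           # dropped: non-qualified TSA
    + "</TSPServices></TrustServiceProvider></TrustServiceProviderList>"
    "</TrustServiceStatusList>")

def active_qualified_certs(tl_xml):
    """Return {service type URI: [certificate bytes]} for granted
    TSA/QTST and CA/QC services in one national Trusted List."""
    store = {}
    root = ET.fromstring(tl_xml)
    # ServiceInformation holds the current state; historical states live in
    # ServiceHistoryInstance elements and are deliberately not visited.
    for info in root.iter(TSL + "ServiceInformation"):
        kind = (info.findtext(TSL + "ServiceTypeIdentifier") or "").strip()
        status = (info.findtext(TSL + "ServiceStatus") or "").strip()
        if kind not in WANTED or status != GRANTED:
            continue
        for cert in info.iter(TSL + "X509Certificate"):
            store.setdefault(kind, []).append(base64.b64decode(cert.text))
    return store

if __name__ == "__main__":
    for kind, certs in active_qualified_certs(SAMPLE_TL).items():
        print(kind, len(certs))
```

Filtering on both service type and status is what keeps a withdrawn qualified TSA, or a non-qualified one listed by the same provider, out of the trust store.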