Trust Center/Standards

Standards we implement

StandardScopeWhere it applies in sigill.ai
RFC 3161Internet X.509 PKI Time-Stamp ProtocolAll timestamp endpoints; archival re-stamping per RFC 3161 §4
RFC 5816ESSCertIDv2 — SHA-2 update to RFC 3161Required of upstream TSAs we relay from when SHA-2 is in use; verified by us on every returned token
RFC 5652Cryptographic Message Syntax (CMS)Foundation for CAdES and PAdES SignedData structures
RFC 5126CMS Advanced Electronic Signatures (CAdES)CAdES-BES and CAdES-T detached signatures for non-PDF files
ETSI EN 319 122-1CAdES baseline signaturesDetached .p7s seals for non-PDF documents
ETSI EN 319 142-1PAdES baseline signatures and profilesEmbedded signatures inside sealed PDFs, with embedded RFC 3161 timestamp
ETSI EN 319 401General policy requirements for trust service providersReference framework for our operational controls. sigill.ai is not yet audited against it — see compliance posture.
ETSI EN 319 411-1 / -2Policy and security requirements for CAs issuing qualified certificatesReference framework for CAs that issue the seal certificates customers bring (BYOC). sigill.ai does not issue certificates and is not itself a CA. Qualified electronic seals (QESeal) are not offered today — they are on the 2026 roadmap.
ETSI EN 319 421Policy and security requirements for TSAsReference framework for the qualified TSAs sigill.ai aggregates via the EU Trust List.
ETSI TS 119 461Identity proofing of trust service subjectsReference framework. Identity proofing for any customer-brought seal certificate (BYOC) is performed by the issuing CA under their own audited procedures — sigill.ai does not perform face-to-face or remote video identity proofing.
eIDAS Regulation (EU) 910/2014, as amended by 2024/1183EU framework for electronic identification and trust servicesGoverns the qualified RFC 3161 timestamps sigill.ai relays via qualified TSAs. Qualified electronic seals (QESeal) are on the 2026 roadmap; today Sigill applies advanced electronic seals (AdES) — either with the customer's own certificate (BYOC) or with the Sigill Platform Seal certificate — including AdESeal-QC where the signing certificate is a qualified certificate for electronic seal.

External trust anchors

sigill.ai is not the trust anchor. It is an aggregator that routes timestamp requests to independent Timestamp Authorities and returns their signed tokens, and that produces PAdES/CAdES seals bound to certificates issued by external Certificate Authorities. Timestamps are verified against the issuing TSA; seals are verified against the sealing certificate and its issuing CA chain. Either path can be verified directly, without contacting Sigill.

Standard Timestamping

Standard RFC 3161 timestamping uses Sigill-managed automatic routing with redundancy and failover. Customers do not select individual Sigill-managed non-qualified timestamp sources; customer-managed RFC 3161 endpoints can be configured separately as BYOT authorities.

Qualified Timestamp Authorities (eIDAS)

The qualified-timestamp path routes to TSAs that appear on the EU List of Trusted Lists (LOTL). The current qualified TSA is:

QTSACurve / keyStatus
SK ID Solutions (Estonia) — ECC endpointECCActive default
SK ID Solutions (Estonia) — RSA endpointRSAActive fallback

EU List of Trusted Lists (LOTL)

sigill.ai runs a background worker that fetches the EU LOTL every six hours, follows every national Trusted List pointer, and extracts the currently-active Qualified Trust Service certificates for Timestamping (TSA/QTST) and qualified Certificate Authorities (CA/QC). Those certificates form the trust store we validate qualified timestamps against. We do not maintain a hand-curated trust list — the authoritative source is the EU Commission's LOTL.