What RFC 3161 trusted timestamping means for a sustainability report

ESG disclosure has a credibility problem. Most reports are PDFs. PDFs can be edited after issuance. There is no cryptographic guarantee that a quarterly disclosure was written when it claims to have been written, with the data it claims to have used.

What RFC 3161 does

RFC 3161 defines a Time-Stamping Protocol where a Trusted Timestamp Authority signs a hash of your document with the current time. The signature is verifiable by anyone with the TSA's public certificate chain. EcoVeraZ uses FreeTSA in development and DigiCert in production environments.

The full chain

When EcoVeraZ renders a report: (1) the canonical machine-readable payload is content-hashed via SHA-256, (2) the hash is sent to the TSA, (3) the TSA returns a signed token with the current time and a unique serial, (4) the serial is embedded in a sibling artifact alongside the report. The customer can run openssl ts -verify -in <token> -CAfile <tsa-chain> to independently verify the timestamp without trusting EcoVeraZ at all.

Why this matters

Audit committees can demonstrate to regulators that the disclosure they signed off on existed in its current form on the issuance date. Customers can re-render any historical report and confirm the same content fingerprint emerges - the report has not been silently altered. Regulators investigating after the fact have an externally-anchored timestamp they did not have to trust the platform vendor for.

What it does not do

Trusted timestamping does not certify the truth of the underlying data. It certifies that the report content existed at the timestamped moment. EcoVeraZ separates verifiability from certification. Formal certification, assurance, or validation remains with authorized third parties.