A digital signature proves who has signed a file. A time stamp shows when the file was signed. This is comparable to signing a document in the presence of a notary. In this case the notary witnesses both the identity of the signatory and the time of signing. Both the PDF Signing and Code Signing certificates are suitable for time stamping PDF files and software.
Long term validation
Digital signatures are designed primarily for the purpose of immediate validation after signing. For safety reasons, certificates have a limited validity period. The technology used to design digital signatures is constantly evolving. Used algorithms can eventually be hacked by increasingly powerful computers, which is why increasingly stronger algorithms are used. This makes digital signatures less suitable for the purpose of long-term validation, while this is exactly what is required when signing, for example, digital invoices and other documents that have to be archived.
Using digital signatures provides the possibility of completely digitalizing the paper-flow within your company. This helps companies save a great deal of space, time and money because a digitally signed document is legally valid (instead of, for example, a paper version of said document). A logical consequence is the need for digital archiving where checking of documents should also be possible after ten or more years. Invoices, to name an example, have a retention period of 6 years.
The validity of a digital signature depends on the validity of the digital certificate that was used. If the certificate is no longer valid, the digital signature will show an error message. As a consequence, the validity of a digital signature is often only a couple of years. On top of this, the parent root certificate of the certificate might have a validity period of, for example, ten years. Another possibility is that the Certificate Authority (CA) might cease to exist. In all of the cases mentioned above, it is no longer possible to validate the digitally signed document. Using a timestamp in combination with a digital signature will prevent error messages. The timestamp will prove that the certificate was valid at the time it was signed, and because of this the timestamp never becomes invalid. This enables long term validation even if the certificate used or the root certificate is no longer valid, or if the CA is no longer active.
Most signing software offers the option of adding a timestamp to a digital signature. In doing so, the exact time and date of the signing is recorded within the digital signature. The time in the timestamp is based on an external and independent timestamp server (TSA), which gives the signature the added value of the placing of the timestamp by an independent third party.
Example of a signed PDF with time stamp: