Sealing
The seal is a property of the bytes
A wet stamp on a printed page is one stamper, one moment, one piece of paper. A digital seal must be all of that — plus verifiable by anyone, decades from now, without trusting us to confirm it. We layer four published cryptographic standards so the seal survives copy-paste, server outages, and EngineeringID itself going away.
Executive summary
One sealing operation produces a SHA-256 hash of the document bytes, an X.509 PKI digital signature over that hash, an RFC 3161 timestamp from a third-party authority, and a PDF/A archival conversion. Any change to a single byte breaks the hash; the seal becomes mathematically invalid.
Sealing requires MFA, a current credential, and an active session — the gate is at the moment of signing, not at login. A stolen session cookie cannot produce a forged seal. A leaked password cannot produce a forged seal. The friction is the feature.
Our commitments
Five rules for the sealing operation
The hash is over the bytes, not a representation
We hash the raw PDF stream, not a normalized rendering. Re-saving, flattening, or rewriting metadata changes bytes and invalidates the seal.
The timestamp is from an external clock — on every seal
Every seal carries an RFC 3161 timestamp from DigiCert's public TSA, embedded in the PDF and stored on the seal record. The seal time is signed by an independent third party — we cannot backdate or alter it after the fact.
MFA gates every seal
Even on a fully trusted device with an active session, sealing requires a fresh TOTP. The gate is at the moment of signing, not at login.
The credential must be current at seal time
An expired or suspended license fails the gate before the cryptographic operation runs. Backdated seals against expired licenses are not possible.
Verification works without us
The seal is a PKCS #7 / X.509 container — verifiable with Acrobat, openssl, or any standard tool. Our infrastructure can disappear and the seal still verifies.
Implementation — the seal envelope
What sealing actually does
Implementation — batch sealing
When you need to seal a hundred at once
The full picture
What is built, what is being built, and what we chose not to build
Live today
Single-document sealing with the full envelope
LiveSHA-256 + X.509 + RFC 3161 + PDF/A-2b in a single operation. The DigiCert TSA token is embedded in the PDF's PKCS#7 SignerInfo and persisted on the seal record on every seal (KMS and BYO-key).
Batch sealing via Oban
LiveMulti-document with per-item retry, real-time progress, partial-failure tolerance.
Cloud storage post-commit upload
LiveSealed documents auto-sync to S3 / Azure / Google Drive / SharePoint / Box / etc.
Public verification API
LivePOST /v1/verify/pdf — anyone can confirm authenticity without an account.
Bring-your-own X.509 certificate
LiveUse a cert from your existing CA; we never see the private key for those signatures.
Building now
Long-Term Validation (LTV) embedding
Building nowETSI PAdES B-LTA — embed the full revocation chain so seals stay verifiable after the signing cert expires.
Target: this quarter.
Multi-page seal placement controls
Building nowPer-page seal positioning rules instead of single-page default.
Roadmap
Customer-configurable RFC 3161 TSA endpoint
RoadmapOrg-level TSA selection — point seals at your compliance team's pre-approved authority instead of the platform default. Today the TSA is set platform-wide via the TSA_URL environment variable.
Hardware-backed signing keys (BYO KMS)
RoadmapPer-customer KMS-resident signing keys so private material never leaves the customer's HSM.
Post-quantum hybrid signatures
RoadmapCRYSTALS-Dilithium primitives are compiled into the Rust NIF. Production signing callers are not yet wired.
On-document QR verification code
RoadmapOptional embedded QR linking directly to the verification page.
Considered & rejected
Blockchain-anchored seals
Considered & rejectedA SHA-256 hash plus an RFC 3161 timestamp from a CA-grade authority gives the same tamper evidence at zero per-seal cost.
Why we rejected it: blockchain solves "no trusted third party exists." We have one — the TSA. RFC 3161 is the eIDAS / 21 CFR Part 11 / common-law-evidence answer to "prove this was unmodified at this time." Blockchain adds latency, unbounded cost, and probabilistic finality without solving any problem we have.
"Normalized" PDF hashing
Considered & rejectedA hash that is stable across "harmless" edits is, by definition, a hash that hides edits.
Why we rejected it: every normalization rule is a way to silently accept some changes. The right answer is: hash the bytes. If the document changes, the hash changes. If you want to seal a different version, seal it explicitly.
Persistent "MFA bypass for sealing" for power users
Considered & rejectedThe MFA prompt at seal time is the entire point. A bypass collapses the gate to login-only.
Why we rejected it: we accept the friction of one TOTP code per seal. The cost is six digits; the benefit is that a stolen session cannot produce a forged engineering seal.
Visual-only watermarks as integrity proof
Considered & rejectedWatermarks survive until the first screenshot. Cryptographic hashes do not survive even one bit change.
Why we rejected it as integrity: the visual stamp is for human recognizability. The cryptographic surface is the integrity. They are different layers — we do not pretend a watermark is tamper detection.
Compliance mappings
Controls this surface satisfies
Detection of Anomalies
Hash mismatch is a deterministic anomaly signal
Cryptographic controls
NIST/IETF-standardized primitives end-to-end
Validation of systems
Documented controls and audit trail for electronic records
Retention of contracts and records
PDF/A-2b archival format meets long-term retention
Legal recognition of electronic signatures
Attribution + intent to sign + consumer disclosure
For compliance teams
Questions you do not need to call to ask
What changes invalidate a seal?
Can a verifier check a seal offline?
What happens to seals when the signing certificate expires?
How does sealing fail safely?
Can we use our own signing certificate?
What's the verification rate limit?
Sealing that holds up to its own audit
Read the deeper document-integrity story or talk to our team about your specific control requirements.