by dspillett
1283 days ago
Could you abuse LetsEncrypt as a content signing service? Take the information you want signed, including a timestamp for good measure, and of course some form of your identity, generate a secure enough hash for it, use that as a sub-domain and get a certificate for it via LE?

So my document plus meta-data like my legal name & email address hashes to b8e24cce6743bf2d86195d1781b068b6fdf1e12a413eb61c16e32e1e5f64f5cc, I get a certificate for b8e24cce6743bf2d86195d1781b068b6fdf1e12a.413eb61c16e32e1e5f64f5cc.sha3-256.docs.mydomain.tld from LE (extra “.” due to the 63 characters per name part limit in DNS specs). By handing over the certificate LE has effectively signed to say that hash was presented to it at that time. The fact the certificate expires in three months is not relevant: that hash was signed at that time, so it must have been generated then or before then, and it is mathematically impossible (assuming a good hashing algorithm was picked) that, when challenged at a later date, I managed to manufacture content that hashes to that value and looks like what I'm claiming to be legitimate & extant at the relevant time, and it is similarly implausible that I forged a certificate that looks like it was signed using one of LE's signing certificates.

Of course the next challenge is convincing people that the certificate means this, and that fact is legally meaningful (assuming, for instance, the “signature certificate” is being verified to prove you created the content before someone who claims something more recent of theirs is prior art).

You also need to stay within LE's limits, so if using only one domain that is at most 50 signed documents per week if you do each individually. You could batch the documents to be signed up in a single set and hash that instead of individual documents, so if you are happy with daily granularity that is only 7/week. If sticking to a regular interval with nice round numbers you can get approx 4-hour granularity (4 signing timeslots per day, so 42 per week, leaving you 8 in case there are circumstances where something time sensitive wants signing right this instant).
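An added sketch of the naming scheme described in the comment above (not code from the commenter): it hashes a document with its metadata, splits the SHA3-256 hex digest into DNS labels, and checks whether a certificate's DNS name commits to a given document. The function names, the JSON and length-prefix serialisation, and the batch construction are assumptions made for this example; the suffix is the comment's placeholder zone.

```python
import hashlib
import json

MAX_LABEL = 63   # DNS limit per label, as noted in the comment
MAX_NAME = 253   # DNS limit for the whole name in text form
SUFFIX = "sha3-256.docs.mydomain.tld"  # placeholder zone from the comment


def commitment_digest(document: bytes, metadata: dict) -> str:
    """SHA3-256 over metadata and document, each length-prefixed so that
    two different (metadata, document) pairs cannot serialise identically."""
    meta = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    h = hashlib.sha3_256()
    for part in (meta, document):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()


def batch_digest(digests: list[str]) -> str:
    """One digest for a batch (assumed scheme): hash the sorted per-document digests."""
    h = hashlib.sha3_256()
    for d in sorted(digests):
        h.update(bytes.fromhex(d))
    return h.hexdigest()


def commitment_hostname(digest_hex: str, suffix: str = SUFFIX, label_len: int = 40) -> str:
    """Split the hex digest into DNS labels and prepend them to the suffix."""
    if not 0 < label_len <= MAX_LABEL:
        raise ValueError("label length must be 1..63")
    labels = [digest_hex[i:i + label_len] for i in range(0, len(digest_hex), label_len)]
    name = ".".join(labels + [suffix]).lower()
    if len(name) > MAX_NAME:
        raise ValueError("hostname exceeds 253 characters")
    return name


def name_commits_to(san_name: str, document: bytes, metadata: dict, suffix: str = SUFFIX) -> bool:
    """True if a certificate's DNS name encodes this document's digest.
    Label boundaries are ignored, so any split of the digest is accepted."""
    san_name = san_name.lower().rstrip(".")
    if not san_name.endswith("." + suffix):
        return False
    encoded = san_name[: -len(suffix) - 1].replace(".", "")
    return encoded == commitment_digest(document, metadata)
```

This covers only the name construction and matching; validating the certificate chain and reading the issuance time from the certificate are separate steps for the verifier.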