Digital Timestamp

In order to prove that a certain document was created before a certain time, you can timestamp it. Such a timestamp needs to be authorative. Therefor, it is common to have a trusted third party declare that the document was created on of before a certain timestamp.

Trusted Third Parties
Naturally, the document creator is not to be trusted, since he can have manually changed the creation or modification timestamp of a file.

Typically public notaries can provide a timestamp service.

However, there are also electronic timestamp services:
 * http://www.digistamp.com/ (commercial, $0.40/document, USA-based, uses X.509)
 * http://timestamping.edelweb.fr/ (free, experimantal, France based, uses X.509)
 * http://www.signedtimestamp.org/ (free, Netherlands based, uses PGP)
 * http://www.itconsult.co.uk/stamper.htm (free, UK-based, uses PGP)

PGP
PGP Time-staamp services are often rather straightforward: they take an e-mail message, add a timestamp to the content and return the message, signed with their private key. If you trust that key, you proved the creation date. Verification is as straightforward as verifying any PGP message.

Time-Stamp Protocol
RFC 3161 defines the "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)". All X.509 services above use this protocol. Basically, it does not sign documents, but merely the hash of a document. The advantage is that a document will not be exposed to the time stamping service.

See also: http://en.wikipedia.org/wiki/Time_stamp

Verification
The TSP timestamp is basically a signed message with the hash of the document and a timestamp. It is typically (always?) in PCKS #7 format.

Verification of a Signed TSP message requires you to:
 * Extract the hash and timestamp of the PCKS #7 message
 * Verify that the hash is the same as the hash of the original document (which you should keep, unmodified!)
 * Verify the trustworthyness of the X.509 signing certificate.

You can make these verification using OpenSSL version 0.9.9 and up. Use the "openssl ts" keyword. However, 0.9.9 is not yet released, so in the mean time you will have to patch 0.9.8 using a patch available from OpenTSA.

... The exact commands for verification should be added ...