What is a Trust Service Provider (TSP)?
A trust service provider (TSP) is an organization that supplies the electronic trust services underpinning digital signatures — issuing digital certificates, providing trusted timestamps, and creating and validating electronic seals. In effect, a TSP is the accountable party that verifies identities and vouches for the credentials your signatures rely on. Under the EU's eIDAS regulation, a subset called qualified trust service providers (QTSPs) are audited and supervised by member states and appear on official Trusted Lists, giving the highest assurance. A TSP is the human-and-organizational trust behind the cryptography.
The organization behind the math
Digital signatures are built on cryptography, but cryptography alone doesn't create trust. A key pair is just numbers; a certificate is only meaningful if someone credible verified the identity it claims. That "someone credible" is a trust service provider (TSP) — the organization that stands behind the credentials and vouches that the trust is real.
Put simply: the math proves that a signature is internally consistent, but a TSP is why you believe the identity attached to it. It's the accountable entity in the system.
What a TSP actually provides
The term "trust service" covers several related functions. A TSP may offer some or all of them:
- Issuing digital certificates. The TSP verifies an applicant's identity and issues an X.509 certificate binding a public key to that verified identity. In this role, a TSP acts as a certificate authority (CA).
- Providing trusted timestamps. The TSP runs a time-stamping authority that attests, independently, to when a document was signed — proof that doesn't rely on anyone's local clock.
- Creating and validating electronic seals. Similar to a signature but for organizations rather than individuals, an electronic seal proves a document's origin and integrity at the entity level.
- Preserving signatures over time. Some TSPs offer long-term preservation services so signatures stay verifiable for years, even after certificates expire.
- Validating signatures. Confirming, on request, that a given signature and its certificate chain are genuine and valid.
Not every TSP does all of these, but together these services form the backbone of trustworthy electronic transactions.
Ordinary vs qualified TSPs
Under the EU's eIDAS regulation, trust service providers come in two grades:
Non-qualified TSPs offer trust services and are subject to general obligations, but aren't held to the strictest regulatory bar. Their services are useful and widely used.
Qualified trust service providers (QTSPs) are the top tier. To earn the "qualified" status, a QTSP must:
- Undergo a conformity assessment by an accredited auditor.
- Be granted qualified status by a national supervisory body.
- Appear on an EU member state's official Trusted List — a public, government-maintained register of approved providers.
Only a QTSP can issue the qualified certificates and provide the qualified timestamps needed for a qualified electronic signature (QES), the tier that legally equals a handwritten signature across the EU. The supervision and public accountability are what elevate a QTSP above an ordinary one.
How a TSP earns your trust
The whole point of a TSP is accountability. A reputable provider:
- Verifies identities rigorously before issuing certificates, so a credential genuinely belongs to the named party.
- Protects its own keys with extreme care — a compromised root or intermediate key would undermine every certificate it ever issued.
- Publishes revocation information so that if a certificate is compromised, verifiers can learn it's no longer valid (via CRL or OCSP).
- Submits to audits (in the qualified case) that hold it to published standards.
This is why your operating system and PDF reader ship with a pre-installed list of trusted roots: those roots belong to TSPs that have met recognized bars for security and process.
TSPs and the Adobe Approved Trust List
For PDF signatures in particular, there's a parallel to eIDAS's Trusted Lists: the Adobe Approved Trust List (AATL). Adobe vets certificate authorities and, if they meet its requirements, adds them to the AATL. When a document is signed with a certificate that chains up to an AATL member, common PDF readers automatically recognize and trust it. In both cases — an EU Trusted List and the AATL — the idea is the same: a curated, accountable set of providers that software can trust on your behalf.
Where PearSign fits
PearSign's tamper-evident signatures rely on this trust infrastructure. Completed documents are sealed with a digital certificate that chains up to the Adobe Approved Trust List, so the trust behind each signature traces back to a vetted, accountable authority — and standard PDF readers can confirm it without any setup on the recipient's side.
FAQ
What is a trust service provider?
A trust service provider (TSP) is an organization that supplies the electronic trust services behind digital signatures — issuing digital certificates, providing trusted timestamps, and creating or validating electronic seals. It's the accountable party that verifies identities and vouches for the credentials your signatures depend on.
What is the difference between a TSP and a certificate authority?
A certificate authority is a specific role — issuing digital certificates — that a trust service provider performs. "TSP" is the broader term: it covers certificate issuance plus other services like trusted timestamping, electronic seals, and long-term signature preservation. Every CA is a kind of TSP, but a TSP may offer more than certificates.
What is a qualified trust service provider (QTSP)?
A QTSP is a trust service provider that has passed a formal conformity assessment, been granted qualified status by a national supervisory body, and been added to an EU member state's official Trusted List. Only a QTSP can issue the qualified certificates and timestamps required for a qualified electronic signature.
Why do I need to trust a TSP at all?
Because cryptography alone can't confirm whose key is whose. A TSP is the accountable organization that verifies identities and issues the certificates that bind keys to real parties. Your trust in a signature ultimately rests on trusting the provider that vouched for the identity behind it.
How is a TSP related to the Adobe Approved Trust List?
The AATL is Adobe's curated list of certificate authorities — a form of trust service provider — that it has vetted for PDF signing. When a document is signed with a certificate chaining to an AATL member, PDF readers trust it automatically. It plays a role similar to the EU's Trusted Lists: a vetted, accountable set of providers software can rely on.
Ready to send your first document with PearSign?
AI drafts it, places the fields, and collects every signature — sealed and audit-trailed.
This article is general information about electronic signatures and related standards — not legal advice. For your specific situation, consult qualified counsel in your jurisdiction.