I will talk on this page of everything related to security and authentication on the Internet.

PGP and GPG are two compatible asymmetric encryption and signing software. Their features are:

• encrypting emails or files: you use the public key of the receiver to encrypt the message so that only the receiver can decrypt it (using his associated private key).

  gpg --recipient <user-id> --encrypt <file>
  gpg --decrypt <file>.gpg

• signing emails or files: you use your own private key to sign the message so that anyone can verify with you public key that you are the author of the message, and that the message was not altered.

  gpg --detach-sign --armor <file>
  gpg --verify <file>.asc

For emails, you should use some software to automatically manage your keyring and sign, verify signatures, encrypt and decrypt messages, like the Enigmail addon with Thunderbird.

If a trusted third party signs with its private key a document of yours, then it will prove the integrity and the timestamp of your document.

There are a few working and easy enough to use services for individuals:

• https://www.universign.eu/: legally certified, you have 10 free seals. Size limited.
• http://www.itconsult.co.uk/stamper.htm: probably not legally certified, but trustworthy enough for some use. Size limited to 1MB.

Others have more critical limitations:

• http://www.certinomis.com/ and http://www.cachetelectroniquedelaposte.fr: legally certified, but no online registration, needs subscription, and probably too expensive for personal use.
• http://time.certum.pl/: untested, only works with a software client.
• Polito.it: untested, only works with a software client.
• http://www.opentsa.org: only software to make one, experimental.

You can also use a software client to use the RFC 3161 protocol, with a server providing the service:

• https://sites.google.com/site/ntpserverspl/client-tsc-rfc3161: binary only, untested
• /etc/ssl/misc/tsget from openssl, untested
• CryptLib: only a lib ? untested

One problem I encountered with all providers I tried is that they limit the file size (at least for free services), around 1 MB.

So what I do is that I sign the large file with my own PGP key, then I officially timestamp my signature. My PGP key doesn't need to be reliable, only the algorithm used to sign with it needs to be reliable in order to prove that the file was not modified. Actually only a hash would be necessary, and this is what RFC 3161 clients do when the service is not limited. But of course it is better to directly timestamp your file if you can do so.