This page provides details on what is in the certificate and how it proves that the document is authentic.
The fundamental principle we rely on for this is the same mechanism that is used for SSL / HTTPS web sites.
When you visit a secure website - as most now are - there is a certificate that is published by the website. This certificate is paired with a "Private Key" that the owner of the site must keep secure as without this your browser will not accept that the site is secure and you would see an SSL/Certificate error. Also if the site were to allow the "Private Key" to become known anyone would be able to create a fake copy of their web site.
When a partner wants us to certify a document is authentic for them they send us 3 pieces of data:
The hash of the file. (This is a very long number that is unique to the file and can be computed from its contents).
The name of the website whose private key was used to sign the file.
A digital signature.
When we receive this data we retrieve the certificate from their website - with this we can check that the signature is valid for that hash. And if so we store the information as a authentic file.
When you visit our website and drop a file into the box the following happens:
Your browser computes the "hash" of the file from the contents.
The browser then send this "hash" to our server.
Our servers looks up in our list of all valid documents to see if we have that hash.
If we do we know it is valid - if not we do not know either way.