Category

Electronic Signatures

New ETSI OIDs for signature validation services policies

Tags: #eIdAS, eIDAS, Electronic Signatures, OID, Qualified Electronic Signature Validation, Digital Trust Services, Trust Services, Trust Service Providers

The new draft ETSI TS 119 441 proposes the following OIDs for signature validation service policies:

  • itu-t(0) identified-organization(4) etsi(0) val-service-policies(9441) policy-identifiers(1) main(1)
  • itu-t(0) identified-organization(4) etsi(0) val-service-policies(9441) policy-identifiers(1) qualified(2)

That is:

  • OID 0.4.0.9441.1.1 as the main policy OID for validation services, and
  • OID 0.4.0.9441.1.2 as the policy OID identifying qualified validation services as defined in Articles 32 and 33 of Regulation (EU) No 910/2014 (eIDAS).

Since the specification is still a draft, the arc values above are provisional and should be checked against the published version before being hard-coded into a validation policy or a report parser.
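A policy identifier like the ones above is carried inside signatures and validation reports as an X.690 OBJECT IDENTIFIER, so a validator has to encode and decode it correctly rather than compare dotted strings. The following is an added example, not code from the original post nor from ETSI: it encodes the two draft OIDs quoted on this page to DER, decodes them back (rejecting truncated or non-minimal encodings), and classifies a received policy identifier. The function names (`encode_oid`, `decode_oid`, `classify_validation_policy`) are the editor's own, and the OID values are the draft values quoted above.

```python
"""DER encoding/decoding of the draft ETSI TS 119 441 validation policy OIDs.

Added example for this page; not part of the original post or of any ETSI text.
"""

# OIDs as quoted from the draft ETSI TS 119 441 text on this page (draft values).
SVP_MAIN = "0.4.0.9441.1.1"       # main signature validation policy
SVP_QUALIFIED = "0.4.0.9441.1.2"  # qualified validation service (eIDAS Art. 32/33)

OID_TAG = 0x06  # X.690 universal tag for OBJECT IDENTIFIER


def _base128(value: int) -> bytes:
    """Encode one sub-identifier as big-endian base-128 with continuation bits."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Return the DER TLV (tag, short-form length, value) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    # First arc is 0, 1 or 2; for 0 and 1 the second arc is limited to 0..39.
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    # X.690 packs the first two arcs into a single sub-identifier: 40*X + Y.
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([OID_TAG, len(body)]) + body


def decode_oid(der: bytes) -> str:
    """Parse a DER OBJECT IDENTIFIER TLV back to dotted form; reject malformed input."""
    if len(der) < 3 or der[0] != OID_TAG:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length > 127 or len(der) != 2 + length:
        raise ValueError("bad or long-form length")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    subids = []
    acc = 0
    for b in body:
        if acc == 0 and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    # Undo the 40*X + Y packing of the first two arcs.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    arcs.extend(subids[1:])
    return ".".join(map(str, arcs))


def classify_validation_policy(der: bytes) -> str:
    """Name the ETSI validation policy arc a DER identifier refers to."""
    try:
        dotted = decode_oid(der)
    except ValueError:
        return "malformed"
    return {SVP_MAIN: "main", SVP_QUALIFIED: "qualified"}.get(dotted, "unknown")


if __name__ == "__main__":
    for oid in (SVP_MAIN, SVP_QUALIFIED):
        der = encode_oid(oid)
        print(oid, "->", der.hex(), "->", decode_oid(der), classify_validation_policy(der))
```

Note that the only difference between the two policies on the wire is the final byte (0x01 versus 0x02), so a validator that wants to assert "qualified validation" must compare the full decoded identifier and must treat a truncated or non-minimal encoding as an error rather than silently matching a prefix.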

Article 32

Requirements for the validation of qualified electronic signatures

1.   The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:

(a) the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;

(b) the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;

(c) the signature validation data corresponds to the data provided to the relying party;

(d) the unique set of data representing the signatory in the certificate is correctly provided to the relying party;

(e) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;

(f) the electronic signature was created by a qualified electronic signature creation device;

(g) the integrity of the signed data has not been compromised;

(h) the requirements provided for in Article 26 were met at the time of signing.

2.   The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

3.   The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 33

Qualified validation service for qualified electronic signatures

1.   A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:

(a) provides validation in compliance with Article 32(1); and

(b) allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

2.   The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation service for a qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

A major step in signature interoperability: Commission Implementing Decision (EU) 2015/1506 of 8 September 2015


Simplification of electronic signature management is now a legal mandate across the European Union thanks to Commission Implementing Decision (EU) 2015/1506 of 8 September 2015, which lays down the specifications for the formats of advanced electronic signatures and advanced seals that public sector bodies must recognise pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.

This decision will have a great impact on the development of the Spanish Public Administration and will force a revision of Law 11/2007, Royal Decree 1671/2009 and Royal Decree 4/2010, as well as of the General State Administration's electronic signature policy, its certificate profile annex and one of the Technical Interoperability Standards.

You can read the Commission Implementing Decision below:

 

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 27(5) and 37(5) thereof,

Whereas:

(1) Member States need to put in place the necessary technical means allowing them to process electronically signed documents that are required when using an online service offered by, or on behalf of, a public sector body.

(2) Regulation (EU) No 910/2014 obliges Member States requiring an advanced electronic signature or seal for the use of an online service offered by, or on behalf of, a public sector body, to recognise advanced electronic signatures and seals, advanced electronic signatures and seals based on a qualified certificate and qualified electronic signatures and seals in specific formats, or alternative formats validated pursuant to specific reference methods.

(3) To define the specific formats and reference methods, existing practices, standards and Union legal acts should be taken into account.

(4) Commission Implementing Decision 2014/148/EU (2) has defined a number of the most common advanced electronic signature formats to be supported technically by the Member States, where advanced electronic signatures are required for an online administrative procedure. Establishing the reference formats aims at facilitating the cross-border validation of electronic signatures and at improving the cross-border interoperability of electronic procedures.

(5) The standards listed in the Annex to this Decision are the existing standards for formats of advanced electronic signatures. Due to the ongoing revision by the standardisation bodies of the long term archival forms of the referenced formats, standards detailing long-term archiving are excluded from the scope of this Decision. When the new version of the referenced standards is available, references to the standards and the clauses on long term archiving will be revised.

(6) Advanced electronic signatures and advanced electronic seals are similar from the technical point of view. Therefore, the standards for formats of advanced electronic signatures should apply mutatis mutandis to formats for advanced electronic seals.

(7) Where other electronic signature or seal formats than those commonly technically supported are used to sign or seal, validation means that allow the electronic signatures or seals to be verified across borders should be

(8) Where electronic signature or seal validation possibilities suitable for automated processing are available in a Member State's public services, such validation possibilities should be made available and provided to the receiving Member State. Nonetheless, this Decision should not impede the application of Articles 27(1) and (2) and 37(1) and (2) of Regulation (EU) No 910/2014 when the automated processing of validation possibilities for alternative methods is not possible.

(9) In order to provide for comparable requirements for validation and to increase trust in the validation possibilities provided by Member States for other electronic signature or seal formats than those commonly supported, the requirements set out in this Decision for the validation tools draw from the requirements for the validation of qualified electronic signatures and seals referred to in Articles 32 and 40 of Regulation (EU) No 910/2014.

(10) The measures provided for in this Decision are in accordance with the opinion of the Committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS DECISION:

Article 1

Member States requiring an advanced electronic signature or an advanced electronic signature based on a qualified certificate as provided for in Article 27(1) and (2) of Regulation (EU) No 910/2014, shall recognise XML, CMS or PDF advanced electronic signature at conformance level B, T or LT level or using an associated signature container, where those signatures comply with the technical specifications listed in the Annex.

Article 2

  1. Member States requiring an advanced electronic signature or an advanced electronic signature based on a qualified certificate as provided for in Article 27(1) and (2) of Regulation (EU) No 910/2014, shall recognise other formats of electronic signatures than those referred to in Article 1 of this Decision, provided that the Member State where the trust service provider used by the signatory is established offers other Member States signature validation possibilities, suitable, where possible, for automated processing.
  2. The signature validation possibilities shall:

(a) allow other Member States to validate the received electronic signatures online, free of charge and in a way that is understandable for non-native speakers;

(b) be indicated in the signed document, in the electronic signature or in the electronic document container; and

(c) confirm the validity of an advanced electronic signature provided that:

(1) the certificate that supports the advanced electronic signature was valid at the time of signing, and when the advanced electronic signature is supported by a qualified certificate, the qualified certificate that supports the advanced electronic signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I of Regulation (EU) No 910/2014 and that it was issued by a qualified trust service provider;

(2) the signature validation data corresponds to the data provided to the relying party;

(3) the unique set of data representing the signatory is correctly provided to the relying party;

(4) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;

(5) when the advanced electronic signature is created by a qualified electronic signature creation device, the use of any such device is clearly indicated to the relying party;

(6) the integrity of the signed data has not been compromised;

(7) the requirements provided for in Article 26 of Regulation (EU) No 910/2014 were met at the time of signing;

(8) the system used for validating the advanced electronic signature provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues.

Article 3

Member States requiring an advanced electronic seal or an advanced electronic seal based on a qualified certificate as provided for in Article 37(1) and (2) of Regulation (EU) No 910/2014, shall recognise XML, CMS or PDF advanced electronic seal at conformance level B, T or LT or using an associated seal container where those comply with the technical specifications listed in the Annex.

Article 4

  1. Member States requiring an advanced electronic seal or an advanced electronic seal based on a qualified certificate as provided for in Article 37(1) and (2) of Regulation (EU) No 910/2014, shall recognise other formats of electronic seals than those referred to in Article 3 of this Decision, provided that the Member State where the trust service provider used by the creator of the seal is established offers other Member States seal validation possibilities, suitable, where possible, for automated processing.
  2. The seal validation possibilities shall:

(a) allow other Member States to validate the received electronic seals online, free of charge and in a way that is understandable for non-native speakers;

(b) be indicated in the sealed document, in the electronic seal or in the electronic document container; and

(c) confirm the validity of an advanced electronic seal provided that:

(1) the certificate that supports the advanced electronic seal was valid at the time of sealing, and when the advanced electronic seal is supported by a qualified certificate, the qualified certificate that supports the advanced electronic seal was, at the time of sealing, a qualified certificate for electronic seal complying with Annex III of Regulation (EU) No 910/2014 and that it was issued by a qualified trust service provider;

(2) the seal validation data corresponds to the data provided to the relying party;

(3) the unique set of data representing the creator of the seal is correctly provided to the relying party;

(4) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of sealing;

(5) when the advanced electronic seal is created by a qualified electronic seal creation device, the use of any such device is clearly indicated to the relying party;

(6) the integrity of the sealed data has not been compromised;

(7) the requirements provided for in Article 36 of Regulation (EU) No 910/2014 were met at the time of sealing;

(8) the system used for validating the advanced electronic seal provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues.

Article 5

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Decision shall be binding in all its elements and directly applicable in all Member States.

 

Done in Brussels, 8 September 2015.

For the Commission

The President

Jean-Claude JUNCKER

 

ANNEX

List of technical specifications for XML, CMS or PDF advanced electronic signatures and the associated signature container

Advanced electronic signatures mentioned in Article 1 of the Decision must comply with one of the following ETSI technical specifications with the exception of clause 9 thereof:

XAdES Baseline Profile – ETSI TS 103171 v2.1.1 (1)

CAdES Baseline Profile – ETSI TS 103173 v2.2.1 (2)

PAdES Baseline Profile – ETSI TS 103172 v2.2.2 (3)

(1) http://www.etsi.org/deliver/etsi_ts/103100_103199/103171/02.01.01_60/ts_103171v020101p.pdf

(2) http://www.etsi.org/deliver/etsi_ts/103100_103199/103173/02.02.01_60/ts_103173v020201p.pdf

(3) http://www.etsi.org/deliver/etsi_ts/103100_103199/103172/02.02.02_60/ts_103172v020202p.pdf

Associated signature container mentioned in Article 1 of the Decision must comply with the following ETSI technical specifications:

Associated Signature Container Baseline Profile – ETSI TS 103174 v2.2.1 (4)

(4) http://www.etsi.org/deliver/etsi_ts/103100_103199/103174/02.02.01_60/ts_103174v020201p.pdf

 

List of technical specifications for XML, CMS or PDF advanced electronic seals and the associated seal container

Advanced electronic seals mentioned in Article 3 of the Decision must comply with one of the following ETSI technical specifications, with the exception of clause 9 thereof:

XAdES Baseline Profile – ETSI TS 103171 v2.1.1

CAdES Baseline Profile – ETSI TS 103173 v2.2.1

PAdES Baseline Profile – ETSI TS 103172 v2.2.2

Associated seal container mentioned in Article 3 of the Decision must comply with the following ETSI technical specifications:

Associated Seal Container Baseline Profile – ETSI TS 103174 v2.2.1

 

Guidelines on electronic signatures and the #eIDAS Regulation

The first regulation on electronic signature took place in the United States, and in the works of international organizations such as United Nations Commission on International Trade Law (UNCITRAL).

The United Nations published the Model Law on Electronic Commerce (1996) and the Model Law on Electronic Signatures (2001).

At the European level, common regulation was based until 2016 on Directive 1999/93/EC, establishing a Community framework for electronic signatures, and on Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce.

On 23 July 2014 (published in the Official Journal of the European Union on 28 August 2014), the European Parliament and the Council of the European Union adopted Regulation (EU) No 910/2014 (known by the hashtag #eIDAS) on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC.

The repeal of the Directive should lead to the repeal of the national laws enacted under its mandate, but in practice that repeal is not explicit and raises problems of interpretation when an article of the national law (in Spain, Law 59/2003) conflicts with the Regulation, which is directly applicable.

From 1 July 2016 (Article 50), a transitional regime runs until 1 July 2017, during which secure signature creation devices whose compliance was determined in accordance with Directive 1999/93/EC are considered qualified electronic signature creation devices under the new Regulation.

During this period, "recognised" (qualified) certificates of natural persons issued earlier are considered qualified certificates of natural persons under the new Regulation until they expire. Recognised certificates of legal persons issued earlier, however, are NOT considered qualified certificates under the new Regulation.

From 1 July 2016 to 1 July 2017, certification service providers issuing recognised certificates of natural persons may continue to provide the service and keep their status as qualified trust service providers, although to keep that status from 1 July 2017 they must submit to the supervisory body (in Spain, MINETAD) a conformity assessment report carried out by a conformity assessment body accredited by the national accreditation body (in Spain, ENAC).

The new legislation extends the regulatory framework of Directive 1999/93/EC and interacts with data protection regulation, cross-border electronic health, cybersecurity, anti-money-laundering rules and the second Payment Services Directive.

The eIDAS Regulation obliges public administrations in the European Union to accept qualified trust services provided by providers from other Member States, and in particular to accept notified electronic identification and authentication schemes.

In this way it seeks to remove the existing barriers to the cross-border use of the electronic identification means used in Member States to authenticate, at least in public services, by requiring that notified national electronic identification schemes (notified, we insist) be accepted in all Member States.

The creation of a common trust mark for qualified trust service providers will help blur cross-border barriers.

The trust mark was established by Commission Implementing Regulation (EU) 2015/806 of 22 May 2015, which lays down specifications relating to the form of the EU trust mark for qualified trust services.

The creation of a technical reference system identifying all qualified providers in the European Union also contributes to cross-border access, since the census of trust service providers can be obtained automatically via the trusted lists (TSL).

These trusted lists, in their most up-to-date version (an earlier version existed under Directive 1999/93/EC), are mandated by Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.