
Legal basis for the electronic signature

Law 59/2003 on electronic signature

The basic legislation on electronic signature is set out in Law 59/2003 of 19th December on electronic signature.

(Art. 3.1) The electronic signature is the set of data in electronic form, attached to or associated with other data, that can be used as a means of identifying the signatory.

In addition, the Law distinguishes between two types of signature, the 'advanced electronic signature' and the 'recognized electronic signature':

(Art. 3.2) The advanced electronic signature is the electronic signature that makes it possible to identify the signatory and to detect any subsequent change to the signed data, that is uniquely linked to the signatory and to the data it refers to, and that has been created by means that the signatory can keep under their exclusive control.

(Art. 3.3) A recognized electronic signature is an advanced electronic signature based on a recognized certificate and generated by means of a secure signature-creation device.

According to the law, the recognized electronic signature is the only one that can be considered equivalent to a handwritten signature:

(Art. 3.4) The recognized electronic signature shall have, with respect to data recorded in electronic form, the same value as a handwritten signature has with respect to data recorded on paper.

But how do we ensure, in practice, that an electronic signature is recognized and therefore equivalent to a handwritten signature?

The Electronic Signature

A recognized electronic signature must meet the following properties or requirements:

  • Identify the signatory.
  • Verify the integrity of the signed document.
  • Ensure non-repudiation of origin.
  • Involve a trusted third party.
  • Be based on a recognized electronic certificate.
  • Be generated with a secure signature-creation device.

The first 4 points are possible thanks to the use of the cryptographic keys contained in the certificate and the existence of a structure of Certification Authorities that provides trust in the issuance of certificates. But according to Law 59/2003, these 4 points only give us an advanced signature.

For the electronic signature to be equivalent to the handwritten one, i.e. to be a recognized electronic signature, it must also:

Be based on a recognized certificate

The certificate must have been recognized by the Ministry of Industry and Commerce as authorized to create signatures and should be listed on its website as such.

All the certificates recognized by the MITyC can be viewed at https://sedeaplicaciones.minetur.gob.es/Suppliers/

Certificates are recognized because both the provider that issues them and the actual content of the certificate meet the requirements stated in Chapter II of Law 59/2003 on electronic signature, on qualified certificates.

Be generated with a secure signature-creation device

The characteristics of a secure signature-creation device are set out in Article 24 of Law 59/2003 on electronic signature.

Mainly, the secure device must guarantee that the keys are unique and secret, that the private key cannot be derived from the public key and vice versa, that the signatory can reliably protect the keys, that the content of the original document is not altered, and that the signatory can see what is going to be signed.

From a technical point of view, according to Article 27 of Law 59/2003, a secure signature device must be certified as meeting the above characteristics according to the technical standards published in European Commission Decision 2003/511/EC of 14 July 2003.

  • The DNI is considered an electronic signature and therefore signatures generated with it are recognized and have the same validity as a handwritten signature.
  • Are signatures generated on the computer with a software certificate installed in the browser recognized? Since the computer is not a secure signature-creation device, the signatures generated are only advanced signatures according to the definition in the law.

Signature policy

When data is signed, the signatory indicates acceptance of the general conditions and the particular conditions applicable to that electronic signature by including a signed field, within the signature, that specifies an explicit or implicit policy.

If the field corresponding to the electronic signature rules is absent and no applicable law is identified, then it can be assumed that the signature was generated or verified without any rule restrictions and, consequently, that it has been assigned no specific legal or contractual meaning. This would be a signature that does not explicitly specify any concrete semantics or meaning, and therefore the meaning of the signature has to be derived from the context (and especially from the semantics of the signed document).

The purpose of a signature policy is to strengthen trust in electronic transactions through a series of conditions for a given context, which can be a particular transaction, a legal regime or a role assumed by the signatory.

For example, the signature policy of the General Administration of the State (AGE) specifies the general conditions applicable to the electronic signature for its validation, in the electronic relationship of the General Administration of the State with citizens and among the bodies and entities of the AGE.

According to Article 24 of Royal Decree 1671/2009, which partially develops Law 11/2007 on electronic access of citizens to public services, the electronic signature and certificate policy in the area of the General Administration of the State and its public authorities consists of the guidelines and technical standards applicable to the use of certificates and electronic signatures within its scope.

National Interoperability Scheme (ENI)

The signature policy has an important role, since it defines the rules and obligations of all the actors involved in the signing process in certain contexts (contractual, juridical, legal, …).

Royal Decree 4/2010, which regulates the National Interoperability Scheme, states that the electronic signature and certificate policy of the General Administration of the State will serve as a general interoperability framework for the authentication and mutual recognition of electronic signatures within its scope. It also states that this policy may be used as a reference by other public administrations to define the certificate and signature policies to be recognized within their areas of competence.

National Security Scheme (ENS)

Royal Decree 3/2010, of January 8th, which regulates the National Security Scheme in the area of e-government, aims to establish the principles and requirements of a security policy for the protection of information.

The decree, in its Article 33, also delegates to the Signature Policy the entire task of specifying the processes for generating, validating and preserving electronic signatures, as well as the characteristics and requirements applicable to electronic signature systems, certificates, time-stamping services, and other elements that support signatures.

Moreover, in point 5.7.4 of Annex II it is very specific about the types of signature that should be applied depending on the level of the information to be protected.

  • Low Level

    Any means of electronic signature specified in current legislation may be used.

  • Medium Level

    The means used for electronic signature shall be proportionate to the classification of the information handled. In any case:

    • Algorithms accredited by the National Cryptologic Centre shall be used.
    • Recognized certificates shall be used, preferably.
    • Secure devices shall be used for signing.

    Verification and validation of the electronic signature shall be guaranteed for the time required by the administrative activity it supports, without prejudice to extending this period in accordance with the applicable electronic signature and certificate policy. To this end:

    • All information relevant to its verification and validation shall be attached to the signature, or referenced.
    • The signature and the information referred to in the previous paragraph shall be protected with a time stamp.
    • The body that collects documents signed by the administered party shall verify and validate the signature received at the time of receipt, attaching or unambiguously referencing the information described in headings a) and b).
    • The electronic signature of documents by the Administration shall attach or unambiguously reference the information described in headings a) and b).

  • High Level

    The security measures regarding electronic signature required at the Medium level shall apply, in addition to the following:

    • Certificates will be used.
    • Secure signature-creation devices shall be used.
    • Certified products [op.pl.5] shall be used, preferably.

    The CCN-STIC-807 standard of the National Cryptologic Centre (Centro Criptológico Nacional) establishes in point 5.7 which mechanisms and algorithms can be used for signing depending on the level of the information.
