
Legal basis for the electronic signature

Law 59/2003 of electronic signature

The basic legislation on electronic signatures is set out in Law 59/2003 of 19 December on electronic signature.

(Art. 3.1) The electronic signature is the set of data in electronic form, attached to or associated with other data, which can be used as a means of identifying the signatory.

In addition, the Law distinguishes between two types of signature, the 'advanced electronic signature' and the 'recognized electronic signature':

(Art. 3.2) The advanced electronic signature is the electronic signature that makes it possible to identify the signatory and detect any subsequent change to the signed data, that is uniquely linked to the signatory and to the data to which it refers, and that has been created by means that the signatory can keep under their exclusive control.

(Art. 3.3) A recognized electronic signature is an advanced electronic signature based on a recognized certificate and generated by a secure signature-creation device.

According to the law, the recognized electronic signature is the only one that can be considered equivalent to a handwritten signature:

(Art. 3.4) The recognized electronic signature shall have, with respect to data recorded in electronic form, the same value as a handwritten signature has with respect to data recorded on paper.

But how do we ensure, in practice, that an electronic signature is recognized and therefore equivalent to a handwritten signature?

The Electronic Signature

A recognized electronic signature must satisfy the following properties or requirements:

  • Identify the signatory.
  • Verify the integrity of the signed document.
  • Ensure non-repudiation of origin.
  • Involve a trusted third party.
  • Be based on a recognized electronic certificate.
  • Be generated with a secure signature-creation device.

The first 4 points are made possible by the use of the cryptographic keys contained in the certificate and by the existence of a structure of Certification Authorities that provides confidence in the issuance of certificates. But according to Law 59/2003, these 4 points give us only an advanced signature.

For the electronic signature to be equivalent to the handwritten one, i.e. to be a recognized electronic signature, it must also:

Be based on a recognized certificate

The certificate must have been recognized by the Ministry of Industry and Commerce as authorized to create signatures, and should be listed as such on its website.

You can see all the certificates recognized by the MITyC at https://sedeaplicaciones.minetur.gob.es/Suppliers/

They are recognized certificates because both the provider that issues them and the content of the certificate itself comply with the requirements on recognized certificates set out in Chapter II of Law 59/2003 on electronic signature.

Be generated with a secure signature-creation device

The characteristics of a secure signature-creation device are set out in Article 24 of Law 59/2003 on electronic signature.

Mainly, the secure device must ensure that the keys are unique and secret, that the private key cannot be deduced from the public key and vice versa, that the signatory can reliably protect the keys, that the content of the original document is not altered, and that the signatory can see what they are going to sign.

From a technical point of view, according to Article 27 of Law 59/2003, a secure signature device must be certified as meeting the above characteristics in accordance with the technical standards published in European Commission Decision 2003/511/EC of 14 July 2003.

  • The electronic national identity card (DNI Electrónico) is considered a secure signature-creation device, and therefore signatures generated with it are recognized and have the same validity as a handwritten signature. Are signatures generated on a computer with a software certificate installed in the browser recognized?
  • Since the computer is not a secure signature-creation device, the signatures generated are only advanced signatures as defined by the law.

Signature policy

When data is signed, the signatory indicates acceptance of the general conditions and particular conditions applicable to that electronic signature by including a signed field, within the signature, that specifies an explicit or implicit policy.

If the field corresponding to the electronic signature rules is absent, and no applicable law is identified, it can be assumed that the signature has been generated or verified without any policy restrictions and, consequently, that no specific legal or contractual meaning has been assigned to it. This would be a signature that does not explicitly specify any semantics or concrete meaning, so the meaning of the signature must be derived from the context (and especially from the semantics of the signed document).

The purpose of a signature policy is to strengthen trust in electronic transactions through a set of conditions for a given context, which can be a particular transaction, a legal regime or a role assumed by the signatory.

For example, the Signature Policy of the General State Administration (AGE) specifies the general conditions applicable to the electronic signature for its validation, in the electronic relationship of the General State Administration with citizens and between the bodies and entities of the AGE.

According to Article 24 of Royal Decree 1671/2009, which partially implements Law 11/2007 on electronic access of citizens to public services, the electronic signature and certificate policy in the sphere of the General State Administration and its public bodies consists of the guidelines and technical standards applicable to the use of certificates and electronic signatures within its scope.

National Interoperability Scheme (ENI)

The signature policy plays an important role because it defines the rules and obligations of all the actors involved in the signing process in specific contexts (contractual, legal, …).

Royal Decree 4/2010, which regulates the National Interoperability Scheme, establishes that the electronic signature and certificate policy of the General State Administration will serve as the general interoperability framework for authentication and mutual recognition of electronic signatures within its scope of action. It also establishes that this policy may be used as a reference by other Public Administrations to define the certificate and signature policies to be recognized within their own areas of competence.

National Security Scheme (ENS)

Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of e-government, aims to establish the principles and requirements of a security policy for the protection of information.

The decree, in its Article 33, also delegates to the Signature Policy the entire task of specifying the processes for generating, validating and preserving electronic signatures, as well as the characteristics and requirements demanded of electronic signature systems, certificates, time-stamping services and other elements supporting signatures.

Moreover, in point 5.7.4 of its Annex II, it is very specific about the types of signature that must be applied depending on the level of the information to be protected.

  • Low Level

    Any means of electronic signature provided for in current legislation may be used.

  • Medium Level

    The means used for the electronic signature will be proportionate to the classification of the information handled. In any case:

    • Algorithms accredited by the National Cryptologic Centre (Centro Criptológico Nacional) will be used.
    • Recognized certificates will preferably be used.
    • Secure devices will be used for signing.

    Verification and validation of the electronic signature will be guaranteed for the time required by the administrative activity it supports, without prejudice to the possibility of extending this period in accordance with the applicable electronic signature and certificate policy. To that end:

    • All information relevant to verification and validation will be attached to the signature, or referenced from it.
    • The signature and the information mentioned in the previous item will be protected with a time stamp.
    • The body that collects documents signed by the citizen will verify and validate the signature received at the time of receipt, attaching or unambiguously referencing the information described in items a) and b).
    • Electronic signatures on documents issued by the Administration will attach or unambiguously reference the information described in items a) and b).
  • High Level

    The security measures for electronic signature required at the medium level apply, in addition to the following:

    • Certificates will be used.
    • Secure signature-creation devices will be used.
    • Certified products will preferably be used [op.pl.5].

    The CCN-STIC-807 standard of the Centro Criptológico Nacional establishes in point 5.7 which mechanisms and algorithms may be used for signing depending on the level of the information.

Additional Policy notes

  • European Regulation 910/2014, of 23 July, on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, establishes the obligation to validate electronic certificates issued by any European Trust Service Provider.
  • The implementing rules of the eIDAS Regulation, Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down the specifications for the formats of advanced electronic signatures and advanced seals that public sector bodies must recognize in accordance with Articles 27(5) and 37(5) of Regulation 910/2014, state that Member States must put in place the technical means needed to process electronically signed documents that are required when using an online service offered by, or on behalf of, a public sector body. To this end, the Decision defines a series of advanced electronic signature formats that Member States must technically support when advanced electronic signatures are required for an online administrative procedure.
  • Article 47 of Royal Decree 1671/2009, of 6 November, which partially implements Law 11/2007, of 22 June, on electronic access of citizens to public services, establishes the need to incorporate a time reference into electronic administrative documents. One of the forms of time reference is the 'time stamp', i.e. the assignment by electronic means of a date and time to an electronic document with the intervention of a certification service provider that ensures the accuracy and integrity of the document's time mark.
  • In addition, Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of e-government, states in its Article 22.4 that the aspects of the electronic signature relating to the preservation of the electronic document will be established in the electronic signature and certificate policy, and through the use of long-lived signature formats that preserve signatures over time.
  • The preservation of long-lived signatures over time is specified in the Resolution of 19 July 2011 of the Secretariat of State for the Public Function, which approves the Technical Interoperability Standard for the Administration's electronic signature and certificate policy, in section II.7 on archiving and custody. It states that, to ensure the reliability of an electronic signature over time, long-lived signatures can be used to add information on the status of the associated certificate, incorporating a time stamp as well as the certificates that make up the chain of trust.
  • The time stamp is an indispensable part of the electronic signature, especially in the case of long-lived signatures, which need to be validated long after they were generated.
  • Likewise, Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of e-government, specifies in Annex II (security measures), subparagraph 5.7.4 on the electronic signature, that for systems classified at the medium level in the dimensions of integrity and authenticity, verification and validation of the electronic signature will be guaranteed for the time required by the administrative activity it supports. To that end, all information relevant to verification and validation will be attached to the signature, or referenced from it, and the signature and that information will be protected with a time stamp.