The basic legislation on electronic signatures is contained in Law 59/2003 of 19 December 2003 on Electronic Signature.
(Art. 3.1) An electronic signature is the set of data in electronic form, attached to or associated with other data, which can be used as a means of identifying the signatory.
In addition, the Act distinguishes between two types of signature, ‘advanced electronic signature’ and ‘recognised electronic signature’:
(Art. 3.2) An advanced electronic signature is an electronic signature which makes it possible to identify the signatory and to detect any subsequent change to the signed data, which is linked uniquely to the signatory and to the data to which it relates, and which has been created by means that the signatory can keep under his sole control.
(Art. 3.3) A recognised electronic signature is an advanced electronic signature based on a recognised certificate and generated by a secure signature-creation device.
According to the law, the recognised electronic signature is the only one considered equivalent to a handwritten signature:
(Art. 3.4) The recognised electronic signature shall have the same value as the handwritten signature in relation to data recorded in electronic form.
But how, in practice, do we obtain a recognised electronic signature, and therefore one equivalent to a handwritten signature?
A recognised electronic signature must comply with the following properties or requirements:
The first four points are achieved through the cryptographic keys associated with the certificate and the existence of a hierarchy of Certification Authorities that provides confidence in the issuance of certificates. But according to Law 59/2003, these four points alone only give us an advanced signature.
For an electronic signature to be equivalent to a handwritten one, that is, for it to be a recognised electronic signature, it must also:
The certificate must have been recognised by the Ministry of Industry and Commerce as suitable for creating recognised signatures and must be listed as such on its website.
All certificates recognised by MITyC can be consulted in the List of trusted electronic service providers.
They are recognised because both the provider that issues them and the content of the certificate comply with the requirements laid down in Chapter II of Law 59/2003 on Electronic Signature, which deals with recognised certificates.
The characteristics of a secure signature-creation device are listed in Article 24 of Law 59/2003 on Electronic Signature.
In particular, the secure device must ensure that the keys are unique and secret, that the private key cannot be derived from the public key and vice versa, that the signatory can reliably protect the keys, that the content of the original document is not altered, and that the signatory can see what he is going to sign.
From a technical point of view, according to Article 27 of Law 59/2003, a secure signature-creation device must be certified as complying with the above characteristics in accordance with the technical standards published in Commission Decision 2003/511/EC of 14 July 2003.
Are signatures generated on the computer recognized with a software certificate installed in the browser?
When data are signed, the signatory indicates acceptance of the general and particular conditions applicable to that electronic signature by including a signed field within the signature that specifies an explicit or implied policy.
If the field corresponding to the signature policy is absent and no policy is identified as applicable, then it can be assumed that the signature has been generated or verified without any policy restrictions, and consequently that no specific legal or contractual meaning has been assigned to it. It would be a signature that does not explicitly specify any semantics or concrete meaning, and therefore the meaning of the signature must be derived from the context (and especially from the semantics of the signed document).
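The signed field described above corresponds, in XAdES signatures, to the SignaturePolicyIdentifier element inside the signed signature properties, which either names an explicit policy (identifier plus digest of the policy document) or states that the policy is implied. The following Python is an added example, not code from the original page or from any of the bodies it cites; it classifies a signature as carrying an explicit policy, an implied policy, or no policy at all, and rejects a declaration that is present but incomplete. The XML fragments at the bottom are constructed samples, not real signatures, and the policy URN and digest value in them are invented placeholders.

```python
"""Classify the signature-policy declaration carried by an XAdES signature.

Added illustrative example. Uses only the standard library; the XAdES and
XML-DSig namespaces and element names are the real ones, the sample data is
constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
}


@dataclass
class PolicyStatus:
    kind: str                          # "explicit", "implied" or "none"
    identifier: Optional[str] = None   # policy URI/OID for explicit policies
    digest_method: Optional[str] = None
    digest_b64: Optional[str] = None


def classify_signature_policy(xml_text: str) -> PolicyStatus:
    """Return the policy status of the signature; raise on a malformed declaration."""
    root = ET.fromstring(xml_text)
    # Only a policy inside SignedSignatureProperties is covered by the signature
    # value; a copy placed under UnsignedProperties carries no weight and is ignored.
    ssp = root.find(".//xades:SignedSignatureProperties", NS)
    if ssp is None:
        return PolicyStatus("none")
    spi = ssp.find("xades:SignaturePolicyIdentifier", NS)
    if spi is None:
        # Absent field: no policy restrictions are assumed (the case discussed above).
        return PolicyStatus("none")
    if spi.find("xades:SignaturePolicyImplied", NS) is not None:
        return PolicyStatus("implied")
    spid = spi.find("xades:SignaturePolicyId", NS)
    if spid is None:
        raise ValueError("SignaturePolicyIdentifier present but neither Id nor Implied")
    ident = spid.findtext("xades:SigPolicyId/xades:Identifier", default=None, namespaces=NS)
    method = spid.find("xades:SigPolicyHash/ds:DigestMethod", NS)
    value = spid.findtext("xades:SigPolicyHash/ds:DigestValue", default=None, namespaces=NS)
    if not ident or method is None or not value:
        # A verifier must not guess: an explicit policy needs identifier and hash.
        raise ValueError("explicit policy declared but identifier or hash is missing")
    return PolicyStatus("explicit", ident.strip(), method.get("Algorithm"), value.strip())


def _wrap(signed_signature_properties: str) -> str:
    """Embed constructed SignedSignatureProperties content in a minimal ds:Signature."""
    return f"""<ds:Signature xmlns:ds="{NS['ds']}" xmlns:xades="{NS['xades']}">
  <ds:Object><xades:QualifyingProperties><xades:SignedProperties>
    <xades:SignedSignatureProperties>{signed_signature_properties}</xades:SignedSignatureProperties>
  </xades:SignedProperties></xades:QualifyingProperties></ds:Object>
</ds:Signature>"""


# Constructed samples (not real signatures). The URN and digest are placeholders.
EXPLICIT = _wrap("""
  <xades:SignaturePolicyIdentifier><xades:SignaturePolicyId>
    <xades:SigPolicyId><xades:Identifier>urn:example:signature-policy:1.0</xades:Identifier></xades:SigPolicyId>
    <xades:SigPolicyHash>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</ds:DigestValue>
    </xades:SigPolicyHash>
  </xades:SignaturePolicyId></xades:SignaturePolicyIdentifier>""")
IMPLIED = _wrap("<xades:SignaturePolicyIdentifier><xades:SignaturePolicyImplied/></xades:SignaturePolicyIdentifier>")
NO_POLICY = _wrap("<xades:SigningTime>2024-01-01T00:00:00Z</xades:SigningTime>")
MALFORMED = _wrap("""
  <xades:SignaturePolicyIdentifier><xades:SignaturePolicyId>
    <xades:SigPolicyId><xades:Identifier>urn:example:signature-policy:1.0</xades:Identifier></xades:SigPolicyId>
  </xades:SignaturePolicyId></xades:SignaturePolicyIdentifier>""")

if __name__ == "__main__":
    for name, doc in [("explicit", EXPLICIT), ("implied", IMPLIED), ("none", NO_POLICY)]:
        print(name, classify_signature_policy(doc))
```

A verifier that implements a policy such as the AGE one would take the `identifier` and `digest_b64` from an explicit result, fetch the policy document it already trusts, and compare its digest before applying the policy's validation rules; the "none" result is the case where meaning has to be taken from the signed document itself.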
The aim of a signature policy is to strengthen confidence in electronic transactions through a set of conditions for a given context, which may be a particular transaction, a legal regime or a role of the signatory.
For example, the Signature Policy of the General State Administration (AGE) specifies the general conditions applicable to the validation of electronic signatures in the electronic relations of the General State Administration with citizens and between the bodies and entities of the AGE.
According to article 24 of Royal Decree 1671/2009 partially implementing Law 11/2007 on Citizens' Electronic Access to Public Services, the policy of electronic signature and certificates in the field of the General Administration of the State and its public bodies is supported by the guidelines and technical standards applicable to the use of certificates and electronic signature within its scope.
The signature policy has an important mission, as it defines the rules and obligations of all the actors involved in the signing process in given contexts (contractual, legal, …).
Royal Decree 4/2010 regulating the National Interoperability Scheme provides that the policy of electronic signatures and certificates of the General Government of the State will serve as a general framework for interoperability for the authentication and mutual recognition of electronic signatures within its scope. It also provides that this policy may be used as a reference by other public administrations to define the policies of certificates and signatures to be recognised within their fields of competence.
Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of e-government, aims to establish the principles and requirements of a security policy for the protection of information in e-government.
The decree, in its Article 33, also entrusts the Signature Policy with the function of specifying the processes of generation, validation and preservation of electronic signatures, as well as the characteristics and requirements of electronic signature systems, certificates, time-stamping services and other elements supporting signatures.
Moreover, point 5.7.4 of Annex II of the Royal Decree is very specific about the types of signature to be applied depending on the classification level of the information to be protected.
Any means of electronic signature of those provided for in existing legislation may be used.
The means used for the electronic signature shall be proportionate to the classification of the information processed. In any case:
Algorithms accredited by the National Cryptologic Centre shall be used.
It shall be ensured that the electronic signature can be verified and validated for the time required by the administrative activity it supports, without prejudice to the possibility of extending this period in accordance with the applicable electronic signature and certificate policy. To this end:
The security measures for electronic signatures required at the Medium level shall apply, in addition to the following:
The CCN-STIC-807 standard of the National Cryptologic Centre sets out in point 5.7 which mechanisms and algorithms may be used for signing depending on the classification level of the information.