In accordance with article 11 of the Law on Electronic Signature (Official Gazette of the Republic of Serbia No. 135/04), REGULATION

Transcription

1 In accordance with article 11 of the Law on Electronic Signature (Official Gazette of the Republic of Serbia No. 135/04), the Minister of Telecommunications and Information Society hereby promulgates REGULATION ON TECHNICAL AND TECHNOLOGICAL PROCEDURES FOR CREATING A QUALIFIED ELECTRONIC SIGNATURE AND CRITERIA TO BE MET BY DEVICES FOR CREATING A QUALIFIED ELECTRONIC SIGNATURE Article 1 This Regulation specifies the technical and technological procedures for creating qualified electronic signatures and criteria for devices for creating qualified electronic signatures. Article 2 The technical and technological procedures for creating qualified electronic signatures, as well as criteria which should be met by devices for creation and verification of the qualified electronic signature shall be in line with appropriate international standards and recommendations, or other standards, documents and recommendations which are relevant to creation and verification of the qualified electronic signature, prescribed by this Regulation. Article 3 The qualified electronic signature, apart from terms and conditions under Article 7 of the Law on Electronic Signature (hereinafter: the Law), shall also fulfill the following detailed conditions: 1) that it is formed by application of devices for creation of the qualified electronic signature (SSCD);

2 2) that it is verified based on the qualified electronic certificate of the signatory which is valid at the moment of creation of the qualified electronic signature. Article 4 The qualified electronic signature is formed by applying one of the standardized asymmetric cryptographic algorithms, as follows: 1) RSA (Rivest Shamir Adleman) by applying PKCS#1 standard, with minimal length of RSA modulus n of 1024 bits; 2) DSA (Digital Signature Algorithm) with minimal length of parameters p and q of 1024 and 160 bits, respectively; 3) ECDSA (Elliptic Curve Digital Signature Algorithm) with minimal length of parameters p and q of 192 and 160 bits, respectively.

3 Article 5 Also applied in creation of the qualified electronic signature are hash functions for acquiring message prints of a fixed size (at least 160 bits). Hash functions from paragraph 1 of this Article are implemented by application of standardized hash algorithms, as follows: 1) SHA-1 (Secure Hash Algorithm) hash value with size of 160 bits; 2) RIPEMD-160 hash value with size of 160 bits; 3) SHA-224, SHA-256, SHA-384 and SHA-512. Article 6 Set of standardized algorithms from Articles 4 and 5 of this Regulation are combined with requirements related to selection of parameters, as well as the list of standard combinations of applied algorithms in the form of algorithm links ( signature suites ), shall be in line with the ETSI ESI SR Algorithms and Parameters for Secure Electronic Signatures document. Article 7 Devices for creation of the qualified electronic signature must have features which allow for subsequent implementation of new algorithms, in accordance with further development of cryptographic techniques and standards. Article 8

4 Electronic documents signed with the qualified electronic signatures shall be exchanged in document format which includes basic data on procedure, algorithm and qualified electronic certificate of the signatory, so as to allow the recipient of electronic document to verify the qualified electronic signature based on agreed technology and procedures. Article 9 Format of electronic document which is signed with qualified electronic signature shall be in line with some of the following documents: recommendation PKCS#7, RFC 3852 Cryptographic Message Syntax (CMS), ETSI ESI TS CMS Advanced Electronic Signatures (CAdES), RFC 3275 XMLDSIG or ETSI ESI TS XML Advanced Electronic Signatures (XAdES). Article 10 The qualified electronic signature shall be in line with the recommendation ITU-T X.509 and documents ETSI ESI TS Qualified Certificate Profile, RFC 3739 Internet X.509 Public Key Infrastructure: Qualified Certificates Profile, RFC 3280 Internet X.509 Public Key Infrastructure Certificate Revocation List (CRL) Profile and ETSI TS X.509 V.3 Certificate Profile for Certificates Issued to Natural Persons. Procedures for formulation of qualified electronic signature shall be in line with the document ETSI ESI TR ASN.1 format for signature policies or with the document ETSI ESI TR XML format for signature policies. Article 11 Field subject of the qualified electronic certificate shall have the commonname attribute. Attribute commonname should include first and last name of the signatory, unique identifier of the signatory with the certification authority and, optionally, Personal Identification Number (PIN). Data is entered in the following order: first name, space, last

5 name, space, unique identifier with the certification authority and, at the end, optionally, dash and PIN. UTF8string coding should be used for the attribute commonname so as to allow for true presentation of all letters contained in first and last name by appropriate characters. Certification authority is obliged to clearly inform the user whether the certificate will include PIN. Certificates used in communication between authorities, between authorities and parties, in delivery and creation of decisions of authorities in electronic form in administrative, judicial and other procedure involving a government authority should include PIN. Certificates which include PIN or personal number may not be made publicly available by the certification authority. Article 12 The procedure of verification of the qualified electronic signature includes the procedure of verification of the qualified electronic certificate of the signatory, which consists of the following elements: 1) verification of the validity period of the certificate; 2) verification of data on certification authority which issued the qualified electronic certificate of the signatory; 3) verification whether the given certificate is on the list of revoked certificates. There is a possibility to perform additional verification checks other than that given in paragraph 1 of this Article, if there is such a definition in Regulations of the competent certification authority which issued the qualified electronic certificate. Article 13

6 Creation and verification of the qualified electronic signature is performed by applying the following: 1) devices for creation of the qualified electronic signature (SSCD); 2) secure application for creation and verification of the qualified electronic signature (SSCA and SSVA, respectively); 3) technical components of certification authorities; 4) qualified electronic certificate. Article 14 Devices for creation of qualified electronic signature, apart from conditions under Article 8 of the Law, shall meet the following criteria: 1) the data for creation of the qualified electronic signature shall be generated within the devices for creation of the qualified electronic signature and should never leave them; 2) qualified electronic signature shall be formed in the very devices for creation of the qualified electronic signature; 3) ensuring that devices for creating the qualified electronic signature are used solely by the signatory, including previously conducted reliable procedure of authentication; 4) the devices shall be such that the signatory is allowed to use them in different applications and environments of information technology. Article 15

7 Secure application for creation of qualified electronic signature (SSCA Secure Signature Creation Application) shall be used together with and inseparable from SSCD. SSCA may include a secure application for verification of the qualified electronic signature (SSVA Secure Signature Verification Application) and validation of qualified electronic certificate of the signatory, as well as results overview. Article 16 Technical components from the domain of certification authorities are software and hardware products which: 1) create data needed for creation of qualified electronic signature and transfer it to an appropriate hardware device of characteristics which are in line with this Regulation, or generate data directly in the given hardware device; 2) make available qualified certificates of users (with consent of the user and without PIN and personal number) and status of certificates, or list of revoked certificates which call for additional verification and consideration of the revoked status and, if necessary, for retrieval by interested parties.

8 Article 17 Devices for creation of the qualified electronic signature (SSCD) from Article 14 of this Regulation shall be in line with one of the following standards: 1) preferably CEN Workshop Agreement (CWA) 14169: Secure Signature-Creation Device (EAL 4+) ; 2) FIPS (Federal Information Processing Standard) of level 2 or higher. Article 18 Application for creation of the qualified electronic signature (SSCA) from Article 15 paragraph 1 of this Regulation shall be in line with the standard CEN Workshop Agreement Security requirements for signature creation applications. Article 19 Application for verification of the qualified electronic signature (SSVA) from Article 15 paragraph 2 of this Regulation shall be in line with the standard CEN Workshop Agreement General guidelines for electronic signature verification. Article 20 Technical components of the certification authorities from Article 16 of this Regulation shall be in line with the following standards: 1) for generation of asymmetrical cryptographic keys with the certification authority, in line with some of the following standards:

9 (1) CEN Workshop Agreement : Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 3: Cryptographic Modules for CSP Key Generation Services - Protection Profile (CMCKG-PP), (2) CEN Workshop Agreement (CWA) 14169: Secure Signature-Creation Device (EAL 4+), (3) FIPS (Federal Information Processing Standard) of level 3 or higher; 2) for generation of qualified certificates, in line with some of the following standards: (1) CEN Workshop Agreement : Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2: Cryptographic Module for CSP Signing Operations - Protection profile (MCSO-PP), (2) CEN Workshop Agreement : Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 4: Cryptographic Module for CSP Signing Operations - Protection profile (CMCSO-PP), (3) CEN Workshop Agreement (CWA) 14169: Secure Signature-Creation Device (EAL 4+), (4) FIPS (Federal Information Processing Standard) of level 3 or higher. Article 21 Software equipment and procedures which are implemented to verify the qualified electronic signature must be fully disabled to provide data for creation of the qualified electronic signature by using data for its verification. Article 22

10 Signatory is obliged to protect data for creation of the qualified electronic signature from unauthorized access, disposal and improper utilization. Protection from paragraph 1 of this Article additionally includes utilization of passwords or PIN codes, biometric procedures or other protective techniques. Article 23 By enactment of this Regulation, the Regulation on Technical and Technological Procedures for Creating a Qualified Electronic Signature and Criteria Which Should be Met by Devices for Creating a Qualified Electronic Signature (The Official Gazette of the Republic of Serbia, No. 48/05, 82/05, 116/05) shall no longer be effective. Article 24 This Regulation shall enter into force on the eighth day after publication in the Official Gazette of the Republic of Serbia. Number: / In Belgrade, 10 March 2008 MINISTER Ph.D. Aleksandra Smiljanic