What Is Electronic Signature

ipsCA U-Sign Portafirmas FAQs about Electronic Signature General Records on Electronic Signature Companies as well as people or bodies have used until now their handwritten signatures to carry out all kinds of procedures and to state their will in a document. Nowadays, with electronic signature we find a new world of possibilities whereby we access information society. This is possible as those agreements and contracts carried out by electronic means have the same recognition, protection and value as those in paper support. About Electronic Signature What is Electronic Signature? It is a technological mechanism that allows identifying the user when accomplishing procedures by means o the Internet or closed networks. Law and Regulations are the legal basis for citizens and companies to express their will on the Internet, whereby the signer of the electronic document can be identified. What is advanced Electronic Signature? It is a certified signature by an accredited lender, created by means under exclusive control of the titular. Therefore, the said signature only binds the latter and the concerned data. This allows detecting any subsequent modification and verifying the titular’s identity. What is the importance of this type of signature? Electronic signature is vital in order to develop and expand e-Commerce and e-Government. It gives electronic documents, transactions and commercial relations a technical and legal protection. Nowadays, any user, especially those far away from big city centres, will have the opportunity to interact remotely with total tranquillity. These users would not have to travel long distances in order to legalize their operations or carry out any other procedures. How do we grant users security in transactions? Transaction security is provided thanks to the technical way of working of electronic signature. Nevertheless, the main advantage of advanced electronic signature is that it is able to reliably identify the author of the signed document. Moreover, it grants the integrity of the latter and makes the signature unrejectable. Is there any risk of signature falsification? The risk is practically null regarding advanced electronic signature. In fact, the risk is much lower than using handwritten signature. ipsCA March 2007 1 de 5 ipsCA U-Sign Portafirmas Is electronic signature legally recognized? Yes, Royal Decree-Law 14/1999 of 17 September establishes in Article 1: “Article 1 Application area 1. This Royal Decree-Law makes provisions for the use of electronic signature, the recognition of its legal effectiveness and performance of certification services. Rules concerning this activity are of application to the service providers established in Spain. 2. Provisions in this Royal Decree-Law do not modify those rules with regards to making, formalizing, validating and the efficiency of contracts and other legal actions, nor the Legal Regime enforceable to obligations.” What is the difference between simple electronic signature and advanced electronic signature? Simple electronic signature does not comply with requirements set forth by RDL 14/1999. This signature is valid, but does not have automatic effects. Therefore, article 3.2 establishes that “the electronic signature that does not comply with requirements under the previous paragraph, will not be denied legal effect and will not be excluded as evidence on judgement, in the case of being presented electronically.” What is an electronic signature? Technically, electronic signature is a group of characters attached to a document, file or message. It can accredit the author or issuer of the latter and that the message has not been manipulated or modified in the communication process. To digitally sign a message, you must have an electronic certificate and use a navigator (Netscape or Explorer 4.0 or higher). In order to sign, the receiver of the message does not need a certificate. Nevertheless, the receiver will need a public key of the Certification Authority, that issued the certificate of the sender of the signed message, as well as the public key of the certificate whereby the message has been signed. How can the validity of an electronic signature be proven? Anyone with another person’s public key will be able to validate that signature by means of a navigator. An internal process, where the public key of the sender is used, compares the block of characters of the signature that is received with the extract of the text of the message. Only if the characters totally coincide, the signature will be accepted as valid. The receiver of the message decides if the Certification Authority that issued the certificate, whereby the message was signed, is reliable. These CAs solve the only weak point of systems based on public key cryptography (being sure of the identity of the person that signs the document). What if several people carry out different parts of the same document? The system allows accumulating in an only document the signatures of several people. ipsCA March 2007 2 de 5 ipsCA U-Sign Portafirmas What is a hash algorithm? It is a system that enables to find the “fingerprint of a file”. It is unique for every file. What are private and public keys? It is the system that encodes data and that enables another system to decode them with our public key. How can I see a signature? Electronic signature can be seen by means of an application able to treat the way the signature is stored. Nevertheless, it is more interesting being able to verify electronic signature. This is an operation that consists of decoding the signature using a public key (complementary to the one used in the creation of the signature) and of comparing the digest of the coded information. Can I send my signature without danger of being copied to impersonate me? As the signature depends on the signatory’s private key, no impersonation can be done as long as this key is kept safe. Where is my private key stored? Private key can be stored in a floppy disk, in the hard disk of the signatory’s PC, in a memory chip card and ideally, in a cryptographic card. How is my private key protected? Usually with a PIN or password. It is possible to use biometric systems to replace traditional ones, but this is still unusual. About digital certificates What is a digital certificate and what sorts are there? It is a unique identifier of someone. It is similar to a membership card, but in digital format. There are different types; the standard is X-509, Class 3. It consists of a group of information: a petition ID (identifier), a password, the name, last name, email address and optional details of the company of the titular, as the department, city and country, issue and expiration date of the certificate. It is used to ensure the veracity of the public key of the owner of the certificate, therefore, it can grant its identity, privacy and that it cannot be rejected. How is a certificate obtained? It must be requested to a Certification Authority that will manage the petition. ipsCA March 2007 3 de 5 ipsCA U-Sign Portafirmas How is a certificate delivered? The person that receives it is identified by means of an ID and subsequently signs a receipt-contract. Do certificates expire? YES, they are issued with years of validity. What are Certification Authority (CA) and Registration Authority (RA)? A CA is an entity with moral, legal or commercial authority to certify something of its competence. RA is the office where the necessary procedures are carried out. When a certificate is revoked, what happens to documents signed so far? If the certificate was valid on the date of the signature, those documents signed previous to the revocation are valid. What are the contents of a digital certificate? This document contains at least the fields stated by the Real Decree-Law 14/1999. Moreover, it collects other optional details as for instance email address: Unique identification code of the certificate Identification of the Certification Service Provider (Certification Authority) that issues the certificate Electronic signature of the Certification Service Provider that issues the certificate Identification of the titular of the certificate: name, last name, etc. Titular’s email address Titular of the certificate’s public key Validity period of the certificate Where are digital certificates stored? The copy of the certificate can be stored in a floppy disk, in the hard disk of a PC, in a chip card (memory, cryptographic, etc.) and, in short, in any support with enough capacity to store a small computer file. Besides the copy of the titular’s certificate, the latter can be stored in a public repository of certificates (usually a LDAP directory) and in every S/MIME message generated by the titular. Where can I use it? The digital certificate can be used in applications arranged for this purpose. That is, applications that use public key cryptography based on digital certification. The most common examples are email, web navigators, etc. ipsCA March 2007 4 de 5 ipsCA U-Sign Portafirmas Can information sent by the Internet be captured by third parties? Information does not travel coded if the digital certificate is unavailable. In this situation, if someone intercepts a communication (email, sending a credit card number to make a purchase, etc.), this person will be able to read or capture the data sent. If issuer and receiver have electronic certificates, messages or information between them will be coded (encrypted). Therefore, if this information is captured, the only result is a cryptogram (a group of characters without meaning). It is essential to know the private key in order to access information. What is Certification Practice Declaration? It is a document that describes the practice of the Certification Authority, certification area, possible uses of certificates and responsibilities of the Certification Authority and of the holders of the certificates. It also describes technical and security measures used in the generation of digital certificates. What is Certification Policy? It is a document that explains in detail the Certification Practice Declaration for a type of certificate connected to a specific application or service. How can I obtain another person’s digital certificate? The easiest ways of obtaining another person’s certificate are the following: from a public repository of certificates managed by the CA, that issued the certificate or from a S/MIME message the user sent. What is a Certificate Revocation List? (CRL) It is a list of certificates invalid before the expiration date and which are not reliable. What is Public Key Infrastructure (PKI)? It is a system built by Registration Authorities, Certification Authorities and other services related to certificate management and under the control of Certification Service Provider. What is cryptography? It is the science that studies the transformation of legible information into information unavailable to be read at first sight. In this process, information is coded to avoid being read or modified by third parties. Ciphered information can be intercepted but it will be unintelligible for those unable to decipher it. ipsCA March 2007 5 de 5