
Electronic signature of an individual (part 1)

I will talk about the Federal Law of April 6, 2011 N63-FZ "On Electronic Signature": what is it, why is it, and most importantly, how can an ordinary person use it. I will consider the problems I have encountered and their solutions. This post is directed more towards society, so for techies there will be some redundant information.

A bit of theory

What is a signature? According to Wikipedia, this is a collection of handwritten characters, with the use of certain design techniques, used to identify a person.
By signing a document we agree with its contents and leave a unique imprint on it. According to the same wiki, an electronic signature is a requisite of an electronic document that makes it possible to establish:
  1. no distortion of information in the electronic document from the moment of signing;
  2. ownership of the signature to the owner.
The analogy is easy to see. Just as a handwritten signature is an integral requisite of a paper document, an electronic signature is a requisite of an electronic document. Just as a handwritten signature is a unique symbol, an electronic signature is also unique.

I think everyone knows how papers are signed, so I will briefly describe how electronic information is signed. Asymmetric cryptography is used for this purpose. It is so called because its algorithms use not one but two keys at once: a public (“open”) key known to everyone and a private (“closed”) key known only to its owner. Asymmetric cryptography algorithms, accordingly, allow you to encrypt information with one of the keys and decrypt it with the other.
For me, the owner of the keys, this gives some advantages:
It is on this, the second advantage, that all the mechanics of electronic signature rests.
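The signing mechanics described above, as an added example that is not part of the original post: the private key produces the signature, and anyone holding the public key can check both properties from the list in the theory section. It uses textbook RSA without padding on toy-sized keys built from constructed primes, for illustration only; all function names are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs


def make_keypair(p, q):
    """Build (public, private) keys from two primes. Toy-sized, illustration only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E
    return (n, E), (n, d)


def digest(document: bytes, n: int) -> int:
    """Hash the document and reduce the hash into the key's range."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private_key) -> int:
    """Only the holder of the private ("closed") key can compute this value."""
    n, d = private_key
    return pow(digest(document, n), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Anyone with the public ("open") key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == digest(document, n)


def demo():
    # Constructed sample keys: products of well-known Mersenne primes.
    signer_pub, signer_priv = make_keypair(2**61 - 1, 2**89 - 1)
    other_pub, _ = make_keypair(2**107 - 1, 2**127 - 1)

    doc = b"I have read the local regulations."  # constructed sample document
    sig = sign(doc, signer_priv)

    return {
        # Unchanged document, signer's own public key: the signature holds.
        "genuine": verify(doc, sig, signer_pub),
        # Property 1: any change after signing breaks the signature.
        "altered": verify(doc + b" (amended)", sig, signer_pub),
        # Property 2: the signature matches only its owner's key.
        "wrong_key": verify(doc, sig, other_pub),
    }


if __name__ == "__main__":
    print(demo())
```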

Let's move on to the law

What is the "Electronic Signature" by the legislator? In terms of the law, this is information in electronic form that is attached to other information in electronic form (signed information) or otherwise associated with such information and which is used to determine the person signing the information.
That is, an electronic signature is just some information linking two objects: the document being signed and the signatory.
The law also introduces a number of definitions:

Certificate of electronic signature verification key - an electronic document or document on paper issued by the certifying center or authorized representative of the certifying center and confirming that the electronic signature verification key belongs to the holder of the electronic signature verification key certificate.
This is nothing more than a public key certificate.

Qualified certificate of the electronic signature verification key (also known as a qualified certificate) is a certificate of the electronic signature verification key issued by an accredited certification authority or authorized person of an accredited certification authority or by a federal executive body authorized to use an electronic signature.
Leaving out the blah-blah-blah, we understand that this is the same public key certificate, only issued by someone very important who has received accreditation.

Electronic signature key is a unique sequence of characters used to create an electronic signature.
This is our private key.

The key for verifying an electronic signature is a unique sequence of characters uniquely associated with the key of the electronic signature and intended to verify the authenticity of the electronic signature.
And this is our public key.
Here I will immediately draw attention to the difference, because, as they say, the flies are separate, and the cutlets are separate. A public key is a public key, just a sequence of characters, while a public key certificate is already a whole document consisting of a public key and something else.

Certification Authority - a legal entity or an individual entrepreneur that performs the functions of creating and issuing certificates of keys for verification of electronic signatures.

Accreditation of the certification center - recognition by the authorized federal body of conformity of the certification center to the requirements of the Federal Law.
Remember the difference between a qualified and unqualified certificate? A qualified certificate can be issued only by an accredited center.

Electronic Signature Means - cryptographic tools used to implement at least one of the following functions: electronic signature creation, electronic signature verification, creation of an electronic signature key and an electronic signature verification key.
And this is our hardware and software.

Skipping a bunch of lines of the law about everyone's duties to everyone else, I will say that I wanted to get the keys to create a Qualified Electronic Signature. Why? Because information in electronic form, signed by a qualified electronic signature, is recognized as an electronic document equivalent to a document on paper signed by a handwritten signature, unless federal laws or regulatory acts adopted in accordance with them require that the document be drawn up solely on paper. The beauty here is that if the law does not explicitly say “hand over the paper, my friend”, then you can get by with electronic media alone, and this opens up simply horrific prospects. An offhand example. When hiring, the employer is obliged to familiarize the employee with the local regulations in force, against signature. Theoretically, a passport, pension certificate and military ID can be shown remotely, and the work record book can be sent by mail, but before the invention of the electronic signature, familiarization with a document against signature was possible only in person. So, I need to get the keys to expand my capabilities.

Getting

How do I do this? I look at article 18 of the law and see that in order to issue me a certificate, the certifying center only has to establish my identity, and I, in turn, provide it with two documents: a passport and a certificate of mandatory pension insurance. Fortunately, I have both of these documents. Now only the easy part remains: find the nearest accredited certifying center. In the law itself, the place to look is described in a painfully ornate way: "The accreditation of certification centers is carried out by an authorized federal body." Where is this body? How to find it?

I decided to start digging on the website of the Ministry of Communications of the Russian Federation and immediately got to the point. In accordance with the presidential decree of 25.08.2010 №1060 "On the improvement of state management in the field of information technology", the functions of the authorized body in the field of use of electronic signature, including the maintenance of the USR of UL CA certificates, are assigned to the Ministry of Communications and Mass Communications of the Russian Federation.

But then the state plays a dirty trick on the ordinary citizen, or, as the saying goes, slips him a pig.

Pig 1. There is no information on the receipt of keys by individuals on the site of the relevant executive authority.

There is a lot, a lot of information according to the old law, the one that did without the presence of individuals in it, and the information on the new law is zero. Nothing, I know about the existence of 59-FZ, so I am writing an appeal to the Ministry of Communications, especially since the eighth article of the Law “On Electronic Signature” directly obliges them to keep a register of accredited certification authorities.

On the same day, fortunately, I accidentally found out that here in St. Petersburg the keys are issued by Rostelecom, so that evening I went to the service center at Nevsky, 88. Ten minutes of time, 660 rubles of money, four or five signatures on the application, permission to process personal data, familiarization with articles of the old law and, for some reason, the paper version of the certificate, and now I am the happy owner of a small USB device resembling a flash drive, containing the keys and certificate for creating an electronic signature. Half an hour later, at home, rubbing my hands, I stuck the key into the USB port and received a new pig from the state.

Pig 2. In Windows XP, eToken does not work without additional manipulations.

Article 18 of the law provides that the issuance of a qualified certificate is accompanied by the issuance of a safety manual. In my case, it was a paper in which all safety instructions were limited to the words “when using for the first time, change the PIN from 1234567890 to another”. The legislator did not consider it necessary to issue instructions for use, so I started the search from the website of public services; it seemed to me that I had seen something about the electronic signature there. And indeed, the site provides access via ES, and quite quickly I found a CCID driver, a browser plug-in for access, and even a small document entitled “User Guide for Working with ES”. See Section 3, Electronic Signing. It turns out that with the key that I received, you can sign only for certain services (by the way, I do not have the service specified in the instructions), only on the website of public services, and only through a browser.

Pig 3. The lack of tools for creating electronic signatures outside the site.

The law itself does not impose restrictions on the use of an electronic signature. I received the means of creating an electronic signature in an absolutely legal way and, therefore, I have the right to use it wherever I wish. In the next, technical part I will describe how the third pig is worked around; there will be a certain amount of code, terminology, and even one working draft. And in the third part, I plan to go back to the burning mix of social and law, and arrange a stress test with various departments of our vast country with statements signed by my electronic signature.

Source: https://habr.com/ru/post/131367/

