On December 23, 2015, the State Duma adopted in the third reading draft law FZ-445 amending 63-FZ "On Electronic Signature". Since many colleagues are not yet familiar with this law, I would like to explain what the changes affect and how they will shape the development of a single trust space in the Russian Federation. But first things first.
Until now, each certification authority (hereinafter CA), after passing accreditation, generated its own key pair (the CA's public and private keys) and an electronic signature verification key certificate (hereinafter certificate). The defining feature of this certificate was that the CA issued it itself and signed it with its own key (such a certificate is called "self-signed"). The CA then submitted this certificate to the operator of the Head Certification Authority of the Russian Federation (hereinafter HCA), where the self-signed certificate was added to the trusted list and published on the HCA portal as trusted.
The result of this CA/HCA arrangement was that the trust space of each individual CA was isolated: all operating systems and application software verify a key certificate by walking the certificate chain until they reach a certificate whose issuer is the same as its holder, i.e. a self-signed one. So for two users holding certificates from two different CAs to trust each other, each had to add the other's CA certificate to their trusted list. Here the experts will politely point to cross-certificates between CAs, but I will firmly answer that these are crutches, and explain why. Imagine you are on the Internet going from one network node to another, each of which uses a certificate from its own CA. Then, to trust all the nodes (which really are trustworthy), you would have to hold local copies of the certificates of every CA in the Russian Federation, and keep them up to date. Do you need that?
This fragmentation has one more drawback: to work in the trust space of a given CA, you need an ES issued by that CA or by a CA within its trust space. This gave rise to the need for one person to hold several qualified ES certificates, and to the well-known commercial schemes, for example as in the picture below:

Source: https://iitrust.ru/region/uc/tarif.php

What happens as a result of the changes to 63-FZ made on December 30, 2015:
1. "A certification authority is prohibited from including in a certificate it creates the electronic signature verification key contained in an electronic signature verification key certificate issued to that certification authority by any other certification authority."
Or, "translating from Russian into Russian": a CA is now forbidden to generate "self-signed" certificates on its own.
Moreover, it specifies: "An accredited certification authority must, to sign qualified certificates on its own behalf, use a qualified electronic signature based on a qualified certificate issued to it by the head certification authority, whose functions are performed by the authorized federal body. An accredited certification authority is prohibited from using a qualified electronic signature based on a qualified certificate issued by the head certification authority, whose functions are performed by the authorized federal body, to sign certificates that are not qualified certificates."
That is, it no longer matters who issued your ES key certificate, since every ES verification key certificate now lets you build a chain up to the Head Certification Authority. All the user has to keep trusted is the HCA certificate alone.
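An added illustration, not from the original post, of what the old and new schemes mean for a relying party, written in Go against the standard crypto/x509 chain builder. It builds a Head CA, an old-style self-signed accredited CA and a new-style CA subordinated to the Head CA, then checks which user certificates validate with only the Head CA trusted; the CA names and Ed25519 keys are constructed samples, and Go's verifier stands in for a CIPF since only the trust-anchor logic matters here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
type certs = []*x509.Certificate
const caUse, userUse = x509.KeyUsageCertSign | x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature
// issue creates an Ed25519 key and a certificate for cn signed by parent (nil = self-signed).
func issue(cn string, ku x509.KeyUsage, serial int64, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed: the pre-amendment practice of accredited CAs
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// Chains reports whether leaf validates with only anchors trusted (as an OS or browser does), with inters as intermediates.
func Chains(leaf *x509.Certificate, anchors, inters certs) bool {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range inters {
		ints.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ints})
	return err == nil
}
// Scenario builds both schemes; all CA and user names are constructed samples, not real Russian CAs.
func Scenario() (oldOnlyHead, oldWithCA, newOnlyHead bool) {
	head, headKey := issue("Head CA", caUse, 1, nil, nil)
	oldCA, oldKey := issue("Old-style CA", caUse, 2, nil, nil)
	oldUser, _ := issue("user-a", userUse, 3, oldCA, oldKey)
	newCA, newKey := issue("New-style CA", caUse, 4, head, headKey)
	newUser, _ := issue("user-b", userUse, 5, newCA, newKey)
	return Chains(oldUser, certs{head}, certs{oldCA}), // false: no path from the self-signed CA to the Head CA
		Chains(oldUser, certs{head, oldCA}, nil), // true, but only because every CA becomes a trust anchor
		Chains(newUser, certs{head}, certs{newCA}) // true: the Head CA alone suffices
}
```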
2. "An accredited certification authority shall not have the right to authorize third parties to create qualified electronic signature keys and qualified certificates on behalf of that accredited certification authority." Here no comment is needed; see the picture above.
3. "Operators of state and municipal information systems, as well as of information systems whose use is prescribed by regulatory legal acts, and of public information systems, shall not have the right to require that a qualified certificate contain information restricting its use in other information systems." Or, translating into Russian: departmental certificate issuers are now FORBIDDEN to add extra fields to certificates and to demand them. This will certainly hurt the interests of the Federal Tax Service, the Federal Registration Service and other agencies that accept only "their own" certificates. But now, holding a single qualified ES, you can be authenticated in and use ALL state information systems.
4. Annoying inaccuracies in 63-FZ have been fixed, for example those related to the requirement that the CIPF itself visualize the document being signed, etc.
5. CA liability for damages to third parties has been increased, and the requirements for the publication times of certificate revocation lists and their availability on the Internet have been clarified.
To summarize. The amendments to the law on electronic signatures proposed by the Ministry of Communications and the State Duma will greatly simplify the lives of ordinary electronic signature users and let them use one signature to access all state resources. On the other hand, these changes will not make life much harder for CAs: instead of a request for cross-signing in the HCA's information system, they will now submit a request for a subordinate certificate (still the same PKCS #10 request, and the software does not need to change).
As a result, in a few years we will get a unified, cohesive trust space in which users can feel comfortable and use their Russian certificates for their web pages, which is currently not possible.
To be honest, I am pleased with the Ministry of Communications' work on developing the trust space; the use of electronic signatures in Russia is outgrowing its childhood diseases, and it is high time.