
Simple electronic signature infrastructure. Part 4: Practical aspects of implementation


In Part 1, Part 2, and Part 3, the main systems of the PEP (simple electronic signature) infrastructure were considered. In this part we consider the design procedure for a practical implementation of that infrastructure. I note up front that the description is generalized in nature; it is not a tutorial, an instruction, or a guideline. As noted in the first part, the whole article is only a personal vision, based on the practice of implementing the PEP in the information systems of agents that provide complex, multi-stage technological services. The purpose of implementing the PEP is to expand the geography of the service by moving the document workflow to the Internet when providing services to individuals, minimizing the need for customers to visit the company's office in person. To simplify the example, we will not consider large companies with complex document flow, but take an abstract company that provides home automation services. In the minimum version, the document flow of such a company consists of an application for a design, a contract with a technical specification, and a certificate of work performed.

Architecture requirements and description


Before starting the design, it is necessary to systematize the existing descriptions of the architecture and gather the requirements of the interested parties. First of all, note that in systems engineering the requirements of federal legislation, regional legislation, and various departmental and corporate regulations are not requirements of interested parties. The state is not an interested party in the project; the state acts as analyst and designer, and the law provides a high-level description of the architecture, a concept, not a requirement. This concept must be embodied in the finished product for the project to be considered successful from the point of view of the state, represented by its executive and supervisory bodies.

The concept described in the regulations is almost always scattered across various documents. A single concept is formed from these disparate descriptions using extracts and explanations. An extract is a part of a document that is traced to the source document by its details: the number, date and title of the source document and the position within it (section number, clause, paragraph). In practice an extract sometimes contains an uncertainty; in that case an additional document is used, an explanation, usually drawn up in the form of a letter from a state body.

The real requirements that give any project its uniqueness are only the expectations and needs of specific people whose lives can change, or be affected, during the life cycle of the project's result: its design, planning, implementation and operation. Such requirements will not be considered in this article, as they are specific and unique to each project.

The legislative concept of the PEP architecture


Key storage system


The basis of the signature is the information it transmits. As shown in the analysis of the target system, the signature transmits information about personal data (PD), and it is necessary to decide which PD of the counterparty will be locally registered in the agent's case management system. The answer is given by the extract from articles 20 and 21 of the Civil Code of the Russian Federation: full name and place of residence. For a local trust space these PD are enough, but if the goal is the legal significance of the electronic signature (ES), then the identification codes assigned to these PD in the authorized registration system are also necessary. The authorized system in the Russian Federation is the Ministry of Internal Affairs, which assigns an identification code, the series and number of the passport, to a full name and place of residence. Thus, for local registration to become potentially authorized-local, it is necessary to register the full name, place of residence, and passport series and number.

The next step is to determine the PEP keys: the public and private key. In theory, any unique set of codes, passwords and other means associated with PD can be used as PEP keys. The extract from FZ-63, namely Article 4, does not specify what the keys are. But since we need to achieve the legal significance of the signature, here we can rely on documents of a different kind: judicial practice. As judicial practice shows, the main point contested in the courts is that the chosen method of signing does not have the features of an analogue of a handwritten signature (AHS). Different stakeholders solve this issue differently. The most important feature of an AHS is its inseparability from personal data. You cannot invent a code as a public key; this code must unambiguously indicate the PD, like a personal signature monogram, and it must be registered with an authorized body, just as the monogram is registered in the passport. Currently the only such code is the SNILS. It is used as the PEP public key in the provision of public services, and it is also used as the PEP public key in the information of EDS electronic certificates. How the SNILS came to be authorized to fulfil this role is debatable, since legally it is intended for a completely different use. At the legislative level there are proposals to introduce a new code specifically for this purpose, but so far de facto practice has settled on the SNILS, which is unchanging, unique, and registered with the authorized body.

It is quite admissible, with reference to the SNILS, to add an additional key; let us call it secondary. This can be some unique login. In terms of the analogue of the handwritten signature, such a login is the handwritten initials of the full name. For a handwritten signature, writing the initials does not cancel the monogram; for the PEP, the login does not cancel the SNILS.

Any password can be used as a private key. But it is highly desirable that this password be used only for signing and not combine other roles, such as logging into the site. This solves two technical problems at once: there is a private key known only to the owner of the PD (the analogue of the motor skill of the handwritten signature analyzed in part 2), and there is an electronic signing event: entering the PEP private key is similar to the hand movement when drawing a monogram.

Additionally, you can check that it is the owner whose "hand moves". For this, a secondary public key is used: the phone number. An SMS with a code is sent to the phone number, and the code in this case plays the role of a one-time private key. Entering the code when signing is similar to using a private key. With such use of a phone number it is desirable to ensure that codes do not repeat, which guarantees that the private key is known only to the owner of the PD at the moment of signing. It is also possible to use the phone number simply as an additional public key whose use confirms the fact of signing. In that case the code sent is not a private key, and the private key must be separate.

Summarizing all the above, the following should be stored in the PD processing system:

  1. Personal data of the counterparty - full name and address of the place of residence;
  2. Identification code of authorized registration of personal data - passport number and series;
  3. Authorized public key (signature sample) - SNILS;
  4. Secondary public keys (if necessary) - site login, email address, phone number.

In sum, this forms a kind of electronic passport: a locally authorized analogue of a regular passport, where the SNILS is the analogue of the handwritten signature monogram.

The system for the formation of a message about the personal data of the counterparty


The next step is to decide how PD are registered in the agent's system. Here we run into a major contradiction inherent in the description of the architecture for working with PD in FZ-152 and FZ-63. The extract from article 9 of FZ-152 reads as follows:
In cases provided for by federal law, the processing of personal data is carried out only with the consent in writing of the subject of personal data. The written consent on paper is recognized as equivalent to a consent in the form of an electronic document signed in accordance with federal law with an electronic signature.

The problem is that, in the case of the PEP, it is necessary to obtain PD in order to form an electronic signature, and in order to collect PD it is necessary to obtain consent already signed with an electronic signature. In addition, according to the extract from article 9 of FZ-63, an agreement on the use of a simple electronic signature is necessary. This is a vicious circle which, at first glance, can be broken only by a handwritten signature of the agreement and the consent during a personal visit. But if we use a particular form of agreement on the use of the PEP, namely the contract of accession (public offer), and combine the collection of PD with the signing of the consent, everything can be done remotely. Thus, with virtually no alternatives, the law dictates the following algorithm for registering the counterparty's PD for use in ES systems if the task is to do without personal visits:

  1. You need an agreement on the use of a simple electronic signature, developed by qualified lawyers, which should be accepted anonymously, without using a signature. This gives the legal basis for signing the consent to provide PD with an ES. The law provides an option for organizing an anonymous agreement: the contract of accession, which an unlimited number of users can join (public offer). This is the first thing a user should see when registering. The fact of joining the offer (acceptance) is confirmed by the creation and entry of the private key. The process depends on whether a reusable private key (password) or one-time private keys will be used in the future.
  2. The form for entering the personal data listed above, namely full name, place of residence, passport series and number, SNILS, etc., must include consent to the provision of personal data. The consent itself must be personal and, in addition to the model clauses listed in Article 9 of FZ-152, must contain a clause stating that the consent is signed by the PEP, listing the public keys: SNILS + secondary keys (if any). The entire form (personal data and consent) is signed in one action. The signing mechanism is described in more detail below in the section "Public key transmission system based on the private key".
  3. After performing these actions, the user is registered in the system and gets the opportunity to submit applications, requests, appeals and complaints signed by the PEP. The consent must be retained, as it may be withdrawn.

Having decided on the list of stored PD, it is necessary to design the architecture laid down in the description of FZ-152. The implementation of this architecture consists of technical and organizational measures that protect PD from unauthorized access. The main steps are:

  1. Choose a platform certified by FSTEC for working with PD. In accordance with the requirements of the law, the platform in its minimum version should ensure delimitation of access to PD and logging of all PD access operations. In my practice, the following options were usually considered: MS SharePoint 2013/2016, Bitrix, Alfresco, Liferay, and accordingly MS SQL Server, PostgreSQL (as part of certified AltLinux), and MySQL as the database. Naturally, other options are possible. The choice of one option or another is made on the basis of a comparative analysis of the total cost of ownership and of the expectations of the agent's technical department: which platform will be easier for them to support.
  2. Develop a policy for the processing of personal data.
  3. Based on the developed PD processing policy, decide whether additional certified PD protection tools and registration as a personal data operator are necessary. There are established methods for this step, and it is better to involve licensed specialists, especially if the PD fall under a category of secrecy, for example medical secrecy.

In the simplest case, if the PD cannot be used for any purpose other than identifying the PD subject in order to provide the service, and the PD cannot be transferred to third parties under any circumstances, step 3 may be skipped with the informed permission of a qualified information security specialist.

Trust space


The next step is to resolve the issue of the PEP trust space. If the source of the PD stored in the PD processing system is the agent's site, then this local trust space can be trusted only by the agent. To raise the status of trust, it is necessary to verify this data against the original document issued at the authorized registration of PD, the original passport. It must be the original, since receiving scanned copies of passports through the site is just a more complicated way of entering PD and differs little from plain entry of PD. Remotely requesting scanned copies of passports makes little sense and does not raise the status of trust in the data, but it does raise the level of requirements for the protection of PD. On the counterparties' side, a request for scanned copies of passports often provokes a negative reaction, so this option should be abandoned. A separate personal visit of the counterparty can be used for reconciliation, or it can be combined with any stage of the service at which personal interaction with the counterparty occurs. Government e-services use reconciliation with the ESIA (the Unified System of Identification and Authentication). A separate mechanism for electronic verification of personal data is also planned. Thus, a PD record in the personal data processing system can have two statuses: confirmed / not confirmed. Similar statuses are used on public service portals.

Signature processing system


The purpose of the signature processing system is to ensure the non-transferability of the signature to other documents. Both the agent and the counterparty must be sure that the PEP with which the counterparty signed some document cannot subsequently be attributed to another document of which he has no idea. In general, the legislative acts do not provide for the PEP such a property as non-transferability, but it is important for the legal significance of the signature. In order to bind the PEP to a specific document, the agent's system must keep an electronic PEP register in which each PEP receives a unique incremental identification number. The increment binds the signature to the time of its creation: a smaller number indicates that the signature was obtained earlier. In effect, such a PEP number is a secondary PEP public key. The register, in addition to the PEP itself, must be linked by a one-to-one relationship to the counterparty's registration data, the identification number and date of the document, the time of signing and the PEP.

The register also provides another important feature of the signature system: converting a signed document from electronic form into paper form. Many organizations, such as the courts, use paper document flow. In order to be able to submit a signed document to such an organization when necessary, the system must have a service for converting documents from electronic form into paper form; signed documents are converted to PDF. When a simple electronic signature is visualized in paper form, the PEP public keys (primary and secondary) should be shown, i.e., on the basis of our design, the full name, SNILS, phone number (if used), and unique PEP identification number. They are shown according to the accepted rules of office work, usually below the contents of the document, for example:
Signed by simple electronic signature:
Ivanov Ivan Ivanovich, SNILS 000-000-000 00, Phone (000) 000-00-00.
Registration number of the signature: 0000000 from 01/31/2017 10:05:47

You can also rely on the methodological recommendations for interdepartmental electronic document management (MEDO) and produce the visualization in the PDF/A standard.

Public key transmission system based on the private key


The system is described in detail in part 2. The architecture is built on the basis of article 12 of FZ-63, that is, the system must necessarily provide:

  1. Notification to the counterparty that he is starting the signing procedure. The notification should show the user the details of the document being signed; ideally the document should be open for reading. The counterparty must enter the private key of the signature, known confidentially only to him, to confirm both the fact and the moment of signing;
  2. Notification to the user that the document is signed. Technically, the signing procedure consists of creating an entry in the PEP register and assigning it a unique number. It is desirable to duplicate the registration number of the signature, the registration number of the document and the time of signing via SMS. Thus the user effectively gets a "second copy of the document" in his possession.
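As an added illustration of the PEP register described in the previous section and of the two-step signing procedure above (notification with document details, entry of the private key and one-time code, creation of a numbered register entry), not code from the original article: a minimal Python model in which the counterparty record holds only a salted hash of the signature password, every register entry is bound to the SHA-256 digest of the signed document so it cannot be attributed to another one, and the paper visualization follows the layout shown earlier. The PBKDF2 parameters, class and function names and the sample data are assumptions of this example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timezone

ITER = 100_000  # PBKDF2 iteration count (assumed parameter, not from the article)

@dataclass
class Counterparty:
    """Locally registered record, the article's 'electronic passport' (constructed sample, not real PD)."""
    full_name: str
    snils: str        # authorized public key, the signature sample
    phone: str        # secondary public key that receives the one-time code
    pw_salt: bytes
    pw_hash: bytes    # the private key (password) itself is never stored, only its salted hash
def enroll(full_name, snils, phone, password):
    salt = secrets.token_bytes(16)
    return Counterparty(full_name, snils, phone, salt,
                        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER))
@dataclass(frozen=True)
class SignatureRecord:
    number: int       # incremental register number, itself a secondary public key
    snils: str
    doc_id: str
    doc_digest: str   # SHA-256 of the signed bytes: the entry cannot be attributed to another document
    signed_at: datetime

class PepRegister:
    def __init__(self):
        self._records = []    # append-only; number == position, so a smaller number means earlier
        self._pending = {}    # (snils, doc_id) -> one-time code awaiting entry
    def start_signing(self, cp, doc_id, doc_title):
        """Step 1: show the document details and issue the one-time code (a real system sends it by SMS to cp.phone)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(cp.snils, doc_id)] = code
        return f"You are signing document {doc_id} '{doc_title}'. Enter your signature password and the SMS code.", code

    def sign(self, cp, doc_id, doc_bytes, password, sms_code):
        """Step 2: check both keys, then append a numbered entry bound to the document digest."""
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), cp.pw_salt, ITER)
        if not hmac.compare_digest(check, cp.pw_hash):
            raise PermissionError("private key (password) does not match")
        expected = self._pending.pop((cp.snils, doc_id), None)   # popped even on mismatch: the code is one-time
        if expected is None or not hmac.compare_digest(expected, sms_code):
            raise PermissionError("one-time code missing or wrong")
        rec = SignatureRecord(len(self._records) + 1, cp.snils, doc_id,
                              hashlib.sha256(doc_bytes).hexdigest(), datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def verify(self, number, doc_id, doc_bytes):
        # Is entry `number` bound to exactly this document with exactly this content?
        rec = self._records[number - 1] if 0 < number <= len(self._records) else None
        return rec is not None and rec.doc_id == doc_id and rec.doc_digest == hashlib.sha256(doc_bytes).hexdigest()

def visualize(cp, rec):
    """Paper (PDF) visualization in the layout the article shows."""
    return ("Signed by simple electronic signature:\n"
            f"{cp.full_name}, SNILS {cp.snils}, Phone {cp.phone}.\n"
            f"Registration number of the signature: {rec.number:07d} from {rec.signed_at:%m/%d/%Y %H:%M:%S}")
```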

Adaptation of the office management system


Adaptation of the office management system should ensure the immutability of the document after signing. The PEP, by its structure, cannot fulfil this role. All documents submitted to the office management system can be divided into two types: unilateral and multilateral. Unilateral documents signed only by the counterparty, such as statements and appeals, usually do not require immutability, since by their nature they are initiating, starting documents. They can be changed, edited, or rejected. For such documents it is sufficient to provide only the counterparty's PEP, which in some cases can be certified by an enhanced signature of the agent upon acceptance into the office management system. In contrast to unilateral documents, multilateral documents must be immutable, so the agent should place the first signature on such documents, and this signature should be enhanced, using cryptography, to ensure the immutability of the document. In order to give the counterparty assurance that the document will not change after his ES has been placed on it, the signing time plays an important role. The enhanced signature of the agent must be earlier in time than the counterparty's PEP, and this fact must be recorded by independent sources. Accordingly, the enhanced signature must be capable of carrying time stamps (OID 1.2.643.2.2.34.25). Meeting these conditions is intended to ensure both trust between the counterparty and the agent and the trust of third parties.

Conclusion


Recently there has been a tangible trend towards moving to the simple electronic signature in document flow with individuals, due to the complexity and cost of the public key infrastructure. The public services portal is moving most services for individuals to it. I hope this article will be useful to those involved in developing and applying the PEP infrastructure in the provision of services to individuals over the Internet.

Source: https://habr.com/ru/post/320936/