Using Simple Electronic Signature in Documents
The purpose of writing this article is to popularize the use of Simple Electronic Signature (PEP) in documents. The more people use, the more popular the mechanism, the less all fears, suspicions and questions. It is very convenient, I signed the account and IAP acts and sent it by email to the accounting department of the counterparty.
A simple electronic signature does not require receipt of it in the certification center, does not require special hardware or software, however, subject to certain conditions, it is recognized by our legislation to be equivalent to a handwritten signature.
Moreover, if you have your own verification service, the PEP guarantees the authenticity of the signature, in contrast to the handwritten signature. For example, it is not known to the third person who has taken the document in his hands, the squiggle in front of the full name is the real signature of that person or not. And here I went to the specified service, entered the number of the signature and you know for sure that this particular document was signed by this person.
')
How to make such a service check, and how to organize your PEP and will be described in this article.
PS: This method is not suitable for signing invoices. The invoice has strict requirements - the signature is either alive or an electronic signature with the operator. A bill, an act, etc. can.
First, a little legislative theory.
Our legislation unambiguously defines the conditions for recognizing electronic documents signed with a simple electronic signature, equivalent documents on paper, signed with a handwritten signature. This is determined by the Federal Law No. 63 of April 6, 2011, Article 9 “Use of a simple electronic signature”. This law votes:
Those. For the legitimate use of PEP we need:
The rules for determining the signatory and the method of ensuring confidentiality are most conveniently described in the contract. The body of the contract should describe that the parties recognize the PECP equivalent to a handwritten signature, subject to the rules described in Appendix 1. In Appendix 1, the rules and the procedure for the formation of the PEP should be described accordingly.
I will give an example of how this was done in my offer contract . I do not pretend that this is an ideal option, but I think as a living example, readers will be interested.
In Section 1, Terms and Definitions, the concept of PEP is introduced.
Further section 4. Agreement on the use of PEP.
Further section 6. Order of settlements. It says that the closing documents can certify PEP.
Finally, Appendix 1, which describes the rules and procedure for the formation of the PEP.
Validation Service Code
PS: do not forget about the exception of SQL injections when submitting an ES request!
A living example of how you can organize the work of users with ES and the work of a verification service can be read here:
I hope the article will be useful, and I will at least a little popularize the PEP mechanism and our life will become easier.
A simple electronic signature does not require receipt of it in the certification center, does not require special hardware or software, however, subject to certain conditions, it is recognized by our legislation to be equivalent to a handwritten signature.
Moreover, if you have your own verification service, the PEP guarantees the authenticity of the signature, in contrast to the handwritten signature. For example, it is not known to the third person who has taken the document in his hands, the squiggle in front of the full name is the real signature of that person or not. And here I went to the specified service, entered the number of the signature and you know for sure that this particular document was signed by this person.
')
How to make such a service check, and how to organize your PEP and will be described in this article.
PS: This method is not suitable for signing invoices. The invoice has strict requirements - the signature is either alive or an electronic signature with the operator. A bill, an act, etc. can.
A lawyer’s comment on this matter: “ There are strict requirements on the invoice - the signature is either alive or an electronic signature with the operator.
There was even a practice at one time whether it was possible to sign a facsimile, it seemed to be about the same as a live signature.
The courts said no.
With EP will be the same. Too much budget is losing because of the SF . "
First, a little legislative theory.
Our legislation unambiguously defines the conditions for recognizing electronic documents signed with a simple electronic signature, equivalent documents on paper, signed with a handwritten signature. This is determined by the Federal Law No. 63 of April 6, 2011, Article 9 “Use of a simple electronic signature”. This law votes:
1. An electronic document is considered to be a signed simple electronic signature if one of the following conditions is fulfilled:
1) a simple electronic signature is contained in the electronic document itself;
...
2. Normative legal acts and (or) agreements between participants of electronic interaction, establishing cases of recognition of electronic documents signed with a simple electronic signature, equivalent documents on paper, signed with a handwritten signature, should include, in particular:
1) the rules for determining the person signing the electronic document, according to his simple electronic signature;
2) the obligation of the person creating and / or using the key of a simple electronic signature to respect its confidentiality.
Those. For the legitimate use of PEP we need:
- enter the signature code in the document (which is understandable)
- come up with the rules for determining the signatory
- confidentiality method
The rules for determining the signatory and the method of ensuring confidentiality are most conveniently described in the contract. The body of the contract should describe that the parties recognize the PECP equivalent to a handwritten signature, subject to the rules described in Appendix 1. In Appendix 1, the rules and the procedure for the formation of the PEP should be described accordingly.
I will give an example of how this was done in my offer contract . I do not pretend that this is an ideal option, but I think as a living example, readers will be interested.
In Section 1, Terms and Definitions, the concept of PEP is introduced.
1.6. “Simple electronic signature” - the signature on the electronic version of the documents transmitted between the Parties and defined by the rules in Appendix 1 of this agreement, clauses 4.2 and 4.3 of this Agreement and article 9 of the Federal Law of 06.04.2011 N 63- “On electronic signature”.
Further section 4. Agreement on the use of PEP.
4. AGREEMENT ON THE USE OF SIMPLE ELECTRONIC SIGNATURE.
4.1. The parties, in accordance with the Federal Law of 06.04.2011 N 63-FZ "On Electronic Signature", agree to the use of simple electronic signature documents transmitted between the Parties, including in the closing documents.
4.2. The rules and procedure for the formation of a simple electronic signature key and the rules for determining the person signing an electronic document, according to his simple electronic signature, are defined in Appendix 1 to this Agreement. Appendix 1 is an integral part of this Agreement.
4.3. The parties undertake to respect the confidentiality of the key of their simple electronic signature.
4.4. Based on paragraph 4.2 and paragraph 4.3. of this contract and the provisions of clause 2 of Article 9 of the Federal Law dated April 6, 2011 No. 63- “On Electronic Signature”, electronic versions of documents placed in the Licensee’s personal account, or delivered via email between the Parties, are considered equivalent documents on paper signed handwritten signature.
Further section 6. Order of settlements. It says that the closing documents can certify PEP.
6.7. The closing documents between the parties are transmitted electronically by posting in the Licensee’s personal account and (or) via e-mail and are certified with a Simple electronic signature.
Finally, Appendix 1, which describes the rules and procedure for the formation of the PEP.
Rules and procedure for the formation of a simple electronic signature.
1. Rules of formation of the signature.
1.1. The signature key is a code word or any sequence of characters from 6 to 64 characters known only to the owner.
For example: "Licensee Key"
1.2. Signature Key Hash - a signature key processed by a hash function with a key length from 64 to 256 bits.
Production Example:
- hash ('sha256', 'Licensee Key') = cf7f0afbad1857c1da38477d79889cb378d33dee5430e9e7bf4cc04f0e3354f8
- hash ('sha1', 'Licensee Key') = 7e3ecf5ab5ad710573a028d1a383355293b75438
- md5 ('Licensee Key') = 822f424c94ffbe1e9b0e53df6d851da4
1.3. Hash of the signature key, to enable automatic verification of documents by the system, the user needs to deposit in the personal account on the site https://erp-platforma.com in the Settings-ES section.
1.4. For security reasons, 5-10 characters of the user's key hash value are replaced with asterisks when displaying (for example: instead of 822f424c94ffbe1e9b0e53df6d851da4, 822f4 ***** ffbe1e9b0e53df6d851da4 will be displayed on the screen). This procedure prevents the attacker from copying the user's key, even if the login password of the user account is hacked. The original key must be kept exclusively by the user.
1.5. Algorithm for obtaining a simple electronic signature of the document:
“Simple electronic signature” = hash_sha1 (“Document Type” + “Document Number” + “Document Date” + “Licensee Key”)
PS: the licensee's key in this system is “salt”.
For example:
b554f464d3cf1b128b07e96b960b7bb4a19a3c95 = hash ('sha1', '1'. 'â„–03452'. '09.11.2016'. '822f424c94ffbe1e9b0e53df6d851da4')
Types of documents:
1 - Account
2 - Act
3 - Contract
4 - Annex to the contract
1.6. To improve readability, an electronic signature can be presented in the form of 5 characters separated by hyphens. This procedure is optional. Hyphens when you enter a signature program will automatically be deleted.
b554f464d3cf1b128b07e96b960b7bb4a19a3c95 = b554f-464d3-cf1b1-28b07-e96b9-60b7b-b4a19-a3c95
2. Signature verification rules
2.1. Authentication of the Licensor’s Simple Electronic Signature.
The licensor on its official website erp-platforma.com provides the ability to verify the signature of any document at erp-platforma.com/ecp . To check, you must enter the Simple electronic signature from the document in the field “Simple electronic signature”, enter the captcha code and click on the “Verify document signature” button. In response, the program will issue the details of the document, or write "The document was not found, the signature was not confirmed."
This authentication procedure of the Simple Electronic Signature of the Licensee can be performed by both the Licensee and third parties to whom the Licensee has transferred the documents.
2.2. Authenticate Licensee's Simple Electronic Signature.
Verify the licensee’s signature Licensor can in 4 ways:
1) A signature key Hash must be entered in the personal account of the licensee of the user who signed the document. In this case, when documents are received by e-mail from the Licensor, it becomes possible to automatically verify the authenticity of the signature knowing the type of document, document number, date of signature, and hash of the user's signature key.
2) In the event that the Licensee makes a signature in the personal account, and the user's signature key hash is entered, then it is necessary to enter the generated Simple electronic signature for this Act into the appropriate box of the document and click on the “EA” button. The program will automatically verify the signature and put it into the document.
3) In the event that the Licensee does not deposit the hash of the user's signature key in the personal account, but wants to transmit documents signed by Simple electronic signature via email, the Licensee must deliver to the Licensor the signature-key hash of the user signing the documents in any medium, including on paper
4) In the event that the Licensee does not wish to notify the licensor of the user's signature key hash, he may make a signature verification service on his technical tools similar to erp-platforma.com/ecp and send a link to this service along with the documents so that the Licensor has the ability to authenticate Simple electronic signature document.
Validation Service Code
// if ($_POST['capcha']==$_SESSION['captcha']) { // , . if ((strlen($_POST['ep'])==47)or(strlen($_POST['ep'])==40)) { // $ep=str_replace('-','',$_POST['ep']); if (strlen($ep)==40) { // , } else echo '<br><font color=red> .'.strlen($ep).'</font>'; } else echo '<br><font color=red> . 40 47 .</font>'; } else { if (isset($_POST['capcha'])) echo '<br><font color=red> .</font>'; } PS: do not forget about the exception of SQL injections when submitting an ES request!
A living example of how you can organize the work of users with ES and the work of a verification service can be read here:
I hope the article will be useful, and I will at least a little popularize the PEP mechanism and our life will become easier.
Source: https://habr.com/ru/post/323364/
All Articles