Questions and answers
Electronic signature (ES) is electronic data that is added by the signer to other electronic data or is logically connected with them and is used by the signer as a signature.
Electronic signatures can be simple, advanced (AdES) or qualified (QES).
In contrast to simple signatures, advanced and qualified electronic signatures make it possible to certify the signer's agreement with the content of the electronic document and to identify the signer. Besides, AdES and QES give rise to legal facts and are reliable evidence in court.
In addition, advanced and qualified electronic signatures are used to ensure the integrity of the electronic document.
The difference between them is that a qualified electronic signature provides a higher level of protection, has a high level of trust as a means of electronic identification, and is equivalent to a handwritten signature. An advanced electronic signature has a medium level of trust. In the future, a qualified e-signature will be required for the recognition of Ukrainian electronic signatures in EU countries. One of its main features is that it is stored in a secure private key token (SPKT).
Since the qualified electronic signature has a high level of trust as a means of e-identification, it is mandatory for use in state and local self-government bodies, enterprises, state-owned institutions, as well as by state registrars and notaries.
Electronic seals are used to ensure the authenticity of the origin and integrity of the electronic document.
Electronic seals are reliable evidence in court. As with electronic signatures, there are advanced and qualified electronic seals that provide additional security guarantees compared to simple electronic seals.
In case you want to seal a document as a legal person (e.g. as a business or organisation), you might instead be interested in an electronic seal.
An electronic seal is data in electronic form which is attached to or logically associated with other data in electronic form to ensure the latter's origin and integrity, where the creator of the seal is a legal person (unlike an electronic signature, which is issued to a natural person).
For this purpose, electronic seals may serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document's origin and integrity.
Nevertheless, across the European Union, when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person is equally acceptable.
A file medium is a special file that contains your private key. This file is usually called Key-6 and has the extension *.dat (the extensions *.pfx, *.pk8, *.zs2 and *.jks are also found). To use the file medium, you need to:
1. Choose your provider of electronic trust services from the list: the entity you applied to for obtaining an electronic signature.
2. Upload the file with your personal key from an external medium or from your own computer.
3. Specify the password for access to the personal key in the corresponding field.
A secure private key token (Qualified Signature Creation Device) is a device for safe storage of QES. It can be in the form of a token, "cloud storage", Mobile ID or a smart card.
A secure private key token, or Qualified Signature Creation Device, is a device for a qualified electronic signature or seal designed to store a personal key; it has built-in hardware and software tools that protect the data recorded on it against unauthorized access, direct reading of the private key parameters, and copying. The compliance of the qualified electronic signature or seal with the requirements of the Law of Ukraine "On Electronic Identification and Electronic Trust Services" is confirmed by compliance documents or by positive expert opinions based on the results of state expertise in the field of cryptographic information protection.
A secure private key token is a tool designed for safe storage of QES, which is stored in a device and is under the sole control of the signer. SPKT is protected by an access password, and entering the wrong password a specified number of times in a row blocks the medium.
Secure private key tokens (Qualified Signature Creation Devices) are devices for a qualified electronic signature or seal; the list of them is available at the link.
However, please note that in the above list, not all means of cryptographic protection of information are QES means, but only those mentioned in the expert report.
A token is a special hardware and software device that protects private keys from being copied or changed by perpetrators. The token can be in the form of a USB device or in the form of a smart card (a card with a chip). Examples of tokens produced in Ukraine are the Almaz-1K and Crystal-1 devices.
To use the token, you need to read the key by selecting the "Token" section:
- Connect your token via a USB port (if you have a token in the form of a USB device) or use a special information reader (if you have a token in the form of a smart card).
- Choose your trust services provider from the list: the entity you contacted to obtain an electronic signature.
- From the list of tokens, select the type of device you want to use.
- Specify the access password to the private key in the corresponding field.
A cloud storage, or simply a cloud, is one or more remote servers that securely store user’s data.
If your personal key is stored using a third-party service (preservation in a secure cloud storage), then to read the key you have to select the "Cloud" section and your provider from the list at https://www.czo.gov.ua/sign and go through authorization in its system.
The electronic time stamp shows that the electronic signature or seal was applied exactly at the specified time.
- Choose the type of e-signature you want to sign the file with from the options offered: "Electronic signature", "Diia.Signature - UA" (for use within Ukraine) or "Diia.Signature - EU" (for cross-border recognition).
- If you chose one of the Diia.Signature options, follow the step-by-step instructions shown on your screen.
- If you chose "Electronic signature", select your key medium: file medium, token or cloud.
- Select a provider from the list that appears.
- Read the private key.
- Enter the password.
- Choose how to save the data and the signature: the recommended option is an archive in ASiC-S format, or choose another format from the list that appears on your screen.
- Drag and drop into the browser or select on your media the file you want to sign. Click the "Continue" button.
- Check the file name and click the "Sign file" button.
Everything is ready! You see a signed file, an unsigned file, and a protocol that contains the signature information. By default, the file is saved in the "Downloads" directory. If it was not, click the "Save file" button and save it to the medium you need.
The signed document can be downloaded in p7s format (CAdES data storage and signature format) or as a ZIP archive (ASiC-S or ASiC-E data storage and signature format). These files contain the original document and the signature file.
When validating an e-signature, it is necessary to distinguish signatures contained in one data file (one file with the extension .p7s or .zip) from those contained in separate files (one is the original file, the other is the QES with the extension .p7s). In the latter case, the service will also ask for the original file for verification.
- The case of validation of a signature contained together with the data in one file in CAdES format (one file with the .p7s extension):
  a. Press the "Select" button.
  b. A window for selecting a file from the computer's file system will appear; select the file to be checked (one file with the .p7s extension).
  c. The service will show the signature validation results.
  d. Press the "Save" button, after which the browser downloads the original file on which the qualified electronic signature was created. Saving works the same way as an ordinary file download in the browser.
- The case of validation of a signature contained in a separate file in CAdES format (detached signature: the original file is separate from the signature file with the .p7s extension):
  a. Press the "Select" button.
  b. A window for selecting a file from the computer's file system will appear; select the file to be checked (one file with the .p7s extension).
  c. In the next step, the system informs you that the file for which the signature was created must be added.
  d. Click the "Choose" button and, in the file selection window, select the file for which the signature was created.
  e. Press the "Save" button.
  f. The browser downloads the original file on which the signature was created. Saving works the same way as an ordinary file download in the browser.
  Adding both files at the same time also works (the detached signature file with the .p7s extension and the file on which the signature was created).
- The case of validation of a signature contained in one data file in ASiC-S or ASiC-E format (one qualified electronic signature container with the .zip extension):
  a. Press the "Select" button.
  b. A window for selecting a file from the computer's file system will appear; select the file to be checked (one qualified electronic signature container with the .zip extension).
  c. The next step shows the signature validation result.
A qualified electronic signature container with a .zip extension has a "META-INF" folder that directly contains the electronic document signature.
An electronic copy of a document with mandatory details, including an electronic signature of the author or a signature equivalent to a handwritten signature, is considered the original of an electronic document. In the case of sending an electronic document to several recipients or storing it on several electronic media, each of the electronic copies is considered the original of the electronic document. An electronic document can be created, transferred, stored and transformed by electronic means into a visual form. The visual form of presentation of an electronic document is the display of the data it contains by electronic means or on paper in a form suitable for the acceptance of its content by a person.
To become the owner of an e-signature, contact any qualified trust service provider:
• fill out the registration form;
• provide passport data;
• provide the registration number of the taxpayer's account card;
• you will also need additional documents that are established by the provider in accordance with its certification practices/regulations.
The list of providers is at the link.
It is necessary to register a legal entity or register as an individual entrepreneur. Next, you need to submit documents to the central certification authority or a certification center for inclusion in the trusted list in accordance with Article 30 of the Law of Ukraine "On Electronic Identification and Electronic Trust Services". For more details, see the link.
How to provide services through a separate registration point
The trust services provider must:
To issue an appropriate order or enter into an agreement with a legal entity or individual (the separate registration point, SRP);
To submit to the Central Certification Authority or Certification Center information about separate registration points and their employees whose duties will be directly related to the provision of qualified electronic trust services, in accordance with part three of Article 30 of the Law of Ukraine "On Electronic Identification and Electronic Trust Services".
Use the online service for creating a qualified electronic signature or seal at czo.gov.ua/sign. At "Step 4 of 4", select "Detached files. CAdES format".
Note: This method allows you to sign files larger than 25 MB, but it has its inconveniences. You need to save 2 files (the signature file and the signed file). Any changes in the signed file will make it impossible to validate the signature.
Usually, a barcode or QR code is displayed on the document itself if the document was signed as a document of an electronic document management system (for example, SED ASKOD).
The presence of an electronic signature or bar code or QR code is not displayed on a document that is not signed in the SED. If the document is signed correctly, you can verify the electronic signature by using the signature verification service on the websites of the Central Certification Authority or the provider "Diia" at the following links: czo.gov.ua/verify or ca.diia.gov.ua/verify. As a result of the file verification, you will receive three files: a document with a signature, a document without a signature and a "protocol of creation and verification of a qualified electronic signature" in a PDF file. Also, on the monitor you will immediately see the result of the signature check with all the data of the signatory.
The file "protocol of creation and validation of a qualified electronic signature" will display: information confirming the integrity of the signed data, the name of the signatory, data on the signatory's legal entity (if available), the registration number of the qualified key certificate, the name of the trust services provider that issued this certificate, and the date of creation of the qualified signature.
To save the protocol file to your device, just click the "Save" button.
The answer is yes. Proceed as follows:
- Sign the file (for example, 1.pdf) with the first key, following the instructions in the question "How to sign a file on the CZO site". Download the signed document (it will be 1.pdf.p7s).
- Sign the file 1.pdf.p7s with the second key. Download the signed document (it will be 1.pdf.p7s.p7s).
- Sign the file 1.pdf.p7s.p7s with the third key. Download the signed document (it will be 1.pdf.p7s.p7s.p7s).
Thus we have 1.pdf.p7s.p7s.p7s, a file signed with three signatures: each signature wraps the previous signed file as its content.
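The nesting described above (each .p7s wrapping the previous one as its signed content) and the attached versus detached distinction from the validation section, as an added example that is not CZO's code: a minimal DER walker that reports whether a CMS SignedData carries its content (attached) or not (detached), counts SignerInfos, and peels nested layers back to the original document. The SignerInfo values are constructed placeholders, so this inspects layout only; real cryptographic verification needs a CMS library.

```python
# Minimal DER helpers (definite lengths only, as used by DER-encoded CAdES).
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData
OID_DATA = "1.2.840.113549.1.7.1"          # id-data


def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _encode_len(len(content)) + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_signed_data(content, signer):
    """Constructed CMS ContentInfo/SignedData. The SignerInfo is a labelled
    placeholder (version + signer name), not a real signature; only the outer
    layout matters here. content=None produces a detached signature."""
    encap = der_oid(OID_DATA)
    if content is not None:                      # attached: eContent [0] OCTET STRING
        encap += der(0xA0, der(0x04, content))
    signer_info = der(0x30, der(0x02, b"\x01") + der(0x0C, signer.encode()))
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, encap) + der(0x31, signer_info))
    return der(0x30, der_oid(OID_SIGNED_DATA) + der(0xA0, signed_data))


def describe_cms(blob):
    """Report whether a SignedData is attached or detached and how many
    SignerInfos (parallel signatures) it holds."""
    tag, ci, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, oid, pos = read_tlv(ci, 0)
    if tag != 0x06 or decode_oid(oid) != OID_SIGNED_DATA:
        raise ValueError("not CMS SignedData")
    _, wrapper, _ = read_tlv(ci, pos)            # [0] EXPLICIT SignedData
    _, sd, _ = read_tlv(wrapper, 0)              # SignedData SEQUENCE body
    _, _, pos = read_tlv(sd, 0)                  # version
    _, _, pos = read_tlv(sd, pos)                # digestAlgorithms
    _, encap, pos = read_tlv(sd, pos)            # encapContentInfo
    _, ctype, epos = read_tlv(encap, 0)
    content = None
    if epos < len(encap):                        # eContent present -> attached
        _, octets, _ = read_tlv(encap, epos)
        _, content, _ = read_tlv(octets, 0)
    signer_infos = b""
    while pos < len(sd):                         # skip certificates [0] / crls [1]
        tag, val, pos = read_tlv(sd, pos)
        if tag == 0x31:
            signer_infos = val
    count, p = 0, 0
    while p < len(signer_infos):
        _, _, p = read_tlv(signer_infos, p)
        count += 1
    return {"detached": content is None, "signers": count,
            "content_type": decode_oid(ctype), "content": content}


def signature_layers(blob):
    """Peel nested attached signatures (1.pdf.p7s.p7s.p7s) from the outside in.
    Returns (layer descriptions, outermost first; innermost payload or None)."""
    layers = []
    while True:
        info = describe_cms(blob)
        layers.append(info)
        inner = info["content"]
        if inner is None:                        # detached: payload is in a separate file
            return layers, None
        try:
            describe_cms(inner)                  # is the content itself a signature?
        except (ValueError, IndexError):
            return layers, inner                 # no: this is the original document
        blob = inner
```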
What function does the QES fulfill?
- Identify the author of the signature (name, natural or legal person, TIN or EDRPOU code).
- Determine whether the document was changed after it was signed.
- Protect the document from forgery.
- Record the time stamp, which is a very important parameter for an electronic document, because it allows you to confirm the authenticity of the signature even after the validity period of the certificate has expired or it has been canceled or revoked (only for QES) with a complete set of data for long-term verification (Signature with Long-Term Validation Data).
The password for a qualified electronic signature or seal cannot be recovered, as it is known only to the user. In case of loss of or damage to the personal key, or loss of its password, you need to contact the provider where you received the QES, at the same time submitting an application for changing the status of the qualified certificate and a new package of documents for the issuance of a new QES.
Revoking a qualified key certificate is an early termination of its validity. Revoked key certificates cannot be renewed.
Temporary suspension of public key certificate validity.
After the procedure of putting a certificate on hold (suspension), its renewal is possible within thirty calendar days. At the end of this period, the qualified certificate will be automatically revoked by the provider.
Renewal of the validity period of a qualified certificate is possible only for blocked qualified certificates, the blocking period of which has not expired.
To renew the term of validity of a qualified certificate, the applicant submits a written application of the prescribed format to the provider.
In accordance with part 2 of Article 22 of the Law of Ukraine dated October 5, 2017 No. 2155-VIII "On Electronic Identification and Electronic Trust Services", the identification of the person who applied for the service of creating a qualified public key certificate is carried out in one of the following ways:
1) in the personal presence of a natural person, a natural person - an entrepreneur or an authorized representative of a legal entity - based on the results of checking the information (data) about the person obtained in accordance with the procedure established by law from the Unified State Demographic Register, according to the passport of a citizen of Ukraine or other documents issued in accordance with legislation on the Unified State Demographic Register and on documents certifying a person, confirming the citizenship of Ukraine or the special status of a person;
2) remotely (without the person's personal presence), with the simultaneous use of a means of electronic identification with a high or medium level of trust, previously issued to an individual, an individual entrepreneur or an authorized representative of a legal entity in person, and multi-factor authentication;
3) according to the identification data of the person contained in a qualified certificate of electronic signature or seal previously formed and issued in accordance with clause 1 or 2 of this part, provided that such certificate is valid;
4) using other methods of identification defined by law, the reliability of which is equivalent to personal presence and confirmed by the conformity assessment body.
Therefore, it is not possible to obtain the service of creation of a qualified public key certificate by power of attorney (including a notarized one).
If you apply for an electronic signature for the first time, in this case, personal presence is required to identify your person in accordance with Article 22 of the Law of Ukraine "On Electronic Trust Services".
No, changes to the certificate are not allowed. To do this, you need to contact the provider for a new key (KEP, the Ukrainian abbreviation for QES).
A qualified public key certificate is a public key certificate that is issued by a qualified provider of electronic trust services, a certification center or a central certification body and meets the requirements of the Law of Ukraine "On Electronic Trust Services".
Such a certificate is used to identify the signer of an electronic document. It is worth noting that a qualified certificate is not a private key and can be transferred between subjects of electronic document circulation. It is not possible to create a qualified electronic signature using only a qualified public key certificate.
One person can have several KEP: for personal needs and for professional activities. The electronic signature issued to an employee by a company contains their name and the organization's EDRPOU code. In a personal KEP, the person's individual tax number is written instead of the organization code. You cannot use your personal KEP to sign documents on behalf of the company.
A certificate is a means of confirming the ownership of the open (public) key to its owner.
A certificate is issued by a qualified trust services provider and is used to verify that the public key belongs to the owner whose data is specified in it. The certificate file has the extension ".cer", usually these files can be opened by the built-in tools of the operating system.
A certificate file contains identification data that uniquely identify the qualified provider and user of electronic trust services, the validity period of the certificate, etc.
If your personal key is stored using a third-party service (storage in a secure cloud storage), then in order to read the key, you must select your provider from the list and carry out authorization in their system.
Diia.Signature is an electronic identification service for users who received a personal key remotely with the Diia mobile application.
Diia.Signature consists of two parts. One part is stored on your smartphone and the other in a special protected module of the Diia portal.
Citizens of Ukraine who hold an ID card or a biometric international passport can receive a personal key remotely using the Diia mobile application.
To be authorized on the site with the help of Diia, you should:
1. Choose the "Diia.Signature" section.
2. Scan the QR code.
3. Read the personal key by scanning your face (photo check) and entering the personal key password.
4. In case of successful authentication in the mobile application, the system transmits your personal data, which allows you to be identified.
ASiC is a structured container that allows you to store a set of file objects with associated e-signatures and/or e-timestamps that conform to the ZIP specification.
ASiC-E allows you to store one or more file objects with associated e-signatures and subsequently add file objects, e-signature files and e-timestamps.
ASiC-S allows you to save one file object with an associated e-signature and add new signatures later. It also allows files for e-timestamp protection to be added.
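The container layout this section and the earlier note about the META-INF folder describe, as an added example that is not CZO's or ETSI's code: a builder for a small ASiC-S container and an inspector that classifies a container as ASiC-S or ASiC-E and flags layout problems before any cryptographic checks. The document and the .p7s "signature" are constructed placeholders; the entry names and mimetypes follow ETSI EN 319 162-1.

```python
import io
import zipfile

# Constructed sample inputs (assumptions): a tiny "document" and a placeholder
# byte string standing in for a CAdES signature; no real CMS structure or crypto.
SAMPLE_DOCUMENT = b"%PDF-1.7\n% constructed sample document body\n"
PLACEHOLDER_P7S = b"placeholder CMS blob, not a real signature"

MIMETYPE_S = "application/vnd.etsi.asic-s+zip"
MIMETYPE_E = "application/vnd.etsi.asic-e+zip"


def build_asic_s(document_name, document, signature_p7s, mimetype_first=True):
    """Build an ASiC-S container holding one data object and one CAdES signature.

    Per ETSI EN 319 162-1 the 'mimetype' entry must be the first entry and be
    stored uncompressed; the data object sits at the root and the signature is
    META-INF/signature.p7s. mimetype_first=False deliberately breaks the layout
    so the inspector below has something to flag.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if mimetype_first:
            zf.writestr("mimetype", MIMETYPE_S, compress_type=zipfile.ZIP_STORED)
        zf.writestr(document_name, document, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/signature.p7s", signature_p7s,
                    compress_type=zipfile.ZIP_DEFLATED)
        if not mimetype_first:
            zf.writestr("mimetype", MIMETYPE_S, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inspect_asic(container):
    """Classify an ASiC container and list the layout problems a validator
    should flag before doing any cryptographic checks.

    Returns a dict with the container kind ('ASiC-S', 'ASiC-E' or 'unknown'),
    the data objects at the root, the signature files and manifests found under
    META-INF, and a list of problems (empty for a well-formed container).
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        names = zf.namelist()
        mimetype = ""
        if not names or names[0] != "mimetype":
            problems.append("mimetype entry missing or not the first entry")
        else:
            if zf.getinfo("mimetype").compress_type != zipfile.ZIP_STORED:
                problems.append("mimetype entry is compressed")
            mimetype = zf.read("mimetype").decode("ascii", "replace").strip()
        meta = [n for n in names if n.startswith("META-INF/")]
        data_objects = [n for n in names
                        if n != "mimetype" and n not in meta and not n.endswith("/")]
        # CAdES signatures live in META-INF/signature*.p7s, XAdES ones in
        # META-INF/signatures*.xml.
        signatures = [n for n in meta
                      if n.endswith(".p7s")
                      or (n.endswith(".xml") and "signature" in n.lower())]
        manifests = [n for n in meta if n.split("/")[-1].startswith("ASiCManifest")]
    kind = {MIMETYPE_S: "ASiC-S", MIMETYPE_E: "ASiC-E"}.get(mimetype, "unknown")
    if not signatures:
        problems.append("no signature file under META-INF")
    if kind == "ASiC-S" and len(data_objects) != 1:
        problems.append("ASiC-S must hold exactly one data object, found %d"
                        % len(data_objects))
    if kind == "ASiC-E" and any(n.endswith(".p7s") for n in signatures) and not manifests:
        problems.append("ASiC-E with CAdES signatures needs META-INF/ASiCManifest*.xml")
    return {"kind": kind, "mimetype": mimetype, "data_objects": data_objects,
            "signatures": signatures, "manifests": manifests, "problems": problems}


if __name__ == "__main__":
    good = inspect_asic(build_asic_s("contract.pdf", SAMPLE_DOCUMENT, PLACEHOLDER_P7S))
    bad = inspect_asic(build_asic_s("contract.pdf", SAMPLE_DOCUMENT, PLACEHOLDER_P7S,
                                    mimetype_first=False))
    print(good["kind"], good["problems"])
    print(bad["kind"], bad["problems"])
```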
XAdES is a unified e-signature that allows e-data of any format to be signed. Also stores e-signature in XML format, separately from or together with e-data. Supports parallel and sequential signing of one or more e-documents.
PAdES is a unified e-signature that allows you to sign e-data in PDF format thanks to the security program for PDF files. Does not support parallel signing of e-data.
CAdES is a unified e-signature that allows you to sign e-data in any format, and also to save the e-data and the e-signature in separate files. To verify a detached CAdES e-signature, two files are needed: the original (unsigned) file and the signature file.
Three formats of advanced signature and one format of signature container are specified in the European Telecommunications Standards Institute (ETSI) standards, namely:
• XML advanced electronic signature (XAdES), based on XML signatures;
• PDF advanced electronic signature (PAdES), based on PDF signatures;
• CMS advanced electronic signature (CAdES), based on Cryptographic Message Syntax (CMS);
• Associated Signature Container (ASiC) based on ZIP format and supporting XAdES and CAdES signature formats.
These e-signature formats shall be recognised by Ukrainian and by European public sector bodies.
Advanced electronic signatures and advanced electronic seals being similar from the technical point of view, the standards for formats of advanced electronic signatures apply mutatis mutandis to formats for advanced electronic seals.
When signing/sealing a single document, the format of signature to choose typically depends on the format of the document to sign:
• XML documents are suggested to be signed/sealed using XAdES signature format (either with enveloped or enveloping packaging);
• PDF documents are suggested to be signed/sealed using PAdES signature format;
• Binary files are suggested to be signed/sealed with XAdES or CAdES signature formats (with enveloping packaging).
When signing/sealing multiple documents, it is suggested to use ASiC containers.
The above suggestions are intended for basic usage of the signature/seal of documents. Other formats of signatures might be more appropriate in other specific contexts.
When a party needs to rely on signed electronic data (e.g. a signed document), it is very often important that it can verify:
- The integrity of the signed data;
- The authenticity of the signed data.
The requirements for the validation of qualified electronic signatures are, in particular, described in Article 32 of the eIDAS Regulation. In this context:
- Integrity means that no modification has been made to the signed data after it has been signed;
- Authenticity means that the signature is supported by a qualified certificate identifying the signatory, and that only the signatory can produce the signature.
A summary and non-exhaustive overview of the steps involved in the validation process for qualified electronic signature would be:
• The verification of the integrity of the data;
• The verification of the validity of the certificate;
• The verification of the qualified status of the certificate and;
• The verification that the signature was created by a qualified electronic signature creation device.
Finally, as numerous steps are involved in this validation process, the answer to a validation request can take the form of a validation report that contains the set of answers regarding the signatory and the certificate.
As defined by technical memorandum RFC 5280, a Trust Anchor is the end point of a certificate validation process.
As part of the EU Trusted List, when validating a qualified certificate (i.e. QC for electronic signatures, QC for electronic seals, other QC), the Trust Anchor is the Service digital identity (Sdi) of a trust service entry (cf. ETSI TS 119 612 v2.1.1). It means that, when validating a certificate, there is no need to chain up to the Root CA of a qualified certificate but only to the related CA/QC issuer entry within the Trusted List.
In order to extract the certificate chain from a qualified certificate to its issuer, you may use the “certificate validation” tool.
The eIDAS Regulation introduces the concept of Trusted List (TL) in the following statement:
“Each Member State shall establish, maintain and publish trusted lists, including information related to the qualified trust service providers for which it is responsible, together with information related to the qualified trust services provided by them.” (eIDAS article 22.1).
It may therefore be understood that all qualified trust service providers (QTSPs) and the qualified trust services (QTS) they provide are mandatorily listed in their national TL, and that this is the main goal the TLs serve. Nevertheless, while not mandatory under eIDAS, Member States can also include in their TLs information related to non-QTSPs and non-QTS.
The information related to the trust services includes information about the status (e.g. granted, withdrawn) and the status history of the trust services in compliance with the applicable requirements and the relevant provisions of the eIDAS Regulation.
In addition to the legal definition provided by eIDAS, the Commission Implementing Decision (EU) 2015/1505 specifies the technical specifications and formats for Trusted List.
The Trusted List Browser is a publicly available tool provided by the European Commission. It allows the user to browse through the information present in the Member States' national Trusted Lists (TLs), as well as in the European Commission's central list named the List of Trusted Lists (LOTL). It provides an intuitive interface that is user-friendly and human-readable.
Trusted List Browser should be taken as a tool to search for Trust Service Providers and the services associated with them that are listed in a Member State national Trusted List. It is not intended to provide sufficient information to be used in a validation process.
Four levels of baseline signatures have been defined by ETSI standards for the CAdES, XAdES, and PAdES formats. They are the:
- B-B level, which is the level of a Basic Signature meaning that it is a signature that can be validated as long as the signing certificate is valid (not revoked or expired).
- B-T level, which is the level of a Signature with Time , meaning that it is a signature that proves that the signature existed at a given point in time. It is built from the previous level by adding a time stamp token on the signature as unsigned properties.
- B-LT level, which is the level of a Signature with Long-Term Validation Material , meaning that it is a signature that provides the long-term availability of the validation material by incorporating all the material or references to material required for validating the signature. It is built from the previous level by adding this material, that is: the complete certificate and revocation data on the signature and the time stamp(s) as unsigned properties.
- B-LTA level, which is the level of a Signature providing Long Term Availability and Integrity of Validation Material . It is built from the previous level by adding a time stamp token on the validation material as unsigned properties, thereby establishing evidence that the validation data existed at the indicated time. This level targets the long-term availability and integrity of validation material, and if appropriate measures are put in place (e.g. periodical timestamping), a signature at this level could still be validated long after the cryptographic algorithms used for its creation are no longer considered secure enough, or more simply after the expiration of the validation data.
The appropriate level to use when creating an electronic signature depends on the intended usage of the signature:
- If the signature only needs to be validated in the short term (e.g. when signing invoices), a basic signature at the B-B level would usually be enough;
- On the other hand, if there is a need for a signature (and its eventual qualification level) to be validated in the long term, a preservation process of periodical B-LTA level augmentation should be considered. Such a preservation process is however usually much heavier to put in place than the simple generation of an electronic signature, and its application should be duly justified.
More information about these levels can be found in the standards ETSI EN 319 102-1 (section 4.3), 122-1, 132-1, and 142-1 (section 6).
In all EU Member States, the legal effects of electronic signatures are laid down in Article 25 of eIDAS.
An electronic signature (simple, advanced or qualified) shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
As for qualified electronic signatures, they explicitly have the equivalent legal effect of handwritten signatures in all EU Member States.
Across all EU Member States, the legal effects of electronic seals are laid down in Article 35 of eIDAS.
Like an electronic signature, an electronic seal shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic seals.
Electronic seals might serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document's origin and integrity. Nevertheless, across the European Union, when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person is equally acceptable.
Regarding qualified electronic seals, they explicitly enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked across all EU Member States.