Growing Certificate Policies (CP)

Posted on 18 May, 2012 by chemalogo

Some time ago I want to create a post on the growing number of certificate policies (CP) that populate the landscape of Spanish Certification Service Providers (CSP).

Assuming that a CP, simplifying a lot, is “What must be met to manage the certificate life-cycle” and the certification practices statement (CPS) are the “how I do it to meet the CP”, it seems clear that each Certification Services Provider must have a CPS, but that the CPs could be cross-Certification Services Provider, at least a very specific CP with a very clear purpose (e.g. legal representative of a company), promoted by the government.

From my point of view, this is especially relevant in two cases:

If the Certification Services Provider has a hierarchy with multiple subordinate or intermediate CAs, depending on the focus of the hierarchy, can be very interesting to define the entire CP cross hierarchy.
Certificates of Spanish Law 11/2007. Profiles are defined with a great level of detail and too much information (looking for interoperability, I suppose) and we were on the verge of these profiles become CPs and providers do not have to create new CPs, with their OIDs, all identical, to comply with these profiles.

What do you think? Is there room to simplify the number of certificate policies? Do they have meaning independent certificate policies (transverse to) the Certification Services Provider?

To try to supplement this entry, I have discussed the topic at LinkedIn, discovering a heated group discussion (restricted) Electronic Signature Group.

Participated in the debate Laszlo Szentirmai – Policy administrator at NetLock Kft., first Hungarian Certification Authority issuing qualified certificates, Charles Moore – CEO and founder of VillageMall – and Vojtech Kment – ICT consultant, lawyer specialized in electronic document security and CEO of axonNet – the latter two very active members of the LinkedIn groups.

Hungary seems to have a similar situation, and more than spewing light on the subject, raises new questions, showing concern especially for the certificate policies not covered by the European Directive and national laws, such as SSL, for example.

Meanwhile, Charles is shown quite critical of which involves the electronic signature with comments like “One takes a simple zero cost process where no-one is disadvantaged, i.e even the poorest and least educated can place a X on a bit of paper, and we try and replace this with a system that no one understands, cost an absolute fortune” and simplifies the issue by arguing that, ultimately a PC is nothing more than an agreement, something with which I agree, but the problem is not what it is, but the high number to manage. I do not think that a simplification of nature reduces this problem.

Of course, Charles is not shown in favor of a PC government.

To Vojtech, the issue is more complex, he detailed the difficulties that a PC can have and which implies the high number.

Finally the debate ended focusing more on just what a CP is and how one shpuld develop it than if one should to minimize their number and whether it would be a development of CP’s from the Public Administration.

What do you think? Is there room to simplify the number of certificate policies? Do they have meaning independent certificate policies (transverse to) the Certification Services Providers?

And you know, if you liked this entry, or you think may be helpful to others, please share it via the buttons you’ll find below.

Firmaprofesional, isigma and 21 CFR of the FDA

Posted on 30 April, 2012 by chemalogo

The 21 CFR

What is 21 CFR?

It is the section of the Code of Federal Regulations of the Food and Drug Administration (FDA) on electronic records and electronic signatures in the United States.

Part 11 of the 21 CFR, as it is commonly referred, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable and equivalent to paper records.

In what areas apply?

In practical terms it applies to those actors operating in the United States, as:

Manufacturers of drugs and medical devices
Manufacturers of biotechnology
Developers of biological products
Research groups

Is it necessary to be enforced?

Yes, the FDA conducts regular audits of companies with a presence in the U.S. market, as dictated by the Federal Food, Drug and Cosmetic Act and the Public Health Service.

How can an electronic signature solution to help in its fulfillment?

By signing a document electronically, provides a range of evidence that guarantee the basic principles of traceability, auditing, integrity and non repudiation of documents generated in an electronic environment.

The solution

The solution is a combination of the application of electronic signatures and digital certificates suitable for the purpose at hand, which is to meet the 21 CFR. For this purpose we set ClickSign of isigma, plus Corporate Certificates of Natural Person (Spanish), from Firmaprofesional (Spanish). Other Corporate Qualified Certificates, for instance, collegiate, would also be valid.

ClickSign

ClickSign is a product of isigma, design to perform electronic signatures in desktop computer.

ClickSign, along with a Corporate Certificate Natural Person in Secure Signature Creation Device generates qualified electronic signatures under Spanish law, specifically Law 59/2003 of 19 December on Electronic Signature (LFE -Spanish-).
It necessary to recall that “The electronic signature will have on data in electronic form the same value as a handwritten signature on paper,” according to Article 3.4 of the Act.

ClickSign apply electronic signatures to documents created with other applications, whether office automation, document management, graphics, etc. (PDF, Word, XML, images, video, audio, …), staying away from the production of documents prior to signature.

Firmaprofesional Certificates

An important part of ensuring the reliability of the system are the digital certificates used. In this case certificates from Certification Authority (hereinafter AC) Firmaprofesional, that complies with Spanish legislation on electronic certification and therefore the EU Directive 1999/93/EC, are to be used.

The document that describes how the AC Firmaprofesional operates and has been approved by the MINETUR (Ministry of Industry, Energy and Tourism, former Ministry of Industry, Tourism and Trade -MITyC-) is the Certification Practices Statement (CPS.) The certificate profile and special conditions are set out in the Certificate Policy (CP -Spanish-).

Alignment of the solution with the requirements of 21 CFR

Given the scope of ClickSign and Firmaprofesional certificates, alignment with 21CFR focuses on the following sections of the standard:

Sec. 11.50 Signature manifestations.

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The best way to ensure this is to ensure that the signed document itself contains this information, particularly the limitations imposed by paragraph (b).

It is recalled that the certificates provided by Firmaprofesional contain the signer information (name, ID number) and signature embedded in PDF includes information on the date and time of signature, from the signer’s computer.

Notwithstanding the foregoing, and as additional technical measure that provides greater legal guarantees, we recommend the use of Firmaprofesional Time-Stamping (Spanish) service, which supports ClickSign.

Sec. 11.70 Signature/record linking.

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

ClickSign performes PDF- embedded signatures, among other formats. In this way the signature is linked with the signed document from an information standpoint.

On the other hand, the signature is based on asymmetric or public key cryptography, so technically it ensures the link between signature and signer’s identity and document signed by the very nature of the algorithm.

The signature algorithm used is sha1WithRsaEncryption, a standardized algorithm and accepted by the community that guarantees non-falsification or manipulation of data.

Sec. 11.100 General requirements.

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual`s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.

(a) The1.024-bit RSA keypair used to produce electronic signatures is generated in the card itself or secure-signature creation device (SSCD), one of whose functions is to ensure “that data used for signature generation can occur only once and their secrecy is reasonably assured” as required in Article 24.3.a of LFE
(b)Firmaprofesional verifies the identity of each signer to whom issues a certificate in accordance with the requirements of Article 12.a) of the LFE (“To check the identity and personal circumstances of applicants under the provisions of the following article. “.) For details, refer to the Certificate Policy (Spanish).
(c) By the very definition of electronic signature (LFE, Article 3.4), the electronic signature generated by ClickSign and Firmaprofesional certificates has recognized functional equivalence to a handwritten signature.

Sec. 11.200 Electronic signature components and controls.

(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

(1) The solution is based on asymmetric cryptography, with a private key (signature creation data) stored on a smart card and it is necessary to enter a PIN (activation data) to use it, so one uses two authentication mechanisms, namely:

something that I have (the card)
something you know (the PIN)

(i) The electronic signature is made in the chip of the card, so if you retire it, you could not continue to produce electronic signatures.
(ii) After removing the card, if you re-enter and you want to sign again, you must enter yourPIN again.
(2) Guaranteed by the two authentication mechanisms explained above.
(3) The card is locked to the third incorrect PIN attempt. The procedures for issuance of Firmaprofesional ensure that a single person can not issue a certificate on behalf of another.

Sec. 11.300 Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Being a solution based on asymmetric cryptography, public key infrastructure(PKI)-digital certificates, and smart cards, not using personal identification codes, this section does not apply.

Conclusion

Taking into account the requirements of 21CFR and the functional scope of the product ClickSign, and certificates issued by the CA Firmaprofesional, the proposed solution meets the requirements specified in the regulations.

If you liked this entry, or you think may be helpful to others, please share it via the buttons you’ll find below.

Posted in Digital Signature Software, Digital certificate practices, Digital signature success stories | Tagged 21 CFR, electronic signature, FDA, Firmaprofesional, isigma | Leave a comment

e-voting: towards a direct democracy?

Posted on 15 March, 2012 by chemalogo

Two key technologies have had to reach their maturity to even think of remote electronic voting as an alternative to cast voting: the Internet and public key cryptography. The first one allows the access of millions of people to servers anywhere in the world, and the second one because it allows to apply the technical security measures to ensure the integrity of the vote and, where necessary, privacy and non-repudiation.

The explosion of smartphones and tablets do nothing but transform the remote electronic voting in a much more attractive alternative. Nowadays we are also witnessing the dawn of Internet-connected televisions; so, in a world where the percentage of people with Internet access is very significant on the global and increasingly high, what are we waiting to start voting electronically from our homes, hotels or wherever we are? Of course, no t before the “organizers” (e.g. governments) put the resources.

Let’s start defining remote e-Voting as where voting is performed within the voter’s sole influence, and is not physically supervised by representatives of governmental authorities (e.g. voting from one’s personal computer,mobile phone,television via the internet (i-voting) and, for the purpose of this paper, we will focus on elections to the state governments, autonomous regions, municipalities, namely the election of public office, usually by universal suffrage.

Who is interested in the remote electronic voting?

If we assume, as is the case, that remote electronic voting can offer the same guarantees that voting in person (which is secret, non-transferable, which may not have more than one vote per voter, where provided for the election, …) the first actor is the voter: you can vote from wherever your are, no traveling, no queues and still wearing pajama.

In addition, the voter, as a stakeholder in the outcome of the vote, is also interested in the speed of count (although this is not unique to remote electronic voting) and the fact that minimize counting errors. This account, incidentally, is also much cheaper either in euros or in hours of people or both.

These benefits, I may insist, associated with electronic voting in general, not just with the remote electronic voting in particular, should also engage governments (parties) for obvious reasons.

All parties are filled her mouth with “participation”, the importance of participation in elections and the fact is that if we want the parliaments represent the plurality of the people who elect them, participation is very important … and a appropriate electoral law even more.

With voting facilities granted by the remote e-voting is evident that it will increase participation.

Challenges of remote electonic voting

It is biased

Basically for two reasons: because, although an increasing percentage of citizens with Internet access (ranging from 13.5% in Africa and 78.6 in North America with a global average of 32.7% and an increase of 528% between 2000 and 2011, see http://www.internetworldstats.com/stats.htm) it is not UNIVERSAL, and because the profile of people who use it frequently or use it for something as personal as voting is not a representative sample of all strata of society, nor economic neither cultural.

Therefore, the remote electronic voting today can not eliminate voting in person, but to complement it, so that voters who so wish to use this medium and state and voters take advantage of its benefits, at least partially.

Several generations have to pass to think of remote electronic voting as the unique way to vote in general elections.

However, in other elections where the electorate is more closed and controlled and where the universality of access and frequent use of internet is the norm, remote electronic voting stands as a great solution

Is it personal and not transferable?

Despite efforts in securing the remote electronic voting is clear if you vote in person in front of representatives is highly unlikely that I impersonate another person, anything likely to be my wife who impersonates me and of course, the threats to which I can be subjected, at least not contemplate the immediate physical harm to me.

This, by the very nature of “remote” electronic voting at hand, is much more difficult to guarantee. And at this point, I honestly do not know what else can be done and if these deficiencies someday allow government elections in one country can be fully by remote electronic voting.

If you liked this post, or you think it may be helpful to others, please share it via the buttons you’ll find below.

Posted in Digital signature success stories | Tagged e-voting | Leave a comment

February and electronic invoicing

Posted on 1 March, 2012 by chemalogo

electronic invoicing

During this month of February we left behind, two events related to electronic invoicing have been held.

On the one hand, very close, the Sixth Congress of Electronic Invoicing and Certified Scanning, organized by the Association of ICT Sector (AMETIC) and held last February 23.

As indicated in www.facturae.es, there have been significant developments since the lastcongress, including the adoption of the COUNCIL DIRECTIVE 2010/45/EU of 13 July 2010 amending Directive 2006/112/EC on the common system of value added tax as regards the rules on invoicing (PDF)

One of the most controversial points of this directive is paragraph (11)

The authenticity and integrity of electronic invoices can also be ensured by using certain existing technologies, such as Electronic Data Interchange (EDI) and advanced electronic signatures. However, since other technologies exist, taxable persons should not be required to use any particular electronic-invoicing technology

that seems to go against the mandatory use of electronic signature (much less qualified) to ensure the authenticity and integrity of electronic invoices.

Borja Adsuara, recently appointed CEO of Red.es (ES), also announced that the Ministry of Telecommunications and Information Society (SETSI) will invest 650,000 euros to foster the development of the electronic invoice (ES), an amount may seem high, but, according to the administration, would save 15,000 million euros, or what is the same, 1.5% of Spanish GDP.

A great summary of the Congress can be read in the post CONCLUSIONS AND COMMENTS ON THE SIXTH CONGRESS OF ELECTRONIC INVOICING AND CERTIFIED SCANNING (ES), written by Bartolomé Borrego (ES).

The other event related to the electronic invoicing of February took place on 15th, at the offices of CEN (European Standardization Center) in Brussels. This was the end of phase 3 of the e-Invocing CEN Workshop.

After completion of the first workshop on electronic invoicing (e-Invoicing Workshop) in 2006 and the second phase of the workshop in 2009, a third phase was established in Brussels, 9 February 2010 (CEN WS EINV III) that has been completed on 15th February.

In this third phase have been developed the following deliverables (links to the drafts, since the final versions are not yet released):

This third phase has been very focused on the barriers to adoption of electronic invoicing in Europe and how to extend its benefits to all types and sizes of companies.

From isigma we believe strongly in the economic and environmental benefits of electronic invoicing and create products affordable and easy to use (as ClickSign or PortaSigma -ES-) to deliver electronic invoices to any user or business class, aligning with the guidelines of the third phase of e-Invoicing CEN Workshop.

As always, if you liked this post, or you think it may be helpful to others, please share it via the buttons you’ll find below.

Posted in electronic invoicing | Tagged electronic invoicing, events | Leave a comment

PortaSigma users take 4 days less than its competitors to collect customer signatures

Posted on 28 February, 2011 by rdeblas

PortaSigma users are companies that need to collect signatures from their customers on a recurring basis. Traditionally, there were three methods to perform this operation:

Method 1: Moving to customer’s office

1. An authorized person in the company, looked for a gap in its calendar

2. Prepared two printed copies of the document

3. Took them in hand to the customer

4. In the office, both signed the documents

5. The authorized person, came back with the document copy

6. The authorized stored his copy in the corresponding file

Method 2: Sending the documents

1. The authorized person, prepared two copies of the document

2. Signed both copies

3. Prepared the envelop, and sent the documents to the customer’s office

4. The customer signed both copies

5. Stored its own copy

5 Prepared a new envelop and sent the original copy to the authorized

6. Who stored the copy in the corresponding file

Method 3: Receiving the customer

1. The authorized person dated the customer for the signature

2. Prepared two copies of the document

2. The customer went to the authorized office

3. Both copies were signed by both parts

4. The customer took his copy of the document

5. El autorizado de la empresa archivaba su copia

Since using PortaSigma, their routine is the following:

1. They upload a document to PortaSigma

2. Define the name, e-mail and identifier of the customer

3. Send the signature request, and in a few seconds, the customer has the possibility to sign form its PC or mobile phone

4. The customer signs the document

Thanks to this, these companies could spend more time to its core business.

Moreover, thanks to digital storage, these companies need less rooms to storage their physical files. As a reference, a traditional file fits 400 documents.

But maybe the must important benefit is the improovement of the service level to the customers.

With the cost reduction, and the service level improovement, PortaSigma users are obtaining a competitive advantage with their competitors, who keep applying handwritten signatures to their documents.

The following table shows the average of time invested in each of the described methods:


Waiting for the meeting	3		3	0
Sign and send the request from PortaSigma				0,1
Preparing two printed copies	0,1	0,1	0,1	0
Preparing and sending the envelop		0,1		0
Waiting for the delivery		3
Moving to customer’s office	0,5
Receiving the customer			0,5
Signature act	0,2	0,1	0,1
Preparing envelop and turning back		0,1
Signing request with PortaSigma				0,1
Returning to the office	0,5
Storing in fil	0,1	0,1	0,2
Total invested time (days)	4,4	3,5	3,9	0,2
Global satisfaction of the agents

Join now PortaSigma, and begin taking profit of these advantages from now on.

Posted in Digital Signature Software, Sin categoría | Leave a comment

Massive digital signature in PortaSigma

Posted on 4 February, 2011 by rdeblas

PortaSigma continues to improve its performance, meeting the demands of our customers. Latest improvement has been the massive digital signature feature.

There are professionals in certain sectors, who need to attend the request to sign many documents. For them, we designed this system that allows quick review, and to sign a batch of documents with just one click.

On screen we can check all the documents pending for signature, and the signature process progress.

Moreover, with this upgrade we’ve included support to ICP Brazil certificates.

If you still don’t have a PortaSigma account, create one now, and tell your partners that you are ready to sign your documents without unnecessary movement.

For additional information:

Román de Blas / rdeblas@isigma.es / +34 93.519.13.75

Posted in Digital Signature Software | Leave a comment

Four institutions sign agreement to integrate Digital Electronic Signature program in Panama

Posted on 25 January, 2011 by rdeblas

The Public Registry signed an agreement with four government institutions to become part of the national Digital Electronic Signature.

Luis Barrios, Public Registry’ Director, said the program will be implemented in the judiciary, the National Land Authority (Anati), the College of Notaries Public and Procurement Directorate.

He added that these four entities are part of a pilot plan to integrate it to all government institutions and civil society.

Barría said that befre ending 2011, the four institutions should already have implemented this digital system. “With this new program we’ll remove the signature on paper, ” he said.

He also noted that the digital signature is safer to which we are accustomed. The pilot scheme had a cost of four million dollars.

Posted in Digital Signature Software, Digital signature success stories | Tagged Panama | Leave a comment

Controlling the User Experience when SSL Root Certificates are not Recognised by Browsers

Posted on 14 January, 2011 by Carles Barrobés

So, Browsers Scare your Users by Saying your SSL Certificates Suck, hmmm?

Yup, we all know SSL is the way to go when protecting your site’s traffic from the bad guys, and it is not that difficult to set up. But what happens when the browsers don’t have pre-installed CA root certificates for the issuer of your SSL certificates? They tend to present very scary messages. Some versions of Internet Explorer heartily recommend users to get away from your site as quickly as possible, lest they be eaten by evil monsters (well, not exactly, but it has a similar effect).

Scare tactics may work well for browser manufacturers, so that certificate issuers are willing to make their certificates recognised and pre-installed in these browsers (or OS) releases. This process might involve some payment to the browser’s manufacturer… (warning: this is my personal unproven claim… call me suspicious if you wish).

In any case, once the user clicks on a link to your secure SSL-protected HTTPS site, funnily enough, the browser’s alarm messages may make it appear as a more insecure choice than using HTTP. What the …?

It looks like you don’t have control over the user’s experience… or do you?

We at Isigma have devised a mechanism that does give you some control over what your users see, and at least skip the browser’s message and replace it by your own page. It involves some Javascript Ajax. We have written it with jQuery but you can use any equivalent Ajax library of choice.

How can I Replace the Browser’s Unrecognised SSL Certificate Message?

Our solution consists of having a plain HTTP welcome page that checks behind the scenes whether the browser can open the HTTPS page, and if so does an automated redirect to the secure page. If the redirect doesn’t happen, it shows a message informing the user that in order to access your site she should install the root certificates, and instructing her how to do so.

For that purpose we created a jQuery-based javascript function ssl_check_and_redirect that honors its name. You give it an https URL, and if the browser can open it with Ajax, it redirects you automatically.

    function ssl_check_and_redirect(url) {
        $.ajax({
            url: url,
            dataType: "script",
            success: function(){
                window.location.replace(url);
            }
        });
    }

The datatype of “script” is a useful trick to avoid browsers’ same-origin policy restrictions when performing Ajax calls.

Unfortunately, if you try to use an error callback for the case where the SSL certificate is not recognised (I know that’s what you’re thinking, because it’s what I thought), you’ll find out that it is never called. To detect that case, you may want to use a workaround based on some sort of timeout instead.

Calling this function upon page load with jQuery is as simple as:

    $(function() {
        ssl_check_and_redirect("https://app.portasigma.com/");
    });

A simplified full welcome page (accessible via plain HTTP, no SSL) could look like:

<!DOCTYPE html>
<html>
<head>
    <script src="http://code.jquery.com/jquery-1.4.4.js"></script>
    <script>
    function ssl_check_and_redirect(url) {
        $.ajax({
            url: url,
            dataType: "script",
            success: function(){
                window.location.replace(url);
            }
        });
    }

    $(function() {
        ssl_check_and_redirect("https://app.portasigma.com/");
    });
    </script>
</head>
<body>
    <div id="log">
        <p>Performing a check before accessing our secure site</p>
        <p>If after a few seconds the secure page doesn't show up, you will
           have to install our SSL root certificate etc... (your friendly personal
           message to avoid browser scare)</p>
    </div>
</html>

Possible Improvements

This solution could be improved by using a three-page structure:

Welcome page that tells performs checks and redirects the user to the SSL page if OK. It has a timeout that, in case the SSL redirect doesn’t happen, takes the user to the warning page
Warning page, informing that the user should install the root certificates…
The good HTTPS page, the original page where you want your users to go

We leave this improved version as an exercise to the reader.

Posted in Digital certificate practices | Leave a comment

Moving to digital signature in Paraguay

Posted on 4 January, 2011 by rdeblas

Paraguay’s government published oficially the law project, that gives legal validity to electronic signatures, digital, data messages and electronic case files.

President Fernando Lugo had objected entirely the project, but both houses of Congress were ratified in their approval, which is why the executive had no choice but to enact.

The government must regulate the project 90 days after publication, on December 24th.

The electronic signature is the integrated set of electronic data, linked and logically associated with other electronic data, used by the signatory as their means of identification.

The digital signature is an electronic signature certified by an accredited provider while the message data is any information generated, sent, received through electronic means (mail, telegram, telex, telefax, etc.)..

Posted in Digital signature success stories | Tagged Paraguay | Leave a comment

ECB urges financial institutions to incorporate electronic signatures for its operations

Posted on 23 December, 2010 by rdeblas

The Central Bank of Ecuador, will incorporate its services, electronic signature technology. It can increase the level of confidence in electronic transactions and information exchange, so it also urged financial institutions to use this technological tool to secure the electronic transactions of their customers, and reduce the risks of theft and fraud in the banking system.

This technology guarantees the authenticity of who generates a data message, digitally signed document integrity, and also there is no possibility for a signatory to deny its action.

The electronic signature is data in electronic form attached to a data message, that identify the signature holder in relation to the data message and indicate that the signatory approves and recognizes the information contained therein. It has the same legal validity as a handwritten signature.

This signature is generated using a digital certificate, with which the certifying authority assures the link between the user’s identity, its public key and the private one.

El Banco Central del Ecuador, incorporará a sus servicios el uso de la tecnología de firma electrónica, la misma permite aumentar el nivel de confianza en la realización de transacciones electrónicas y en el intercambio de información, por lo también instó a las Instituciones Financieras a usar esta herramienta tecnológica con el fin de asegurar las transacciones electrónicas de sus clientes y reducir los riesgos de robo y fraude en el sistema bancario.

Dicha tecnología ofrece garantías de autenticidad de quien genera un mensaje de datos, integridad de documentos firmados electrónicamente, confidencialidad y además no existe la posibilidad para que el firmante niegue su acción.

La firma electrónica, son datos en forma electrónica adjuntados en un mensaje de datos, que identifican al titular de la firma en relación con el mensaje de datos, e indican que el titular de la firma aprueba y reconoce la información ahí contenida. Tiene la misma validez legal que una firma autógrafa.

Dicha firma se la generará a través de un certificado digital mediante el cual la autoridad de certificación asegura la vinculación entre la identidad del usuario, su clave pública, y privada.

Posted in Digital signature success stories | Tagged Ecuador | Leave a comment

International Digital Signature