Order of the Office for Personal Data Protection No 366 / 2001 Coll.
Ordinance of the Office for the Protection of Personal Data on the specification of the conditions laid down in Sections 6 and 17 of the Electronic Signature Act and on the specification of the requirements for electronic signature instruments
Valid
Order
Effective from 10.10.2001
366
DECREE
of the Office for Personal Data Protection
of 3 October 2001
specifying the conditions laid down in Sections 6 and 17 of the Electronic Signature Act and specifying the requirements for electronic signature instruments
The Office for the Protection of Personal Data ("the Office") lays down, pursuant to Section 20 of Act No. 227 / 2000 Coll., on Electronic Signature and on the amendment of certain other laws (the Electronic Signature Act):
Subject matter
This Decree specifies the conditions set out in Sections 6 and 17 of the Electronic Signature Act and the way in which compliance with them is to be demonstrated, the requirements that electronic signature instruments must meet, and the details of the procedure and method for assessing the conformity of electronic signature instruments with those requirements.
Means of proving compliance with the obligations laid down in Section 6 of the Electronic Signature Act
(1) The certification service provider issuing qualified certificates demonstrates compliance with the obligations laid down in Section 6 of the Electronic Signature Act with the following documents:
(a) certification policy;
(b) the certification implementing directive;
(c) overall security policy;
(d) system security policy;
(e) a crisis management and recovery plan; and
(f) an estimate of the adequacy of the financial resources and of the evidence that they have such financial resources.
(2) The content of the certification policy is in particular:
(a) setting out the principles applied by the certification service provider issuing qualified certificates when providing electronic signature services; and
(b) a description of the characteristics of the electronic signature creation data and the corresponding electronic signature verification data generated by the person requesting the issue of a qualified certificate and for which a qualified certificate is to be issued; cryptographic algorithms and their parameters to be used for these data are listed in Annex 1 to this Decree.
(3) A certification service provider issuing qualified certificates shall provide continuous remote access to its certification policy.
(4) The certification implementing directive shall, in particular, establish the procedures that the certification service provider issuing qualified certificates applies when providing services related to electronic signatures.
(5) The overall security policy shall, in particular, set objectives and describe how the overall security of the certification service provider issuing qualified certificates is ensured.
(6) The system security policy shall, in particular, set objectives and describe how the security of the information system through which the certification service provider issuing qualified certificates provides electronic signature services (hereinafter referred to as the "certification services information system") is ensured. The system security policy shall include in particular:
(a) how the overall security policy is applied in relation to the information system for certification services;
(b) a description of the links between the certification services information system and other information systems operated by the certification service provider issuing qualified certificates;
(c) the method of data protection and other elements of the information system for certification services;
(d) a description of the security measures; and
(e) risk analysis evaluation.
(7) The requirements for the overall security policy and the system security policy are published by the Office in the Bulletin of the Office for Personal Data Protection (hereinafter "the Office Bulletin").
(8) The crisis management plan shall, in particular, establish the procedures to be applied in the event of an exceptional event. An exceptional event for the purposes of this Decree is an event which threatens the provision of services related to electronic signatures and which occurs mainly due to the failure of the information system or the occurrence of a factor which is not under the control of the certification service provider issuing qualified certificates.
(9) The recovery plan shall, in particular, establish the procedures for restoring the proper functioning of the information system for certification services.
(10) When providing services related to electronic signatures, the certification service provider issuing qualified certificates shall proceed according to the documents referred to in points (a) to (f) of paragraph 1.
(11) Sufficient financial resources means the ability of the certification service provider issuing qualified certificates to financially ensure the proper operation of electronic signature services, taking into account the risk of liability for damage.
Safety of the procedure for issuing qualified certificates and operating the list of qualified certificates that have been invalidated
(1) A certification service provider issuing qualified certificates shall sign the qualified certificates it issues and the lists of qualified certificates that have been invalidated with a guaranteed electronic signature. This guaranteed electronic signature shall be based on the qualified certificate of the certification service provider issuing the qualified certificates.
(2) The electronic signature instrument used for signing in accordance with paragraph 1 cannot be used for other purposes.
(3) Putting into service the electronic signature instrument used for signing in accordance with paragraph 1, and modifying its operational regime, require that at least two natural persons designated for this activity by the certification service provider issuing the qualified certificates carry these actions out together at the same time.
(4) Where electronic signature creation data are used to sign issued qualified certificates and to sign a list of qualified certificates that have been invalidated, they shall not be used for other purposes.
(5) A certification service provider issuing qualified certificates shall ensure the availability of its qualified certificate in at least two independent ways.
(6) The list of qualified certificates which have been invalidated is operated in such a way that its availability is ensured by at least two mutually independent means that allow remote access, and that it is continuously available.
(7) The period between the expiry of the qualified certificate and the publication of the expiry date in the list of qualified certificates which have been invalidated may not exceed 12 hours. This information shall include the number of the qualified certificate, unique within the certification service provider issuing the qualified certificates, and the date and time, to the hour, minute and second, from which the qualified certificate was invalidated.
Security of the information system for certification services
(1) The information system used for certification services shall be considered safe when confidentiality, integrity, availability and demonstrability of their origin are ensured for the data it processes and when it complies with the requirements of the technical standard governing information security. 1)
(2) In order to demonstrate the safety of procedures under Section 6 (1) (j) of the Electronic Signature Act, the certification service provider issuing qualified certificates shall ensure that events are recorded relating to:
(a) the issue of qualified certificates;
(b) the expiry of qualified certificates;
(c) the handling of electronic signature creation data and corresponding electronic signature verification data of the certification service provider issuing qualified certificates (hereinafter referred to as "provider's pairs data") during their entire life cycle; and
(d) the handling of a qualified certificate of a certification service provider issuing qualified certificates throughout the life cycle of that certificate.
(3) Records of the events referred to in paragraph 2 shall be acquired, stored and processed with the maintenance of the demonstrability of origin, availability, integrity, timeliness and confidentiality of such records.
(4) The premises in which the activities referred to in paragraphs 1 to 3 and in Section 5 (1) are carried out shall be secured in a similar manner to those of category "D" pursuant to a special legislative regulation. 2)
(5) In order to demonstrate the safety of procedures under Section 6 (1) (j) and (k) of the Electronic Signature Act, the certification service provider issuing qualified certificates shall record in writing that the persons designated by it to provide electronic signature services are:
(a) familiar, to the extent necessary, with the documents referred to in points (a) to (e) of Section 2 (1); and
(b) trained in such a way that their professional qualifications correspond to the activities carried out.
Security of the procedure for the handling of pairs data of the certification service provider issuing qualified certificates
(1) When creating, using and storing pairs data of a certification service provider issuing qualified certificates, any manipulation of such data shall be carried out:
(a) exclusively by natural persons designated for this activity by a certification service provider issuing qualified certificates;
(b) in accordance with the procedures laid down in the certification implementing directive; and
(c) in accordance with the system security policy.
(2) Cryptographic algorithms and their parameters, as listed in Annex 2 to this Decree, shall be used to create the pairs data of the certification service provider issuing qualified certificates.
(3) A certification service provider issuing qualified certificates shall destroy its electronic signature data after the end of their life cycle; it shall make an entry containing:
(a) a description of the method of data destruction;
(b) the date of destruction of the data;
(c) the date of registration; and
(d) the name, surname and signature of the person designated by the certification service provider issuing qualified certificates to ensure the destruction of the data.
(4) In the event of unauthorised use, or of reasonable concern about misuse, of its data for the creation of electronic signatures used for signing issued qualified certificates and for signing the list of qualified certificates that have been invalidated, a certification service provider issuing qualified certificates shall without delay:
(a) terminate the validity of its qualified certificate issued for those data;
(b) terminate the validity of the qualified certificates signed with those data;
(c) make available information on the expiry of its qualified certificate, indicating the reason for the expiry, by at least two independent means that allow remote access and are continuously available; and
(d) inform persons affected by the termination of the qualified certificate referred to in (a) of the expiry of their qualified certificates issued by that certification service provider. The information shall state the reason for the expiry of the qualified certificate referred to in point (a).
Verification of the safety of the use of the information system for certification services and ensuring sufficient safety of the procedures supported by that system
The requirement for the security of use of the information system for certification services and for ensuring sufficient safety of the procedures supported by that system shall be deemed to be fulfilled if it is supported by:
(a) the documents referred to in Section 2 (1) (a) to (e);
(b) the result of an assessment according to which the requirements of the technical standard governing information security are met; 1) and
(c) a written opinion confirming that, according to a security conformity check carried out in accordance with the technical standard governing the field of information security, 3) the use of the information system for certification services is in accordance with the security arrangements laid down in the documents referred to in Section 2 (1) (c) and (d). The security conformity check shall be repeated no later than 12 months after the previous check.
Devices for the safe creation and verification of guaranteed electronic signature
(1) The means for the secure creation of the guaranteed electronic signature must have characteristics which, immediately before the signature of the data message, ensure that the signatory:
(a) is informed that he is using the device; and
(b) has entered the access password, or that another similar authentication mechanism has been applied.
(2) The means for the safe creation of the guaranteed electronic signature must use cryptographic algorithms and their parameters as set out in Annex 2 to this Decree.
(3) A means of secure creation of a guaranteed electronic signature requires a sufficient guarantee of safety; this requirement shall be deemed to be met if the device complies with the requirements of the technical standard governing the field of information security. 1)
(4) Compliance with the requirements for the secure creation of the guaranteed electronic signature provided for in Section 17 of the Electronic Signature Act is documented by:
(a) the result of the evaluation of the device for the secure creation of the guaranteed electronic signature and the list of technical standards governing the information security area under which it was evaluated; and
(b) a detailed description of the function and technical documentation of the means of secure creation of the guaranteed electronic signature.
(5) The requirements set out in paragraphs 2 to 4 must also be met by the means for the secure verification of the guaranteed electronic signature.
Details of the procedure and method for assessing the conformity of electronic signature instruments
(1) The Office shall, upon written request, evaluate the conformity of the electronic signature instruments intended for signing the issued qualified certificates and the list of qualified certificates that have been invalidated with the requirements laid down in the Electronic Signature Act.
(2) The application referred to in paragraph 1 shall contain:
(a) a detailed description of the function and technical documentation of the electronic signature instrument referred to in paragraph 1; and
(b) the result of an evaluation of the cryptographic functions used by the electronic signature instrument referred to in paragraph 1, which must comply with the Office's requirements for cryptographic modules. These requirements shall be published by the Office in the Bulletin of the Office. This evaluation is generally provided by the supplier of the relevant electronic signature instrument.
(3) Where the electronic signature instrument referred to in paragraph 1 complies with the requirements laid down in the Electronic Signature Act and the Office declares compliance, the instrument shall be considered safe. The Office shall publish a list of instruments for which compliance has been declared in the Official Journal of the Office.
Entry into force
This decree shall take effect on the day of its publication.
Chairman:
RNDr. Neuwirt v. r.
Annex No 1 to Decree No 366 / 2001 Coll.
Cryptographic algorithms and their parameters for electronic signature creation data and corresponding electronic signature verification data generated by the person requesting the issue of a qualified certificate and for which a qualified certificate is to be issued
| Signature scheme | Asymmetric algorithm | Minimum parameters of the asymmetric algorithm | Padding method | Hash function |
|---|---|---|---|---|
| 001 | RSA | MinModLen=1020 | emsa-pkcs #1-v1.5 | SHA1 |
| 002 | RSA | MinModLen=1020 | emsa-pss | SHA1 |
| 003 | RSA | MinModLen=1020 | emsa-pkcs #1-v1.5 | RIPEMD160 |
| 004 | RSA | MinModLen=1020 | emsa-pss | RIPEMD160 |
| 005 | DSA | pMinLen=1024 qMinLen=160 | - | SHA1 |
| 006 | ECDSA-Fp | qMinLen=160 r0Min=104 MinClass=200 | - | SHA1 |
| 007 | ECDSA-F2m | qMinLen=160 r0Min=104 MinClass=200 | - | SHA1 |
| 008 | RSA | MinModLen=1020 | emsa-pkcs #1-v1.5 | MD5 |
| 009 | RSA | MinModLen=1020 | emsa-pss | MD5 |
Annex No 2 to Decree No 366 / 2001 Coll.
Cryptographic algorithms and their parameters for the generation of the provider's pairs data and for means of secure creation and verification of the guaranteed electronic signature
Signature schemes
| Signature scheme | Asymmetric algorithm | Minimum parameters of the asymmetric algorithm | Key generation algorithm | Padding method | Hash function |
|---|---|---|---|---|---|
| 001 | RSA | MinModLen=1020 | rsagen1 | emsa-pkcs #1-v1.5 | SHA1 |
| 002 | RSA | MinModLen=1020 | rsagen1 | emsa-pss | SHA1 |
| 003 | RSA | MinModLen=1020 | rsagen1 | emsa-pkcs #1-v1.5 | RIPEMD160 |
| 004 | RSA | MinModLen=1020 | rsagen1 | emsa-pss | RIPEMD160 |
| 005 | DSA | pMinLen=1024 qMinLen=160 | dsagen1 | - | SHA1 |
| 006 | ECDSA-Fp | qMinLen=160 r0Min=104 MinClass=200 | ecgen1 | - | SHA1 |
| 007 | ECDSA-F2m | qMinLen=160 r0Min=104 MinClass=200 | ecgen1 | - | SHA1 |
Key Generation Algorithms
| Key generator designation | Name used | Asymmetric algorithm | Random number generation method | Random generator parameters |
|---|---|---|---|---|
| 4.01 | rsagen1 | RSA | trueran | EntropyBits≥128 |
| 4.02 | dsagen1 | DSA | trueran or pseuran (FIPS 186-2) | EntropyBits≥128 or SeedLen≥128 |
| 4.03 | ecgen1 | ECDSA-Fp or ECDSA-F2m | trueran or pseuran | EntropyBits≥128 or SeedLen≥128 |
Methods of generating random numbers
| Random generator designation | Name used | Random generator parameters |
|---|---|---|
| 5.01 | trueran | EntropyBits |
| 5.02 | pseuran | SeedLen |
| 5.03 | FIPS 186-2-31 | SeedLen |
| 5.04 | FIPS 186-2-32 | SeedLen |
1) ČSN ISO/IEC 15408 Information technology - Security techniques - Evaluation criteria for IT security, security profile corresponding to security assurance level 4.
2) Decree No. 339 / 1999 Coll., on Object Security.
3) ČSN ISO/IEC TR 13335 Information technology - Guidelines for the management of IT security 1 - 3.
Regulation Information
| Citation | Decree of the Office for Personal Data Protection No 366 / 2001 Coll., on specifying the conditions laid down in Sections 6 and 17 of the Electronic Signature Act and on specifying the requirements for electronic signature instruments |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 10.10.2001 |
| Effective from | 10.10.2001 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.