The difference in the information that must be contained in the KEP certificates of Ukraine and the EU.
In today's world, we can observe a frantic pace of digitization in all areas of our lives. Digitization refers to the process of converting information in all its forms (text, sound, graphics) into a digital format that is comprehensible to computer language and all our gadgets.
Thanks to this, it is possible to process any information without problems, which significantly saves our time and optimizes human resources.
This direction did not bypass the public sector either, because the level of digitization in European countries is at a very high level, and we strive to achieve a similar level.
The state leadership is undoubtedly interested in accelerating the process of Ukraine's integration into the European Union's Single Digital Market.
Analyzing the situation in Ukraine, one can observe that the state is trying with all its might to introduce digitization and electronic document flow into your and our lives, and it is succeeding.
Thanks to the efforts of the Ministry of Digital Transformation and other government bodies, almost everyone has the "Diya" application on their smartphone, where they can easily issue and sign certain documents, create a qualified electronic signature, etc.
At the moment, there is a large list of state and non-state institutions, services, which have been transferred to electronic document management.
A mandatory condition for signing and approving electronic documents is signing them with a qualified electronic signature of a person.
Qualified electronic signature - an improved electronic signature that is created using a qualified electronic signature tool and is based on a qualified public key certificate (Chapter I, Article 1, Clause 23 of the Law "On Electronic Trust Services" No. 2155-VII dated 01.01.2022) .
An integral part of a qualified electronic signature is a qualified electronic key certificate.
Your electronic signature is issued on the basis of an electronic signature certificate. If we use the analogy of paper documents, the certificate is the pen with which you sign, and the signature is what remains on the document (such as ink).
Qualified public key certificate - a public key certificate that is issued by a qualified provider of electronic trust services, a certification center or a central certification body and meets the requirements of the Law "On electronic trust services" (Chapter I, Article 1, Clause 25).
This certificate is a document that certifies that the public key belongs to a natural or legal person, confirms its identification data and/or provides an opportunity to authenticate the website.
If we talk about Ukraine's integration into the EU's Single Digital Market, it is important to understand that all legal acts of Ukraine and EU member states in the field of electronic document management and mutual recognition of qualified electronic trust services must be mutually agreed upon and not contradict each other.
In accordance with Part 1, Art. 38 of the Law of Ukraine "On Electronic Trust Services", electronic trust services provided in accordance with the requirements of legal acts regulating legal relations in the field of electronic trust services in foreign countries are recognized in Ukraine as electronic trust services of the same type in case of compliance, although b one of the following conditions:
- a qualified provider of electronic trust services of a foreign country meets the requirements of this Law, which is confirmed by the central certification body (or the certification center in the case of providing electronic trust services in the banking system of Ukraine and when transferring funds);
- the qualified provider of electronic trust services is included in the Trust List of the state with which Ukraine has concluded a relevant bilateral or multilateral international agreement.
In order to understand whether KEP certificates issued by providers of electronic trust services in Ukraine meet the requirements of KEP certificates issued by EU countries, and vice versa, it is necessary to establish the difference in the information contained in them.
Information that must be contained in the KEP certificate of Ukraine.
According to Part 2, Art. 23 of the Law of Ukraine "On Electronic Trust Services", qualified public key certificates must contain:
1) a mark that the public key certificate was issued as a qualified public key certificate;
2) a mark that the public key certificate was issued in Ukraine;
3) identification data that uniquely identify the qualified provider of electronic trust services, the certification center or the central certification body that issued the qualified public key certificate (hereinafter referred to as the entities that issued the certificate), including necessarily:
for a legal entity: name and code according to the Unified State Register of Enterprises and Organizations of Ukraine, according to which its state registration was carried out;
for an individual entrepreneur: surname, first name, patronymic (if available) and a unique entry number in the Unified State Demographic Register or the registration number of the taxpayer's registration card, or the series and number of the passport (for individuals who, due to their religious beliefs refuse to accept the registration number of the taxpayer's registration card and have notified the relevant tax authority about it and have a note in the passport about the right to make payments according to the series and number of the passport), according to which its state registration was carried out;
4) identification data that uniquely identify the user of electronic trust services, including necessarily:
surname, first name, patronymic (if available) of the signatory and the unique number of the entry in the Unified State Demographic Register or the registration number of the taxpayer's registration card, or the series and number of the passport (for individuals who, due to their religious beliefs, refuse to accept a registration number of the taxpayer's registration card and have notified the relevant tax authority about it and have a note in the passport about the right to make payments by series and passport number) or;
the name or surname, first name, patronymic (if available) of the creator of the electronic seal and the code according to the Unified State Register of Enterprises and Organizations of Ukraine, according to which his state registration was carried out, or the unique number of the entry in the Unified State Demographic Register, or the registration number of the accounting taxpayer cards, or passport series and number (for individuals who, due to their religious beliefs, refuse to accept the registration number of the taxpayer's registration card and have notified the relevant tax authority about this and have a note in the passport about the right to make payments according to the passport series and number) ;
5) location of the legal entity to which a qualified public key certificate was issued;
6) the value of the public key, which corresponds to the private key;
7) information on the beginning and end of the term of validity of the qualified public key certificate;
8) serial number of a qualified public key certificate, unique to the entity that issued the certificate;
9) qualified electronic signature or qualified electronic seal created by the subject that issued the certificate;
10) information on placing in free access qualified certificates of public keys of the entity that issued the certificate;
11) information on the placement of information necessary for obtaining a qualified electronic trust service of formation, verification and confirmation of the validity of qualified public key certificates;
12) information that the personal key is stored in a means of a qualified electronic signature or seal (for a qualified certificate of an electronic signature or seal);
13) information on restrictions on the use of a qualified electronic signature or seal (for a qualified electronic signature or seal certificate);
14) domain name(s) belonging to the natural or legal entity to which the public key certificate was issued (for a qualified website authentication certificate).
In addition, it should be noted that qualified public key certificates may contain other identification data of individuals or legal entities, optional additional special attributes defined in the standards for qualified public key certificates.
These attributes should not affect the interoperability and recognition of qualified electronic signatures (Part 3, Article 24 of the Law on Electronic Trust Services).
Information that must be contained in the KEP certificate of the EU countries.
If we are talking about the KEP certificates of European states, then the requirements for their content may differ slightly in each state, but there are general requirements for the mandatory information in the KEP certificates of each of the EU states.
These requirements are established by Regulation of the European Parliament and Council (EU) No. 910/2014 of July 23, 2014 "On electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC" (hereinafter - the Regulation).
Appendix I of this Requirements for qualified certificates of electronic signatures are established.
According to it, qualified electronic signature certificates must contain:
(a) indicating, at least in a form suitable for automated processing, that the certificate is issued as a qualified electronic signature certificate;
(b) a set of data uniquely identifying a qualified trust service provider issuing qualified certificates, containing at least the name of the Member State in which such provider is established, and:
- for a legal entity: name and, if appropriate, registration number, as indicated in official records,
- for a natural person: surname and first name of the person;
(c) at least the signer's first and last name or pseudonym; if a pseudonym is used, it must be clearly indicated;
(d) data for the validation of the electronic signature, which correspond to the data for the creation of the electronic signature;
(e) detailed information on the beginning and end of the validity period of the certificate;
(f) the identification code of the certificate, which must be unique for the qualified trust service provider;
(g) the enhanced electronic signature or enhanced electronic seal of the qualified trust service provider issuing the certificate;
(h) a place where a certificate supporting an advanced electronic signature or an advanced electronic seal referred to in clause (g) is provided free of charge;
(i) the place of provision of services that can be used to submit a request for verification of the validity status of the qualified certificate;
(j) if the electronic signature creation data associated with the electronic signature validation data resides in the means for creating a qualified electronic signature, a proper indication of this at least in a form suitable for automated processing.
As with the KEP certificates of Ukraine, the Regulation states that electronic signature certificates may have optional additional specific characteristics. Such characteristic features should not affect the interoperability and recognition of qualified electronic signatures (Article 28, Part 3 of the Regulation).
Having analyzed the above norms, we can see that the requirements are mostly similar, but they also have their differences.
Let's consider in more detail the differences in the information that must be contained in KEP certificates.
- Qualified KEP certificates of EU countries may contain information about the signer's pseudonym, if it is used. There is no such concept in the legislation of Ukraine regarding the KEP, and the identification of a natural person is based on the last name, first name, and patronymic.
- Qualified KEP certificates of EU countries must contain at least the surname and first name of the signatory, while qualified certificates of Ukraine must contain the surname, first name and patronymic persons, as well as the unique number of the record in the Unified State Demographic Register, or the registration number of the taxpayer's card, or passport series and number.
- Qualified certificates of the KEP of Ukraine must contain information about the location of the legal entity to which the qualified public key certificate was issued. No such requirement is specified for EU KEP certificates.
- Similarly, the certificates of the Ukrainian State Register of Enterprises must contain information on restrictions on the use of a qualified electronic signature or seal (for a qualified certificate of an electronic signature or seal). No such requirement is specified for EU KEP certificates.
- And finally, in KEP certificates there is a requirement for information about the domain name(s) belonging to the individual or legal entity to which the public key certificate was issued (for a qualified website authentication certificate).
Thus, we see that the legislation of Ukraine provides for a more extensive list of requirements for a qualified certificate of an open electronic key.
And if, as a result of such a comparison, we want to establish whether the information specified in the certificates of the CEP of the EU states corresponds to the certificates of Ukraine, then we can come to the conclusion that the certificates of the CEP of the EU do not contain all the information that is mandatory according to the Law "On electronic trust services" ".
However, it should be understood that the provisions of the Regulation have general mandatory features for all EU member states, and if we consider a particular state, then we should compare the information contained in the KEP certificates of this particular state. After all, as we found out earlier, each EU member state has the right to establish its own additional provisions regarding KEP certificates. And after studying these provisions, we can find out that they fully and completely coincide with the provisions of the legislation of Ukraine.
It is to solve such issues that, for the time being, draft law No. 6173 has been adopted, which brings the legislation of Ukraine on CEP as close as possible to the legislation of the EU and provides for mutual recognition of qualified electronic trust services of the EU and Ukraine.
This draft law was adopted as a basis with a shortened preparation period and is being prepared for the second reading.
So it is quite possible that in the near future the EU states will freely recognize electronic trust services of Ukraine and vice versa.
Until then, you can set up an electronic document management system using our service https://instaco.com.ua/.
You can easily implement electronic document management in your enterprise (institution, organization). You will be able to use the services of receiving and sending electronic documents through our service, as well as use the extended functionality of the system in terms of keeping a register of counterparties, generate a document filled with data and sign it with a qualified electronic digital signature.
Date of publication: 17.08.2022