La Law 25/2015, of July 28, on second-chance mechanisms, reduction of the financial burden and other measures of social order incorporates, in its fourth final Provision, an amendment to the Law 59/2003, of December 19, of electronic signature aimed at regularizing the centralized signature of a personal nature. This electronic signature system allows personal certificates to be stored on a centralized server and gives its users mechanisms to enable their remote use.
Although for some years now some entities have been using centralized signing devices and tools to manage personal certificates used in an organization, this practice has not been regulated. In fact, it was contrary to the law of electronic signature, which required exclusive control of the key by the signatory in order to be able to consider signatures as advanced. The published modification allows the centralized signatures to be considered advanced, and regulates their use.
Specifically, the articles of Law 59/2003 amended are as follows:
- Article 3.2: Modification of the advanced signature definition. Before the signatory had exclusive control of the key. In order to allow the keys not to be signed by the signatory, "with a high level of trust" has been added to the definition.
- Article 6.2: Modification of the definition of signatory. Earlier, he said that the signatory had to have a secure signature creation device. The Act now says the signatory "uses" this device.
- Article 7.2: Modification on the conditions of custody of the keys to the certificate. They have added "or, where applicable, the means of access to them" so as not to force the signatory to have the certificate at home.
- Article 12.c: Before it was necessary to ensure that the signatory had the private key of the certificate, now it must be ensured that you have exclusive control over its use.
- Article 18.a: Modification of the obligation on the part of the Certification Service Provider not to keep any copy of the private key of the certificate in order to allow the certification service providers to make copies on behalf of the signatory for its management. According to this article, only certification service providers that issue recognized certificates will be able to manage the private keys of the certificates on behalf of the signatory, and therefore offer this service.
- Article 18.b-1: Speaking of information must be given by the lender to the signatory, and they have added "or, where appropriate, the means that protect it" to enable centralized signing.
- Article 20.1-e: PSC's obligations have been added if it manages the signature creation data, which must be guarded and protected.
- Article 23: Modification of the limitations of the liability of the PSC. Where signature creation data was previously referenced, "or data accessing them" has been added.
- Article 29: The system may be audited, if applicable. If so, the audits will be borne by the Lender.
The AOC Consortium offers the whole of Catalan Public Administrations one centralized signature service. Although the service is currently offered by electronic stamp certificates, tests performed by personal signature using TCAT-P Advanced Signature Certificates are still satisfactory. We look forward to offering this as a service in early 2016.