Certification Practice Statement (CPD)

Electronic IDentification
Author: Technical and Legal working groups
Date of creation: 08/02/2014

Last modification: 1/6/2016

Important note: This document is the property of Electronic IDentification Sociedad Limitada (eID). Its reproduction and distribution without the owner's authorization is prohibited.

Table of Contents

1 Introduction
1.1 eID Basic Service Infrastructure (IBS) (SaaS)
1.2 Identification
1.3 Objectives of the Certification Practice Statement (CPD)
1.4 References and Standards
1.5 Definitions
1.6 Agreements with third parties
2 Security controls, event registration, and audits
2.1 Event registration
2.1.1 Types of events recorded
2.1.2 Protection of recorded activity
2.1.3 Procedures for backup copies of audited records
2.1.4 Systems for the storage of records
2.1.5 Relevant data that will be recorded
2.1.6 File protection
2.1.7 Creation of security copies of files
2.1.8 Obtaining and verifying stored information
2.2 Security controls for physical security, procedures, and personnel
2.3 Physical security controls
2.3.1 Location of the Data Processing Center
2.4 Procedural controls
2.5 Employee security controls
2.5.1 Disciplinary procedure
2.5.2 Inadequate behavior
2.5.3 Applications that compromise security
2.5.4 Activities not allowed
2.5.5 Mandatory reporting
2.6 Technical security controls
2.6.1 Lifecycle management of the certification services provider's keys
2.6.2 Lifecycle management of the subscriber's keys
2.6.3 Security controls of the technical components
2.6.4 Network security controls
2.6.5 Cryptographic module engineering controls
2.6.6 Security levels
2.6.7 Restoration of services in case of failure or disaster
2.6.8 Termination of eIDSL's activities as a Certification Services Provider
2.7 Audits
2.7.1 Protection of audit tools
2.7.2 Auditor identity
2.7.3 Audit results and corrective actions
2.7.4 Communication of the results
2.7.5 Audit plans
3 Support of eIDSL certificates
4 Types of certificates issued by CSL
5 General service conditions
5.1 Electronic certificates
5.2 Life cycle of the certificate
5.2.1 Certificate request
5.2.2 Issuance of certificates
5.2.3 File of Signature Verification Data
5.2.4 Use and acceptance of the certificates
5.2.5 Publication of the certificates in the secure directory
5.2.6 Renewal of both signature creation data and signature verification data
5.3 Validity of certificates
5.3.1 Expiration
5.3.2 Extinction of the validity of certificates
5.3.3 Revocation of certificates
5.3.4 Suspension of certificates
5.4 Generation and publication of revocation lists
5.5 Procedures for consulting the status of the certificates
5.6 Validation of certificates and services through OCSP
5.7 Certificate renewal
5.8 Cessation of the service provider's activities: transfer of the service provider
5.9 Change of Signature Creation Data by CSL
5.10 Obligations and guarantees of the parties
5.10.1 Obligations and guarantees of the certification service provider
5.10.2 Obligations of the registration office
5.10.3 Subscriber's obligations
5.10.4 User entities' obligations
5.11 Parties' responsibilities
5.11.1 Responsibility of the certification services provider
5.11.2 Registration office's responsibilities
5.11.3 Applicant's responsibilities
5.11.4 Subscriber's responsibilities
5.11.5 User entities' responsibility
5.12 Personal data
5.12.1 Objective and presentation of the LOPD security document
5.12.2 Principles and norms of obligatory fulfillment
5.12.3 Staff's functions and obligations
5.12.4 Structure of files with personal data and description of the information systems that process them
5.12.5 Procedures for backup copies and data recovery
5.12.6 Access control
5.12.7 Work regime outside the premises where files are located
5.12.8 Temporary files
5.12.9 Media management
5.12.10 Audit
5.12.11 Logical access
5.12.12 System access
5.12.13 Tests with real data
5.12.14 Review processes
5.13 Intellectual and industrial property
6 Order of precedence
7 Applicable law, interpretation, and competent jurisdiction
8 Modification of the Declaration of Certification Practices
9 Conflict resolution in the cases of provision of certification services and electronic signature on own certificates
10 Annex I. Particular certification practices of the identity certificate for a natural person
10.1 Typology of the identity certificate of a natural person
10.2 Lifecycle management of a natural person's identity certificate
10.2.1 Certificate request
10.2.2 Personal identification confirmation
10.2.3 Sending information to CSL
10.2.4 Issuance of the certificate of a natural person
10.2.5 Validity period of the identity certificate of an individual
10.2.6 Revocation of an individual's identity certificate
10.2.7 Suspension of an individual's identity certificate
10.2.8 Cancellation of the suspension of an individual's identity certificate
10.2.9 Renewal of an individual's identity certificate
10.2.10 Checking the status of an individual's identity certificate
10.3 Termination of CSL's activity as a certification services provider
10.4 Obligations, guarantees, and liability of the parties
10.5 Limitations on the use of identity certificates of natural persons

1 Introduction

Electronic IDentification (eID), protected under the Community word mark (MC), is a product owned by Electronic IDentification Sociedad Limitada (eIDSL), registered in the Commercial Registry of Madrid on 13 March 2013 with NIF B86681533.

eIDSL, as a certification service provider, has designed and built the technical infrastructure necessary to provide electronic services to its customers with maximum security guarantees. This technical infrastructure, called eID, is offered as a platform, through software, either as a service or on the client's premises. It is a combination of mechanisms, processes, code, and architectures. It also uses third-party software and a Public Key Infrastructure, whose sole purpose is to provide a catalogue of services that protect transactions and communications between organizations and people. The product is based on the simple use of electronic certificates for electronic signature, content integrity, and electronic identification.

1.1 eID Basic Service Infrastructure (IBS)

eIDSL provides a basic eID service platform. This platform meets the basic requirements of security in a closed environment for customers and therefore for private use. This platform is essential for the provision of certificate services.

eID's IBS has been designed in a robust, fault-tolerant, and scalable way. Through Amazon Web Services (AWS), it uses a set of load-balanced servers across different data processing centres.

Likewise, the platform has been designed to comply with the highest quality standards regarding the security of information systems, the privacy of personal data, and the laws on electronic signatures, the information society, and electronic commerce, by following the standards indicated in the table below for the different aspects of security and privacy.

| Scope | Laws / Regulations / Standards | Responsible | Notes |
| --- | --- | --- | --- |
| Privacy | Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal | Electronic IDentification SL | Privacy Policy |
| Privacy | LOPD, Safe Harbour | Amazon Web Services | AWS Customer Agreement; AWS Amendment to Customer Agreement regarding Spanish privacy laws |
| Physical and Logical Security | SOC, PCI DSS, CSA, ISO 27001 | Amazon Web Services | AWS Compliance |
| Security | Open Web Application Security Project (OWASP) methodology | Electronic IDentification SL | Penetration Testing Security Audit |

1.2 Identification

This document is referred to as "the Certification Practice Statement" (CPD). Its latest version in force will be publicly available at the following link:

DPC: Declaración de Prácticas de Certificación

1.3 Objectives of the Certification Practice Statement (CPD)

The objective of this document is to describe the policies and good practices used in the provision of eID Platform services for the issuance of electronic certificates, taking as reference the current legislation on electronic signature and identification, electronic commerce, and personal data protection. eIDSL undertakes, as a Certification Service Provider, to comply with the conditions applicable to the request, issuance, use, suspension, and extinction of the validity of the Certificates in relation to the management of Signature Creation Data, Signature Verification Data, and digital Certificates. This document details the liability regime applicable to members of the Electronic Community. It also covers the security controls applied to their procedures, the rules on secrecy and confidentiality, and questions related to the ownership of their property and assets. It likewise addresses the protection of personal data and other informative matters that eIDSL considers useful to make available to the public.

1.4 References and Standards

In preparing this document, the following references have been taken into account:

The adopted electronic signature scheme, consistent with Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 establishing a common framework for electronic signatures.

RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, and ETSI TS 101 456, Policy requirements for certification authorities issuing certificates.

1.5 Definitions

This section describes the basic concepts related to PKI (Public Key Infrastructure):

Dating Agents: Electronic dating (time-stamping) service provider.

OCSP agents: OCSP service provider.

APD: Spanish Data Protection Agency. A Public Law entity with its own legal personality and full public and private capacity, which acts with complete independence from Public Administrations. Its main purpose is to ensure compliance with legislation on the protection of personal data and to monitor its implementation.

BOE: Official Gazette printed and distributed by the Official State Gazette, a public body attached to the Ministry of the Presidency. In addition to printing and distributing the Official Gazette of the Commercial Registry, it also produces compilations of legal texts and carries out printing work of an official nature requested by the Ministries, agencies, and other public entities.

C: Within the scope of this document, an abbreviation of the English word "Country" (Spanish: "país"). "Country" is an attribute that forms part of the Distinguished Name (DN) of an object within the X.500 directory structure, used to name the entry corresponding to the object.

Certification Chain: An ordered list of Certificates containing at least one Certificate and the eIDSL Root Certificate, such that the Signature Verification Data contained in the latter can be used to authenticate the former.

Certificate: By default, any electronic certification for which the Applicant has necessarily accredited the identity of the Subscriber, either in person or by telematic means, through the procedures established for this purpose by eID, and which links Signature Verification Data to that Subscriber and confirms at least his or her identity.

Electronic Certificate of Natural Person: The electronic certification issued by eIDSL, through its eID platform, that links Signature Verification Data to its Subscriber and confirms the Subscriber's identity according to the parameters established by eID, which may be reflected in the certificate itself. eIDSL issues Certificates of Identity of a natural person (not recognized) under the Certification Policy of eIDSL Certificates.

Root Certificate: A Certificate whose Subscriber is eIDSL and which is self-signed, i.e., issued using eIDSL's own Signature Creation Data, so that it is linked to the Signature Verification Data contained in the Certificate itself. This certificate is the last Certificate in the chain of trust of all Certificates issued by eIDSL.

Asymmetric Encryption: Transcription into symbols, according to an algorithm and an Encryption Key, of a message whose content is to be hidden, such that knowledge of the Encryption Key is not sufficient to decrypt the transcription; the corresponding Decryption Key is required. Knowledge of the Encryption Key does not imply knowledge of the Decryption Key, nor vice versa.

Key: Sequence of symbols that controls encryption and decryption operations.

Private Key: Of the pair of cryptographic Keys corresponding to an asymmetric Encryption, the one intended to remain secret. Depending on how they are generated and used, Private Keys may constitute Signature Creation Data.

Public Key: Of the pair of cryptographic Keys corresponding to an asymmetric Encryption, the one intended to be disclosed. Depending on how they are generated and used, Public Keys may constitute Signature Verification Data.

OCSP client: A tool needed by User Entities under private law (and, in this case, under public law) to make OCSP requests. CSL will provide a list of freely distributable products, but will not supply an OCSP client itself, given their wide availability in the market.

CN: Contraction of the English words "Common Name" (Spanish: "Nombre Común"). The "Common Name" is an attribute that forms part of the Distinguished Name (DN) of an object within the X.500 directory structure, used to name the entry corresponding to the object.

Electronic Community (from now on Electronic Community or persons and/or user entities): Group of persons and entities that are related to Certificates among themselves, under the general framework of the present Declaration of Certification Practices, and particulars of the corresponding agreements and/or contracts that they have signed directly, or through representatives, with eIDSL.

Persons and entities that use electronic certificates from providers, other than eIDSL, when relating to other members of the electronic Community, provided that these certificates have been declared recognized, and/or equivalent, by eIDSL through the corresponding agreements, shall also be considered members of the Electronic Community.

eIDSL will publish, through the web addresses established in this Declaration, the members of the Electronic Community that are Public Administrations, public bodies and/or business entities and organizations, provided that no agreement or legal provision prevents it.

Confidentiality: Quality that implies that the information is not accessible or has not been disclosed to unauthorized persons, entities, nor processes.

Contract or agreement: Legal instrument, provided for by the corresponding legislation and/or under the autonomy of the will, in which the relationship for the provision of services by eIDSL is formalized. This category includes the issuance contracts (forms), the revocation and renewal of the corresponding certificates, and the acceptance of the conditions of use and limitations, of which the members of the Electronic Community are informed through electronic, computer, and telematic systems.

CPD: Data Processing Center

Cryptography: Discipline that includes the principles, means, and methods for the transformation of data, with the objective of hiding its content, preventing its undetected modification and/or preventing its unauthorized use.

Availability: The quality of the data, or information, implied by its being available. Meaning, the possibility of having it or the possibility of using it.

Signature Creation Device: A program or computer system used to apply the Signature Creation Data, which complies with the requirements established in the specific regulations applicable in Spain. This signature creation device is located in the cloud, is available to the user from any device, and guarantees, in accordance with the provisions of Law 53/2009, an electronic signature such that:

(a) the data used for signature generation can be produced only once and its secrecy is reasonably ensured;

(b) there is reasonable assurance that the data used for signature generation cannot be derived from the signature verification data or from the signature itself, and that the signature is protected against forgery with the technology available at any given time;

(c) the signature creation data can be reliably protected by the signatory against use by third parties;

(d) the device used does not alter the data or the document to be signed, nor prevent it from being shown to the signatory prior to the signing process.

Declaration of Certification Practices: Declaration made available to the public electronically and free of charge, which eIDSL makes in its capacity as a Certification Service Provider, in compliance with the provisions of the Law. It details the obligations that eIDSL undertakes in relation to the management of the Signature Creation and Verification Data and the Certificates; the conditions applicable to the request, issuance, use, suspension, and extinction of the validity of the Certificates; and, if applicable, the existence of coordination procedures with the corresponding public Registries, which allow the immediate exchange of information on the validity of the powers of attorney indicated in the Certificates that must be recorded in said Registries. This document also includes the details of the liability regime applicable to eIDSL as Certification Services Provider, to the Registry Offices, to the Applicants, to the Subscribers and to the User Entities; the security controls applied to their procedures and facilities, insofar as they can be published without harming their effectiveness; the rules of secrecy and confidentiality;  and the conditions relating to the ownership of goods and assets, to the protection of personal data, and other informative matters that eIDSL considers useful to make available to the public.

Directory: Information repository that follows the ITU-T X.500 standard.

DN: Contraction of the English words "Distinguished Name" (Spanish: "Nombre Distintivo"). The Distinguished Name is the unique identification of an entry within the X.500 directory structure. The DN is composed of the common name (CN) of the entry and a series of attributes that identify the path followed within the X.500 directory structure to reach that entry.

Electronic Document: A set of logical records stored in support that can be read by electronic data processing equipment, which contains information that illustrates some facts.

National Electronic Identity Document (DNI-e): Official document issued by the competent bodies of the State that allows the use of identification and electronic signature, if activated by the interested parties. The DNI-e will have the legal regime and effects foreseen in the specific legislation.

LOPD Security Document: Document whose sole objective is to establish the security measures to be implemented by eIDSL, in its environment as Certification Services Provider, for the protection of the personal data contained in the Users File of Electronic, Computer and Telematic Systems (EIT), regulated by the Order of the Ministry of Economy of December 11, 2001 (BOE of December 28).

Related concepts:

Application Administrator: Person in charge of implementing the policies defined by the File Manager in the application that contains the EIT Systems Users File. It will have the necessary access to grant, alter or cancel the authorized access to the data or resources, with prior authorization from them by the Security Manager. It will be in charge of communicating the security incidents that occur to the Security Manager.

Security Auditor: Person in charge of reviewing and evaluating the controls proposed in this document or in any other document referenced. Prepares reports with the degree of compliance and the discrepancies found.

Assignment (of data): all data collection resulting from the query of a file, the publication of all, or part of, the information contained in a file, its interconnection with other files, and all communication of data made by a person other than the affected.

Consent (of the interested party): any manifestation of unequivocal, specific, and informed free will, through which the interested party consents to the processing of personal data concerning him.

Responsible for the Treatment: the natural person, public authority, service, or any other body that processes personal data on behalf of the data controller.

IT Security Personnel: Personnel in charge of coordinating and controlling the measures defined in this security manual regarding the LOPD. They are also responsible for maintaining and reviewing the incidents that occur and for preparing reports on them, which are forwarded to the File Manager through the Security Manager. In addition, on the instruction of the File Manager, they process the authorizations for requests to register, modify, or delete access to the application holding the data of the EIT Systems Users File; if they disagree with a request, it is checked with the Security Manager and the File Manager.

Backup operator: Personnel responsible for making backup copies, their subsequent labeling, and storage in a secure manner. This depends on the Exploitation Area, and the eIDSL Certification Services Provider.

Responsible for the File (or the treatment): Person who decides on the purpose, content and use of the treatment. It is in charge of authorizing the necessary accesses and defining the policy that it deems convenient for the security of the data. It is also responsible for reviewing periodic incident reports. All of this without prejudice to the consideration of eIDSL as responsible for the file for the purposes of the provisions of current legislation on the protection of personal data.

Security Manager: In charge of coordinating and controlling the measures imposed by the LOPD Security Document regarding the EIT User File, in accordance with the LOPD.

Users of the Application: Staff that requires the data of the EIT Systems Users File to develop their functions. The types of access will be different in relation to the work that is carried out. Users are employees of the eIDSL Certification Services Provider and have access to the information depending on the level of authorization granted by the File Manager.

EIT: Techniques and electronic, computer and telematic means.

User entity: That public or private entity that has signed a contract or agreement with eIDSL to participate in the Electronic Community.

Electronic dating: Recording of the date and time in an electronic document using indelible cryptographic procedures based on the specification RFC 3161, "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)", which dates the document objectively. It is also referred to as time stamping.

Advanced electronic signature: The electronic signature that allows the personal identity of the signatory to be established with respect to the signed data and the integrity of that data to be checked. It is exclusively linked to the Subscriber and to the data to which it refers, and has been created by means that the Subscriber can maintain under its exclusive control.

Electronic Signature: Dataset in electronic form, consigned together with others or associated with them, that can be used as a means of personal identification.

Hash function: An operation performed on a set of data of any size, in such a way that another set of data of fixed size, independent of the original size, is obtained, sometimes called the "summary" or "hash" of the original data. In addition, it has the property of being uniquely associated with the initial data, that is, it is practically impossible to find two different messages that have an identical Hash summary.

Hash: Result of fixed size that is obtained after applying a Hash Function to a message, independently of the size of this, and that fulfills the property of being uniquely associated with the initial data.

Hashing: The use of a hash function onto a data set.
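As an added example (not eIDSL's code or part of the eID platform), the following Go program shows, with the standard library only, how the hash function and the electronic signature defined above fit together: the document is hashed to a fixed-size summary, the summary is signed with the Subscriber's Signature Creation Data, and verification with the Signature Verification Data succeeds only for the unaltered document and the matching key pair, which is the identity and integrity link the Advanced electronic signature definition describes. The sample document is constructed, and SHA-256 with ECDSA on P-256 are choices made for this example. MD5 and SHA-1, defined later on this page, are no longer considered collision-resistant and should not be chosen for new signatures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewSignerKey generates the Subscriber's key pair: the private key is the Signature Creation
// Data and must stay under the Subscriber's exclusive control; the public key is the
// Signature Verification Data that a certificate later binds to the Subscriber's identity.
func NewSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Digest applies the hash function: input of any size yields a fixed-size 32-byte summary,
// returned here as 64 hexadecimal characters.
func Digest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// Sign creates the Electronic Signature of doc with the Signature Creation Data. Only the
// hash of the document is signed; the document itself is neither encrypted nor altered.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	sum := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, sum[:])
}

// VerifySignature checks sig with the Signature Verification Data. It succeeds only if the
// document is unchanged (integrity) and the signature was produced with the private key
// matching pub (link to the Subscriber's identity).
func VerifySignature(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	sum := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, sum[:], sig)
}

func main() {
	// Constructed sample document standing in for a contract accepted by the Subscriber.
	doc := []byte("The Subscriber accepts the conditions of use of the certificate.")
	key, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	sig, err := Sign(key, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest:", Digest(doc))
	fmt.Println("valid on original:", VerifySignature(&key.PublicKey, doc, sig))
	tampered := []byte("The Subscriber rejects the conditions of use of the certificate.")
	fmt.Println("valid on tampered:", VerifySignature(&key.PublicKey, tampered, sig))
}
```

Changing a single word of the document, or checking against another Subscriber's public key, makes verification fail, while the digest stays 64 hexadecimal characters long whatever the size of the input.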

IT Hoster: Provider of IT services for hosting applications, and/or third-party data, that allows the connectivity of the recipient of the service with them and access to them by users.

Public Key Infrastructure (PKI-Public Key Infrastructure): Infrastructure capable of supporting the management of Public Keys for encryption, integrity and non-repudiation authentication services.

Integrity: A quality that implies that the set of data that configures the message does not lack any of its parts. From the point of view of the information that these data could imply, it implies an inalterability for both content and structure.

Issuance Law: Set of characteristics and legal elements of a certain type of electronic Certificate, in accordance with the Certification Policies and Practices expressed in this Certification Practices Statement, in the corresponding contracts and / or agreements with the members of the Electronic Community , on the basis of the autonomy of the will.

Revocation Lists (CRL, Certificate Revocation List): Restricted-access list containing exclusively the revoked, suspended and, as a safety measure, expired certificates.

LOPD: Organic Law 15/1999, of December 13, on the protection of personal data, whose purpose is to guarantee and protect, as regards the processing of personal data, the public liberties and the fundamental rights of natural persons, and especially their honor and personal and family privacy.

MD5: Message Digest (message summarization algorithm) in its version 5. Developed by R. Rivest in 1991, who published its description in RFC 1321. The algorithm takes messages of arbitrary length and generates a 128-bit summary. The probability of finding two different messages that produce the same summary is practically null. For this reason, it is used to provide integrity for documents during the electronic signature process.

Malware (Malicious software or Malicious Software): See Malicious Software.

Browser (Web browser, browser): Program that allows you to view the contents of web pages on the Internet. It is also known as Browser. Some examples of Web browsers or browser are: Internet Explorer, Chrome, Firefox or Safari.

Certificate serial number: Integer value, unique within the eID Platform, that is unequivocally associated with a Certificate issued by it. Where two different certificates are associated with the same entity and neither has a confirmed revocation, the serial number makes it possible to identify the more recent one and to revoke the earlier one ex officio.

OCSP (Online Certificate Status Protocol): Computer protocol that allows to quickly and easily check the validity of an electronic certificate.

Registration Offices: offices installed by eIDSL, or by another entity provided, where there is an agreement with eIDSL. Signed by said entity or by its administrative hierarchical superior, which is established in order to facilitate, both nationally and internationally, the submission of applications relating to the certificates, with the purpose of confirming their identity and delivering the corresponding certificates of personal quality, powers of representation, and other requirements demanded by the type of Certificate that is requested.

Operations Manual: A documented sequence of operations that are performed manually by an eIDSL operator.

OU: Contraction of the English words "Organizational Unit" (Spanish: "Unidad Organizativa"). The organizational unit is an attribute that forms part of the Distinguished Name of an object within the X.500 directory structure.

O: Within the scope of this document, an abbreviation of the English word "Organization" (Spanish: "Organización"). "Organization" is an attribute that forms part of the Distinguished Name (DN) of an object within the X.500 directory structure, used to name the entry corresponding to the object.

PC/SC: Contraction of the English words "Personal Computer / Smart Card" (Spanish: "Computadores Personales / Tarjetas Inteligentes"). It is a specification developed by the PC/SC Workgroup to provide the interoperability needed for Integrated Circuit Card technology, also known as Smart Cards, to be used efficiently in personal computer environments.
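As an added example (not eIDSL's code, nor part of the eID platform), the following Go program, using only the standard library, exercises the objects these definitions describe: a self-signed Root Certificate whose Subscriber is the CA itself; an end-entity certificate whose subject DN carries the CN, OU, O and C attributes and which receives a serial number unique to the issuer; a relying party building the Certification Chain up to the root; and revocation published through a Certificate Revocation List, which the relying party verifies was signed by the issuer before consulting it for the certificate's serial number. Organization names, validity periods and the "Natural Person Identity" OU are constructed sample values; the Subscriber's public key is passed in directly where a real CA would receive it inside a PKCS#10 request, and a CRL is used for status checking where eID would also offer OCSP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds the constructed Root CA material. All names here are example values, not eIDSL's.
type CA struct {
	Key     *ecdsa.PrivateKey         // Signature Creation Data of the CA
	Cert    *x509.Certificate         // self-signed Root Certificate (trust anchor)
	serial  int64                     // last serial number issued; unique per issuer
	revoked []pkix.RevokedCertificate // entries published in the CRL
}

// NewRootCA builds the self-signed Root Certificate: the CA is its own Subscriber and the
// Signature Verification Data it certifies is its own public key.
func NewRootCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Org"}, Country: []string{"ES"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert, serial: 1}, err
}

// NewSubscriberKey generates the Applicant's key pair; the private key never leaves the Subscriber.
func NewSubscriberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs an end-entity certificate binding the Subscriber's public key (in practice
// received in a PKCS#10 request) to a DN with CN, OU, O and C, under the next unique serial.
func (ca *CA) Issue(cn string, pub *ecdsa.PublicKey, days int) (*x509.Certificate, error) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{"Natural Person Identity"}, Organization: []string{"Example Org"}, Country: []string{"ES"}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke adds a serial number to the revoked set and publishes a freshly signed CRL.
func (ca *CA) Revoke(serial *big.Int) ([]byte, error) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: time.Now()})
	tmpl := &x509.RevocationList{Number: big.NewInt(int64(len(ca.revoked))), RevokedCertificates: ca.revoked,
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// VerifyCertificate is the relying-party side: build the Certification Chain up to the trusted
// root, then check the CRL (which must itself be signed by the issuer) for the serial number.
func VerifyCertificate(cert, root *x509.Certificate, crlDER []byte) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return 0, err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return 0, fmt.Errorf("CRL not signed by the issuer: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return 0, fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return len(chains[0]), nil // chain length: end-entity certificate plus root
}
```

A relying party that skipped the CRL signature check could be handed a list that omits a revoked serial; checking the chain first and the issuer-signed CRL second, and failing closed on any error, is the order the verification above follows.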

PIN: Contraction of English words ” Personal Identification Number ” whose meaning in Spanish is “Numero de Identificacion Personal”. It is a specific number to be known only by the person who has to access a resource that is protected by this mechanism.

PKCS (Public-Key Cryptography Standards): Public Key cryptographic standards produced by RSA Laboratories, and internationally accepted as standards.

PKCS # 7 (Cryptographic Message Syntax Standard): Public Key Cryptographic Standard produced by RSA Laboratories, and accepted internationally as a standard, which defines a generic syntax for messages that include cryptographic improvements, such as digital signature and / or encryption.

PKCS # 10 (Certification Request Syntax Standard): Public Key Cryptographic Standard produced by RSA Laboratories and accepted internationally as a standard, which defines the syntax of a certificate request.

PKCS #11 (Cryptographic Token Interface Standard): Public Key Cryptographic Standard produced by RSA Laboratories and accepted internationally as a standard, which defines a programming interface for cryptographic tokens such as smart cards and hardware security modules.

Certification Policy: A document that is part of the Declaration of Certification Practices, which establishes the set of rules that indicate the applicability of a Certificate to the Electronic Community and/or to a class of applications with common security requirements. The policies under which CSL issues Certificates are set out in Annex I.

Certification Practice: Document that is part of the Certification Practices Statement and includes the specific procedures followed by eIDSL in managing the certificate lifecycle.

Certification Services Provider: The natural or legal person who, in accordance with the legislation on electronic signature, issues electronic certificates, and may also provide other services in relation to the Electronic Signature.

RSA: Acronym of Ronald Rivest, Adi Shamir and Leonard Adleman, inventors of the asymmetric key cryptographic system of the same name (1977). Public key cryptosystem that allows encryption and digital signature.

Electronic Time Stamping Service: Service provided on demand by eIDSL to interested parties who request it, based on the RFC 3161 and ETSI TS 101 861 specifications. It produces documents by which a point in time can be objectively attributed to the existence of an electronic document.

SHA-1: Secure Hash Algorithm. Developed by NIST and revised in 1994 (SHA-1). The algorithm takes messages of fewer than 2^64 bits and generates a 160-bit summary. The probability of finding two different messages that produce the same summary is practically null. For this reason, it is used to provide integrity for documents during the electronic signature process.

Cryptographic System: Collection of transformations of clear text into encrypted text and vice versa, in which the transformation used is selected by Keys. Transformations are usually defined by a mathematical algorithm.

Malware: Any program, document, message, or element that may cause damages to users.

Applicant: Individual over 18 years old, or who is legally emancipated, who, after prior identification, requests the issuance of a Certificate.

Subscriber (or subject): In the case of Certificates of Identity of Physical Persons, the person whose personal identity is linked to the data signed electronically, through a Public Key certified by the Certification Services Provider. For strict reasons of international standardization, the concept of Subscriber will be referred to in the Certificates, and in the computer applications related to their issuance, as "Subject".

Certificate Taxonomy: The taxonomy of the certificate is an attribute of the certificate linked to the parameters and methods used by eID for the accreditation of the identity of the subscriber.

Ciphertext ("ciphered text"): Set of signs, figures or conventional letters that can only be understood by knowing the Keys. In other words, the sequence of symbols that control the operations of encryption and decryption.

Holder (of a Certificate): See Subscriber.

Triple-DES: Symmetric encryption system that emerges as an evolution of DES (Data Encryption Standard), described in FIPS 46-3 (Federal Information Processing Standard), based on the DEA (Data Encryption Algorithm) and also defined in ANSI X9.32.

ITU (International Telecommunication Union): International organization of the United Nations system, in which governments and the private sector coordinate global telecommunications services and networks.

X.500: Standard developed by the ITU which defines the Directory recommendations. It corresponds to the ISO/IEC 9594-1:1993 standard. It gives rise to the following series of recommendations: X.501, X.509, X.518, X.520, X.521 and X.525.

X.509: Standard developed by the ITU for Public Key Infrastructures and the so-called "attribute certificates".

1.6 Agreements with Third Parties

The eID development and production environments may be hosted in the cloud, under the suite of services provided by Amazon called Amazon Web Services (AWS). So that the personal data contained in the information provided by eIDSL and hosted by AWS complies with the legislation, AWS is held responsible through an agreement supplementing the standard service provision document, through the clauses contained in the following document: Electronic IDentification SL – Amendment # 1 to AWS Customer Agmt_EXE – 2014-02-28.

For the provision of the Electronic Time Stamp service, eIDSL has signed an agreement with the ACCV, Agency of the Valencian Community, which is a recognized Time Stamp Authority (TSA) that provides its services under Spanish legislation and under the recognition of the Ministry of Industry. Review with more specific things.

2 Security controls, event registration and audits

eIDSL has physical, logical, personnel and operational control procedures, designed to guarantee the necessary security in the management of Certificates. Likewise, eIDSL will register all those events related to its services that may be relevant, in order to verify that all the internal procedures necessary for the development of the activity are carried out in accordance with the applicable regulations, and in order to determine the causes of any anomaly detected.

Then, using RFC 3647 (Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework) as a working model, all the controls implemented by eIDSL as Certification Services Provider are shown, without prejudice to the confidential and secret nature of those controls that are not reported for security reasons.

2.1 Event Registration

2.1.1 Types of events recorded

eIDSL will register all significant events, in order to verify that all the internal procedures necessary for the development of the activity are executed according to this document and to the applicable legal regulations, and to allow the causes of any anomaly detected to be determined.

The recorded events will be all those operations that are performed in key management, certificate management, file publication, recovery, directory, event registration, and user registration. eIDSL will keep all the most important registered events archived, maintaining their accessibility, for a period never less than 15 years.

All registered events are subject to auditing.

2.1.2 Protection of an activity record

Once the activity of the systems is registered, the records cannot be modified or deleted; they will remain archived in their original conditions.

This registry will have read-only access, restricted to persons authorized by eIDSL.

The recording of a record, so that no data can be manipulated by anyone, will be performed automatically by specific software that eIDSL deems appropriate for that purpose.

The audited record, in addition to the security measures established in its recording and subsequent verification, will be protected from any contingency, modification, loss or disclosure of its data during its recording on external media, the change of this medium and its storage.

2.1.3 Procedures for backup copies of audited records

eIDSL, in its activity as Certification Services Provider, has a high-security system that guarantees the existence of backup copies and the security of all audited records.

2.1.4 Records archiving systems

The archiving systems used by eIDSL to keep these audited records will be the internal ones of the infrastructure, and external media with storage capacity will be used for long periods of time. These archive media will have sufficient guarantees to prevent the records from suffering any type of alteration.

eIDSL will make several copies that will be stored in different places, which will have all the physical and logical security measures to avoid, as far as reasonably possible, an alteration of the stored media and of the data contained on them.

This archive is provided with a high level of integrity, confidentiality and availability to avoid attempts to manipulate certificates and stored events.

2.1.5 Relevant data that will be recorded

The following will be registered:

Issuance and revocation, and other relevant events related to the certificates.

The signatures, and other relevant events related to the Revocation Lists (CRL’s).

All the operations of access to the file of Certificates.

Relevant events of the generation of pairs of random and pseudo-random numbers for the generation of Keys.

Relevant events of the generation of own key pairs or of authenticity support. In no case will the records include the numbers themselves or any data that facilitates their prediction.

All operations related to the activity as a reliable third party.
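The requirements of sections 2.1.2 (records that cannot be modified or deleted, recorded automatically by software) and 2.1.5 (the event kinds to be registered, never including key material or random values) can be made verifiable rather than merely declared. The following is an added example, not code from the CPD or from eIDSL's platform: an append-only register in which every entry commits to the hash of the previous one, so that any in-place edit, deletion or reordering of an archived record is detected on verification. The event types, serials, timestamps and actor names in the sample are constructed placeholders.

```python
"""Tamper-evident (hash-chained) event register, added illustration."""
import hashlib
import json
from typing import Any, Dict, List

GENESIS_HASH = "0" * 64  # anchor for the first entry (constructed convention)


def _entry_digest(seq: int, prev_hash: str, event: Dict[str, Any]) -> str:
    """SHA-256 over a canonical (sorted-key, no-whitespace) JSON encoding."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append one event; the register is append-only and never edited in place."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"seq": seq, "prev": prev_hash, "event": event,
             "hash": _entry_digest(seq, prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        # a deleted or reordered entry shows up as a sequence/link mismatch
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return i
        # an edited event body shows up as a digest mismatch
        if _entry_digest(i, prev_hash, entry["event"]) != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    return -1


def build_sample_register() -> List[Dict[str, Any]]:
    """Constructed sample events covering the kinds listed in section 2.1.5."""
    chain: List[Dict[str, Any]] = []
    sample_events = [
        {"type": "certificate.issued", "serial": "PLACEHOLDER-0001",
         "ts": "2016-06-01T10:00:00Z"},
        # key generation is logged as an event only: no key bytes, no random values
        {"type": "keypair.generated", "operators": 2, "ts": "2016-06-01T10:05:00Z"},
        {"type": "crl.signed", "crl_number": 42, "ts": "2016-06-01T11:00:00Z"},
        {"type": "archive.accessed", "actor": "auditor-placeholder",
         "ts": "2016-06-02T09:30:00Z"},
        {"type": "certificate.revoked", "serial": "PLACEHOLDER-0001",
         "reason": "keyCompromise", "ts": "2016-06-03T08:00:00Z"},
    ]
    for event in sample_events:
        append_event(chain, event)
    return chain


if __name__ == "__main__":
    register = build_sample_register()
    print("intact:", verify_chain(register) == -1)
    register[1]["event"]["operators"] = 1  # simulate an after-the-fact edit
    print("first bad entry after edit:", verify_chain(register))
```

The chain detects edits, deletions and reordering of existing entries, but not silent truncation of the tail; to cover that, the latest entry hash must be kept somewhere the register writer cannot alter, which is what the separately stored copies of section 2.1.4 (or an RFC 3161 time stamp over the head hash) provide.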

2.1.6 File protection

eIDSL guarantees that the file of registered events meets the following requirements:

It cannot be modified by unauthorized means.

It must have a high degree of availability and reliability.

A trace of the accesses made will be saved.

2.1.7 Making copies and security of the files

At all times there will be a backup copy of all existing files in eIDSL, in its activity as a Certification Services Provider.

2.1.8 Obtaining and verifying archived information

Access to the file registry will be limited to personnel authorized by eIDSL.

Access to encrypted data by third parties through the data recovery service, without the user’s authorization, must always be carried out under the conditions established by the Law and, where appropriate, the corresponding contracts and agreements.

2.2 Security controls for physical security, procedures, and personnel

This section describes the non-technical controls used by eIDSL, as a Certification Services Provider, to safely execute the functions associated with the management of Certificates.

2.3 Physical Security Controls.

eIDSL guarantees that it complies with the applicable regulations in all aspects of physical security and describes them throughout this chapter. Several security perimeters have been established, where critical or sensitive activities are carried out, always taking into account that the Data Processing Center and all the systems of the eID platform are physically housed in a third party.

2.3.1 Situation of the Data Processing Center.

eID's application "Service Provider Certification", for business flexibility and versatility in the provision of services, may be hosted on the premises of Amazon Inc., under its AWS (Amazon Web Services) service offering, in Ireland, or at the facilities of its clients.

Physical access, as well as its entry controls and secure working areas, complies with first-level international standards that can be consulted through https://aws.amazon.com/Compliance; further detail can be requested through eIDSL.

In the case of the application being located at the facilities of its customers, physical access and entry controls will be the responsibility of the customer. Likewise, electricity, air conditioning of the infrastructure machines, wiring security, fire prevention and protection, and storage of media comply with required practices and follow the criteria of first-level international frameworks and standards, which can be consulted through https://aws.amazon.com/compliance; further detail can be requested through eIDSL.

2.4 Procedural controls

eIDSL ensures that all management, both operating and administrative procedures, is carried out reliably and in accordance with the provisions of this document, conducting audits to avoid any defect that may lead to a loss of confidence. Reviews are carried out in order to verify compliance with security measures and with technical and administrative requirements. Segregation of duties is applied to prevent a single person from achieving full control of the infrastructure. To make it impossible to bypass the set of existing safeguards, multiple profiles assigned to the infrastructure personnel are defined, among which the different tasks and responsibilities are distributed.

2.5 Personnel security controls

The procedures for the management of the personnel of the infrastructure will promote the competence and know-how of its employees, as well as the fulfillment of their obligations.

Within the scope of this document, positions of trust are those that imply access to or control of components that may directly affect the issuance, use or revocation of certificates. All employees, own or contracted, who have access to or control over these cryptographic operations, including restricted access to the Directory, are considered employees of trust. This staff includes, but is not limited to, customer service personnel, system administrator personnel, engineering personnel, and executives appointed to verify the security systems infrastructure of the Certification Services Provider. Persons assigned, permanently or temporarily, to these positions will be duly accredited and identified by eIDSL. Periodically, it will be verified that these persons continue to have the confidence of eIDSL to carry out this work requiring confidentiality.

Relations between third parties and eIDSL are protected by the corresponding confidentiality agreement if, in the course of this relationship, the exchange of sensitive information is necessary. eIDSL staff are required to have an express personal confidentiality agreement.

Incidents are reported to the Directorate, regardless of whether the appropriate corrective actions are activated through the incident system established in eIDSL to drive them to a solution in the fastest possible way. Security weaknesses are classified as incidents and, as such, are resolved, giving rise to the appropriate corrective actions, as described in the aforementioned procedures. Likewise, software failures are classified as incidents and, as such, are resolved, leading to the appropriate corrective actions.

2.5.1 Disciplinary procedure

In the course of their work activity for eIDSL, or whenever they use eIDSL means and/or material, its employees assign exclusively to eIDSL, in their full extent, for the maximum duration foreseen by Law and for a worldwide scope, all the exploitation rights that may correspond to them and in particular, without this enumeration being understood as limiting, the rights of reproduction, distribution, transformation and public communication relating to intellectual property, as well as other industrial property rights, or rights relating to the topography of semiconductors, over the works, inventions and creations that they originate and/or develop. The worker, as a result of the exclusive assignment of the aforementioned rights over works, inventions and creations created or developed as a result of the employment relationship that binds them with eIDSL, or as a consequence of the use of eIDSL material and/or technical means, will not have the right to exploit the aforementioned works and/or creations in any way, although this will not prejudice their exploitation or use by eIDSL.

In order to comply with the internal regulations of eIDSL, the applicable laws and regulations and the safety of its employees, eIDSL reserves the right to inspect at any time, and keep track of, all the eIDSL computer systems and its eID platform.

Computer systems subject to inspection include, but are not limited to, electronic mail system files, personal computer hard disk files, voicemail files, print queues, fax documentation, desk drawers, and storage areas. These inspections will be carried out after having been approved by the legal advice department, following the procedures established in the applicable legal regulations and with the intervention of the union representatives, if applicable. eIDSL also reserves the right to remove from its computer systems any material that it considers offensive or potentially illegal or fraudulent.

2.5.2 Inadequate behavior

The eIDSL Directorate reserves the right to revoke the system privileges of any user at any time. Any behavior that interferes with the usual and proper operation of the eIDSL computer systems, that prevents others from using these systems, or that is dangerous or offensive, will not be allowed.

eIDSL will not be responsible for the opinions, acts, transactions and/or underlying business that the members of the Electronic Community carry out using the eIDSL certification services; all without prejudice to the obligation of eIDSL to inform the competent authority, should it become aware of them.

2.5.3 Applications that compromise security

Unless authorized by the eIDSL Directorate, the employees of eIDSL shall not acquire, possess, negotiate or use hardware or software tools that could be used to evaluate or compromise the computer security systems. Some examples of these tools are those that bypass software protection against unauthorized copying, detect secret passwords, identify vulnerable security points, or decrypt files. Also, without proper permission, employees are prohibited from using trackers or other such hardware, except in those cases where their use is necessary to perform system tests and prior notice has been given to the person in charge of the area.

2.5.4 Activities not allowed

Users must not test or attempt to compromise the security measures of a computer or communication system unless such action has been previously approved in writing by the Directorate of eIDSL. Incidents related to "hacking", discovery of passwords, decryption of files, unauthorized copying of software, breaches of personal data protection and other activities that pose a threat to security measures, or that are illegal, will be considered serious violations of the internal regulations of eIDSL. It is also strictly forbidden to use bypass systems, whose objective is to evade protective measures, and other files that may compromise protection systems or resources.

2.5.5 Mandatory reporting

All alleged violations of the regulations, intrusions into the system, infections by malicious software and other conditions that pose a risk to the information or to the eIDSL computer systems must be immediately notified to the eIDSL Directorate.

2.6 Technical safety controls

2.6.1 Lifecycle Management of Certification Services Provider Keys

2.6.1.1 Generation and installation of Keys

For reasons of security and quality, the Keys that eIDSL needs for the development of its activity as a Certification Services Provider will be generated by eIDSL itself, within its own infrastructure, in a secure physical environment and with at least two people authorized for it.

The generation of the Keys and the protection of the Private Key are carried out keeping the necessary confidentiality measures, using secure and reliable hardware and software systems in accordance with the EESSI standards CWA 14167-1 and CWA 14167-2, in addition to taking the necessary precautions to prevent their loss, disclosure, modification or unauthorized use, in accordance with the security requirements specified in the EESSI standards (in particular ETSI TS 101 456) applicable to Certification Services Providers.

The algorithms and key lengths used are based on widely recognized standards for the purpose for which they are generated. The technical components necessary for the creation of Keys are designed so that a Key is generated only once, and so that a Private Key cannot be calculated from its Public Key.

2.6.1.2 Distribution of the Public Key of the Certification Authority

The Signature Verification Data of the Certification Services Provider is distributed in the form of an "electronic self-signed certificate", which can be consulted at www.electronicid.eu.

2.6.1.3 Period of use of the Signature creation and verification data

The Signature creation and verification data of the Certification Services Provider and of the Subscribers may be used throughout the validity of the Certificate (on the validity of the Certificates, see the Validity of the Certificates section of this CPD).

2.6.1.4 Use of Signature Creation and Verification Data

The Signature creation and verification data of eIDSL, in its activity as a Certification Services Provider, will be used solely and exclusively for the purposes of:

Signing of Certificates.

Signing of the Revocation Lists.

Signing of electronic documents other than the Certificates, foreseen in the ordinary course of business of eIDSL, in the cases foreseen in this Statement and in the corresponding regulations.

The algorithms and signature parameters used by the Certification Authority of eIDSL for the signature of electronic certificates and lists of revoked certificates are the following:

Signature algorithm: RSA

Parameters of the signature algorithm: Modulus length = 1024

Key generation algorithm: rsagen1

Padding method: emsa-pkcs1-v1_5

Cryptographic digest function: SHA-1

This set of algorithms and parameters corresponds to entry 001 in the table of signature suites approved in ETSI SR 002 176 "Electronic Signatures and Infrastructures (ESI): Algorithms and Parameters for Secure Electronic Signatures". The identification of the signature algorithm used by eIDSL, both for the certificates issued and for the revocation lists, is indicated in the basic "signature" field of the certificate and of the lists of revoked certificates, with the following ASN.1 structure:

    signature            AlgorithmIdentifier

    AlgorithmIdentifier ::= SEQUENCE {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL }

    algorithm = sha-1WithRSAEncryption OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

    parameters = NULL
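The AlgorithmIdentifier described in this section is what a relying party actually reads out of the DER encoding of a certificate or CRL. The following is an added example, not code from the CPD or from eIDSL's software: a minimal DER reader for the SEQUENCE { OBJECT IDENTIFIER, parameters } structure, an OID decoder that turns the base-128 arcs into the dotted form used above, and a relying-party check of the named suite. The byte strings are constructed samples (the sha-1WithRSAEncryption identifier is the one stated here; sha256WithRSAEncryption, 1.2.840.113549.1.1.11, is included for comparison). The check flags what this CPD states, SHA-1 with a 1024-bit RSA modulus, because neither is accepted for certificate signatures any longer, which is the first thing an assessor of an X.509 deployment would look for.

```python
"""Decode an X.509 AlgorithmIdentifier (DER) and assess the signature suite."""
from typing import Any, Dict, List, Tuple

# Constructed sample: SEQUENCE { OID 1.2.840.113549.1.1.5 (sha-1WithRSAEncryption), NULL }
SHA1_RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101050500")
# Constructed comparison: SEQUENCE { OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), NULL }
SHA256_RSA_ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")

SIGNATURE_OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha-1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

TAG_SEQUENCE, TAG_OID, TAG_NULL = 0x30, 0x06, 0x05


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value; return (tag, content, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OID content octets to dotted form; the first octet packs arcs 1 and 2."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_algorithm_identifier(der: bytes) -> Dict[str, Any]:
    """Parse AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(seq, 0)
    if tag != TAG_OID:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    params = None  # parameters absent
    if pos < len(seq):
        ptag, pcontent, _ = _read_tlv(seq, pos)
        params = "NULL" if (ptag == TAG_NULL and pcontent == b"") else pcontent.hex()
    return {"oid": oid, "name": SIGNATURE_OID_NAMES.get(oid, "unknown"), "parameters": params}


def assess_signature_suite(der: bytes, modulus_bits: int) -> List[str]:
    """Relying-party findings for a CA signature suite; an empty list means acceptable."""
    info = decode_algorithm_identifier(der)
    findings: List[str] = []
    if info["oid"] == "1.2.840.113549.1.1.5":
        findings.append("SHA-1 digest: deprecated for certificate signatures, use SHA-256 or stronger")
    if modulus_bits < 2048:
        findings.append(f"RSA modulus of {modulus_bits} bits: below the 2048-bit minimum")
    if info["parameters"] != "NULL":
        findings.append("PKCS#1 v1.5 RSA signature OIDs require an explicit NULL parameters field")
    return findings


if __name__ == "__main__":
    print(decode_algorithm_identifier(SHA1_RSA_ALGID))
    for finding in assess_signature_suite(SHA1_RSA_ALGID, 1024):
        print("finding:", finding)
```

The reader deliberately handles only the two tags this structure needs; a real certificate parser must also cope with constructed tags, indefinite lengths being rejected (DER forbids them) and the full Certificate SEQUENCE around the signature field.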

2.6.1.5 Change of Signature creation and verification data

eIDSL, based on progress in cryptographic matters, will study the change of its signature verification data when the circumstances advise it, minimizing the impact on its Electronic Community. In case of opting for such a change, eIDSL will inform the members of its Electronic Community of the change of its own signature creation and verification data and will make the new signature verification data available on the site www.electronicid.eu.

2.6.1.6 End of the life cycle of the Cryptographic Key

eIDSL will destroy or properly store the Keys of the Certification Services Provider once their period of validity ends, in order to avoid their inappropriate use.

2.6.2 Lifecycle Management of Subscriber Keys

2.6.2.1 Generation and storage

The Subscriber's Private Keys are for the exclusive use and control of the Subscriber and are generated under procedures that guarantee the compliance of the Certification Services Provider with current legislation. eIDSL keeps the relevant information to guarantee the availability of the status of the certificates according to the legal order in force, for a period of not less than 15 years.

2.6.2.2 Uses of user keys

The use of user keys is detailed in each of the Particular Certification Practices covered by eIDSL as Certification Services Provider.

2.6.2.3 Period of use of user keys

The Signature creation data and Signature verification data of the members of the Electronic Community may be used throughout the life of the Certificate. See Validity of Certificates in this CPD.

2.6.3 Security controls of the technical components

The security of all the technical components that eIDSL uses in the development of its activity as a Certification Services Provider, as well as of its structure and procedures, follows everything related to the certification of the security of Information Systems under the National Scheme for Security Certification of Information Systems approved in Spain, in particular the EESSI provisions published in the Official Journal of the European Communities or in the corresponding Spanish Official Journals. In addition, the criteria for evaluating the security of information technologies in ISO 15408 (Common Criteria) will be taken into account in the design, development, evaluation and acquisition of the Information Technology products and systems that form part of the Certification Services Provider, as well as the EESSI regulations.

The security management processes of the infrastructure will be evaluated periodically.

2.6.4 Network security controls

The means of communication through public networks, which eIDSL uses in the development of its activities, use sufficient security mechanisms to prevent or adequately control any external aggression through these networks. This system is periodically audited in order to verify its proper functioning.

In the same way, the infrastructure of the network that provides the certification services is equipped with the necessary security mechanisms known to date to guarantee a reliable and comprehensive service. This network is also audited periodically.

2.6.5 Cryptographic module engineering controls

Among the technical components provided to its users, and in order to increase public confidence in its cryptographic methods, eIDSL carries out evaluations of the security of the products and services it offers, using open and accepted market criteria.

2.6.6 Security levels

The levels of security of the different components of the Infrastructure, as well as of the procedures and components that make up the activity of the Certification Services Provider, will be evaluated according to the "Information Technology Security Evaluation Criteria" (ITSEC/ITSEM) and/or Common Criteria (ISO 15408) and, in particular, according to the EESSI initiative.

Likewise, regarding the management of information security, the scheme established in UNE-ISO 17799 Code of Good Practices for Information Security is followed.

With respect to personal data, the current legal regulations will be complied with and in particular the provisions of the LOPD and Royal Decree 994/1999, of June 11, which approves the Security Measures Regulations of the automated files that contain personal data.

2.6.7 Restoration of services in case of failure or disaster

The Certification Services Provider, supported by the services of third parties in the provision of infrastructure and systems, will deploy a design of the eID platform that minimizes failures and/or restores services in the event of any disaster, taking into account the following:

The redundancy of the most critical components.

The start-up of an alternative backup center.

The complete and periodic check-up of backup services.

Compromise of the Signature Creation Data of the Certification Services Provider. In this case eIDSL will inform all the members of the Electronic Community, indicating that all the Certificates and Revocation Lists signed with this data are no longer valid, and will proceed to the restoration of the service as soon as possible and under the new applicable conditions.

eIDSL will not be responsible for the lack of service or anomalies in it, nor for the damages that could be produced directly or indirectly, when the eID platform failure has its origin in force majeure, terrorist attack, sabotage or wildcat strikes; all this without prejudice to carrying out the necessary actions for the rectification and/or resumption of the service as soon as possible.

2.6.8 Termination of the eIDSL activity as Certification Services Provider

This contingency and its consequences are described in this CPS in the section “Cessation of the Activity of the Provider of Certification Services: Transfer of the provision of the Service”.

2.7 Audits

eIDSL will maintain a specific system in order to record events for all operations such as: issuance, validation and revocation of Certificates.

In order to minimize the impact on the production systems, audits of the affected production systems will be run in low-activity time slots.

2.7.1 Protection of audit tools

All tools, reports, records, files and sources related to the preparation or registration of an audit are considered sensitive information and, as such, are treated accordingly in all respects, with access restricted to authorized persons.

2.7.2 Identity of the auditor

The auditor who checks and verifies the correct operation of the eIDSL Certification Services Provider must be a person or professional with sufficient accreditation and professional experience in the matter to be audited, in accordance with the legislation in force at all times. The performance of these audits may be entrusted to external audit firms, to internal staff qualified to do so (according to current legislation), or both. In the case of internal personnel, and depending on the degree of criticality of the area to be audited, the degree of independence of the personnel involved and their level of experience will be specified according to functional independence parameters. In cases where the audits are prepared by personnel external to eIDSL, the necessary measures and controls are established to regulate the audit requirements, the scope, the access to sensitive information and other agreements of confidentiality and responsibility over the assets. In external audits, the auditor and the auditing company will never have any type of labor, commercial or other relationship with eIDSL or with the party requesting the audit, always being an independent professional who performs the requested audit. Together with the report obtained from the audit, the identification of the auditors will appear. The report resulting from the audit will be signed by the auditors and the person responsible at eIDSL.

2.7.3 Results of the audit and corrective actions

All the non-conformities detected in the audit will be treated with the corresponding corrective actions. The action plan for the implementation of the corrective actions will be prepared in the shortest possible time and will be kept together with the audit report for inspection and follow-up in subsequent audits. In the event that the deficiency found involves a serious risk for the security of the System, of the Certificates, of the Signature creation or verification data, or of any document or data considered Confidential in this document, whether belonging to the Subscribers or to the Certification Services Provider itself, eIDSL will act with the maximum diligence in order to safeguard the security of the entire infrastructure. Similarly, eIDSL will act diligently to correct the error or defect detected in the shortest possible time.

2.7.4 Communication of the results

The competent administrative or judicial authorities may request audit reports to verify the proper functioning of Certification Services Providers.

2.7.5 Audit Plan

The following audits will be carried out:

Security of the eID Platform code: security audit and penetration tests, according to the OWASP methodology. A full one every three (3) years and a partial one every year. (To be specified when the corresponding certification scheme is established.)

Data protection: one every two (2) years, internal, to be carried out by the information systems department.

Certification service providers (ETSI TS 101 456): one partial audit annually and one full audit every three (3) years. (To be specified when the corresponding certification scheme is established.)

The following controls will be carried out:

Internal controls of network security.

Controls and internal tests of the contingency plan.

Internal controls of quality and security.

Internal controls of software development according to the OWASP methodology.

Extraordinary: when circumstances so require, at the discretion of eIDSL.

3 Support of the Certificate

eIDSL will issue the Electronic Certificate following procedures that guarantee its compliance as a Certification Services Provider according to current legislation, guaranteeing its sole use by the Subscriber. eIDSL will issue the Certificate on a suitable and secure support, without the following description having a limiting character. The generation of the Signature Creation Data and Signature Verification Data will be done following procedures and using secure means under the sole control of the Subscriber. The relevant information for compliance with the current legal framework on the status of the Certificates will be safeguarded by eIDSL.

4 Types of certificates issued by eIDSL

eIDSL transmits all the rights necessary for the typical use of the Certificate to Subscribers and users, within the scope of the Electronic Community into which they have been incorporated through the formalization of the corresponding contracts and/or agreements, of which this Certification Practices Statement forms an integral part. The Certificates may never be used outside the Electronic Community, nor for uses other than those included in this Certification Practices Statement and in the corresponding contract or particular agreement.

eIDSL issues the following Certificates, with the specific limitations of use included in the corresponding Particular Certification Practices referenced below:

Certificate of Identity of a Physical Person. Also known as the eID Platform User Certificate, it is the electronic certification issued by eIDSL that links its Subscriber with Signature verification data and confirms their identity. In these Certificates, the Subscriber can only be a natural person. The Particular Certification Practices are detailed in the corresponding Annex.

5 General Service Conditions

eIDSL is constituted as an independent Root Certification Service Provider that is not part of external trust structures. The initial registration for requesting the issuance of a certificate that requires accreditation will be made through a Registration Office, by telematic or face-to-face means. From then on, once the Certificate is available, telematic operations such as the telematic request for the revocation of Certificates or the change of the Subscriber's personal data may be carried out by telematic means through the services of the Registration Offices or, failing that, through the services of the eID Platform. eIDSL, as a Certification Services Provider, will issue Certificates for all interested parties who request them under the conditions set forth in this Certification Practices Statement. These Certificates will allow the Subscriber to communicate with and identify itself to its interlocutors in a secure manner. The format of the Certificates used by eIDSL is based on that defined by the International Telecommunication Union, Telecommunication Standardization Sector, in ITU-T Recommendation X.509, dated June 1997 or later (ISO/IEC 9594-8 of 1997). The format will be the one specified in Version 3 of the mentioned X.509 format and will be valid for use with standard communication protocols such as SSL, TLS, etc. Likewise, the format of the Revocation Lists published by eIDSL follows the profile proposed in Recommendation ITU-T X.509, in its Version 2 with regard to Revocation Lists.

5.1 Electronic Certificates

The issuance of Certificates implies the generation of Electronic Documents that prove the identity and, where appropriate, other qualities or powers of the Subscriber. All Certificates, to be such, and in order to avoid their alteration or falsification, must be signed by the Root Certificate of eIDSL in its capacity as Certification Services Provider. The power to issue eIDSL Certificates resides solely in this entity and is in no case delegable. For greater detail on the practices and procedures followed by eIDSL in the issuance of the different types of specific Certificates, we refer in each case to the particular procedure described in the annexes.

5.2 Life Cycle of the Certificate

The different phases of the cycle are described in a general manner; they are complemented, according to each case, by the corresponding Certification Practices attached in the annexes.

5.2.1 Request for Certificate

The phase of application for the Certificate includes, in general, the confirmation of the personal identity of the Applicant.

5.2.2 Issuance of Certificates

The steps included in the procedure for issuing the Certificate may differ depending on the Certificate requested. Each of these procedures is specified in the Particular Certification Practices attached in the annexes.

5.2.3 File of the Signature Verification Data

The Signature Verification Data of the Subscribers will remain on file, in case their recovery is necessary, in files and supports that are secure both physically and logically, during the legally established period of fifteen (15) years.

5.2.4 Use and acceptance of the Certificates

To be able to use the Certificates or rely on electronically signed documents based on them, one must first be part of the Electronic Community and acquire the status of User Entity. Outside the Electronic Community, a Certificate or an electronic signature based on a certificate issued under the eIDSL Certificate Certification Policy through the eID platform should not be relied upon. In any case, if such reliance is placed by a third party, the coverage of this Certification Practices Statement will not be obtained, and there will be no standing to claim or take legal action against eIDSL for damages, losses or conflicts arising from the use of or reliance on a Certificate. In addition, even within the scope of the Electronic Community, this type of Certificate cannot be used to:

Sign another certificate.

Sign software or components.

Generate time stamps for electronic dating procedures.

Provide services, free of charge or for consideration, such as, by way of example: OCSP services, generation of Revocation Lists, or notification services.

Carry out economic transactions over 100 €, unless eIDSL gives express written permission to do so.

The Particular Certification Practices, also included in this Certification Practices Statement, express in more detail the specific limitations on the use of each of the certificates in question; in case of discrepancy with those set out here, the particular conditions shall apply. The acceptance of the Certificates by the Subscriber shall be understood to have occurred tacitly if, after the Certificate has been generated, the Subscriber uses it or makes it available to third parties and does not request its revocation. By accepting the Certificate, the Subscriber also accepts its use and the conditions contained in this Certification Practices Statement, understood as not only the main body of the same but also its annexes.

In any case, when accepting a Certificate issued by eIDSL, the Subscriber and, where applicable, the Applicant declare:

That all the information delivered during the Certificate application procedure is true.

That the Certificate will be used exclusively for legal purposes authorized by eIDSL, in accordance with this Certification Practices Statement and always within the scope of the Electronic Community.

That they ensure with high reliability their exclusive control over the Signature Creation Data corresponding to the Signature Verification Data included in the Certificate issued by eIDSL and linked to their personal identity, which in any case, and merely for illustrative purposes, includes the actions and measures necessary to prevent its loss, disclosure, modification or use by a third party other than the Subscriber.

That they will immediately notify eIDSL of any circumstance that they consider may compromise the exclusive control, integrity or security of the information related to the Certificate or the related process.

eIDSL will consider valid any Certificate accepted by the Subscriber and published in its corresponding secure Directory, provided that it has not expired and that eIDSL does not know of any cause of revocation that affects it.

5.2.5 Publication of the Certificates in the Secure Directory

eIDSL will publish both the Certificates and the Revocation Lists in a secure and restricted Directory. Operators and administrators of the infrastructure and of the internal modules will have access, after authentication, to all the information existing in the Directory, and will be able to carry out all kinds of operations according to the defined profile, within the limits of the legislation on automated processing of personal data and according to the corresponding contracts and agreements. Individuals and Entities under Private Law will not have access to the Revocation Lists, given the limits derived from the legislation on automated processing of personal data and the corresponding contracts and agreements; validation will be carried out through the OCSP service described in the section “Certificate Validation Service through OCSP”.

5.2.6 Renewal of Signature Creation Data and Signature Verification Data

The request for the issuance of new Signature Creation Data will be accompanied by the issuance of a new Certificate. Similarly, each time a Certificate is renewed, new Signature Creation and Verification Data will be generated.

5.3 Validity of Certificates

5.3.1 Expiration

All Certificates issued by the Certification Services Provider will be valid for a period never greater than five (5) years, with the exception of the Root Certificates. This period will be counted from the date of issuance of the Certificate. Once this period has elapsed, if the Certificate is still active it will expire, and a new one must be issued if the Subscriber wishes to continue using the services of the Certification Services Provider. Each Certificate, according to its type, will have a specific duration, according to the applicable Particular Certification Practices.

5.3.2 Extinction of the validity of the Certificate

The Certificates issued by eIDSL, except for the root Certificates, will cease to have effect in the following cases:

a) Expiry of the period of validity of the Certificate according to the applicable Certification Practice.

b) Cessation of eIDSL's activity as a provider of Certification Services, unless, with the express consent of the Subscriber, the Certificates issued by eIDSL have been transferred to another Certification Services Provider. In cases (a) and (b), the loss of effectiveness of the Certificates takes place as soon as these circumstances occur.

c) Revocation or Suspension of the Certificate for any of the causes included in this Certification Practices Statement.

For the purposes listed above, a request to issue a certificate when another one is in effect in favor of the same owner and belonging to the same Issuance Law will entail the revocation of the first one obtained. The effects of the revocation or suspension of the Certificate, that is, the extinction of its validity, will take effect from the date on which eIDSL has certain knowledge of any of the determining facts, and this is stated in the Revocation List of its consultation service on the validity of the Certificates.

5.3.3 Revocation of Certificates

The request for revocation of the Certificates may be made during the period of validity stated in the Certificate. Each type of Certificate has a specific duration, as set out in the Particular Certification Practices attached as annexes. The parties entitled to do so may request the revocation of a Certificate directly or through a third party with sufficient power.

5.3.3.1 Causes of revocation of Certificates

eIDSL will only be responsible for the consequences arising from not having revoked a Certificate in the following cases:

That the revocation should have been made because the contract signed with the Subscriber had expired.

That the revocation has been requested by the Subscriber following the procedure referred to in the section “Procedure for the revocation of Certificates”.

That the revocation request, or the cause that motivates it, has been notified by means of a judicial or administrative resolution.

That, in the cases c) to h) of the present section, those facts are reliably accredited, after identification of the applicant for the revocation.

Taking into account the above, the causes for revocation of a Certificate are:

a) The request for revocation by the Subscriber or its representative. In any case this request must be made in the event of: the use by a third party of the Subscriber's Signature Creation Data corresponding to the Signature Verification Data contained in the Certificate and linked to the personal identity of the Subscriber; the violation or endangerment of the secrecy of the Subscriber's Signature Creation Data or of those of the person in charge of the custody of the Signature Creation Data; or the non-acceptance of the new conditions that the issuance of new Certification Practices Statements may imply, during the period of one month after their publication.

b) Judicial or administrative resolution that so orders.

c) Total or partial, of the Subscriber or its representative.

d) Termination of the representation.

e) Dispute of the represented legal entity.

f) Inaccuracies in the data provided by the Applicant for obtaining the Certificate, or alteration of the data provided for obtaining the Certificate, or modification of the circumstances verified for the issuance of the Certificate, such as those relating to the position or powers of representation, in such a way that they no longer conform to reality.

g) Contravention of a substantial obligation of this Certification Practices Statement by the Subscriber of the Certificate or by a Registry Office if, in the latter case, it could have affected the issuance procedure of the Certificate.

h) Termination of the contract entered into between the Subscriber of the Certificate, or its representative, and eIDSL.

i) Termination of the service associated with the use of the Certificate.

j) Violation or endangerment of the secrecy of the Signature Creation Data of eIDSL with which it signs Certificates.

Under no circumstances should it be understood that eIDSL assumes any obligation to check the facts mentioned in letters a) to h) of this section. Actions constituting a crime or offense of which eIDSL has no knowledge regarding the data and/or certificate, inaccuracies in the data, or lack of diligence in communicating them to eIDSL will exonerate eIDSL from responsibility.

5.3.3.2 Effects of the revocation

The effects of the revocation of the Certificate, that is, the extinction of its validity, shall take effect from the date on which eIDSL has certain knowledge of any of the determining facts, and this is stated in the Revocation List.

5.3.3.3 Procedure for the revocation of Certificates

The legitimate applicant of the revocation must carry out the pertinent actions in accordance with the procedure that corresponds to him, according to the Particular Certification Practices attached as annexes of this Certification Practices Statement.

This service will be available twenty-four (24) hours a day, every day of the year, except for circumstances beyond eIDSL's control or maintenance operations.

5.3.4 Suspension of Certificates

The request for suspension of the Certificates may be made during the period of validity thereof.

The following will be entitled to request the suspension of a Certificate, directly or through a third party with sufficient power, for the Certificate of identity of natural persons: the Subscriber.

5.3.4.1 Causes of suspension

eIDSL may suspend the validity of the Certificates at the request of the legitimate interested individual, or of a judicial authority, or in the presence of well-founded doubts about the concurrence of the causes of extinction of the validity of the Certificates contemplated in the section “Causes of Revocation of Certificates”. Likewise, the request for suspension may be due to the existence of an ongoing investigation or judicial or administrative proceeding, whose conclusion may determine that the Certificate is actually affected by a cause of revocation. In these cases eIDSL, at the request of the legitimate interested party through the procedure established at https://www.electronicid.eu, will suspend the validity of the Certificate for the period required and, after this period, revoke the Certificate, unless the legitimate interested party reliably requests eIDSL to reactivate it.

5.3.4.2 Effects of the suspension

The effects of the suspension of the Certificate, that is, the extinction of its validity, shall take effect from the date on which eIDSL has certain knowledge of any of the determining facts, and this is stated in the Revocation List.

5.3.4.3 Procedure for suspension of Certificates

The legitimate applicant of the suspension must carry out the pertinent actions in accordance with the procedure that corresponds to him, according to the Particular Certification Practices attached as annexes of this Certification Practices Statement.

5.3.4.4 Procedure to cancel the suspension of Certificates

The legitimate applicant of the suspension may proceed to cancel the suspension of the certificates, according to the Particular Certification Practices attached as annexes to this Certification Practices Statement.

5.4 Generation and publication of Revocation Lists

eIDSL will keep the revoked and suspended Certificates in Revocation Lists for a term equivalent to the theoretical validity of the Certificate at the time of its issuance. Upon the expiration of the original validity period of a Certificate, it will no longer be listed in the Revocation Lists. Notwithstanding the foregoing, eIDSL may, for security reasons, keep lists of certificates whose original validity period has expired.

These Revocation Lists are published with a maximum periodicity of twenty-four (24) hours and also have a validity of twenty-four (24) hours. New Revocation Lists may be issued each time a Certificate is revoked or suspended.

The Revocation Lists will in any case be authenticated by eIDSL, through the generation of electronic Signature using their Signature Creation Data.

eIDSL may publish the aforementioned information not only directly through its own means, but through public directories offered by other entities or organizations with which it has signed replication agreements, provided that the same guarantee and security is maintained.

The profile of the Revocation Lists issued by eIDSL is in accordance with Recommendation ITU-T X.509 version 2.

5.5 Procedures for consulting the status of the Certificates

The Subscriber of the Certificate will not have access to the Revocation Lists. However, the Subscriber will have an application, at an address to be confirmed, through which, after authentication with the Signature Creation Data, the Subscriber will be informed of the status of the Certificate.

This service will be available twenty-four (24) hours a day, every day of the year, except for circumstances beyond eIDSL's control or maintenance operations.

Only User Entities under Public Law will have access to the Revocation Lists (originating or replicated), and under the conditions established in the corresponding agreement.

5.9 Change of Signature Creation Data of eIDSL

This contingency and its consequences are described in the section “Lifecycle management of the Keys of the Certification Services Provider” of this Certification Practices Statement.

5.10 Obligations and Guarantees of the Parties

5.10.1 Obligations and guarantees of the Certification Service Provider.

eIDSL will not be subject to other guarantees or other obligations than those established in the sectoral regulations applicable and in this Certification Practices Statement.

Notwithstanding the provisions of the legislation on electronic signature, and its development regulations, as well as in its specific regulations, the Certification Services Provider undertakes to:

5.10.1.1 Prior to the issuance of the Certificate

Check the identity and personal circumstances of the Certificate Subscribers in accordance with the provisions of this Certification Practices Statement (in this regard, the corresponding registration procedure can be consulted in the annexes). Under no circumstances will certificates be issued for minors unless they have the status of emancipated.

Verify that all the information contained in the certificate application corresponds to that provided by the Applicant.

5.10.1.2 Subscriber Identification

Identify the individual requesting a Certificate through their National Identity Document number or Foreigner Identification Number.

In the processes of verification of the aforementioned facts, eIDSL will be able to carry out these checks through the intervention of third parties that have attesting (notarial) powers, the costs of such interventions being borne by the interested parties.

Likewise, the identification of the subscribers can be carried out through the electronic identification service, to which the Electronic Identification Service Policies referred to in Annex II of this document refer.

5.10.1.3 Generation and delivery of Signature creation data and additional information:

Ensure that the procedures followed guarantee that the private Keys that constitute the Signature Creation Data are generated without eIDSL making copies of them or storing them.

Carry out the communication of information to the interested party or Applicant in such a way that their Confidentiality is procured.

Make the following information available to the Applicant:

Instructions for the Subscriber, in particular:

The way in which the Signature Creation Data must be guarded.

The general mechanisms that guarantee the reliability of the electronic signature of a document over time.

The procedure to communicate the loss or misuse of said Data.

A description of the method used by eIDSL to verify the identity of the Subscriber and those other data that appear on the Certificate.

The certifications obtained by eIDSL.

The applicable procedure for the resolution of conflicts.

A copy of these Certification Practices Statement.

5.10.1.4 Preservation of information by eIDSL

Keep all the information and documentation related to each Certificate, in the due security conditions, for fifteen (15) years from the time of issuance, so that the signatures made with it can be verified.

Maintain a safe and updated Directory of Certificates in which the issued Certificates are identified, as well as their validity, including in the form of Revocation Lists the identification of the Certificates that have been revoked or suspended. The integrity of this Directory will be protected through the use of systems that comply with the specific regulatory provisions that are issued in Spain and, where appropriate, of the EU, and their access may be made as provided in the corresponding section.

Maintain a consultation service on the validity of the Certificates. This service is described in the section “Procedure for consulting the status of Certificates” of this document.

Keep the CPS for 15 years from its repeal by publication of a new CPS, in due security conditions.

5.10.1.5 Protection of Personal Data:

eIDSL undertakes to know and comply with the legislation in force regarding the Protection of Personal Data, basically Organic Law 15/1999, of December 13, on the Protection of Personal Data. For this purpose and with an enunciative nature, it undertakes to comply with the obligations set forth in such regulations regarding information for those affected, file declaration before the Spanish Agency for Data Protection, conservation and access to information, as well as with the security measures established in Royal Decree 994/1999. Likewise, it guarantees that the use of the personal data collected will be limited to those purposes for which they were collected. To learn about the data protection policy followed by eIDSL and agree on the use of the data, you can consult the section “LOPD Security Document” of this Certification Practices Statement and annex related to data protection policies.

5.10.1.6 Suspension and revocation of Certificates:

Regarding the suspension and revocation of Certificates and the obligations that eIDSL undertakes to assume in this respect, in addition to the annexes, the sections of this Certification Practices Statement corresponding to the suspension and revocation of Certificates may be consulted.

5.10.1.7 Cessation of the activity of eIDSL as Certification Services Provider:

In this respect, the section “Cessation of the activity of the Certification Service Provider: Transfer of service provision” of this Certification Practices Statement may be consulted.

5.10.2 Obligations of the Registry Office

In general, follow the procedures established by eIDSL in the Certification Practices Statement and Certification Policies in the performance of its functions of management, issuance, renewal and revocation of Certificates, and not depart from said framework of action.

In particular, verify the identity and any personal circumstances of the Applicants of the relevant Certificates for their own purpose, using any of the means admitted in Law, and in accordance with the general provisions set forth in the Certification Practices Statement and the particular provisions of the corresponding Particular Certification Practices attached as an annex to it.

Keep all the information and documentation related to the Certificates whose request, renewal, suspension or revocation it manages for fifteen (15) years.

Allow eIDSL access to the files and the audit of its procedures in relation to the data obtained as Registry Office.

Inform eIDSL of any aspect that affects the Certificates issued by eIDSL.

Handle the formalization of the certificate issuance agreements with the Subscriber thereof, under the terms and conditions established by eIDSL.

Communicate to eIDSL diligently the requests for the issuance of Certificates.

Regarding the extinction of the validity of the certificates: diligently verify the causes of revocation and suspension that could affect the validity of the Certificates, and communicate to eIDSL diligently the requests for revocation and suspension of the Certificates.

With respect to the Protection of Personal Data, the provisions of the section “Personal data” will apply.

5.10.3 Obligations of the Subscriber

Do not use the Certificate outside the Electronic Community, nor beyond the limits specified in the Particular Certification Practices contained in the corresponding annexes of this Certification Practices Statement.

Do not use the certificate in case the Certification Services Provider that issued the certificate in question has ceased its activity as a Certificate Issuing Entity, especially in cases in which the Signature Creation Data of the provider may be compromised and this has been communicated.

Provide true information in the application for the Certificates, and keep it updated.

Act diligently with regard to the custody and conservation of the Signature Creation Data or any other sensitive information such as Keys, Certificate activation codes, passwords, personal identification numbers, etc., as well as the support of the Certificates, which in any case includes not disclosing any of the aforementioned data.

Know and comply with the conditions of use of the Certificates provided in the Certification Practices Statement and, in particular, the limitations on the use of the Certificates.

Know and comply with the modifications made to the Certification Practices Statement.

Request the revocation of the corresponding Certificate, according to the procedure described in the corresponding section, diligently notifying eIDSL or any Registry Office of the circumstances or suspicion of loss of Confidentiality, disclosure, modification or unauthorized use of the Signature Creation Data.

Review the information contained in the Certificate, and notify the Registry Office of any error or inaccuracy.

Verify, prior to trusting the Certificates, the Electronic Signature of the Certification Services Provider issuing the Certificate.

Diligently notify eIDSL or any Registration Office of any modification of the data provided in the Certificate application, requesting the revocation of the Certificate when pertinent.

5.10.4 Obligations of the User Entity

Verify prior to trusting the Certificates, the electronic Signature of the Certification Services Provider issuing the Certificate.

Verify that the certificate of the Subscriber received is still valid.

Verify the status of the certificates in the certification chain, by consulting the Revocation Lists.

Check the limitations of use of the Certificate that is verified

Know the conditions of use of the Certificate in accordance with this Certification Practice Statement.

Notify eIDSL of any anomaly or information related to the Certificate that may be considered a reason for renewal of the same, providing all the evidence available.
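The relying-party checks listed above, together with the limits of sections 5.2.4 (no certificate signing, code signing, time stamping or OCSP signing), 5.3.1 (at most five years) and 5.4 (Revocation Lists valid for 24 hours), as an added Go example that is not part of the CPS or of eIDSL's software. The root, subscriber certificate and Revocation List are constructed in memory for the demonstration; function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CPS limits: subscriber certificates last at most five years (5.3.1); a Revocation List is valid 24 hours (5.4).
const maxLeafValidity = 5 * 365 * 24 * time.Hour
const maxCRLValidity = 24 * time.Hour

// Extended key usages that section 5.2.4 excludes for subscriber certificates.
var forbiddenEKUs = map[x509.ExtKeyUsage]bool{x509.ExtKeyUsageCodeSigning: true,
	x509.ExtKeyUsageTimeStamping: true, x509.ExtKeyUsageOCSPSigning: true}

// CheckSubscriberCert runs the relying-party checks of section 5.10.4 at time now: root signature and
// validity window, the CPS use limits, and a fresh root-signed Revocation List that does not list the serial.
func CheckSubscriberCert(leaf, root *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// ExtKeyUsageAny disables Go's default ServerAuth requirement; the CPS use limits are checked below.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if leaf.NotAfter.Sub(leaf.NotBefore) > maxLeafValidity {
		return errors.New("validity period exceeds the five-year limit")
	}
	if leaf.IsCA { // a subscriber certificate may not sign other certificates
		return errors.New("subscriber certificate is marked as a CA")
	}
	for _, eku := range leaf.ExtKeyUsage {
		if forbiddenEKUs[eku] {
			return fmt.Errorf("extended key usage %d is not permitted by the CPS", eku)
		}
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("cannot parse Revocation List: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("Revocation List not signed by the root: %w", err)
	}
	if now.After(crl.NextUpdate) || crl.NextUpdate.Sub(crl.ThisUpdate) > maxCRLValidity {
		return errors.New("Revocation List is stale or claims more than 24h validity")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked or suspended")
		}
	}
	return nil
}

func must(err error) { if err != nil { panic(err) } }

// NewTestPKI builds a constructed root and subscriber certificate (not eIDSL material) for offline testing.
func NewTestPKI(now time.Time, leafValidity time.Duration, ekus []x509.ExtKeyUsage) (root, leaf *x509.Certificate, rootKey *ecdsa.PrivateKey) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(20 * 365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	must(err)
	root, err = x509.ParseCertificate(rootDER)
	must(err)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Constructed Subscriber"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(-time.Hour).Add(leafValidity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, root, &leafKey.PublicKey, rootKey)
	must(err)
	leaf, err = x509.ParseCertificate(leafDER)
	must(err)
	return root, leaf, rootKey
}

// NewCRL signs a Revocation List valid for lifetime that lists the given serials as revoked.
func NewCRL(root *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, lifetime time.Duration, revoked ...*big.Int) []byte {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(-time.Minute).Add(lifetime)}
	for _, s := range revoked {
		tpl.RevokedCertificates = append(tpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tpl, root, key)
	must(err)
	return der
}
```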

5.11 Responsibility of the Parties

In order to use Certificates issued by eIDSL, one must first form part of the Electronic Community and acquire the status of User Entity. Outside the Electronic Community one should not rely on a certificate or on an electronic signature that is based on a Certificate. In any case, if such reliance is placed by a third party, the coverage of this Certification Practices Statement will not be obtained, and there will be no standing to claim or take legal action against eIDSL for damages, losses or conflicts arising from the use of or reliance on a Certificate.

5.11.1 Responsibility of the Certification Services Provider

eIDSL only responds to the correct personal identification of the Applicant, but not of its qualities or any other information contained in the Certificate. Regarding this information, eIDSL is limited only to expressing it in a Certificate for which the identity of its Subscriber has been accredited by means of a public document.

It is a sine qua non condition for the application of the guarantees, obligations and responsibilities that the damage or the fact has occurred within the scope of the Electronic Community as defined by this concept in this Certification Practices Statement.

eIDSL will only be liable for deficiencies in the procedures of its activity as a Certification Services Provider, in accordance with the provisions of these Certification Policies or the Law, and in no other case will it be responsible for the actions or losses incurred by the Subscribers, User Entities or third parties involved that are not due to errors attributable to eIDSL in the aforementioned issuance and/or management procedures of the Certificates.

eIDSL will not be liable in cases of force majeure, terrorist attack or wildcat strike, nor in cases involving actions constituting a crime or offense that affect its service provision infrastructure, unless the entity has been guilty of serious negligence. In any case, in the corresponding contracts and/or agreements eIDSL may establish clauses limiting liability.

eIDSL will not be liable to persons whose behavior in the use of the Certificates has been negligent, and for this purpose should be considered and in any case as negligence the lack of compliance with the provisions of the Certification Practice Statement, and especially the provisions of the paragraph referred to the obligations and the responsibility of the parties.

eIDSL will not be liable for any software that it has not provided directly.

eIDSL does not guarantee the cryptographic algorithms nor will it respond for the damages caused by successful external attacks to the used cryptographic algorithms, if it kept due diligence according to the current state of the art, and proceeded according to the provisions of this Certification Practices Statement and In the law.

In any case, the amounts that eIDSL may be ordered by a court to pay as damages to injured third parties and/or members of the Electronic Community are, in the absence of specific regulation in contracts or agreements, limited to a maximum of SIX THOUSAND EUROS (€6,000).

5.11.2 Responsibility of the Registration Office

In any case, eIDSL may take recourse against the Registry Office that carried out the identification procedure if the cause of the damage had its origin in the fraudulent or culpable action of the latter.

5.11.3 Responsibility of the Applicant

The Applicant will respond that the information presented during the application for the Certificate is true.

The Applicant shall hold harmless and defend, at its own cost, eIDSL against any action that could be taken against this Entity as a result of the falsity of the information provided in the aforementioned procedure for issuing the Certificate, or against any damage suffered by eIDSL as a consequence of an act or omission of the Applicant.

5.11.4 Responsibility of the Subscriber

In any case, it is the obligation of the Subscriber, and consequently his responsibility, to inform eIDSL about any variation of status or information with respect to that reflected in the Certificate, for its revocation and new issuance. Likewise, the Subscriber will be liable to the User Entities or, as the case may be, to third parties for the improper use of the Certificate, for the falsity of the statements made in the application, or for acts or omissions that cause damages to eIDSL or to third parties. It will be the responsibility, and therefore the obligation, of the Subscriber not to use the certificate in the event that the Certification Services Provider has ceased its activity as the issuing Entity of the Certificates that gave rise to the issuance of the certificate in question and the subrogation provided by law has not occurred. In any case, the Subscriber will not use the certificate in cases in which the signature creation data of the Provider may be threatened and/or compromised, and this has been communicated by the Provider or, where appropriate, the Subscriber has had notice of these circumstances.

5.11.5 Responsibility of the User Entity

The User Entity is responsible, unless it contracts this obligation with eIDSL, for verifying the recognized electronic Signatures of the documents as well as the certificates; in no case may the authenticity of documents or Certificates be presumed without such verification. The User Entity cannot be considered to have acted with the minimum due diligence if it relies on an electronic signature based on a Certificate issued by eIDSL without having observed the provisions of this Certification Practices Statement and without verifying that the electronic signature can be verified by reference to a valid Certification Chain. If the circumstances indicate the need for additional guarantees, the User Entity must obtain them so that its reliance is reasonable. Likewise, it is the responsibility of the User Entity to observe the provisions of this Certification Practices Statement and its possible future modifications, with special attention to the limits of use established for the Certificates in their corresponding Certification Policies.

5.12 Personal Data

The system of protection of personal data derived from the application of this Certification Practices Declaration will be that provided in Organic Law 15/1999, of December 13, on the Protection of Personal Data and in its development regulations. The files will be of public ownership and their creation, modification or deletion will be done in accordance with the law.

5.12.1 Objective and presentation of the LOPD Security Document.

The objective of this document is to establish the security measures to be implemented by eIDSL in the environment of the Certification Services Provider for the protection of the personal data contained in the Users File of Electronic, Computer and Telematic Systems (EIT), registered with the APD.

eIDSL, as a Certification Services Provider, requires the personal data of its registered users in order to identify them and provide the Signature creation and verification Data that are indispensable for interacting through electronic, computer and telematic means. Given the nature of this type of data, as indicated in Royal Decree 994/1999 on the Regulation of security measures for automated files containing personal data, medium-level security measures must be adopted, with the objective of preserving the personal data processed within the eIDSL Certification Services Provider. These measures therefore affect all the resources (personnel, machines, applications, methods) involved in the processing of this data: from the Information System that performs the user registration functions, where the data is collected, to its storage and archiving in Secure Directory systems, including the interfaces and means of communication between the different systems, whether private or public telematic networks.

This document is mandatory for all personnel belonging to the eIDSL Certification Services Provider, as well as for all persons related to it who require access to personal data. These include the Registration Offices as collaborating entities of eIDSL as a Certification Services Provider, whose mission is to carry out the identification and authentication of persons, registering their personal data for the eIDSL Certification Services Provider.

5.12.2 Principles and norms of obligatory fulfillment

This section gathers the mandatory aspects that correspond to the sections established in article 8 of the Regulation of security measures for automated files that contain personal data.

5.12.3 Staff functions and obligations

This document, as well as any new version thereof, is made known to all persons belonging to the eIDSL Certification Services Provider or who have an obligation to handle such personal data. There are a series of clearly differentiated functions regarding the personnel involved in the use and processing of the personal data of the EIT Systems Users File, such as: File Manager, Security Manager, IT Security Personnel, Application Administrator, Application Users, Backup Operator, Security Auditor. These functions and, where appropriate, the persons who assume them, are defined in the “LOPD Security Document” section of the Introduction / Definitions section of this Certification Practices Statement.

5.12.4 Structure of the files containing personal data and description of the information systems that process them

The structure of the personal data files used by the eIDSL Certification Services Provider is that included in the EIT Systems Users File, which will be declared to the Spanish Data Protection Agency. This structure is as follows:

Identification data: NIF, name and surname, telephone, address, email address.

Personal characteristics data: signature verification data and certificate serial number.

Commercial information data: electronic address (URL).

In the Backup Policy of the Certification Services Provider, three different types of data have been defined according to their copy and backup requirements. All the data processed by the Public Key Infrastructure have been classified into one of these “Types”. The Types that refer to personal data are the following:

TYPE 1. Audit information: shows the functioning of the systems and application environments over time, and constitutes evidence and traces of the actions being carried out and the applications being executed. It may therefore contain information regarding personal data of clients.

TYPE 2. Personal data: data associated with identified or identifiable individuals, whether considered private or public.

TYPE 3. Keys: this category basically includes the master keys for access to systems and application environments, critical system keys, administration keys and emergency users. Their use is occasional.

The subsystems that are involved in some way in the processing of personal data are listed and briefly described below:

5.12.4.1 Subsystem of Management of Certificates.

Its mission is the creation of Certificates in accordance with the X.509 standard, into which the Keys created by the key generation subsystem and other identifying data are introduced.

5.12.4.2 Subsystem of the Registry Office

Its objective is the identification and authentication of the Subscriber, whose personal data are registered and then sent, in encrypted form, to the eIDSL Certification Services Provider.

5.12.4.3 Subsystem of Publication

Its mission is the management of the publication of the Directory of the eIDSL Certification Services Provider and the Revocation Lists.

5.12.4.4 Procedure for notification, management and response to incidents

The personal data underlies the Certificates, structured according to the standard. If the incident involves modifications, a corrective action is opened and executed by the staff responsible for it. The main fields of an incident are:

Name of the incident (brief description)

Person who opens the incident and date of opening

Area to which, in principle, the incident belongs

Priority

Type (generally corresponds to the Hardware / Software affected)

Description (detailed description of the incident)

Actions (actions taken to solve the incident)

Registration of the people handling the incident

5.12.5 Procedures for backup copies and data recovery

The characteristics defined for making backup copies take into account the following factors:

Periodicity of the backup (frequency with which copies must be made).

Retention of backup copies (time that copies should be kept).

Type of backup (full or incremental).

Storage (destination of backup copies).

Encryption (provision of confidentiality).

Signature (provision of integrity and authenticity).

Specifically for Type 2 data, that is, personal data, the following characteristics have been defined:

Periodicity of the backup: at least one daily backup copy of these data will be made.

Retention of backup copies: backup copies will be stored for a period of seven working days.

Type of backup: backup copies will always be full copies.

Storage: backup copies will be stored in the high-security fireproof archive of the eIDSL Certification Services Provider.

Encryption: the information will not be encrypted.

Signature: the information will not be signed.

Detailed information on these classifications can be found in the eIDSL Certification Services Provider Security Plan. The Security Manual defines the people responsible for the copies, who can access them and to whom they should report in case of an incident. A greater level of detail about this process is described in the document on the security copy, backup and recovery policy of the infrastructure, called “Backup / recovery policy”.

5.12.6 Access control

Users only have access to the data according to the profile assigned to them and provided that such access is necessary for the performance of their functions. For example, the Registry Office must provide the registrars with access to the information system of the eIDSL Certification Services Provider according to its access control requirements, giving them the level of access needed to carry out the registration function. Access control is profile-based: the identity or profile of the system user requesting an access is evaluated together with the requested access mode. Access is allowed provided that the identified user requests an access mode that has been previously authorized; otherwise it is denied. The File Manager has established mechanisms to prevent a user from accessing personal data with rights other than those permitted, and to prevent repeated attempts at unauthorized access to the information system.

5.12.7 Regime for work outside the premises where the file is located

All work on personal data is carried out in the eIDSL work center as Certification Services Provider. As mentioned in the previous section, the registration function is performed at the Registration Offices by duly authorized persons.

5.12.8 Temporary files

The software used to process the personal data needed to create an electronic certificate according to the X.509 standard generates temporary files (log files), which are duly safeguarded because of the traceability the installation requires for the activity of a Certification Services Provider, in compliance with Electronic Signature Law 59/2003, of December 19. In any case, these files have the same level of security as the declared file and therefore the same security controls are applied to them.

5.12.9 Media management

The computer media containing personal data are diligently identified so that the type of information they contain can be determined. They are also stored in a place with access restricted to authorized personnel and guarded by security staff.

Any removal of a computer medium containing personal data from the work center of the eIDSL Certification Services Provider may only be authorized by the File Manager.

The destruction of media is carried out after the medium has been removed from the backup application (which acts as the media inventory) and consists of the physical destruction of the medium (removing the magnetic tape from its cartridge and crushing it).

There is a media entry register that makes it possible to know, directly or indirectly:

The type of medium.

The date and time of entry.

The sender.

The number of media.

The type of information it contains.

The method of sending.

The person responsible for receiving the information, who in any case is duly authorized by the File Manager.

Likewise, there is a media exit register that makes it possible to know, directly or indirectly:

The type of medium.

The date and time of exit.

The recipient.

The number of media.

The type of information it contains.

The method of sending.

The person responsible for the delivery, who in any case is duly authorized by the File Manager.

When a medium is to be discarded or reused, the procedure established to prevent any subsequent recovery of the information stored on it will be followed. This procedure will be carried out before the medium is removed from the Inventory.

When media are going to leave the premises where the files are located as a consequence of maintenance operations, the necessary measures will be taken to prevent any undue recovery of the information stored on them.

5.12.10 Audit

In order to comply with all the aspects indicated in the LOPD, an audit will be carried out to verify compliance with the rules and instructions indicated in this document. This audit will be carried out at least once every two (2) years.

This audit report refers to the adequacy of the standards and instructions indicated in this document, identifying the weaknesses and proposing the pertinent corrective actions. Likewise, the report includes the data, facts and observations on which the report is based, as well as the proposed recommendations.

5.12.11 Logical Access

There are several types of logical access to the file:

Access with username and password: access in which a user of the application searches for the Public Key of a Subscriber based on the Subscriber's identification data (“serial number” of the Certificate, “common name”, etc.).

Privileged access to the Directory or database, where all personal data are stored. To perform this type of access, it is necessary to register in the application, in accordance with the provisions of the security regulations of the Certification Services Provider of

The parameters that are configured and that include what is required by the LOPD Regulation are those described below:

Each user identifies to the application with a username, which is unique to each person.

To authenticate, every user must enter a password that only that user should know. Each user is responsible for their password and must not share it with anyone else.

Groups of people who can access with the same user and password have not been created, nor are there generic users. Generic accounts that are created for tests or similar are deleted immediately after performing those tests.

Each user is free to change their password if they think it may be compromised, but they must have used it for at least one day. Notwithstanding the foregoing, the user has the obligation not to use the same password for a period exceeding three (3) years.

When a user fails identification and authentication more than three times, the system blocks that user's account.

There is a control mechanism, the Events Registry, responsible for storing, among other information, all accesses to the different components of the infrastructure.
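The profile-based access decision of section 5.12.6 and the password and lock-out rules of section 5.12.11 can be modelled in a few functions. The following is an added illustration, not eIDSL's own code: the profiles, access modes, usernames, passwords and timestamps are constructed assumptions, and every decision is appended to an in-memory events registry in the spirit of the control mechanism described above.

```python
"""Profile-based access control with account lock-out and an events registry,
modelling the rules of sections 5.12.6 and 5.12.11.  Added illustration: the
profiles, access modes, users and passwords below are constructed assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                      # more than three failures blocks the account
MIN_PASSWORD_AGE = timedelta(days=1)         # a password must be used for at least one day
MAX_PASSWORD_AGE = timedelta(days=3 * 365)   # and never for more than three years

# Profile -> access modes previously authorized for it (hypothetical profiles).
PROFILE_ACCESS_MODES = {
    "registrar": {"read", "register"},
    "application_user": {"read"},
    "file_manager": {"read", "register", "administer"},
}

EVENTS_REGISTRY = []   # (timestamp, username, action, outcome) for every access decision


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str              # unique per person: no shared or generic accounts
    profile: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    blocked: bool = False


def new_account(username: str, profile: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(username, profile, salt, _hash_password(password, salt), now)


def authenticate(acct: Account, password: str, now: datetime) -> bool:
    """True on success. A blocked account never authenticates; more than
    MAX_FAILED_ATTEMPTS consecutive failures block it."""
    if acct.blocked:
        EVENTS_REGISTRY.append((now, acct.username, "auth", "blocked"))
        return False
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts > MAX_FAILED_ATTEMPTS:
            acct.blocked = True
        EVENTS_REGISTRY.append((now, acct.username, "auth", "failed"))
        return False
    acct.failed_attempts = 0
    EVENTS_REGISTRY.append((now, acct.username, "auth", "ok"))
    return True


def authorize(acct: Account, access_mode: str, now: datetime) -> bool:
    """Allow an access only if that mode was previously authorized for the profile."""
    allowed = access_mode in PROFILE_ACCESS_MODES.get(acct.profile, set())
    EVENTS_REGISTRY.append((now, acct.username, access_mode, "allowed" if allowed else "denied"))
    return allowed


def may_change_password(acct: Account, now: datetime) -> bool:
    return now - acct.password_set_at >= MIN_PASSWORD_AGE


def password_expired(acct: Account, now: datetime) -> bool:
    return now - acct.password_set_at > MAX_PASSWORD_AGE


def run_scenario() -> dict:
    """Constructed walk-through of the rules; returns the decisions observed."""
    t0 = datetime(2016, 6, 1)
    before = len(EVENTS_REGISTRY)
    acct = new_account("registrar01", "registrar", "correct horse", t0)
    results = {
        "login_ok": authenticate(acct, "correct horse", t0),
        "register_allowed": authorize(acct, "register", t0),
        "administer_allowed": authorize(acct, "administer", t0),
        "change_after_12h": may_change_password(acct, t0 + timedelta(hours=12)),
        "change_after_1d": may_change_password(acct, t0 + timedelta(days=1)),
        "expired_after_3y": password_expired(acct, t0 + timedelta(days=3 * 365 + 1)),
    }
    for _ in range(3):
        authenticate(acct, "wrong", t0)
    results["blocked_after_three"] = acct.blocked
    authenticate(acct, "wrong", t0)
    results["blocked_after_four"] = acct.blocked
    results["login_while_blocked"] = authenticate(acct, "correct horse", t0)
    results["events_recorded"] = len(EVENTS_REGISTRY) - before
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The lock-out counter resets only on a successful authentication, and a blocked account is refused even with the correct password, so unblocking has to be an explicit administrative action outside this module; the registry entries are what an auditor would inspect to distinguish a forgotten password from a repeated unauthorized attempt.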

5.12.12 Access to systems

Only duly authorized personnel have access to the eID systems where the information systems with personal data are located, that is, the control panels of the production and development environments of the eIDSL Certification Services Provider. To access these control panels there is a certificate-based authentication system and a security perimeter system with firewalls and first-level demilitarized zones (DMZs).

5.12.13 Tests with real data

Tests during the development of the applications that handle the EIT File are not performed with real data. The applications that require access to that file are tested with a load of test data.

5.12.14 Review process

The section “LOPD Security Document” has been compiled to comply with Regulation of security measures for automated files that contain personal data. The document will be kept up-to-date. All modifications that occur as a result of improvements or adaptation by legal regulations will be incorporated into the Document.

5.13 Intellectual and Industrial Property

eIDSL is the exclusive owner of all rights, including exploitation rights, over the secure Directory of Certificates and Revocation Lists in the terms indicated in the Revised Text of the Intellectual Property Law approved by Royal Legislative Decree 1/1996, of April 12 (Intellectual Property Law), including the sui generis right recognized in article 133 of that Law. Consequently, while access to the Directories of Certificates is allowed to the members of the Electronic Community entitled to it, any reproduction, public communication, distribution, transformation or rearrangement is prohibited except when expressly authorized by eIDSL or by law. It is also forbidden to extract and/or reuse all or a substantial part of the content, whether measured quantitatively or qualitatively, as well as to do so in a repeated or systematic way.

eIDSL retains all rights, title and interest in all intellectual and industrial property rights and know-how related to this Certification Practices Statement, the services it provides, and the software or hardware used in providing those services. The reproduction or copying, even for private use, of information that may be considered Software or a Database under current Intellectual Property legislation is forbidden, as is its public communication or making it available to third parties. Any extraction and/or reuse of all or a substantial part of the contents or of the databases that eIDSL makes available to Subscribers or User Entities is prohibited.

6 Order of Priority

The Particular Certification Practices that form the annexes of this Certification Practices Statement will prevail, in the particular matters and types of Certificates to which they refer, over the provisions of the main body of this Certification Practices Statement.

7 Applicable law, interpretation and competent jurisdiction

The Declaration of Certification Practices will be governed by the provisions of the Laws of the Kingdom of Spain.

The members of the Electronic Community accept that any litigation, discrepancy, question or claim resulting from the execution or interpretation of this Certification Practices Statement, or related to it directly or indirectly, will be resolved in accordance with the provisions of the corresponding contracts and/or agreements, in the terms provided in the bylaws of the Entity. Likewise, arbitration clauses may be agreed upon, subject to approval by the competent bodies of eIDSL, in accordance with the applicable legislation.

8 Modification of the declaration of certification practices

All information, systems, procedures, both qualitatively and quantitatively, terms, amounts, forms and, in general, any matters expressed in this Statement may be modified or deleted by eIDSL without requiring the consent of the members of the Electronic Community. eIDSL undertakes to inform of the changes made through the systems established in the applicable legislation and on the entity's web address.

Members of the Electronic Community are required to regularly check the Certification Practices Statement, requesting as much information as they consider appropriate to the eIDSL.

9 Resolution of conflicts in the cases of provision of certification services and electronic signature on own certificates

Where there is no legal prohibition, eIDSL may carry out its activity as a provider using its own electronic certificates when, in pursuing purposes other than certification services, validation actions and/or other services with the different members of the Electronic Community are necessary.

In the event of a declared conflict of interest between eIDSL and other members of the Electronic Community, for the aforementioned activity, eIDSL will send the necessary technical elements and protocols to another service provider for the validation and other services that may be necessary.

ANNEX I. PARTICULAR CERTIFICATION PRACTICES OF PHYSICAL PERSON IDENTITY CERTIFICATES

10 Annex I. Particular Certification Practices for Individual Identity Certificates

This annex derives from and forms an integral part of the Certification Practices Statement of eIDSL.

In particular, the paragraph “Definitions” of the Introduction of the main body of the Declaration of Certification Practices should be kept in mind for the purpose of interpreting this annex.

These particular Certification Practices define the set of practices adopted by eIDSL as a Provider of Certification Services for the lifecycle management of the Physical Person Identity Certificates, issued under the eIDSL Certification Certificate Policy.

10.1 Type of Individual Identity Certificate

The Individual Identity Certificate, also known as the eIDSL User Certificate, is the electronic certification issued by eIDSL that links its Subscriber with Signature Verification Data and confirms their identity. This Certificate is issued as a Certificate based on the criteria established for that purpose in the Electronic Signature Law (Law 59/2003), both in relation to the Certification Services Provider and the generation of Signature Creation Data, and in relation to the content of the Certificate itself.

10.2 Lifecycle Management of the Physical Person Identity Certificate

This section defines those aspects that, although already addressed in the main body of the Certification Practices Statement of which this annex forms part, involve particularities that require a greater level of detail.

10.2.1 Certificate Application

The following describes the application procedure by which the personal data of an Applicant is taken, their identity is verified and their contract is formalized for the subsequent issuance of a Certificate of identity of an individual once the pertinent validations have been made.

These activities will be carried out by the Registration Offices established by the User Organizations with which eIDSL has signed the corresponding agreement, and by other Offices that collaborate in the identification in accordance with applicable regulations.

10.2.2 Confirmation of personal identity

Confirmation can be made as follows:

10.2.2.1 Face-to-face verification

Face-to-face verification can be carried out before eIDSL or before any Registry Office with which it has signed an agreement. In both cases the appearance will be carried out according to the current criteria of eIDSL, so that it is homogeneous in all cases. In this act the Applicant will provide the data required and will prove their personal identity. The Registry Office verifies that the documents submitted meet all the requirements to confirm the identity of the Applicant. In-person verification of the Applicant's identity will not be indispensable if the signature on the application for issuing a Certificate has been legitimated in the presence of a notary, or if a certificate renewal is requested, in accordance with the provisions of the section “Renewal of certificates” of this Certification Practices Statement.

10.2.2.2 Telematic verification

The identification of subscribers may be carried out through the electronic telematic identification service, referred to in the Policies of the Electronic Identification Service covered by Annex II of this document.

10.2.3 Sending information to eIDSL

Once the identity of the Applicant has been confirmed and the application contract signed by the Applicant and the Registration Office, the latter will validate the data and send them. This transmission of information to eIDSL will be done through secure communications established for this purpose between the Registry Office and eIDSL.

10.2.4 Issuance of the Certificate of natural person

Once the Subscriber's personal data have been received at eIDSL, the Certificate will be issued. Issuing Certificates implies generating electronic documents that confirm the identity of the Applicant, through the means adopted by eID or by the Registry Offices, as well as their correspondence with the associated Public Key. eIDSL Certificates can only be issued by eIDSL, in its capacity as Certification Services Provider; no other entity or organization has the capacity to issue them. eIDSL, through its electronic signature, authenticates the Certificates and confirms the identity of their Subscribers. In addition, in order to avoid manipulation of the information contained in the Certificates, eIDSL will use cryptographic mechanisms that provide the Certificate with authenticity and integrity.

eIDSL will in no case include in a Certificate information other than that shown here, nor circumstances, specific attributes of the signatories or economic limits other than those set forth in the following sections. In any case eIDSL will act diligently to:

Verify that the Certificate Applicant uses the Private Key corresponding to the Public Key linked to the identity of the Subscriber. For this, eIDSL will check the correspondence between the private key and the public key.

Ensure that the information included in the Certificate is based on the information provided by the Applicant.

Not ignore notorious facts that may affect the reliability of the Certificate.

Ensure that the DN (distinctive name) assigned in the Certificate is unique in the entire Public Key Infrastructure of eIDSL.

10.2.4.1 Composition of the distinctive name (DN) of the Subscriber

With the personal data of the Applicant collected during the Certificate application process, the distinctive name (DN) of the Applicant is composed according to the X.500 standard, ensuring that the name makes sense and does not lead to ambiguities. The use of pseudonyms is not contemplated as a form of identification of the Subscriber.

The DN for a Subscriber is composed of the following elements:

DN = CN, OU, OU, OU, O, C

The attribute set OU, OU, OU, O, C represents the branch of the directory in which the entry corresponding to the Subscriber in question is located. The CN attribute contains the identification data of the Subscriber which, in the case of the Physical Person Identity Certificates, follows this syntax:

CN = NAME a1 a2 n - NIF 12345678A

Where:

NAME and NIF are labels [1]; a1, a2 and n are the first surname, second surname and given name of the Subscriber respectively [2]; 12345678A is their corresponding NIF [3].

[1] Labels are always capitalized and separated from the value by a blank space. The <label, value> pairs are separated from each other by a blank space, a hyphen and a blank space (“ - ”).

[2] With all characters in uppercase, except the letter eñe, which will always be in lowercase. Symbols (commas, hyphens, etc.) and accented characters will not be included.

[3] Subscriber's NIF = 8 digits + 1 capital letter, with no separation between them. If a Subscriber's NIF has fewer than 8 digits, zeros will be added at the beginning of the number until the 8 digits are completed.

Once the distinctive name (DN) that will identify the Subscriber is created, the corresponding entry is created in the directory, ensuring that the distinctive name is unique throughout the Public Key Infrastructure of the Certification Services Provider.
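The CN syntax and the three footnotes of section 10.2.4.1 are precise enough to implement mechanically, and doing so is the natural place to catch a malformed NIF or a duplicate DN before an entry is created. The block below is an added example and not eIDSL's own code: the OU/O/C branch values are hypothetical, the sample names and NIFs are constructed, and the choice to simply drop hyphens and other symbols (rather than replace them with spaces) is the author's reading of footnote [2].

```python
"""Compose the Subscriber CN and DN following the syntax and footnotes of section
10.2.4.1.  Added example, not eIDSL's code; the directory branch is an assumption."""
import re
import unicodedata


def normalize_name_part(text: str) -> str:
    """Footnote [2]: uppercase everything except the eñe, drop accents and symbols."""
    out = []
    for ch in text:
        if ch in "ñÑ":
            out.append("ñ")                          # the eñe always stays lowercase
            continue
        base = unicodedata.normalize("NFD", ch)[0]   # 'é' -> 'e', 'ü' -> 'u'
        if base.isascii() and base.isalpha():
            out.append(base.upper())
        elif ch.isspace():
            out.append(" ")
        # commas, hyphens, apostrophes and other symbols are dropped (assumption: not spaced)
    return re.sub(r" {2,}", " ", "".join(out)).strip()


def normalize_nif(nif: str) -> str:
    """Footnote [3]: 8 digits + 1 capital letter, left-padded with zeros."""
    compact = re.sub(r"[^0-9A-Za-z]", "", nif).upper()
    m = re.fullmatch(r"([0-9]{1,8})([A-Z])", compact)
    if not m:
        raise ValueError(f"NIF must be up to 8 digits plus one letter, got {nif!r}")
    return m.group(1).zfill(8) + m.group(2)


def compose_cn(given_name: str, surname1: str, surname2: str, nif: str) -> str:
    """CN = NAME a1 a2 n - NIF 12345678A: labels in capitals, pairs joined by ' - '."""
    a1, a2, n = (normalize_name_part(x) for x in (surname1, surname2, given_name))
    return f"NAME {a1} {a2} {n} - NIF {normalize_nif(nif)}"


# Hypothetical branch OU, OU, OU, O, C; the real values come from the provider's directory.
ASSUMED_BRANCH = [
    ("OU", "User"), ("OU", "Physical Person"), ("OU", "Registry Office"),
    ("O", "eIDSL"), ("C", "ES"),
]


def compose_dn(cn: str, branch=ASSUMED_BRANCH) -> str:
    """DN = CN, OU, OU, OU, O, C; refuses a branch with a different attribute layout."""
    parts = [("CN", cn)] + list(branch)
    if [k for k, _ in parts] != ["CN", "OU", "OU", "OU", "O", "C"]:
        raise ValueError("DN must be CN, OU, OU, OU, O, C")
    # values contain no commas or '=' after normalization, so no RDN escaping is needed here
    return ", ".join(f"{k}={v}" for k, v in parts)


def register_dn(directory: set, dn: str) -> None:
    """Create the directory entry only if the DN is unique across the whole PKI."""
    if dn in directory:
        raise ValueError(f"DN already exists: {dn}")
    directory.add(dn)


if __name__ == "__main__":
    cn = compose_cn("José María", "García", "Núñez", "1234567-a")   # constructed sample
    print(cn)          # NAME GARCIA NUñEZ JOSE MARIA - NIF 01234567A
    print(compose_dn(cn))
```

Because the NIF is normalized before the CN is built, two applications for the same person written as "1234567A" and "01234567-a" yield the same DN and the uniqueness check in `register_dn` rejects the second one instead of silently creating a second entry.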

10.2.4.2 Composition of Subscriber’s alternative identity

The alternative identity of the Subscriber, as contemplated in the present typology of Certificates, contains the same information as the CN, distributed in a series of attributes, so that it is easier to obtain the personal data of the Subscriber of the Certificate. The subjectAltName extension defined in X.509 version 3 is used to provide this information.

Within this extension, the directoryName subfield will be used to include a set of attributes defined by CSL, which include information about the Subscriber in question, following the following criteria:

Certificate type  Information  eIDSL attribute  OID (*)

Physical Person (1)  Name  eIDSLNombre  eIDSLoid.1.1

Physical Person (1)  First surname  eIDSLApellido1  eIDSLoid.1.2

Physical Person (1)  Second surname  eIDSLApellido2  eIDSLoid.1.3

Physical Person (1)  NIF  eIDSLNif  eIDSLoid.1.4

[1] On the other hand, in addition to the directoryName subfield of the subjectAltName extension, in the event that an email address has been provided by the Subscriber during the application process for issuing the Certificate, it will be included in subfield rfc822Name.

10.2.4.3 Profile of the Physical Person Identity Certificate

The format of the Physical Person Identity Certificate issued by eIDSL under the Certificate Certification Policy of eIDSL, in accordance with the ITU-T X.509 version 3 standard and in accordance with the legally applicable regulations on Certificates, contains the following fields:

Field O.I.D Value

Basic Fields

Version 2 (X.509 v3)

SerialNumber Certificate serial number. [1]

Issuer C = ES, O = CSL, OU = eIDSL CA

Validity [2]

Subject The distinctive name of the Subscriber. [3]

SubjectPublicKeyInfo RsaEncryption, Public Key. [4]

SignatureAlgIdentifier Algorithm identifier of the electronic signature used. [5]

TaxCert Taxonomy of the Certificate [6]

Standard extensions

KeyUsage 2.5.29.15 [7]

PrivateKeyUsageperiod 2.5.29.16 The same as Validity

SubjectAltName 2.5.29.17 [8]

CertificatePolicies 2.5.29.32 Certification Policy [9]

CRLDistributionPoints 2.5.29.31 CN = CRLnnn, C = ES, O = eIDSL, OU = eIDSL User [10]

AuthorityKeyIdentifier 2.5.29.35 Key Identifier of the Certification Services Provider

SubjectKeyIdentifier 2.5.29.14 Subscriber Key Identifier

BasicConstraints 2.5.29.19 Basic restrictions. Final Entity

Private Extensions

NetscapeCertType 2.16.840.1.113730.1 [11]

QCStatement 1.3.6.1.5.5.7.1.3 [12]

eIDSLTypeCertificate 1.3.6.1.4.1.5734.1.33 [13]

Where:

[1] SerialNumber: Identification number of the Certificate, unique within the infrastructure of the Certification Services Provider.

[2] Validity: Period of validity of the Certificate as shown in section “II.2.5 Period of validity of the Certificate” of this annex.

[3] Subject: Identification of the Certificate Subscriber. Its composition has been detailed previously in this section.

[4] SubjectPublicKeyInfo: The Public Key that the Subscriber generated in the pre-application phase of issuing the Certificate.

[5] SignatureAlgIdentifier: Identification of the algorithm used to perform the electronic Signature of the Certificate. The algorithm used is SHA1WithRSAEncryption, with a key length of 2048 bits.

[6] TaxCert: Identification of the Taxonomy of the Certificate according to the attributes and methods used for the identification of the Subscriber.

[7] KeyUsage: Valid values for the use of the Key. It is not marked as critical.

It takes the values {digitalSignature, keyEncipherment}.

[8] SubjectAltName: Alternative Subscriber Identity. It is not marked as critical.

Its concrete composition has been detailed previously in this section.

[9] CertificatePolicies: Certification Policies applicable to the Certificate. It is not marked as critical.

Its content is as shown below:

Warning text = Certificate issued according to current legislation. Use limited to the Electronic Community for a maximum value of € 100 except for exceptions in CPD.

Contact: Electronic IDentification SL, Avenida Monte Igueldo, 2, Third Floor, 28053 Madrid, Spain.

Policy Location:

DPC: Certification Practice Statement

[10] CRLDistributionPoints: The specific distribution point of the Revocation Lists is generated by the Certification Services Provider at the same moment that it generates the Certificate. It is not marked as critical.

[11] NetscapeCertType: Type of certificate according to Netscape. It is not marked as critical.

It takes the values {sSLCLIENT, sMIME}.

[12] QCStatement: It is not marked as critical. It contains an express indication that the Certificate has been issued as a Recognized Certificate and the monetary use limit (€ 100), using the OIDs stipulated in the regulations in force. Its content is shown below:

QcEuLimitValue: € 100

[13] eIDSLTypeCertificate: It is not marked as critical.

A textual indication of the type of Certificate is included, which for the Physical Person Identity Certificate is:

“PHYSICAL PERSON”

10.2.4.4 Publication of the Individual Identity Certificate

Once the Certificate has been generated by the Certification Services Provider, it will be published in the Directory, specifically in the entry corresponding to the distinctive name of the Subscriber, as defined in the section “Issuance of the Certificate” of this annex.

If the Applicant provided an e-mail address during the application process, a notification that the Certificate is available for use will be sent to that address.

10.2.5 Period of validity of the Individual Identity Certificate

The period of validity of the Physical Person Identity Certificates issued by eIDSL will be five (5) years counted from the moment of issuance of the Certificate, as long as their validity does not expire due to the causes and procedures set forth in section “Termination of the validity of the Certificate” of the Declaration of Certification Practices.

10.2.6 Revocation of the Individual Identity Certificate

The revocation of Certificates implies, in addition to its termination, the termination of the legal relationship with eIDSL that was maintained in this regard.

The revocation of a Personal Identity Certificate may be requested by the entities described in the section “Revocation of Certificates” of the Certification Practices Statement, in the terms and conditions expressed therein. See also the section “Termination of the validity of Certificates”.

The following describes the procedure by which the personal data of an Applicant is taken, their identity is confirmed and the request for the revocation of a Certificate by a legitimate interested party is formalized. The causes admitted for the revocation of a Certificate are those set forth in the section “Causes of revocation of Certificates” of the Certification Practices Statement. Likewise, the provisions of the last paragraph of the section on the request for Certificates are recalled, concerning requests made while another Certificate of the same issuance policy is in force in favor of the same holder.

These activities will be carried out by the Registration Offices established by the User Entities with which eIDSL has subscribed the corresponding agreement, or telematically, if the petitioner is in possession of the Certificate and its corresponding Signature Creation Data.

10.2.6.1 Revocation when the petitioner is not in possession of the Certificate

If the petitioner is not in possession of the Certificate, or does not have the other tools necessary to request the revocation telematically, they may request the revocation of the Certificate by appearing at a Registry Office to identify themselves. Once their identity has been proven, the petitioner must sign the application form for the revocation of the Certificate presented to them. This form corresponds to the one shown in section “II.5 Form models” of this annex. Subsequently, the Registration Office will transmit the processed records to eIDSL so that it may revoke the Certificate. Once eIDSL has revoked the Certificate, the corresponding Revocation List will be published in the secure Directory, indicating the serial number of the revoked Certificate, the date and time at which the revocation was carried out and the reason for revocation.

10.2.7 Suspension of the Individual Identity Certificate

The suspension of Certificates leaves the Certificate without effect for a period of time and under certain conditions. The suspension of Certificates may be requested by the entities described in the section “Suspension of Certificates” of the Certification Practices Statement, in the terms and conditions expressed therein.

The following describes the procedure by which the personal data of an Applicant is taken, their identity is confirmed and, where applicable, the suspension of a Certificate by a legitimate interested party is formalized. The causes admitted for the suspension of a Certificate are those set out in the section “Causes of suspension of Certificates” of the Certification Practices Statement. These activities will be carried out by the Registration Offices implemented by the User Entities with which eIDSL has subscribed the corresponding agreement, or telematically, if the petitioner is in possession of the Certificate and of its corresponding Signature Creation Data.

eIDSL will suspend the Certificate provisionally for a period of ninety (90) days, after which the Certificate will be extinguished through its direct revocation by the eIDSL Certification Services Provider, unless the suspension has been lifted by the Subscriber. Notwithstanding the foregoing, the duration of the suspension may be altered depending on the judicial or administrative procedures that could affect the Certificate. If the Certificate expires or its revocation is requested during the suspension period, the consequences are the same as for a Certificate that was not suspended and is affected by expiry or revocation.

10.2.8 Cancellation of the suspension of the Identity Certificate of a natural person

Subscribers may request the cancellation of the suspension of the Certificates issued by eIDSL, provided that, prior to this request, they keep the Certificate and its Private Key, and that the request is made during the ninety (90) days following its suspension.

The appearance will take place before the Registry Office according to the criteria in force at eIDSL, so that it is homogeneous in all cases. In this act the Applicant will provide the data required and prove their personal identity, following the procedure described above for the request for issuance of the Identity Certificate of a natural person. The personal appearance of the Applicant will not be essential if the signature on the request for lifting the suspension of the Certificate has been legitimated before a notary.

The personal data of the Applicant, once validated by the Registry Office, will be sent to eIDSL through the secure communications established for this purpose between the Registry Office and eIDSL. Once the data of the request to lift the suspension has been validated by the Registry Office, eIDSL will remove the Certificate from the Revocation List, without performing any technical action on the Certificate itself.

10.2.9 Renewal of the Individual Identity Certificate

Subscribers may request the renewal of the Certificates issued by eIDSL, provided that at the time of the request they hold a valid Certificate and its associated Signature Creation Data, and that the request is made during the sixty (60) days prior to its expiration (in this sense see the section “Expiration” of the main body of this Certification Practices Statement). Once renewed, the validity of the Certificates shall be that expressed in the section “Period of validity of the Certificate” of this annex. The Certificate that has been renewed will remain valid until it expires. If the revocation of the Certificate is requested, eIDSL will revoke both Certificates.

The renewal procedure is associated with the generation of a new pair of cryptographic keys. The petitioner must connect to the corresponding address with access to the eID platform and follow the steps under “Renew Certificate”. The established procedure does not require the personal appearance of the petitioner, since they are electronically identified through the use of their Signature Creation Data. Both the application process and obtaining the Certificate will be carried out electronically, in any case requiring the petitioner to generate a Recognized electronic Signature over the renewal application document. Note that the telematic renewal of the Certificate can only be carried out when the maximum term of 5 years has not elapsed since the in-person identification of the Subscriber established by the Electronic Signature Law 59/2003, of December 19, in article 13.4.

The use of renewed Certificates is subject to the same general and specific conditions in force at each moment and established for the type of Certificate renewed. In this regard, the provisions of the section “Modification of the Certification Practices Statement” must be borne in mind.
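The timing rules of sections 10.2.7 to 10.2.9 interact: a suspension that is not lifted turns into a revocation at day 90, expiry during a suspension takes precedence, online renewal needs a still-valid Certificate inside the 60-day window and an in-person identification less than five years old, and revoking either member of a renewal pair revokes both. The following added example, written for this page and not eID's own code, models those rules as a small state helper. The CertRecord fields, the 1825-day approximation of five years and the treatment of day 90 as the first day of automatic revocation are assumptions; the CPS fixes none of these details.

```python
"""Lifecycle timing of a Personal Identity Certificate (sections 10.2.5, 10.2.7,
10.2.8, 10.2.9) as a decision helper.  Added example for this page, not eID's
code.  Assumptions: calendar days, 5 years approximated as 1825 days, and day 90
of a suspension is the first day on which it counts as revoked."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

VALIDITY = timedelta(days=5 * 365)                # 10.2.5: five-year validity
SUSPENSION_MAX = timedelta(days=90)               # 10.2.7: provisional suspension period
RENEWAL_WINDOW = timedelta(days=60)               # 10.2.9: renewal only in the last 60 days
IDENTIFICATION_MAX_AGE = timedelta(days=5 * 365)  # 10.2.9 / art. 13.4 Law 59/2003: online renewal
                                                  # only while in-person identification is < 5 years old
DateLike = Union[date, str]


def _d(x: DateLike) -> date:
    return x if isinstance(x, date) else date.fromisoformat(x)


@dataclass
class CertRecord:
    issued: DateLike
    identified_in_person: DateLike             # date of the last in-person identification
    suspended_on: Optional[DateLike] = None
    suspension_lifted_on: Optional[DateLike] = None
    revoked_on: Optional[DateLike] = None
    renewed_from: Optional["CertRecord"] = None
    renewed_to: Optional["CertRecord"] = None

    def __post_init__(self):
        for f in ("issued", "identified_in_person", "suspended_on", "suspension_lifted_on", "revoked_on"):
            if getattr(self, f) is not None:
                setattr(self, f, _d(getattr(self, f)))

    @property
    def expires(self) -> date:
        return self.issued + VALIDITY

    @property
    def suspension_pending(self) -> bool:
        return self.suspended_on is not None and self.suspension_lifted_on is None


def status(rec: CertRecord, today: DateLike) -> str:
    """'valid' | 'suspended' | 'revoked' | 'expired': the answer a CRL/OCSP lookup should give."""
    today = _d(today)
    if rec.revoked_on is not None and rec.revoked_on <= today:
        return "revoked"
    if rec.suspension_pending:
        auto_revoke = rec.suspended_on + SUSPENSION_MAX       # 10.2.7: not lifted within 90 days
        if auto_revoke <= today and auto_revoke < rec.expires:
            return "revoked"
    if today >= rec.expires:
        return "expired"                                      # expiry during suspension wins (10.2.7)
    if rec.suspension_pending:
        return "suspended"
    return "valid"


def suspend(rec: CertRecord, today: DateLike) -> None:
    rec.suspended_on, rec.suspension_lifted_on = _d(today), None


def can_lift_suspension(rec: CertRecord, today: DateLike, keeps_private_key: bool = True) -> bool:
    """10.2.8: only if Certificate and Private Key are kept, and only inside the 90 days."""
    today = _d(today)
    return rec.suspension_pending and keeps_private_key and today - rec.suspended_on < SUSPENSION_MAX


def lift_suspension(rec: CertRecord, today: DateLike) -> None:
    """Lifting only removes the CRL entry; the Certificate itself is untouched (10.2.8)."""
    if not can_lift_suspension(rec, today):
        raise ValueError("suspension can no longer be lifted")
    rec.suspension_lifted_on = _d(today)


def can_renew_online(rec: CertRecord, today: DateLike) -> bool:
    """10.2.9: valid Certificate, inside the 60 days before expiry, in-person ID < 5 years old."""
    today = _d(today)
    return (status(rec, today) == "valid"
            and rec.expires - today <= RENEWAL_WINDOW
            and today - rec.identified_in_person < IDENTIFICATION_MAX_AGE)


def renew(rec: CertRecord, today: DateLike) -> CertRecord:
    """New key pair and a fresh five-year term; the old Certificate stays valid until it expires."""
    today = _d(today)
    if not can_renew_online(rec, today):
        raise ValueError("outside the online renewal conditions")
    new = CertRecord(issued=today, identified_in_person=rec.identified_in_person, renewed_from=rec)
    rec.renewed_to = new
    return new


def revoke(rec: CertRecord, today: DateLike) -> None:
    """Revocation is final (10.2.6) and takes the renewal counterpart with it (10.2.9)."""
    today = _d(today)
    for r in (rec, rec.renewed_from, rec.renewed_to):
        if r is not None and r.revoked_on is None:
            r.revoked_on = today
```

The value returned by status() is what the Directory's Revocation List or the OCSP responder of section 10.2.10 should report; lifting a suspension only changes that answer, which is why 10.2.8 says no technical action is taken on the Certificate itself. The third condition in can_renew_online() only bites for a Certificate that was itself obtained by renewal, because identified_in_person then predates the Certificate's own issuance.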

10.2.10 Checking the status of the Individual Identity Certificate

The Certificate Subscriber and the User Entities belonging to the Electronic Community may verify the status of a Certificate in the form and under the conditions expressed in the sections “Procedures for consulting the status of Certificates” and “Validation Service for Certificates through OCSP” of the Certification Practices Statement.

10.3 Termination of eIDSL in its activity as a Certification Services Provider

This circumstance and its consequences are described in the section “Cessation of the activity of the Certification Services Provider” of the Certification Practices Statement.

10.4 Obligations, guarantees and liability of the parties

The obligations, guarantees and liabilities of the parties involved in the issuance and use of the Certificates issued by eIDSL in its work as a Certification Services Provider are set out in the sections “Obligations and Guarantees of the Parties” and “Responsibility of the Parties” of the Certification Practices Statement of which this annex forms part. The obligations, guarantees and liability of the parties may be subject to particular regulation in the corresponding agreements and contracts.

10.5 Limits on the use of identity certificates of natural persons

In order to use Certificates diligently when relying on electronically signed documents based on them, a party must previously form part of the Electronic Community and acquire the status of User Entity, so that eIDSL can provide it with the services for verifying the validity of the different Certificates. Outside the Electronic Community, no one should rely on a Certificate, or on an electronic Signature based on a Certificate, that was not issued under the eIDSL Certificate Certification Policy. In any case, if a third party does place such reliance, it will not obtain the coverage of this Certification Practices Statement, and it will have no standing to claim or take legal action against eIDSL for damages, losses or conflicts arising from the use of or reliance on a Certificate.

In addition, even within the scope of the Electronic Community, this type of Certificate cannot be used, by any person or entity other than eIDSL, to:

- Sign another certificate.
- Sign software or components.
- Generate time stamps for electronic dating procedures.
- Perform services, whether free or onerous, such as: providing OCSP services; generating Revocation Lists; performing notification services.
- Perform economic transactions exceeding € 100, except when:
  - one of the intervening parties is a User Entity of Public Law; or
  - there is express written authorization from eIDSL to do so and, in that case, under the conditions established in said authorization and/or the corresponding contract.

11 Annex II. Practices of the electronic identification service

The Practices of the electronic identification service are published as a separate document, linked from this page.
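The € 100 limit appears twice on this page: as the QcEuLimitValue carried in the QCStatement extension of the certificate profile above, and as the transaction ceiling of section 10.5 that a relying party has to enforce. The following added example, written for this page and not eID's own code, serves both passages: it encodes and parses the QcStatements extension value and applies the limit with the two exceptions of 10.5. It assumes that the ETSI TS 101 862 statement identifiers (QcCompliance 0.4.0.1862.1.1 and QcEuLimitValue 0.4.0.1862.1.2) are the “OIDs stipulated in the regulations in force”; the DER helpers, the sample values and the two exception flags are its own constructs, and it works on the raw extension value rather than parsing a whole certificate.

```python
"""QcStatements with a QcEuLimitValue: DER encoding, parsing and the relying-party limit
check.  Added example for this page, not eID's code.  Assumed: the ETSI TS 101 862 OIDs
below are the "OIDs stipulated in the regulations in force" the CPS mentions, and the two
exception flags mirror the two exceptions of section 10.5.  Sample values are constructed."""
from decimal import Decimal
from typing import List, Optional, Tuple

ID_ETSI_QCS_QC_COMPLIANCE = "0.4.0.1862.1.1"   # issued as a qualified (recognized) certificate
ID_ETSI_QCS_QC_LIMIT_VALUE = "0.4.0.1862.1.2"  # QcEuLimitValue: per-transaction monetary limit


# --- minimal DER helpers: only the universal types QcStatements needs ---------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit set on all but the last byte
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def der_int(v: int) -> bytes:
    n = 1                                      # shortest two's-complement form, as DER requires
    while True:
        try:
            return _tlv(0x02, v.to_bytes(n, "big", signed=True))
        except OverflowError:
            n += 1


def der_seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))


def encode_qc_statements(limit: Optional[int], currency: str = "EUR") -> bytes:
    """QCStatements ::= SEQUENCE OF QCStatement { statementId OID, statementInfo ANY OPTIONAL }
    QcEuLimitValue ::= SEQUENCE { currency PrintableString(3), amount INTEGER, exponent INTEGER }
    The limit is amount * 10^exponent in the given currency."""
    stmts = [der_seq(der_oid(ID_ETSI_QCS_QC_COMPLIANCE))]   # QcCompliance has no statementInfo
    if limit is not None:
        info = der_seq(_tlv(0x13, currency.encode("ascii")), der_int(limit), der_int(0))
        stmts.append(der_seq(der_oid(ID_ETSI_QCS_QC_LIMIT_VALUE), info))
    return der_seq(*stmts)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _read_seq(body: bytes) -> List[Tuple[int, bytes]]:
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items


def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_qc_statements(der: bytes) -> dict:
    """Return {'qualified': bool, 'limit': (currency, Decimal) or None}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("QCStatements must be a SEQUENCE")
    result = {"qualified": False, "limit": None}
    for _, stmt in _read_seq(body):
        fields = _read_seq(stmt)
        oid = decode_oid(fields[0][1])
        if oid == ID_ETSI_QCS_QC_COMPLIANCE:
            result["qualified"] = True
        elif oid == ID_ETSI_QCS_QC_LIMIT_VALUE:
            (ctag, cur), (_, amt), (_, exp) = _read_seq(fields[1][1])
            # currency is an alphabetic (PrintableString) or numeric (INTEGER) ISO 4217 code
            currency = cur.decode("ascii") if ctag == 0x13 else str(int.from_bytes(cur, "big"))
            amount = int.from_bytes(amt, "big", signed=True)
            exponent = int.from_bytes(exp, "big", signed=True)
            result["limit"] = (currency, Decimal(amount).scaleb(exponent))
    return result


def transaction_allowed(qc_der: bytes, amount_eur, counterparty_is_public_law: bool = False,
                        eidsl_written_authorization: bool = False) -> bool:
    """Relying-party rule of 10.5: above the QcEuLimitValue the transaction is outside the
    Certificate's scope unless one of the two CPS exceptions applies."""
    info = parse_qc_statements(qc_der)
    if not info["qualified"]:
        return False                           # not issued as a recognized certificate: not this profile
    if info["limit"] is None:
        return True                            # no limit statement present
    currency, limit = info["limit"]
    if currency != "EUR":
        raise ValueError(f"limit is denominated in {currency}; convert before comparing")
    if Decimal(str(amount_eur)) <= limit:
        return True
    return counterparty_is_public_law or eidsl_written_authorization


if __name__ == "__main__":
    ext = encode_qc_statements(100)            # constructed sample: the € 100 limit of this profile
    print(ext.hex(), parse_qc_statements(ext))
    print(transaction_allowed(ext, "99.99"), transaction_allowed(ext, "100.01"))
```

Because the extension is not marked critical, validation libraries that do not understand QcStatements will accept the Certificate without enforcing the limit; the € 100 ceiling is a relying-party obligation under 10.5 and has to be implemented explicitly, as transaction_allowed() does. The exponent is decoded as a signed integer on purpose: a negative exponent is valid and would otherwise be misread as a very large limit.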
