2024/09/19 16:18:35

Certification centers

A certification authority (CA), also referred to here as a certification center, is an organization that issues certificates for electronic signature keys.


Electronic signature

Main article: Electronic signature

CA services

A certification center is a component of a global directory service responsible for managing users' cryptographic keys. Certification centers store public keys and other information about users in the form of digital certificates. The CA's functions include:

  • issuance of electronic signatures;
  • provision of electronic digital signature (EDS) public keys (certificates) to any interested parties;
  • suspension of an EDS if it is compromised;
  • verification of the correct signature of electronic documents;
  • analysis of conflict situations.

To obtain an EDS, you must contact the Certification Center or its representative office.

Certification centers in Russia

Chronicle

2024: Banks in Russia began to switch to domestic certification centers instead of Microsoft

In September 2024, Russian banks began to actively introduce domestic certification centers (CAs) in place of Microsoft solutions. This step is related to the need to ensure the smooth operation of financial institutions in the context of possible restrictions on the part of foreign software suppliers.

According to Kommersant, Russian software developers have offered banks solutions that can issue certificates for working with various operating systems, primarily Windows and Linux. SafeTech announced the completion of a pilot project to install a CA in one of the Russian banks, and Aladdin Enterprise also presented a similar product.


CAs play an important role in ensuring the security of banking operations by confirming the authenticity of participants in electronic interaction. This applies both to the bank's communication with customers through mobile applications, remote banking systems and ATMs, and to the internal operations of a financial institution.

The transition to domestic CAs becomes especially relevant in light of the fact that by January 1, 2025, all systemically important credit organizations (SZKO) should switch to the use of Russian certificates. The rest of the banks, while able to continue using Microsoft CA, face the risk of their Windows licenses expiring.

SafeTech CEO Denis Kalemberg noted that the peculiarity of implementing a CA in banks is the need to issue certificates for various types of equipment (servers, corporate networks, encryption modules), which requires support for various protocols.

Interest in domestic solutions is shown not only by banks, but also by brokers and insurance companies. Ingosstrakh Bank Information Technology Director Yevgeny Maskalev confirmed that the bank is considering the possibility of using a CA based on a Russian solution as part of the import substitution program.[1]

2021: Electronic signature companies searched

In mid-April 2021, it became known that searches had taken place at Russian companies issuing electronic signatures. In particular, investigators became interested in the Moscow LLC "ICSP-Group" and the Yekaterinburg LLC "Solar," which, according to Kommersant, have recently accounted for the most new signatures.

2020: New requirements for certification centres

On May 21, 2020, it became known about a draft government decree prepared by the Ministry of Finance of the Russian Federation, which provides additional requirements for certification centers (CA) issuing a qualified electronic signature.

This document was sent by the First Deputy Minister of Finance Tatyana Nesterenko to the Ministry of Communications, the Federal Tax Service, the FSB and the ANO Digital Economy. Vedomosti has reviewed a copy of the letter.

Only the largest Russian banks will be able to issue a qualified electronic signature

From the decree of the Ministry of Finance, it follows that organizations with a banking license and branches, representative offices or structural divisions in at least 60% of Russian regions will be able to issue electronic signatures to legal entities and individual entrepreneurs. Sberbank and VTB meet this requirement. Alfa-Bank and Post Bank also have a developed branch network, but so far they do not have their own CAs.

Tinkoff Bank considers these requirements redundant, because they do not allow certification centers to serve customers remotely, and also come into conflict with the provisions of the law "On Electronic Signature."

The same opinion is shared by the President of the Association of Developers and Operators of Electronic Services Systems, Yuri Malinin. According to him, in such a scenario, a maximum of two state banks will be able to issue qualified electronic signatures (CEPs).

"There will be no competition, which will negatively affect the development of the IT industry," he concludes.

In addition, according to the draft of the Ministry of Finance, the CA should not be in the process of reorganization or liquidation. It also should not have arrears in the payment of taxes, fees, fines, etc. The decree should enter into force on July 1, 2020.

As of May 21, 2020, about 500 certification centers accredited by the Ministry of Communications had the right to issue a qualified electronic signature. Most (95%) of such signatures are issued to legal entities, the rest to individuals.[2]

2019

How amendments to the law on electronic signature changed the CA system

The State Duma adopted in the third reading a bill amending the federal law on electronic signature. The main changes are described below[3].

Procedure for issuing

Electronic digital signatures will be issued to legal entities by the certification centers of the Federal Tax Service, and to credit institutions by the certification center of the Central Bank. Officials of government agencies and local governments and institutions subordinate to them, as well as notaries, will be able to get keys only in the certification centers of the Federal Treasury. Individuals will receive keys at accredited commercial certification centers.

Signature of legal entity

The following signatures will be used in legal relations of legal entities:

  • A qualified electronic signature (CEP) of a legal entity, issued only to a legal entity for use in the automatic signing or verification of a signature in an electronic document.
  • CEP of a legal entity issued to a manager.
  • CEP of an individual, with a power of attorney from the legal entity included in the package of electronic documents when they are signed by a company employee. The power of attorney is signed with the CEP of the legal entity that was issued to the head of the organization. The power of attorney must be included.

Cloud signature

The accredited certification center will now be able to store the electronic signature key and use it on behalf of the certificate holder of this signature.

Accreditation of certification centers

  • To obtain accreditation, a CA must have capital of at least 1 billion rubles, or 500 million rubles if it has branches in at least three quarters of the constituent entities of the Russian Federation.
  • The CA must have at least 100 million rubles of insurance coverage.
  • Accreditation will be provided for 3 years.

Applicant identification

The law now establishes methods for identifying an applicant for a certificate, including by providing information from a single biometric system.

Trusted Third Party

A new concept will appear in the law: a trusted third party. It will check the validity of the electronic signature (EP), the compliance of certificates and the powers of participants in electronic interaction, and will document the results of such verification.

The State Duma introduces a state monopoly on the issuance of an electronic signature for legal entities

On November 8, 2019, it became known that the State Duma adopted in the first reading a bill amending the Law "On Electronic Signature." The document was developed by a number of senators and deputies and involves a serious reform of certification centers for electronic signatures.

The Law "On Electronic Signature," in force since 2011, introduces three types of signatures: simple, enhanced and qualified. A simple signature is any technology that the parties have agreed to use. An enhanced signature is a signature issued by a certification center.

A qualified signature is a signature issued by an accredited certification center. Accreditation is carried out by the Ministry of Communications. This kind of signature is recognized as equivalent to a handwritten signature.

The bill adopted in the first reading increases the minimum amount of net assets of an accredited certification center from 7 million rubles to 1 billion rubles, and the minimum amount of financial support from 30 million rubles to 200 million rubles. If the certification center has branches in at least two-thirds of Russian regions, then the minimum amount of net assets can be reduced to 500 million rubles.

The accreditation period of certification centers is reduced from five to three years. Administrative liability is introduced for violations in the work of technical certification centers. For deliberate actions by employees of certification centers, criminal liability is introduced in addition to administrative liability.

The requirements do not end there. Legal entities will be able to use only qualified electronic signatures issued by the certification center of the Federal Tax Service (FTS). In addition, when concluding transactions, qualified electronic signatures of individuals authorized to act on behalf of the relevant legal entities will be used.

In cases with credit institutions, non-bank financial institutions and payment systems, qualified electronic signatures issued by the certification center of the Central Bank will be used. In cases with state and local authorities, as well as their officials, qualified electronic signatures issued by the certification center of the Federal Treasury will be used.

That is, in fact, the state introduces a monopoly on the issuance of electronic signatures to legal entities. If the bill is approved, the norm on the mandatory receipt of signatures in the certification centers of the Federal Tax Service and the Central Bank will enter into force in two years.

Certificates of qualified electronic signatures and accreditation of certification centers issued before the publication of this law will be valid until the end of their validity, but not more than two years. The government supported the proposed bill.

At the same time, the bill adopted by the State Duma in the first reading provides the possibility of using a cloud electronic signature. To this end, certification centers will be able to store verification keys for electronic signatures and, on behalf of their owners, create electronic signatures with their help.

The concept of a trusted third party is also introduced. It will verify the authenticity of the electronic signature in electronic documents at a particular time and verify the authenticity of electronic signatures issued abroad. Trusted third parties will have to be accredited by the Ministry of Telecom and Mass Communications. It is expected that about 20 such parties will appear in Russia.

In this regard, another concept is introduced: the trusted time stamp. This is reliable information in electronic form about the date and time of signing an electronic document with an electronic signature, created and verified by a trusted third party, certification center or information system operator[4].

2017

The Ministry of Telecom and Mass Communications submitted to the Government a bill on verification of the powers of a person using an electronic signature

On September 12, 2017, Roman Kuznetsov, Director of the Legal Department of the Ministry of Communications and Mass Media of the Russian Federation, spoke about the activities of the ministry to create a single space of trust in electronic signatures and plans to regulate this area.

More than 400 large and small certification centers operate in Russia, of which more than 200 are commercial organizations. According to Roman Kuznetsov, the market is competitive: prices for services are determined by the balance of supply and demand and are not yet regulated by anyone.

The Ministry of Communications of Russia has developed and submitted to the Government of the Russian Federation a draft federal law containing provisions aimed at regulating the procedures for establishing and verifying the powers of a person using an electronic signature in various information systems, as well as ensuring reliable identification of a person using services that provide electronic interaction.

The mechanisms proposed by the bill for confirming the powers of persons applying to state information systems correspond to modern business processes. The adoption and implementation of the bill will allow departments to abandon the use of additional powers in qualified certificates.

A single space of trust can also be created in another way, one that provides for the complete centralization of the procedures and mechanisms for creating and issuing keys and certificates of enhanced qualified electronic signature, the use of up to five trusted state certification centers, and the transfer of the procedures for creating and issuing a qualified certificate to the category of public services. This will lead to an increase in public confidence in electronic document management, which will be ensured by guarantees from the state. The procedure for creating and issuing an electronic signature will be unified, and the service fee will become a uniform state duty. At the same time, this will exclude the possibility of a very popular type of fraud: fraudulent actions aimed at transferring the pension savings of these persons to non-state pension funds.

"We plan to amend the legislation governing relations in the field of electronic signature regarding the grounds for refusing accreditation of the certification center, the accreditation of which was previously terminated ahead of schedule due to non-compliance with the requirements of the legislation, within a certain period of time. The interval of 3-5 years is considered. The basis for refusal can also be a similar head of the certification center with no accreditation, or similar employees authorized in the certification center with no accreditation to perform the functions of creating and issuing qualified certificates. This will allow cleaning the market of accredited certification centers from unscrupulous participants," said Roman Kuznetsov.

The bills are at various stages of readiness, some of them have already been submitted to the Government of the Russian Federation.

Central Bank and Ministry of Economic Development against state monopoly on the issuance of UKEP

In July 2017, the Ministry of Economic Development and Trade prepared a negative opinion on the amendments to the law "On Electronic Signature" developed by the Ministry of Telecom and Mass Communications, which are supposed to transfer the functions of issuing an enhanced qualified electronic signature (UKEP) from private companies to the state. This follows from the data posted on the federal portal of draft regulatory legal acts[5].

"The Ministry of Economic Development of Russia notes the inexpediency of adopting the proposed regulation due to the significant amount of budget expenditures, the presence of administrative and other risks that could negatively affect the development of the market for the creation and issuance of qualified certificates, electronic signature verification keys, as well as related sectors of the economy," the conclusion says, signed by Deputy Minister of Economic Development Savva Shipov.

The document also notes that the regulation proposed by the Ministry of Telecom and Mass Communications may lead to the liquidation of the market for services for issuing UKEP as such, together with the loss of all the infrastructure created, the closure of relevant organizations, the dismissal of qualified employees of certification centers. "The centralization of the mechanism for issuing UKEP, the transfer of the issuance of UKEP to the category of public services, the increased size of the state duty for issuing UKEP will prevent the widespread dissemination of modern electronic document management technologies among citizens and legal entities, which does not meet the goals of informatization of the economy, will lead to complication of the procedure for interaction between economic entities and the state," the document says.

Experts oppose state monopoly on the issuance of a qualified electronic signature

The Ministry of Communications is going to limit the number of certification centers that have the right to issue a qualified electronic signature to two government agencies. The corresponding bill was introduced at the beginning of 2017 by the department. The explanation to it says that accredited certification centers commit numerous violations, which causes distrust of them from users. The initiative of the Ministry of Communications is designed to establish uniform standards for the provision of services[6].

More than 440 certification centers (CAs) and 5,000 electronic signature points have been opened in Russia, in which at least 15 thousand highly qualified specialists work. Existing CAs bring the budget at least ₽6.5 billion in taxes annually. The cost of a qualified electronic signature (CEP) for individuals starts from ₽1400. In addition to issuing signatures, CAs offer a number of services, for example, software that allows you to sign electronic documents and send them to departments.

According to the participants of the round table "Sphere of electronic services of the Russian Federation. Ways of Development and Threats," conducted by CNews together with the ROSEU Association on April 20, 2017, the new initiative of the Ministry of Communications undermines confidence in the regulator and contributes to reducing competition and, as a result, to a deterioration in the quality of certification center services. Just 2 years after the entry into force of the amendments proposed by the Ministry of Telecom and Mass Communications, 15 thousand people will be thrown onto the labor market. The cost to the state of creating new infrastructure will be at least ₽5 billion. In addition, the explanatory note to the bill says that the cost of a CEP will increase to ₽2500.

To solve existing problems on the market, by-laws are required that determine the procedure for the operation of CAs, control over their activities and responsibility for violation of the law. Regulatory acts on the use of authorized certificates and electronic signatures should also be developed. In addition, experts expressed their wishes to optimize the legislation regulating the use of the CEP as a cryptographic means, and to simplify the process of using cryptographic information protection tools (CIPF) in the mass segment. The certificate registry itself must be available in order to verify the legitimacy of the data presented. CAs should also get access to SMEV to check information when issuing a CEP.

2016: The Ministry of Telecom and Mass Communications received the authority to establish the requirements for the work of accredited certification centers

On July 8, 2016, the provision of the Law "On Electronic Signature" entered into force that gave the Ministry of Digital Development, Communications and Mass Media of Russia the authority to establish the requirements for the work of accredited certification centers. The ministry approved the requirements for the centers. In 2016, the Ministry of Telecom and Mass Communications of Russia also gained the ability to inspect accredited certification centers, both on a scheduled basis and on an unscheduled basis at the request of citizens. As part of this work, several certification centers were deprived of accreditation due to violations they had committed.

2013: Plan to connect CAs to SMEV

The Subcommittee on the Use of IT in the Provision of Public Services, which will meet at the White House on November 28, 2013, plans to approve the connection of the information systems of a number of certification centers (CAs) to the e-government infrastructure. This is stated in the subcommittee's agenda, which CNews has reviewed.

It is planned to connect the CAs of Tensor, CryptoStandart, InfoTeCS Internet Trust and SKB Kontur, the CAs of the Supreme Court, the State Duma, the Public Prosecutor's Office and the Investigative Committee, as well as that of the FAA Russian Maritime Register of Shipping.

"The CAs were on the list as they applied to join the infrastructure. Based on order 1382, they have such a right," the Ministry of Communications told CNews.

The purpose of the connection is to verify the information submitted by the applicant when issuing an electronic signature certificate (EP), the ministry added.

Certification centers that are on the list for approval will be able to use the infrastructure of the interdepartmental electronic interaction system (SMEV) to receive information from government agencies, Nikita Baranov, project manager for the Services of the Certification Center at SKB Kontur, told CNews.

According to him, this decision will very significantly affect the practice of the CA.

At this time, in order to issue a certificate, the CA, according to the law, is obliged to receive a number of documents from the applicant.

"For example, an individual should be provided with at least a passport, SNILS and TIN certificate, and for a legal entity the list is supplemented by a Unified State Register of Legal Entities, OGRN certificate and constituent documents," Baranov explains. "The further legal status of all documents signed by the EP depends on the correctness of the CA's actions, and these may be contracts for very large amounts. Therefore, the CA is obliged to make sure that all documents provided are originals, create copies of all documents provided and organize their storage."

For the user, this creates problems with the collection of documents, for the CA - with their verification and storage, adds Baranov: "All this taking into account the large territorial distribution."

"Connecting to SMEV will help, firstly, in the fact that we can collect some of the documents electronically directly in the relevant department. Secondly, we will be able to check the validity of the data online with confirmation of government agencies. And thirdly, we will not have to make and store copies of documents," he says.

All this, according to the representative of SKB Kontur, "will lead to a significant acceleration and enhancement of the reliability of the release procedure and, at the same time, to an increase in the convenience of users."

The process of connecting a CA to SMEV, according to Nikita Baranov, can take about six months: "Technical implementation is needed - the creation, testing and commissioning of modules that send requests and receive answers (for example, checking a passport to the FMS)"[7].

2012: Order of the FSB on the requirements for electronic signatures and CA

On February 17, 2012, an order of the FSB of the Russian Federation of December 27, 2011 No. 796 "On Approval of Requirements for Electronic Signatures and Requirements for Means of the Certification Center" was published. Earlier, an order dated December 27, 2011 No. 795 "On Approval of Requirements for the Form of a Qualified Certificate of the Electronic Signature Verification Key" appeared.

In accordance with the new norms, when signing a document, the signing tool must show the electronic document to the person who signs it, wait for confirmation from this person, and, after signing, show that person that the signature has been created. When verifying the signature, the tool must show the electronic document, as well as information on changes made to the signed document, and indicate the person who signed it.

The format of a qualified certificate differs significantly from the format of the EDS certificates that were issued at that time (in accordance with federal law No. FZ-1). For example, a qualified certificate must include the names of the electronic signature tools and certification center tools used to generate the signature key and verification key (private and public keys, respectively), as well as to create the certificate itself.

Compared to EDS certificates, the method of representing the authority of the certificate holder has changed. At the request of the owner, any information confirmed by the relevant documents could be included in the EDS certificate, and non-standard details (for example, the insured's registration number) can be included in the qualified certificate only if the requirements for their purpose and location in the certificate are defined in the documents provided to confirm the compliance of the means of the certification center with the requirements of the FSB.

2011

Rostelecom has begun to create a network of certification centers

Rostelecom began in April 2011 to create a network of certification centers that form a "single space of trust," in which each resident of Russia will be able to obtain his electronic digital signature. By the end of 2011, the company plans to open 80 such centers, which will be created on the basis of sales and customer service centers in various regions of Russia.

The first CAs where citizens can obtain an electronic signature opened in Moscow

The first certification centers in which citizens can receive an electronic signature opened in Moscow in April 2011. This will require the citizen's personal presence and passport. The signature, which is encrypted information in the form of a file, will be recorded in the presence of the applicant on a certified electronic medium (electronic card or flash drive). The signature itself is free, but the cost of the carrier will have to be paid. The Ministry of Telecom and Mass Communications suggests that obtaining a qualified electronic signature will cost a citizen about 300 rubles. As the director of the legal department of the ministry, Andrei Tikhomirov, emphasized, obtaining an electronic signature is a purely voluntary matter. He also added that the citizen is responsible for the safety of the electronic signature, recalling that in case of loss or theft, the signature can be blocked and then restored through the same certification centers.[8]
