Electronic signature for participation in procurement
An electronic signature (ES) is needed to participate in procurement (tenders), as well as for electronic document circulation. The electronic signature itself is not a “flash drive” or some other physical item familiar to many of us, but electronic information that makes it possible to confirm the identity of its owner when using electronic services.
What does this look like? A “key pair” is recorded on a specific carrier in the form of an ES key and a certificate of an ES verification key. And the “electronic signature” itself is created by the certificate holder at the time of signing the document.
Although the protected medium looks like a flash drive, its internals are special. In addition to the microcircuits, they include a specialized applet that handles the interaction between the OS and the contents of the medium. A medium with all of these contents is issued by certification authorities (CAs). Most modern IT people know these concepts well from obtaining and using Code Signing and SSL certificates.
Let's go through the basic concepts associated with ES and CAs.
What does a CA do?
Certification authorities issue to their customers: a) media containing a key pair; b) the accompanying set of documents (incl. a safety guide); c) paper certificates.
The CA also deals with:
- Identifying certificate holders.
- Verification of all documents and information submitted for the issuance of the certificate.
- Generation of certificates.
- Sending data about certificates and their owners to ESIA.
- Revocation of certificates issued (for example, in case of compromise).
Are all ES suitable for participation in procurement?
No, not all. You need the kind of electronic signature that current legislation prescribes. For purchases under 44-FZ and 223-FZ this is an enhanced qualified electronic signature. The certificates used to create such ES are issued only by CAs that are accredited by the Ministry of Communications. The use of electronic signatures is governed by Federal Law No. 63-FZ “On Electronic Signature”, which, among other things, contains the requirements for accreditation of certification authorities and describes the procedure for issuing certificates by such CAs. A list of all accredited CAs can be found on the ministry's website.
It is also important to note that commercial electronic trading platforms (ETP) and other information systems are entitled to set their own additional requirements for the contents of certificates. These requirements take the form of additional extensions, OIDs. So if you need to use your ES on specific sites, it is better to check with the CA right away whether it can issue a certificate for those sites.
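A check of the kind the paragraph above calls for, as an added example (not the author's or any CA's code): it decodes the OIDs listed in a certificate's extendedKeyUsage extension and reports those a platform requires but the certificate lacks. It assumes the required OIDs are carried in extendedKeyUsage; the function names, the sample bytes, the 1.3.6.1.4.1.99999.* OIDs and the requirement list are constructed placeholders.

```python
# Added example. Sample bytes are constructed; 1.3.6.1.4.1.99999.* are placeholder OIDs.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)  # base-128, high bit means "more"
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OBJECT IDENTIFIER")
    first = min(subids[0] // 40, 2)  # first subidentifier packs the first two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def eku_oids(ext_value):
    """OIDs in a DER extendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = set(), 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("unexpected element in extendedKeyUsage")
        oids.add(decode_oid(body))
    return oids

def missing_oids(ext_value, required):
    """Required OIDs that the certificate's extendedKeyUsage does not list."""
    return sorted(set(required) - eku_oids(ext_value))

# Constructed extension value: clientAuth, emailProtection, one placeholder OID.
SAMPLE_EKU = bytes.fromhex("302006082b0601050507030206082b06010505070304060a2b06010401868d1f0101")
# Hypothetical requirement list for one trading platform.
REQUIRED = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"]
print("missing:", missing_oids(SAMPLE_EKU, REQUIRED))
```

An empty result means the certificate carries every OID on the list; anything else is what to raise with the CA before the certificate is issued.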
What is written to the media?
The key pair is recorded on the medium in the form of an electronic signature key and an electronic signature verification key certificate. Our CA, for example, additionally writes an auto-installer and a specialized anti-rootkit there, because the machines of many companies in Russia are, alas, affected by virus outbreaks and spyware. In addition, the medium can be used as a regular USB flash drive for data storage, so instructions and other data can be written to it right away. But this is optional and done on an individual basis.
Is one ES suitable for everything?
No. Usually an ES is used for something specific. But the CA knows the requirements of the various information systems well, and as an option you can get a “universal” certificate suitable for the widest possible range of systems. So, if you plan to use your ES in a large number of different services with additional requirements, it will be more cost-effective to purchase a “universal certificate”. For example, the price of such certificates in our CA.
Are they plug & play?
Almost. Everything may work right away, or you may have to tinker with it together with a sysadmin. The key factors here are knowing that the right certificate has been purchased, and that both the site and the CA have proper support. Since we want procurement participants on our site to be free of technical problems and errors, we have developed an auto-installer for our ES. We also have round-the-clock technical support.
What are the licenses for software to work with the certificate?
The common name for software that works with a certificate is Cryptographic Service Provider (CSP). It is an independent module that performs cryptographic operations on Microsoft operating systems through CryptoAPI functions. There are the following types of licenses for a cryptographic provider:
- Bound to the user's workstation.
- Not bound to a workstation (the so-called embedded license technology).
A crypto-provider license bound to a workstation often confuses people who are not very familiar with the Internet, because such a certificate can be used from only one computer. Our CA issues certificates with an embedded license by default.
The company has changed the details. What to do?
Contact the CA. Because of how a certificate is structured, its contents cannot be changed, so you will have to submit a request to change the data and receive a new certificate. It can be written to the same medium that was used before. Remember to revoke your old certificate.
Is it possible to make a copy of ES keys?
Yes. To do this, again, you need to contact the certification authority where the certificate was obtained and ask for a backup copy of your key pair. In general, having a backup is good and useful practice: if it turns out just before the bidding that your medium has failed, for example, you will be able to replace it with the backup.
Do certification authorities differ from each other?
Yes. There are more than 400 of them across the country. At the dawn of this market there were many questionable gray schemes. It is said that small CAs are still breaking the law by issuing certificates without identifying the owner. This may surface later and come back to haunt you. To avoid misunderstandings, it is better to choose large CAs (accredited by the Ministry of Communications and Mass Media) that have been on the market for a long time. In general, everything is like with certification authorities on the Internet.
ES themselves also differ. There is the simple electronic signature, which merely confirms that the signature was created by a specific person. Confirmation is done using a code or email.
There are also the enhanced unqualified ES and the enhanced qualified ES. Both types are created using cryptographic tools, but for an enhanced qualified electronic signature it is also confirmed that the CA that issued the certificate is accredited by the Ministry of Communications and uses certified electronic signature tools.
A qualified electronic signature is considered equivalent to a handwritten signature without any additional conditions. Simple and unqualified ES acquire legal force if additional conditions are met, including when an additional agreement has been concluded between the participants of the electronic interaction.
How long does it take to get a certificate?
With us, a certificate is issued in three hours under the accelerated procedure (in person, so allow extra time for travel). The usual procedure (taking into account the preparation of documents and payment of the invoice) takes about 1-2 working days.
To finish, try the tongue twister: “IP with ES for ETP”. I hope that some of you will read this material and will no longer be afraid to be such an “IP with ES for ETP”. And do ask your questions about ES; my colleagues from the CA and I will answer them.