In the BOE of May 31, 2021, the regulation that covers the non-cryptographic electronic signature in the field of Justice has been published:
Resolution of May 26, 2021, of the General Secretariat for Innovation and Quality of the Public Justice Service, whereby Cl@veJusticia is enabled and its conditions of use are established, as a mechanism for identification and signature of the interested parties in the actions carried out through telematic presence with the judicial bodies and other bodies belonging to the Administration of Justice.
This Resolution is issued in order to provide greater legal certainty to the actions carried out by means of telematic presence between the interested party and the judicial bodies or other bodies belonging to the Administration of Justice, based on the provisions of Article 14 of Law 3/2020, of September 18, on procedural and organizational measures to address the COVID-19 in the field of the Administration of Justice.
Law 18/2011, of July 5, 2011, regulating the use of information and communication technologies in the Administration of Justice, includes the necessary aspects to comply with the procedural legislation regarding the use of new technologies; although, after the reform operated by Law 3/2020, of September 18, it is established, in articles 4. 2 f) and 6.2 d), within the rights of citizens and professionals in relation to the use of electronic means in judicial activity, that of “using the identification and signature systems established in Articles 9 and 10 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations”. In addition, specifically, in the case of professionals, it will be done “provided that such system identifies him/her univocally as a professional for any electronic procedure with the Administration under the terms established by the procedural laws».
Likewise, in Chapter II of Title III of the aforementioned Law 18/2011, Article 14, paragraph 2, on the forms of identification and authentication establishes that “without prejudice to the provisions of Articles 4 and 6 of this Law and in any case, strictly subject to the provisions of the procedural laws, citizens and professionals in the field of Justice may use the following electronic signature systems to relate with the Administration of Justice (…. ) c) Other electronic signature systems, such as the use of keys agreed in a previous registration as a user, the provision of information known by both parties or other non-cryptographic systems, under the terms and conditions to be determined in each case”.
In line with this, section 1 of article 23 of the aforementioned law provides that, “in those cases in which for the performance of any action by electronic means the identification or authentication of the citizen is required by means of any of the instruments provided for in article 14 of which he does not have, such identification or authentication shall be validly performed by an official by means of the use of the electronic signature system with which he is equipped.”
In view of the foregoing, attention must therefore be paid to the provisions of Articles 9 and 10 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, which regulate, respectively, the identification systems of the interested parties in the procedure and the signature systems admitted in the Public Administrations and, which Law 18/2011, of July 5, includes in the area of the Administration of Justice.
El artículo 9 de la Ley 39/2015, de 1 de octubre, en su apartado 2, establece que «Los interesados podrán identificarse electrónicamente ante las Administraciones Públicas a través de los sistemas siguientes:
a) Systems based on qualified electronic certificates of electronic signature issued by providers included in the “Trusted List of Certification Service Providers”.
b) Systems based on qualified electronic certificates of electronic seal issued by providers included in the “Trusted List of Certification Service Providers”.
c) Agreed password systems and any other system that the Administrations consider valid under the terms and conditions to be established, provided that they have a prior registration as a user to guarantee their identity, subject to prior authorization by the General Secretariat for Digital Administration of the Ministry of Territorial Policy and Public Function, which may only be denied for reasons of public safety, subject to a binding report by the Secretary of State for Security of the Ministry of the Interior. The authorization must be issued within a maximum period of three months. Without prejudice to the obligation of the General State Administration to resolve in due time, the lack of resolution of the request for authorization will be understood to have a rejection effect”.
On the other hand, Article 10 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, lists the valid systems for signature purposes, which interested parties may use to relate with Public Administrations.
This provision expressly refers to the recognized or qualified and advanced electronic signature systems, based on recognized or qualified electronic certificates of electronic signature, to the recognized or qualified electronic seal and advanced electronic seal systems based on recognized or qualified electronic certificates of electronic seal and to any other system that the Public Administrations consider valid, under the terms and conditions to be established; it also includes the possibility of admitting the identification systems contemplated in the Law as signature systems.
In any case, all the admitted electronic signature systems must guarantee compliance with the requirements set forth in the first paragraph of article 10 of the aforementioned Law. That is, these systems must be able to prove the authenticity of the expression of the will and consent of the interested parties, as well as the integrity and unalterability of the document.
These electronic signature systems must be recognized as having legal effect and be in accordance with Article 25. 1 of Regulation (EU) N o 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, without prejudice to the provisions of Article 27 of the regulation itself “Electronic signatures in public services”.
Thus, and in application of the provisions of Law 18/2011, of July 5, which welcomes articles 9 and 10 of Law 39/2015, of October 1, and, specifically, paragraph 3 of article 10 that would empower the Administration of Justice to admit the identification systems contemplated in this Law as a signature system when they allow accrediting the authenticity of the expression of the will and consent of the interested parties, provided that it is so provided by the regulatory regulations; with this resolution we proceed to validate the use of the Cl@veJusticia system in the proceedings with telematic presence of the interested party, indicating the requirements that must be met, not only for this purpose, but also to ensure the integrity and unalterability of the signed data, as well as the requirements to verify that such act was carried out.
Therefore, the bases are laid for the use of identification systems based on the Cl@veJusticia platform, for the identification of the interested party and, where required, the execution of the signature, in the procedural acts before the judicial bodies and other bodies belonging to the Administration of Justice.
It is important to emphasize that the use of the Cl@veJusticia system requires the user to be registered in Cl@ve, with Cl@vePIN of the AEAT, so that the procedure for electronic identification and signature based on Cl@veJusticia, with the conditions established by this Resolution, has all the necessary guarantees offered by the ecosystem itself established through the current regulations.
This therefore includes the two fundamental processes based on the identification itself through Cl@vePIN, the identification of the interested party itself, and the non-cryptographic signature, with the conditions established in the Resolution of July 14, 2017, of the General Secretariat of Digital Administration, which establishes the conditions for the use of non-cryptographic electronic signature, in the relations of interested parties with the administrative bodies of the General State Administration and its public bodies.
For this reason, it has been decided to establish this non-cryptographic signature system, simple for the citizen, with a system of sufficient security, traceability and integrity measures for the procedures that make use of it, but without the need to remember or have an active password or a centralized electronic certificate.
It is also appropriate to use this system when, although an electronic certificate has been used in the identification process, a local electronic signature with said certificate is not required, in order to avoid problems with browser, Java virtual machine and operating system version compatibility restrictions.
Consequently, the purpose of this Resolution is to establish the criteria for use and technical conditions for the implementation of non-cryptographic electronic signature systems, provided for in Article 10.2.c) of Law 39/2015, of October 1, which will be considered valid for signature purposes in the General State Administration and its public bodies, as well as in those other Public Administrations that adopt these criteria and technical conditions.
Therefore, by virtue of the foregoing, in exercise of the powers assigned to it in Article 3 of Royal Decree 453/2020, of March 10, which develops the basic organizational structure of the Ministry of Justice, this General Secretariat for the Innovation and Quality of the Public Justice Service has resolved to adopt the following provisions.
Approve the use and conditions of use of Cl@veJusticia, as a non-cryptographic electronic identification and signature system for the purposes of identification and signature of interested parties, in actions carried out by telematic presence, with judicial bodies and other bodies belonging to the Administration of Justice, in accordance with articles 4.2 f), 6.2 d), 14 and 23 of Law 18/2011, of July 5, in relation to articles 9 and 10 of Law 39/2015, of October 1, which are included as an annex to this resolution.
This Resolution becomes effective as of the day following its publication in the “Official Gazette of the State”.
Madrid, May 26, 2021 -The Secretary General for Innovation and Quality of the Public Justice Service, Francisco de Borja Vargues Valencia.
Terms and conditions of use of Cl@veJusticia as a non-cryptographic electronic identification and signature system for the identification and signature of interested parties, in actions carried out by telematic presence, with judicial bodies and other bodies belonging to the Administration of Justice.
The purpose of these terms and conditions is to determine the circumstances under which Cl@veJusticia is valid as an electronic identification and signature system not based on electronic certificates for the identification and signature of interested parties in relations with judicial bodies and other bodies belonging to the Administration of Justice, in accordance with articles 4.2 f), 6.2 d), 14 and 23 of Law 18/2011, of July 5, in relation to articles 9 and 10 of Law 39/2015, of October 1, when these are carried out by means of telematic presence.
II. Scope of application
The present terms and conditions shall apply to the actions carried out by telematic presence of the interested parties with the judicial bodies and other bodies dependent on Justice, which enable Cl@veJusticia as a system of identification and non-cryptographic electronic signature intended to be used by the interested parties in their relations with them.
III. Criteria for the use of non-cryptographic electronic signature systems.
The national security scheme (hereinafter ENS), regulated by Royal Decree 3/2010, of January 8, and amended by Royal Decree 951/2015, of October 23, amending Royal Decree 3/2010, of January 8, which regulates the national security scheme in the field of electronic administration, constitutes the legal framework that allows defining and establishing the measures to ensure the security of systems, data, communications and electronic services, allowing interested parties and Public Administrations to exercise their rights and fulfill their duties through these means.
The implementation of a non-cryptographic electronic signature system must comply with the ENS to guarantee the security of data and services, as an instrument capable of allowing verification of the authenticity of the origin and integrity of the information, providing the basis to avoid repudiation.
The ENS establishes the need to categorize information systems, being the category of an information system, in terms of security, the one that allows to modulate the balance between the importance of the information it handles, the services it provides and the security effort required, according to the risks to which it is exposed, under the principle of proportionality.
In application of this standard, Cl@veJusticia can be used as a categorized identification system with the same level of security offered by Cl@vePIN of the AEAT, which acts at all times as the generator, storage and custodian of the evidence of the identification process.
In this sense, all associated systems that rely on the Cl@veJusticia system for the execution of non-cryptographic electronic signatures must have the security measures implemented at the level established in the risk analysis of each system and associated processes.
The use of Cl@veJusticia with Cl@vePIN must therefore be adapted to the required level of identification.
Substantial or high levels are also established as the only valid levels for identification by means of Cl@veJusticia(Cl@vePIN) in interactions with judicial bodies and other bodies belonging to the Administration of Justice, in accordance with articles 4.2 f), 6. 2 d), 14 and 23 of Law 18/2011, of July 5, in relation to articles 9 and 10 of Law 39/2015, of October 1, when these are carried out through telematic presence, for the realization of non-cryptographic electronic signature, which derives in the requirement of a registration in Cl@vePIN of the interested parties at the equivalent levels.
The determination of one level or the other will be derived from the information system on which the evidence resulting from the telematic interaction will be collected, the effects of which will correspond to the procedural or administrative actions collected in the former.
IV. Performance Guarantee
For all purposes, the use of Cl@veJusticia, as a system of electronic identification and signature, in the actions carried out before the Administration of Justice, by means of telematic presence, has all the necessary guarantees, having all the effects that the procedural act or procedure entails according to the applicable procedural or administrative regulations.
The information systems in which the evidence of the interaction between the interested party and the official by telematic means is recorded shall offer the guarantees of authenticity and integrity of any exchange carried out, and shall conserve the electronic evidence by means of cryptographic signature systems or equivalent, in such a way as to ensure its unalterability and authenticity.
All exchanges of information and documentation will be validated by the official who is carrying out the action by telematic presence, so that the incorporation of the documentation, if applicable, to the management system, will be carried out in accordance with the guarantees of authenticity and integrity of the information system that, if applicable, apply.
The body responsible for the procedure will issue a proof of signature stamped with its electronic seal.
V. General procedure for the accreditation of the authenticity of the expression of the will and consent of the interested party.
To prove the authenticity of the expression of the will and consent of the interested party will be required:
1. The entire process by means of telematic interaction must have sufficient continuity in the interaction by telematic means and must therefore guarantee a correct bidirectional transmission of audio and video, if applicable.
Therefore, in the event of problems that could alter the result of an identification based on ClaveJusticia, re-identification must be carried out by means of this system.
2. A prior authentication of the interested party, carried out through the Cl@veJusticia platform, at the time of the manifestation of the will contained in the procedural act.
The identification and authentication of the interested party must be done, in any case, through the Cl@veJusticia platform, which uses Cl@vePIN, of the AEAT, a system of identification, authentication and electronic signature based on agreed keys, common to the entire state administrative public sector, approved by Agreement of the Council of Ministers of September 19, 2014.
Such authentication of the interested party with the Cl@veJusticia system, immediately prior to the act of signing, must be done with a substantial or high level of authentication quality.
3. Prior verification by the interested party of the data to be signed.
These data will be obtained from the information provided by the official to the interested party in the attention through telematic presence, as well as from the electronic documents that, eventually, he/she may present in the procedure.
The interested party must be aware of the data to be signed, so a recapitulation must be made by the official in an understandable language that will include, in turn, the document-act prepared by the system and subsequently delivered to the interested party as proof of the signature and the interaction carried out.
4. Explicit action on the part of the interested party to manifest consent and expression of consent and willingness to sign.
The applications that make use of this signature system, adjusted to the criteria of use and technical conditions of this Resolution, must expressly require the expression of consent and the will of the interested party to sign in the procedure, by including sentences that make them unequivocally clear, and the requirement of explicit actions of acceptance by the interested party (for example, by means of a checkbox next to the text.
“You, Mr/Mrs [Name of Interested Party], with DNI/NIE [Number], on the date and time of the recording of this act, consent to the following request:
- Main data of the procedure/procedure, explained in understandable language for the citizen.
- “And I request for this, as a guarantee of the basic electronic signature carried out remotely, to proceed to the secure identification of my person through Cl@vePIN.”
In order to carry out the signature operation itself, the authentication of the citizen will be requested again through Cl@veJusticia by direct action of the official, which will provide the necessary guarantees of authenticity, traceability, availability, integrity and non-repudiation, in addition to other guarantees established in the following points.
VI. Guarantees in the signing process
In order to guarantee the non-repudiation of the signature by the citizen, the signature system must accredit the link between the expression of the will and the data signed with the same person. For this purpose, the authentication of the citizen shall be requested again at the time of signing, by direct action of the official.
Likewise, the guarantee of non-repudiation requires that the signature system ensures adequate traceability in the event that it is necessary to audit a particular signature operation, for which it will obtain, for each signature and therefore for each authentication process, the following information:
- Date and time of authentication.
- Name and surname of the interested party.
- NIF/NIE of the interested party.
- Identity provider used (electronic certificate, Cl@vePIN, Cl@veJusticia or Cl@vePermanente) and identification
- security level (substantial or high).
- Authentication result (successful or failed).
- Response returned and signed by the Cl@veJusticia platform.
- Date and time of signature.
- Secure digest of the signed data, with a hash algorithm that meets the specifications of the national security scheme.
- Recording of the telematic interaction.
- If applicable, information on the data exchanged during the interaction.
- Technical information on the quality of the telematic interaction.
- Activity of the civil servant and the citizen on the interaction spaces common to the participants of the telematic interaction.
- Date and time of start and end of the interaction
- Identity of the official
In case there is more than one participant in the telematic interaction, when applicable for signature purposes, this set of evidences must be kept for each one of them, reflecting the order of signature legally required by the procedure.
This information must be safeguarded with full guarantees using cryptographic or analogous techniques to ensure its unalterability over time, and the unalterability of the time at which it was generated.
In addition, a document shall be formed, in the form of a record, which shall provide a summary of the above data, with references to the evidence, which shall be stamped with a qualified or recognized electronic certificate of agency seal, to which shall be added a time stamp made with a qualified certificate and issued by a supervised time stamping provider, and shall be stored by the information system associated with the electronic procedure for which the signature is required, as evidence of the verification of the identity prior to the act of signing, linked to the signed data.
VII. Management of authentication evidences
Although the signature system will provide the information systems associated with the electronic procedure requiring the signature with the authentication information linked to the signature, it may sometimes be necessary, for auditing purposes, to retrieve the complete evidence of the authentication process.
Cl@veJusticia will collect all interactions with the AEAT’s Cl@veJusticia base information system, cl@vePIN, and will store them in accordance with the established ENS high level technical conditions.
When using the Cl@veJusticia system as an identification and authentication mechanism, the evidence of the base information system does not reside in the signature system itself, but in the systems of the AEAT’s Cl@vePIN integrated identification service providers, although it is collected in the Cl@veJusticia system, a user of the former.
In order for the providers of such identification services to be able to retrieve the evidence necessary to accredit the completion of the prior identification and authentication linked to the completion of a signature in the system, the authentication information stored as evidence of the prior verification of identity in the information systems associated with the administrative procedure requiring the signature, as described in section VI.1, shall be provided to such providers.
For this purpose, identification service providers shall safeguard such evidence for a minimum period of five years. The request for certification of such evidence shall be made in accordance with the procedure and conditions to be published on the e-Government portal.
VIII. Proof of signature
In the signature process, the interested party will be provided with an electronic evidence record containing all the digital evidence of the performance of the act by telematic presence, which will be a legible document, in accordance with the technical standard of interoperability of the standards catalog and preferably in PDF format, and which must meet these requirements:
- Guarantee the authenticity of the issuing body by means of an electronic seal with the seal certificate of the issuing body or of the system itself, in PAdES format in the case that the supporting document is in PDF format.
- Contain the data of the signatory and, in the case that the signed document has passed through an entry Registry, the identifying data of its inscription in the Registry.
- Contain the data to be expressly signed by the interested party. If an electronic document has been attached, a reference to it shall be included.
- To guarantee the instant in which the signature was made, by means of a time stamp of the voucher, made with a qualified certificate and issued by a supervised time stamping provider.
- Guarantee the authenticity of the proof of signature by including a secure verification code (CSV) in the proof of signature, and guaranteeing that this proof can be consulted online by means of a CSV matching system whose address is included in the proof of signature itself.
Alternatively, the authenticity of the issuing body and of the proof of signature may be guaranteed by means of documents with electronic sealing of the proof in PAdES format (in the event that the proof is in PDF format) and, if applicable, with the use of a secure verification code (CSV) of the proof. This circular shall take effect from the moment it is signed.