Advanced Search

On The Procedures Of Qualified Providers Of Certification Services

Original Language Title: o postupech kvalifikovaných poskytovatelů certifikačních služeb

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
378/2006 Sb.



DECREE



of 19 December 2003. July 2006



on the procedures of qualified certification service providers,

requirements for electronic signature tools and requirements

data protection for creation of electronic tags (Decree on procedures

qualified providers of certification services)



Ministry of Informatics (hereinafter referred to as "the Ministry") determined in accordance with section 20

paragraph. 1, 2, 3 and 5 of the law No. 227/2000 Coll. on electronic signature and

amendments to certain other laws (the law on electronic signature), in

amended by Act No. 517/2002 Coll. and Act No. 440/2004 Coll. (hereinafter referred to as

the "Act"):



PART THE FIRST



GENERAL PROVISIONS



§ 1



The subject of the edit



(1) this Decree shall lay down the



and compliance with information obligations) to the method under section 6 (1). 1 (b). and), and (f))

(a). 3 of the Act, the eligibility requirements under section 6 (1). 1 (b). (b))

of the Act, the requirements for safe systems and safe tools according to § 6

paragraph. 1 (b). (c)), and (d)) of the Act, the method of storage of information and documentation

According to § 6 paragraph 1. 5 and 6 of the Act, and the manner in which compliance with these

requirements,



(b) to ensure the safety of the lists), pursuant to section 6a of paragraph 1. 1 (b). (e)), and

(f)) of the Act, specifying the date and time in accordance with § 6a of paragraph 1. 1 (b). g) of the Act,

the particulars of the measures pursuant to section 6a of paragraph 1. 1 (b). h) of the Act, a way of meeting the

information obligations in accordance with § 6a of paragraph 1. 1 (b). I) of the Act, the method of

protection and ensure the consistency of the data in accordance with § 6a of paragraph 1. 2 of the Act, the method of

revocation of the certificate pursuant to section 6a of paragraph 1. 3 and 4 of the law and the way in which

to meet these requirements,



(c) ensure the accuracy of the time) to the method when creating a qualified

a time stamp according to § 6b of the paragraph. 1 (b). (b)) of the Act, a way to ensure

consistent data according to § 6b of the paragraph. 1 (b). (c)) of the Act, the particulars of the measures

under section 6b of the paragraph. 1 (b). (d)) of the Act, a way of meeting the information

obligations under paragraph 6b of the paragraph. 1 (b). e) of the Act, and the way in which the

compliance with these requirements,



(d)) way to ensure practices that must support a means for

secure electronic signature creation data protection for building

electronic signatures in accordance with section 17 of the Act and the means for creating

electronic tags when protecting data for creating electronic

brands pursuant to section 17a of the Act, and the way to meet these requirements

illustrated by.



(2) this Ordinance has been notified in accordance with the directive of the European

Parliament and Council Directive 98/34/EC of 22 December 2004. June 1998 on the procedure for the provision of

information in the field of technical standards and regulations and of rules on services,

the information society, as amended by Directive 98/48/EC.



§ 2



The definition of some terms



For the purposes of this Ordinance, means the



and qualified system certificates) superiors qualified

system certificates that contain the data for electronic authentication

the tag corresponding to the data to create an electronic tag which

the provider indicates qualified certificates, issued by a qualified

system certificates, lists under section 6a of paragraph 1. 1 (b). (f)) of the Act, and

issued by the qualified time stamps,



(b)) a list of issued certificates list that has the requirements pursuant to §

6a paragraph 2. 1 (b). e) of the Act and meets the requirements of this order,



(c) the certificate revocation list) list that has the essentials

According to section 6a of paragraph 1. 1 (b). (f)) of the Act and meets the requirements of this order,



d) safety documentation file of documents, which the provider

established in accordance with this Decree and in which lays down the principles and

all of the procedures applied in the provision of qualified

certification services,



e) secure electronic signature tool from the cryptographic module,

which provider is used for the activities laid down by this Decree and

that meets the requirements of this order,



f) critical activities of the provider to receive requests for the revocation of the

certificates, certificate revocation, and the release of a list of invalid

certificates, and other activities that the provider determines when

risk analysis as a critical activity,



g) extraordinary event that threatens the provision of

qualified certification services and occurs mainly as a result

the failure of a trusted system, technical equipment, and or the occurrence of the

a factor that is not under the control of the provider,



h) uncertainty of the time of possible deviation of the meter from the world time

coordinated time in total with the uncertainty of the time.



PART TWO



HOW QUALIFIED CERTIFICATION SERVICE PROVIDERS AND PROTECTION

DATA FOR THE CREATION OF ELECTRONIC TAGS



HEAD FIRST



HOW PROVIDERS



§ 3



Requirements for secure systems



Systems in accordance with § 6 para. 1 (b). (c)), and (d)) of the Act (hereinafter referred to as "trusted

systems ') are safe and safety procedures, that these systems

support, it is sufficient if a qualified provider

certification services (hereinafter referred to as "provider")



and) uses trustworthy systems and procedures to meet the requirements of

the standard for these systems, which is mentioned in point 1 of annex 1 to this

the Decree, and the requirements of Czech technical standards referred to in sections 2 and

3 of annex 1 of this order; the requirements of those standards and the Bohemian

technical standards established for trusted systems used for

the issuance and management of qualified certificates shall apply mutatis mutandis for the

trusted systems used for the issuance and management of skilled

system certificates,



(b)) in the safety management of trusted systems follows the Czech

technical standards referred to in point 4 of the annex No. 1 of this Decree, and has

introduced and applied the information security management system according to the Czech

technical standards referred to in point 5 of Annex No. 1 of this Decree,



(c)) use spaces in which shall be ensured by the creation of qualified

certificate or qualified system certificates,

qualified time stamps, resources for creating

electronic signatures qualified certificate for invalidating or

qualified system certificates, creating lists

certificate revocation, any waste data for creating

electronic tags and their corresponding data for authentication

electronic tag provider, treatment by a qualified

the system certificate provider and create records of events

with these activities, secure as secure

the area of the category of "confidential" under a special legal regulation ^ 1) and is

handled by the documentation provided for in this regulation,



(d)) has the moment and continuously updated safety documentation



e) shall act in accordance with the principles and procedures laid down in the safety

documentation,



f) checks the safety compliance under this Ordinance,



g) carries out audits of the safety management system of information under this

the Decree.



§ 4



Safety documentation



(1) unless otherwise indicated, the fulfilment of the obligations laid down by law, and

the requirements laid down by this Decree shows the provider

through safety literature.



(2) safety documentation consists of the following documents:



and the policy for issuing) certification of qualified certificates,

If the service provider ensures



(b) the policy for issuing) certification of qualified system

certificates, unless the provider of this service ensures



(c) the policy for issuing) qualified time stamps, if

the provider of this service ensures



(d) the policy for issuing funds) for safe building

electronic signatures, if the supplier of this service ensures



e) certification policies for issuing superiors qualified

system certificates,



(f)) message to a user of the services referred to in points (a) to (d))), if

These service provider provides,



g) certification or other implementing directive implementing directive to

the services referred to in subparagraphs a) to (e)),



h) the overall security policy,



I) system security policy,



j) plan for crisis management and recovery plan,



to the provider, other documents) which is in the documents referred to in

the letters a to j) referenced) or that contain the detailed rules and

detailed procedures governing the provider ensures security

provided by a qualified certification services; from a security

documentation must be clear what procedures the provider applies when

ensure the security of the systems in accordance with § 6 para. 1 (b). (c)), and (d)) of the Act.



§ 5



Content security documentation



(1) the content of the policies pursuant to § 4 paragraph 2. 2 (a). a) to (d)) is always



and that policy) the establishment of a provider in the provision of

qualified certification services



(b) in the case of the issuance of qualified) certificates or qualified

system certificates description of the properties data for creating

electronic signatures or electronic data for creating brands and

the corresponding data for the validation of electronic signatures or data

for the verification of electronic tags, which creates the person requesting

issue of the certificate, or that creates a provider, and that is to be

the certificate was issued; cryptographic algorithms and their


parameters that can be used for this data, the

the Ministry on its notice board,



(c) in the case of extradition) qualified time stamps



1. cryptographic algorithms that can be used when creating

fingerprint data, to be marked by a qualified timestamp and

the parameters for these algorithms



2. the accuracy of the time in the time stamp in relation to world

coordinated time.



(2) the content of the messages to the user in accordance with § 4 para. 2 (a). (f))

for information about identifying the data provider and a basic overview of

the qualified certificate services and the usage.



(3) the content of the implementing directive under section 4 (4). 2 (a). (g)) is always

the procedures applied in the provision of provider

each qualified certification services.



(4) the content of the overall security policy according to section 4, paragraph 4. 2 (a). h)

always establish the objectives, and a description of how trusted systems security

provider and specify the principles and rules relating to the solution

safety in trusted systems and determine the powers and responsibilities

for the security solution.



(5) system security policy according to section 4, paragraph 4. 2 (a). I) is

processed on the basis of a risk analysis carried out related to the operation of

trusted systems. In the risk analysis provider defines the assets

These systems, the threats that Act on them, vulnerabilities of systems,

an estimate of the probability of occurrence of threats, their consequences, and specifies the

appropriate security measures.



(6) the content of the system security policy is always



and goal-setting for the protection) information



(b) determination of the means of ensuring safety),



c) determining the powers and responsibilities in the operation of the trusted

systems,



(d)) the rules and procedures specifically defining how management and protection

information technology, assets, information systems and method

the distribution of information within the trusted systems and other systems,

that have trusted binding systems



(e) applying the total security) policy in relation to

the operation of the trusted systems



(f) a description of the trusted systems), their internal, external and mutual

the links,



g) evaluation of the risk analysis and description of the security measures referred to in

paragraph 5,



h) way of spreading the time within the trusted systems

the provider provides the service of issuing qualified time

the stamps.



(7) plan for crisis management in accordance with § 4 para. 2 (a). (j))

contains the definition of the procedures that have been applied in the case of the occurrence of the

extraordinary events.



(8) the recovery plan referred to in section 4, paragraph 4. 2 (a). j) includes a strategy for

trusted systems, which need to be implemented for the



and maintaining the critical activities of the provider) in the shortest possible

over time,



(b) the proper function of trusted recovery) systems.



§ 6



The processing requirements of the safety documentation



(1) the structure of the certification policy according to section 4, paragraph 4. 2 (a). a), b) and (e))

and the implementing directive under section 4 (4). 2 (a). g) is given

in Appendix 2 of this order.



(2) for the structure of the entries listed in annex 2 of this order, which

When you handle the security documentation shall not be used, because the provider

the activity in question does not, this will be listed.



(3) when the total document processing security policy according to section 4

paragraph. 2 (a). (h)) and system security policy according to section 4, paragraph 4. 2

(a). I) proceed according to Czech technical standards referred

in paragraphs 4 and 6 of annex 1 of this order.



§ 7



Disclosure documents



(1) the provider exposes the documents referred to in section 4, paragraph 4. 2 (a). a) to

(d)), and (f)) in its entirety.



(2) the provider may publish the certification detailed directive or

other implementing directive under section 4 (4). 2 (a). (g)), to the extent that

does not compromise safety of the outsourced services.



(3) the publication provided for in paragraphs 1 and 2 means the disclosure of the way

allowing remote access and in areas where contact with the

to the user.



§ 8



Checking the safety match



(1) the objective of the security checks of conformity according to § 3 (b). (f)) is to verify that the



and the provider operates a trusted systems) in accordance with the law and with

This Decree,



(b)) the provider makes changes to the trusted systems in accordance with the

Security documentation provider with its parts

governing the management of change.



(2) safety matches are subject to inspection



and all trusted systems provider) (total control

safety compliance), or



(b)) all the changes referred to in paragraph 1 (b). (b)), that the provider has made

Since the implementation of previous security compliance checks, and their influence on

trusted systems provider, or verify that such

There have been changes (a partial review of the conformity of safety).



(3) the overall review of the safety match is carried out not later than 1

year from the commencement of the provision of qualified certification services and

Subsequently, at least after 4 years from the previous overall control

safety matches, and provided that during these 4 years,

partial inspections carried out safety matches, among which the elapsed

most 1 year and first took place within 1 year after total inspection

safety compliance.



(4) If the partial security checks are not carried out in

paragraph 2 (a). (b)), the total control of safety matches in

an interval of not more than 1 year.



(5) check the safety match is carried out according to the requirements of the United

technical standards referred to in point 6 of Annex No. 1 of this order.



(6) the provider ensures security of the control report processing

of conformity, the content of which is



and subject safety) definition of conformity; in the case of total

safety control of the conformity of the definition of all trusted systems by

paragraph 2 (a). and) indicating the qualified certification services

that are provided through these systems, or in the case of

partial inspections of safety matches the definition of the changes referred to in paragraph 2

(a). (b)), that the provider has made since the implementation of the previous control

safety matches, and the definition of qualified certification services

that are provided by trusted systems, these

the changes affected,



b) unambiguous identification documentation, which was subject to inspection

safety compliance,



(c) a description of the checking of the safety) of conformity,



(d)) the name or names and surname of the person carrying out the inspection

safety compliance; This person can be with the provider in

employment relationship,



(e) a statement of the result of checks) the safety match, part of which is

a statement that the provider has trusted systems in the

accordance with paragraph 1.



(7) If, during a check of the safety match found that

the provider does not operate trustworthy systems in accordance with paragraph 1

(a). and does not change) or in trusted systems in accordance with the

paragraph 1 (b). (b)), it must be achieved by the axles, which

documented in the course of the same controls and safety compliance verified.



(8) the report on the control of safety compliance provider passes within 30 days

from their control of the Ministry.



§ 9



Audit of information security management system



(1) the objective of the audit of the information security management system according to section 3 (b).

(g)) is an objective and independent verification of the provider that is in the

trusted systems are introduced and applied a system provider

information security management according to Czech technical standards referred to in point

5 of annex 1 of this order.



(2) if the information security management system in the

trusted system certified for compliance with the Czech

technical standard referred to in point 5 of Annex No. 1 of this Decree, it is

the audit of the information security management system is considered

to be met.



(3) the auditing of the safety management system information

process according to the requirements of the standard referred to in point 7 of annex 1 to this

the Decree; the entity that the audit of the management system of information security

performs is in relation to an external, independent auditující

organisation in accordance with requirements of the standard referred to in point 7 of annex 1 to this

the Decree.



(4) the service provider shall provide the entity that the audit of the management system

information security carried out, always check the safety report

conformity according to § 8 para. 6 if it has already been implemented, and security

the documentation.



(5) the part of the report on the audit of information security management system is



and the definition of the subject of the audit system) information security management,

While the definition of the audit subject means the definition of qualified

certification services that are provided through the

trusted systems



b) unambiguous identification documentation, which was the subject of the audit system

information security management and provided by the provider entity,

the information security management system audit performed,



(c)) statement to the body which audits of the safety management system

information about the results of the audit carried out the safety management system


information, which includes a declaration of compliance with the requirements referred to in

paragraph 1.



(6) if in the course of the audit, the information security management system

indicate that the provider has not introduced and applied in the trusted

systems of information security management system in accordance with the requirements of

referred to in paragraph 1, must be achieved. Design of the axle

must be documented and verified by the audit.



(7) the provider shall ensure that the Declaration of the result of the audit system

information security management was published in a message for the user.



(8) the provider shall ensure that audits of the safety management system

the information was carried out before the start of the first qualifying

certificate services and then at least every 2 years.



§ 10



How to fulfil the information obligations



(1) the provider will fulfil the information obligation, by the documents referred to in

section 4, paragraph 4. 2 (a). a) to (d)), and (f))



and) If a legal person, the name or the name, legal form and registered office,

is a natural person, the name or names, surnames, place

business and identification number, if one has been assigned,



(b)) an indication of whether it is accredited by the Ministry,



(c) the exact conditions for the use of) qualified certification services

including any restrictions for their use set out

provider, terms of complaints and resolving disputes,



(d)), an indication of where and how his parent are available

qualified system certificates,



(e)) the manner in which secures the delivery of information to third parties pursuant to §

6a paragraph 2. 1 (b). even if the Act in question) by a qualified

Certificate Services provides, including contact details, which may

the third person used when asking for this information, and the maximum time

that may elapse between the request and the application of the provision of information,



f) the manner in which secures the delivery of information to third parties pursuant to §

6B of the paragraph. 1 (b). e) of the Act, if qualified in question

Certificate Services provides, including contact details, which may

the third person used when asking for this information, and the maximum time

that may elapse between the request and the application of the provision of this

information.



(2) the parent of the qualified system certificates referred to in paragraph 1

(a). (d)) shall be published at least two independent ways,

with at least one of these ways is the publication of the way

allowing remote access.



(3) If the provider has been accredited accreditation withdrawn,

the provider of this information without delay to the



and documents) in accordance with § 4 para. 2 (a). a) to (d)), and (f)) and publish the

manner allowing remote access,



(b)) shall be published in at least one nationally distributed journal

provided for in the documents referred to in section 4, paragraph 4. 2 (a). a) to (d)), and (f)),



(c)) shall communicate to the signer or indicating the persons who have valid

qualified certificates or qualified system certificates

issued by that provider by sending a message by e-mail

to an e-mail address, if these persons indicated in the application for release

the certificate.



(4) the information referred to in paragraph 3 (b). (b)), and (c)) is a communication that

qualified certificates issued by that provider cannot continue to

use in accordance with § 11 para. 1 of the Act and issued qualified system

You cannot continue to use certificates in accordance with § 11 para. 2 of the Act.



§ 11



Qualification requirements



The activities corresponding to the roles according to the safety requirements of the standard

for trusted systems that is listed in point 1 of annex 1 to this

the Ordinance, persons who can exercise the



and higher education) has received within an accredited bachelor's

or master's degree program and have at least 3 years experience in

information technology or secondary education and at least

5 years of experience in the field of information technology, of which at least

1 year in the field of the provision of certification services,



b) have knowledge of a public key infrastructure and information

safety.



§ 12



The method of storage of information and documentation and formalities and documents

records



(1) the information and documentation referred to in § 6 (1). 5 and 6 of the Act must be

procured, stored and processed, keeping the demonstrability of the

their origin, availability, integrity, authenticity and time

confidentiality.



(2) the provider through safety literature demonstrates that the



and has identified all types) information and documentation according to § 6

paragraph. 5 and 6 of the Act, which holds and the form in which they are kept,



(b)) has identified the location where information and documentation



(c)) has established procedures for the retention of information and documentation, and for

manipulation of stored information and documentation so that the

ensure verifiability of their origin, the availability, integrity, time

authenticity and confidentiality, in accordance with the requirements of the Act and this order,



(d)) has established procedures for the storage of information and documentation, so that

the stored information and documentation has been able to demonstrate in the statutory period after

termination of validity of the certificate, to which information and documentation

apply,



(e) the liability of employees), or other individuals,

to ensure the retention of information and documentation, in compliance with the

procedures referred to in subparagraph (c)),



(f)), the way will be loaded with information and documentation

After a period of 10 years.



(3) if the provider stores the information and documentation referred to in § 6 (1).

5 and 6 of the Act after the expiry of 10 years, through the safety

documentation shows that



and) has end that information and documentation

kept,



(b) has established requirements) the storage and handling of information and

Similarly, the documentation referred to in paragraph 2.



section 13 of the



The particulars of the measures against misuse and forgery of certificates



(1) the provider can have data for creating electronic tags

designed for labelling qualified certificates issued and

qualified system certificates used only for marking

These certificates and for the labelling of the certificate revocation list.



(2) the provider ensures, in accordance with the requirements of the standard for

trusted systems that is listed in section 1 of annex 1 to this

the Decree,



and data management) in accordance with paragraph 1 in the course of their life cycle,



b) data management for authentication of their electronic tags to the respective

the data referred to in paragraph 1 in the course of their life cycle,



(c) the creation of qualified certificates) and qualified system

certificates.



(3) the activities referred to in paragraph 2



and may perform exclusively physical) persons who are for this activity

intended by the provider,



(b)) must be carried out according to the procedures laid down by the certification detailed

directive,



(c)) must be exercised in accordance with the system security policy.



(4) the provider is obliged to date for the creation of electronic tags

referred to in paragraph 1 after the end of their life cycle to destroy; about

minuted that contains



and a description of how to destroy data),



(b) destruction of data, date)



(c)) date of acquisition of registration,



(d)) the name or the name and signature of the person designated

provider to destroy data.



(5) for the marking referred to in paragraph 1 the provider uses the secure

cryptographic module.



(6) in the case of abuse or reasonable fears of abuse of its data

in accordance with paragraph 1 the provider without delay



and tombstones) qualified certificate that was this

data released



b) invalidating the certificate that was indicated by the data,



(c) a certificate that is revoked) was indicated by the data for creating

electronic tags, to which has been issued with the certificate referred to in subparagraph (b)),



(d) use of data) terminates in accordance with paragraph 1.



(7) If a provider of invalidating the qualified certificate

in accordance with paragraph 6 (a). and without delay)



and publish information about invalidation) of this certificate, indicating the

because of the revocation of the way allowing remote access, on the premises,

where contact with the user, and in at least one nationally

a distributed journal established in the policy, pursuant to section 4, paragraph 4. 2 (a). and)

to (d)),



(b) the signer or indicating) informs the person that they have a valid

qualified certificates or qualified system certificates

issued by that provider, for the revocation of certificates

by sending a message via electronic mail to the electronic

address, if these persons indicated in the application for the issuance of the certificate;

part of this information is the reason for the termination of the parent

qualified system certificate provider



(c) inform the Ministry about invalidation) of this certificate, indicating the

because of the tombstone.



§ 14



How to ensure the safety of the lists



(1) the list of issued certificates is safe, if the individual

certificate in this list to ensure integrity.



(2) the provider indicates an issued certificate revocation lists

electronic tags creation data pursuant to § 13 para. 1 and

via the secure cryptographic module.



§ 15



How to determine the date and time of issue or revocation of the certificate




(1) an indication of the date and time, indicating the hours, minutes, and seconds when it is

qualified certificate or qualified certificate

invalidated, and an indication of the date and time of the release of a list of invalid

certificates, which is a record of the certificate zneplatněném is identified,

are included in the data for the revocation of the certificate in the list

certificate revocation; other data are in the case of a qualified

at least certificate certificate number in accordance with § 12 para. 1 (b). (g))

law, and in the case of a qualified system certificate for at least

number of the certificate referred to in section 12a (e). (f)) of the Act.



(2) a statement referred to in paragraph 1 and the indication of the date and time of issue of the certificate are

part of the records of the events according to § 12 para. 2 (a). (b)).



(3) the trusted time synchronization systems with a coordinated universal

time must meet the requirements of the standard for trusted systems

that is listed in point 1 of annex 1 of this order.



section 16 of the



Data protection method used by the user



The provider protects electronic signature creation data, if it is

creates for the signer, and ensures the consistency of the data by

the requirements of the standard for trusted systems, which is mentioned in point 1

Annex No 1 of this order; the requirements of this standard specified for

protection of electronic signature creation data that the provider

creates for the signer, shall apply by analogy for data protection for

the creation of electronic tags, if the provider is created for

indicating the person.



§ 17



How certificate revocation



Provider in ensuring the invalidating of qualified certificates

or qualified system certificates



and continuous applications) provides for the revocation of qualified

certificate or qualified system certificates, at least

two independent ways,



(b)) ensures that safety requirements for invalidating

qualified certificates according to requirements of the standard for trustworthy

systems that is listed in section 1 of annex 1 of this order; the requirements of the

This standard established for the invalidating of qualified

certificates shall apply mutatis mutandis for the invalidating of qualified

system certificates.



section 18



How to ensure the accuracy of the determination of the time when you create a qualified

time stamps



(1) the provider may specify the time when you create a qualified

time stamps use only timekeeping, which is established on the

world time coordinated and has a provider about available appropriate

the technical documentation.



(2) the Timekeeping is eligible to ensure the accuracy of the determination of the time according to the

of this order, if it meets the following conditions:



and) making under paragraph 1 is repeated at intervals that are

determined by the provider on the basis of the type of measuring instrument of the time,

analysis of the effects of uncertainty on the declared time and reliability

linking to the world coordinated time,



(b)) is in sync with coordinated universal time, including

synchronization in the event of a leap second,



(c)) is protected against threats that could change its technical or

the metrological characteristics provided by establishing (a)).



§ 19



How to ensure the consistency of the data in a qualified time stamps and

the particulars of measures against counterfeiting qualified time stamps



(1) the provider can have data for creating electronic tags

designed for labelling qualified time stamps issued

used only for this purpose.



(2) the provider ensures the issuance of qualified time stamps,

including the implementation of mechanisms that will ensure that data in the electronic

the form, which are the subject of applications for qualified time

stamps, clearly correspond to the data in electronic form contained

in a qualified time stamp, issued in accordance



and with the requirements of the standard for) trusted systems that is listed in the

point 1 of annex 1 of this order, and



(b)) with the requirements of the Czech technical standards referred to in point 3 of annex 1 to this

the Decree.



(3) the provider shall be specified in the policy for issuing time stamps

the uncertainty of the time of the inserted into a timestamp. Uncertainty

time may not exceed 1 second.



(4) in the case of the occurrence of the event that affects the safety release

qualified time stamp or as to the accuracy of the time

It is inserted into it, the provider



and immediately breaks the issue) qualified time stamps, and to

the time when the condition and restored in accordance with the procedures laid down in the schedule for

crisis management and in the recovery plan,



(b) publish information about this) events in a way allowing remote

access,



(c) inform without delay) this event entities with which it has

concluded contractual relations, which may be affected by this event,



(d)) shall notify the Ministry of information of this event.



(5) If an event referred to in paragraph 4 has an effect on already issued by qualified

time stamps, and as a result, you cannot rely on them, the provider

shall publish without delay the information about this event also in at least one

nationally distributed journal specified in the policy for issuing

qualified time stamps; included in this notification are data

on the basis of which it is possible to determine which issued qualified time

the stamp was affected by this event.



(6) in the management of the data referred to in paragraph 1 the provider shall proceed as

When you manage data for labelling qualified certificates issued and

qualified system certificates according to § 13 para. 2 to 6.



(7) the world coordinated time-scale Prediction time takes place

in areas that are secure as secure area

the category of "confidential" under a special legal regulation ^ 1).



(8) the acquisition, storage and processing of documentation and information

related to the issuance of qualified time stamps the provider

proceed in accordance with § 12, and types of recorded events are

specified by the Czech technical standard referred to in point 3 of Annex No. 1

of this order.



section 20



Secure cryptographic module



(1) a cryptographic module that uses the provider for the activities

laid down by law and the provisions of this Decree and that satisfies the safety

the requirements for these modules as set out



and the standard for trustworthy) systems, which is mentioned in point 1

Annex No 1 of this order, or



(b)) in the standard, which is listed in item 11 or 12 of annex 1 to this

the Ordinance, at least for level 3,



from the cryptographic module is thread-safe.



(2) the safety procedures that secure cryptographic module support,

It is sufficient if



These procedures meet) safety requirements for these modules

in the standard for trusted systems that is listed in point 1 of the annex

# 1 of this order,



(b)) the module is used only for marking issued by qualified

certificates of qualified system certificates, list

certificate revocation or for labelling qualified time

stamps,



(c)) is to deploy and use the module in accordance with the technical documentation

the manufacturer or supplier,



(d)) the module is located and used in areas that are secure

Similarly to the secure area of the category "confidential" under the Special

legal regulation ^ 1).



(3) compliance with the requirements laid down in paragraph 1 (b). and) shall be evidenced by

proof of completion of the evaluation and certification of safe

cryptographic module according to the requirements of the standard for these modules,

that is set out in point 8 of Annex No. 1 of this Ordinance, or by

the requirements of the standard for these modules, which is mentioned in point 9 of annex

# 1 of this order.



(4) compliance with the requirements laid down in paragraph 1 (b). (b)) shall be evidenced by

the proof of the result safe according to the cryptographic module

paragraph 1 (b). (b)) and the proof of conformity assessment pursuant to § 9 para. 2

(a). (f)) of the Act.



(5) compliance with the requirements laid down in paragraph 2 shall be accompanied by

through



and safety documentation)



(b)) detailed description of the functions and the technical documentation of the safe

cryptographic module to the extent necessary for its acquisition.



(6) if the document referred to in paragraph 3 or paragraph 4, expired and

the provider is able to provide to the time the replacement of cryptographic

the safe from the cryptographic module the safety of its functions on the

the same level, which ensures in time before the expiry of the document

the module may be used, provided that the



and) without undue delay shall apply the measures which reasonably eliminates the

risks, on the basis of which the following documents are no longer valid,



(b)) in the risk analysis is risk status, such as when the document referred to in

paragraph 3 or paragraph 4, expired,



c) plan for crisis management shall determine the measures

the provider shall apply in order to ensure the required safety of its functions,



(d)) shall ensure that the implementation of the measures referred to in subparagraph (c)) was controlled,

to be able at any time to find out that these measures are not applied

or are not applied in full, and immediately remediate,




(e)) will launch its acquisition of secure cryptographic module.



section 21



Resources for creating secure electronic signatures



(1) the provider shall ensure that the means for safe building

of electronic signatures issued by,



and meet the requirements of these) the resources provided for the standard for these

resources, which is listed in section 10 of annex 1 of this order,



(b) should the assessed according to compliance) § 9 para. 2 (a). (f)) of the Act,



(c)) have been prepared and transmitted to the user by the provider in accordance with the

safety and functional requirements of the standard for trusted systems

that is listed in point 1 of annex 1 of this order,



(d)) have been prepared and transmitted to the user by the provider in accordance with the

technical and user documentation of its manufacturer or supplier.



(2) compliance with the requirements referred to in paragraph 1 (b). a), (c)) and (d)) shall be evidenced by



proof of completion of) the evaluation and certification of the device as

standard for secure electronic signature creation,

that is listed in section 10 of annex 1 of this order,



b) safety documentation,



c) detailed description of the functions and the technical and user documentation

evaluated the resource; user documentation must be in Czech

language.



THE HEAD OF THE SECOND



THE DATA PROTECTION REQUIREMENTS FOR THE CREATION OF ELECTRONIC TAGS



section 22



(1) Labelling data for creating electronic tags must be immediately

discontinued in the event of a failure of proper function of the device for creating

electronic tags or in case of failure of the features of the application that

It is being used; in the labelling may continue at a time when they are

resource and application listed in the proper state.



(2) the marking of data for creating electronic tags must be

immediately terminated in case of abuse or reasonable fear of

the abuse of these data.



(3) to indicate that a person creates and keeps track of events

associated with any management resources for creating

electronic tags and create an electronic data tag

that are stored in them, in the course of their entire life cycle.



Article 23 of the



(1) if there are data for creating electronic tags used to

labelling of data messages under section 11 (1) 2 of the Act may be

created, stored and used in cryptographic resource

for creating electronic brands (hereinafter referred to as "cryptographic

resource ") and may not be used for any purpose other than the creation of

electronic tags.



(2) If a cryptographic means referred to in paragraph 1 is not

a cryptographic module that meets the requirements set out in section 20 (2).

1 this order may be imposed solely in it



and for the creation of electronic data) brands,



(b)) data and applications necessary for the use of the data referred to in point I)

labelling of data messages and to transfer data to create an electronic

brands on other cryptographic means.



(3) a cryptographic means referred to in paragraph 2 may only be used

for



and) to create and save data and applications referred to in paragraph 2,



(b)) create an electronic tag.



(4) If a cryptographic means a cryptographic module that

It meets the requirements set out in section 20 (2). 1 of this order, it may

be created, saved, and used different data and applications, if the

the basis of a risk analysis, in which the risk was evaluated,

such use is not excluded.



(5) If a cryptographic resource enables you to transfer data for creating

electronic tags to another cryptographic resource must be

This method of transmission is trustworthy; cryptographic resource on which

data is transmitted, shall comply with the requirements of paragraphs 2 and 3, or

of paragraph 4.



section 24



(1) identifying the person who indicates the data messages under section 11 (1) 2

the law is a way to ensure the procedures that support

cryptographic data protection resources for creating electronic

brands through the internal directive, always



and for any handling) These cryptographic devices, in

during their entire life cycle, including the procedures for their

their use,



(b)) for the determination of persons for any permissions handling

cryptographic means,



(c)) for the safety of the environment in which they are used,

including upon the occurrence of an extraordinary event that may compromise their

the protection.



(2) a person referred to in paragraph 1 introduces the people that handle

with cryptographic means, with the procedures referred to in paragraph 1 to the extent

to the extent necessary for the performance of their duties.



(3) identifying the person continuously checks the correctness of the procedures referred to in

paragraphs 1 and 2 and under section 22 and 23 and in the event of the detection of deficiencies

the adoption of measures to eliminate them.



PART THREE



FINAL PROVISIONS



§ 25



Transitional provisions



(1) providers who are not accredited by the Ministry and the who

started providing qualified certification services, and

providers who have been granted accreditation for the activity

an accredited provider to the effective date of this order,

the provision of qualified certification services shall be in accordance with the

This Decree within 12 months from the date of publication of this order. In this

the period will follow the existing legal providers

regulations.



(2) if the supplier provides at least one qualified

the Certificate Services service to the effective date of this order, shall ensure the implementation of

the first audit of the information security management system within 2 years from the date of

entry into force of this Decree.



section 26



Regulation (EEC)



Repeals the Decree 366/2001 Coll. on the clarification of the conditions laid down in

articles 6 and 17 of the law on electronic signature and the refinements to the

electronic signature tools.



section 27 of the



The effectiveness of the



This Decree shall enter into force on the fifteenth day after its publication with the

exception of the provisions of section 22 to 24, which will become effective the first day of

the third calendar month following the date of its publication.



Minister:



Ing. Bérová born in r.



Č. 1



LIST OF NORMS AND STANDARDS



1. CWA 14167-1-Security Requirements for Trustworthy Systems Managing

Certificates for Electronic Signatures-Part 1: System Security

Requirements.



2. ETSI TS 101 456 CSN-electronic signatures and infrastructures;

Requirements for the CA issuing qualified procedures

certificates.



3. the ETSI TS 102 023 CSN-electronic signatures and infrastructures;

Requirements for timestamp authorities procedures.



4. ISO/IEC 17799-information technology-a set of procedures for

management of information security.



5. the CSN BS 7799-2-information security management system-

Specification with guidance for use.



6. ČSN ISO/IEC TR 13335-information technology-guidelines for the management of

IT security 1-3.



7. EN ISO 19011-guidelines for auditing management system

the quality and/or environmental management system.



8.14167-2-Cryptographic module of the CWA for CSP signing operations with

backup-Protection profile-CMCSOB PP.



9.14167-4-Cryptographic module of the CWA for CSP signing operations-

Protection profile-CMCSO PP.



10. CWA 14169-Secure signature-creation devices "EAL 4 +".



11. FIPS PUB 140-1-Security Requirements for Cryptographic Modules.



12. FIPS PUB 140-2-Security Requirements for Cryptographic Modules.



Č. 2



THE STRUCTURE OF THE CERTIFICATION POLICIES AND IMPLEMENTING DIRECTIVE



1. introduction



1.1 Overview



1.2 name and unambiguous identification of the document



1.3 Participating entities



1.3.1 certification authority ("CA")



1.3.2 registration authorities ("RA")



1.3.3. The holders of qualified certificates and signing or

indicate the persons who have applied for the issue of a qualified certificate

or a qualified system certificate (the certificate), and

to whom the certificate was issued



1.3.4 relying parties



1.3.5. Other participating entities



1.4 certificate usage



1.4.1 use of certificate Admissible



1.4.2 certificate use Restrictions



1.5 Policy Management



1.5.1 Organization administering the certificate policy or certificate

implementing directive



1.5.2 contact person or organizations, who manage the certification policy

certification an implementing directive



1.5.3. The body responsible for deciding on the compliance procedures of the provider

with the procedures of other certification service providers



1.5.4. The procedures for the approval of compliance under 1.5.3



1.6 Overview of used terms and abbreviations



2. the responsibility for the publication and storage of information and documentation



2.1 Storage information and documentation



2.2 publication of information and documentation



2.3 frequency of publication of information



2.4 control access to individual storage types



3. Identification and authentication



3.1 Naming



3.1.1 types of names



3.1.2 the request on významovost names



3.1.3 Anonymity and using the pseudonym



3.1.4 Rules for interpreting various name forms



3.1.5 Uniqueness of names



3.1.6 the trade marks



3.2 Initial identity validation



3.2.1 verification of compliance data, IE. to verify whether a person has the

electronic signature-creation data corresponding to the data for


authentication of electronic signatures or electronic creation data

the tag corresponding to the authentication of electronic data tags



3.2.2 verifying the identity of the legal person or organizational units of the State



3.2.3 verifying the identity of the natural person



3.2.4 Unverified information that applies to the holder of the certificate or

signing or indicating that the person



3.2.5 Authentication of specific rights



3.2.6 Criteria for interoperability



3.3 identification and authentication when you handle requests for data exchange

for the verification of the electronic signature or authentication data

electronic tags in the certificate



3.3.1 identification and authentication during a routine exchange of data for creating

electronic signatures or electronic data for creating brands and

the corresponding electronic signature or authentication data the data for

authentication electronic tags ("data matching")



3.3.2 identification and authentication when replacing a pair of data after the revocation of the

certificate



3.4 identification and authentication for revocation requests

certificate



4. The requirements for the certificate life cycle



4.1 application for issue of a certificate



4.1.1 the bodies authorised to lodge an application for issue of a certificate



4.1.2 the registration process and the responsibilities of the provider and the requester



4.2 Processing certificate requests



4.2.1. Identification and authentication



4.2.2. Acceptance or rejection of the application for a certificate



4.2.3 the certificate request processing time



4.3. the issue of the certificate



4.3.1 Acts in the course of issuing CA certificate



4.3.2 the notice of issue of the certificate, the holder of the certificate signer

or indicating that the person



4.4 Acceptance of the issued certificate



4.4.1 tasks connected with the taking over certificate



4.4.2 publication of certificates issued by the provider



4.4.3 notice of issue of the certificate, to other entities



4.5 use of paired data, and certificate



4.5.1 use of electronic signature creation data or data for

create an electronic tag and a holder of the certificate,

signing or indicating that the person



4.5.2 use of electronic signature-verification-data or data for

electronic tags and certificate authentication, the relying party



4.6 certificate renewal



4.6.1 the conditions for renewing a certificate



4.6.2 Bodies eligible for certificate renewal



4.6.3 the certificate renewal request processing



4.6.4 the notice of issue of the certificate, the holder of the certificate renewed

signing or indicating that the person



4.6.5 tasks connected with the takeover of the renewed certificate



4.6.6 the publication issued by the renewed certificates provider



4.6.7 the notice of issue of the renewed certificate to other entities



2.9 data exchange for e-signature authentication or data for

authentication of electronic tags in the certificate



4.7.1 the conditions for the exchange of data for the validation of electronic signatures, or

data for the verification of electronic tags in the certificate



4.7.2 the competent bodies should exchange data for authentication

electronic signature or electronic authentication data tags in the

certificate



4.7.3 processing the request to the authentication of electronic data interchange for

data for the verification of signatures or electronic tags



4.7.4 notification of issue of the certificate with the exchanged data for authentication

electronic signatures or electronic verification marks

signing or indicating that the person



4.7.5 tasks connected with the taking over of the certificate with the exchanged data for

authentication of electronic signatures or electronic verification

brands



4.7.6. The publication of certificates issued with the exchanged data for authentication

electronic signatures or electronic verification marks



4.7.7. The notice of issue of the certificate with the exchanged data for authentication

electronic signatures or electronic verification marks

other entities



4.8 data in the certificate Change



4.8.1. The conditions for the amendment of the particulars in the certificate



4.8.2 Bodies authorized to request a change to the data in the certificate



4.8.3 the change request processing information in the certificate



4.8.4 the notice of issue of the certificate with the changed data signing

or indicating that the person



4.8.5 tasks connected with the taking over of the certificate with the changed data



4.8.6 the publication of certificates issued with the changed data



4.8.7 the notice of issue of the certificate with the changed data to other entities



4.9 the tombstone and the suspension of the certificate



4.9.1 the conditions for revocation of the certificate



4.9.2 the bodies competent to apply for revocation of the certificate



4.9.3 the certificate revocation request



4.9.4 the grace period the certificate revocation request



4.9.5 the maximum time for which the provider must implement the requirement

on the revocation of the certificate



4.9.6 the obligations of relying party to verify that he was not

invalid certificate



4.9.7. Periodicity of the issuance of the certificate revocation list



4.9.8 the maximum delay in issuing the certificate revocation list



4.9.9. Authentication option status of certificate online ("OCSP")



4.9.10 certificate while validating the Statute Requirements online



4.9.11 other forms of revocation notification



4.9.12 Any differences the procedure in case of invalidation of compromise

electronic signature creation data or data for creating

electronic tags



4.9.13 conditions for the suspension of the certificate



4.9.14 bodies competent to request suspension of the certificate



4.9.15 requests for suspension of the certificate



4.9.16 limitation on the suspension of the certificate



4.10. Services related to the status of a certificate authentication



4.10.1 Operational characteristics



4.10.2 service availability



4.10.3 other characteristics status of certificate services



4.11 the termination of the provision of services for the holder of the certificate, signer

or indicating that the person



4.12 the Safekeeping of data for creating electronic signatures or data for

the creation of electronic tags for trusted third parties and their

restoration



4.12.1 policy and procedures for safekeeping and restoring data for creating

electronic signature creation data or electronic tags



4.12.2. Policy and procedures for encapsulating and restoring the encryption

the key for the session



5. Management, operational and physical security



5.1 physical security



5.1.1 the location and design of the



5.1.2 physical access



5.1.3 power and air conditioning



5.1.4. Effects of water



5.1.5 fire prevention measures and the protection of



5.1.6 media storage



5.1.7 waste disposal



5.1.8 Backups outside the building



5.2 process safety



5.2.1 trusted roles



5.2.2 number of persons required to ensure the individual activities



5.2.3 identification and authentication for each role



5.2.4 Roles requiring separation of duties



5.3 Personnel Security



5.3.1 Requirements on qualifications, experience and integrity



5.3.2. the assessment of the reliability of the people



5.3.3. the requirements for the preparation for the performance of the role, initial training



5.3.4 Requirements and frequency of training



5.3.5 Periodicity and sequence of rotation of staff between the different roles



5.3.6 sanctions for unauthorized actions of employees



5.3.7 independent contractor requirements (vendor)



5.3.8 documentation provided to employees



3.4 Audit records (logs)



5.4.1 types of event recorded



5.4.2 frequency of processing records



5.4.3 retention period of audit records



5.4.4 Protection of audit records



5.4.5 backup procedures for the audit of records



5.4.6 audit collection system records (internal or external)



5.4.7 notification of event procedure to the body that caused it



5.4.8 Vulnerability Assessments



5.5 storage of information and documentation



5.5.1 types of information and documentation, to be kept



5.5.2 retain stored information and documentation



5.5.3 storage security of stored information and documentation



5.5.4 the procedures to back up stored information and documentation



5.5.5 requirements for using the time stamps in the storage of information

and documentation



5.5.6 the collection system of stored information and documentation

(internal or external)



5.5.7 Procedures to obtain and verify information and retained

documentation



5.6 data exchange for verification of electronic tags in the underlying

qualified system certificate provider



5.7 disaster recovery or the possibility



5.7.1 procedure in case of an incident and compromise



5.7.2 the corruption of computing resources, software and/or data



5.7.3 Procedure when data being compromised for the creation of electronic tags

provider



5.7.4 the ability to recover after a disaster



5.8 cessation of activities of a CA or RA



6. Technical safety



6.1 data generation and installation ".



6.1.1. a pair of data Generation



6.1.2. To pass data for creating electronic signatures or data for

create an electronic tag or signing indicating person



6.1.3 pass data for authentication of electronic signatures or data for

verification of the certification services provider electronic tags




6.1.4. the provision of data for the validation of electronic signatures or data for

authentication of electronic certification authority which draws with markers

Parties



6.1.5. The length of the matched data



6.1.6 parameters of data Generation for authentication of electronic signatures

data for authentication or electronic tags and checking the quality of the



6.1.7. the restrictions on the use of data for authentication of electronic signatures, or

data for the verification of electronic tags



6.2 protection of data for creating electronic signatures or data for

the creation of electronic tags and security of cryptographic modules



6.2.1 standards for cryptographic modules, and terms of use



6.2.2 Sharing Secrets



6.2.3. Storage of data for creating electronic signatures or data for

the creation of electronic tags



6.2.4 data backup for creating electronic signatures or data for

the creation of electronic tags



6.2.5 storage of data for creating electronic signatures or data for

the creation of electronic tags



6.2.6 Transfer data for creating electronic tags to

a cryptographic module or of cryptographic module



6.2.7 save data for creating electronic tags in cryptographic

module



6.2.8 How to activate electronic signature creation data or

data for the creation of electronic tags



6.2.9 to deactivate the electronic signature creation data

or data for creating electronic tags



Repeat the procedure for the destruction of the electronic signature creation data or

data for the creation of electronic tags



6.2.11 cryptographic module Rating



6.3 other aspects of the administration of the matched data



6.3.1. Retention of data for the validation of electronic signatures or data for

authentication of electronic tags



6.3.2. The maximum period of validity of a certificate issued from a signer or

indicate the person and matched data



6.4 Activation data



6.4.1 activation data generation and installation



6.4.2 activation data Protection



6.4.3 other aspects of activation data



6.5 computer security



6.5.1 Specific computer security technical requirements



6.5.2 computer security Rating



6.6 Safety life cycle



6.6.1 system development Management



6.6.2 security management Controls



6.6.3 life cycle security management



6.7 network security



6.8 time stamps



7. the certificate profiles, certificate revocation list and OCSP



7.1 certificate profile



7.1.1 version number



7.1.2 certificate Extension items in the



7.1.3 Object identifiers ("OID") algorithms



7.1.4 ways to write names and names



7.1.5 name Constraints and names



7.1.6 certificate policy OID



7.1.7 Expansion entry "Policy Constraints"



7.1.8 syntax and semantics policy qualifiers item expansion

"Policy Qualifiers"



7.1.9 How to write a critical expansion of the item "Certificate Policies"



7.2 the certificate revocation list Profile



7.2.1 version number



7.2.2. The expansion of the certificate revocation list items and records in a

certificate revocation list



7.3 OCSP Profile



7.3.1 version number



7.3.2 the OCSP Extension items



8. Evaluation of compliance and other reviews



8.1 Frequency or circumstances of assessment for design reviews



8.2 Identity and qualifications of assessor



8.3 assessor's relationship to the rated entity



5.2 Rated area



5.3 the procedure in the event of deficiencies



8.6 communication of results of the evaluation



9. other business and Legal Affairs



5.7 Fees



9.1.1 Fees for the issue or renewal of the certificate



9.1.2 fees for access to the certificate to the list of issued certificates



9.1.3 fees for information about the status of the certificate or a revocation of the

certificate



9.1.4 charges for other services



9.1.5 any other provisions relating to fees (including reimbursements)



9.2 financial responsibility



9.2.1 Cover insurance



9.2.2 for more assets and guarantees



9.2.3 insurance or warranty coverage for end users



9.3 Sensitivity business information



9.3.1. the Enumeration of sensitive information



9.3.2 Information outside of sensitive information



9.3.3 responsibility for protection of sensitive information



5.8 privacy policy



9.4.1 privacy policy



9.4.2. Personal data



9.4.3 Information not considered sensitive



9.4.4 responsibility for protection of personal data



9.4.5 Notice about the use of confidential information and consent to the use

sensitive information



9.4.6 Provide sensitive information for judicial or administrative purposes



9.4.7 Other circumstances of disclosure of personal data



9.5 intellectual property rights



9.6. Representation and warranties



9.6.1 the representation and warranties CA



Representation and warranties 9.6.2 RA



Representation and warranties 9.6.3 of the holder of the certificate, signer, or

denoting persons



9.6.4 representation and relying party guarantee



9.6.5 Representation and warranties of other participating entities



6.0 Disclaimer of warranties



6.1 limitation of liability



6.2 responsibility for the damage compensation



9.10. term, termination



9.10.1 validity period



9.10.2 termination



9.10.3. Consequences of termination and continuation of the obligations



9.11 Communication between stakeholders



9.12 Amendments



9.12.1 Procedure for amendments



9.12.2. Procedure for notification of changes



9.12.3 Circumstances in which OID must be changed



9.13 dispute resolution



9.14 governing law



9.15 Compliance with legal regulations



9.16. Other provisions



9.16.1 framework agreement



9.16.2 the cession of rights



9.16.3 Severability of provisions



9.16.4 Disclaimer



9.16.5 majeure



9.17 other measures



1) Decree No. 528/2005 Coll. on physical safety and certification

technical means.