378/2006 Sb.
DECREE
of 19 July 2006
on the procedures of qualified certification service providers,
on requirements for electronic signature tools and on requirements
for the protection of data for the creation of electronic tags (Decree on the
procedures of qualified certification service providers)
The Ministry of Informatics (hereinafter referred to as "the Ministry") lays down,
pursuant to § 20 paragraphs 1, 2, 3 and 5 of Act No. 227/2000 Coll., on electronic
signature and on amendments to certain other laws (the Electronic Signature Act), as
amended by Act No. 517/2002 Coll. and Act No. 440/2004 Coll. (hereinafter referred to as
the "Act"):
PART ONE
GENERAL PROVISIONS
§ 1
Subject matter
(1) This Decree lays down
a) the method of complying with the information obligations under § 6 paragraph 1 (a)
and (f) and paragraph 3 of the Act, the qualification requirements under § 6
paragraph 1 (b) of the Act, the requirements for secure systems and secure tools
under § 6 paragraph 1 (c) and (d) of the Act, the method of storage of information
and documentation under § 6 paragraphs 5 and 6 of the Act, and the manner in which
compliance with these requirements is demonstrated,
b) the method of ensuring the security of the lists under § 6a paragraph 1 (e) and (f)
of the Act, the specification of the date and time under § 6a paragraph 1 (g) of the
Act, the particulars of the measures under § 6a paragraph 1 (h) of the Act, the method
of complying with the information obligations under § 6a paragraph 1 (i) of the Act,
the method of protecting data and ensuring their consistency under § 6a paragraph 2
of the Act, the method of revocation of a certificate under § 6a paragraphs 3 and 4
of the Act, and the manner in which compliance with these requirements is demonstrated,
c) the method of ensuring the accuracy of the time when creating a qualified
time stamp under § 6b paragraph 1 (b) of the Act, the method of ensuring the
consistency of data under § 6b paragraph 1 (c) of the Act, the particulars of the
measures under § 6b paragraph 1 (d) of the Act, the method of complying with the
information obligations under § 6b paragraph 1 (e) of the Act, and the manner in
which compliance with these requirements is demonstrated,
d) the method of ensuring the procedures that must be supported by a means for
secure electronic signature creation when protecting data for creating
electronic signatures under § 17 of the Act and by a means for creating
electronic tags when protecting data for creating electronic tags under § 17a
of the Act, and the manner in which compliance with these requirements is
demonstrated.
(2) This Decree has been notified in accordance with Directive 98/34/EC of the
European Parliament and of the Council of 22 June 1998 laying down a procedure for
the provision of information in the field of technical standards and regulations and
of rules on information society services, as amended by Directive 98/48/EC.
§ 2
Definitions of certain terms
For the purposes of this Decree,
a) superior qualified system certificates means qualified system certificates
that contain the data for verifying an electronic tag corresponding to the data
for creating an electronic tag with which the provider marks issued qualified
certificates, issued qualified system certificates, lists under § 6a
paragraph 1 (f) of the Act, and issued qualified time stamps,
b) list of issued certificates means a list that has the particulars under § 6a
paragraph 1 (e) of the Act and meets the requirements of this Decree,
c) certificate revocation list means a list that has the particulars under § 6a
paragraph 1 (f) of the Act and meets the requirements of this Decree,
d) security documentation means the set of documents which the provider has
drawn up in accordance with this Decree and in which it lays down the principles
and all of the procedures applied in the provision of qualified
certification services,
e) secure electronic signature tool means a cryptographic module which the
provider uses for the activities laid down by this Decree and which meets the
requirements of this Decree,
f) critical activities of the provider means receiving requests for the
revocation of certificates, revoking certificates, and issuing the certificate
revocation list, and other activities that the provider identifies in its
risk analysis as critical activities,
g) extraordinary event means an event that threatens the provision of
qualified certification services and occurs mainly as a result of the failure
of a trusted system or technical equipment, or the occurrence of a factor that
is not under the control of the provider,
h) uncertainty of the time means the possible deviation of the time-measuring
device from Coordinated Universal Time, in total with the uncertainty of the time.
PART TWO
PROCEDURES OF QUALIFIED CERTIFICATION SERVICE PROVIDERS AND PROTECTION
OF DATA FOR THE CREATION OF ELECTRONIC TAGS
CHAPTER ONE
PROCEDURES OF PROVIDERS
§ 3
Requirements for secure systems
Systems under § 6 paragraph 1 (c) and (d) of the Act (hereinafter referred to as
"trusted systems") are secure, and the security of the procedures that these systems
support is sufficient, if a qualified certification service provider
(hereinafter referred to as "provider")
a) uses trusted systems and procedures that meet the requirements of
the standard for these systems referred to in point 1 of Annex 1 to this
Decree, and the requirements of the Czech technical standards referred to in points 2
and 3 of Annex 1 to this Decree; the requirements of those standards and Czech
technical standards established for trusted systems used for
the issuance and management of qualified certificates shall apply mutatis mutandis to
trusted systems used for the issuance and management of qualified
system certificates,
b) follows, in the security management of trusted systems, the Czech
technical standards referred to in point 4 of Annex 1 to this Decree, and has
introduced and applies an information security management system according to the Czech
technical standards referred to in point 5 of Annex 1 to this Decree,
c) uses premises in which the creation of qualified certificates or qualified
system certificates, qualified time stamps and means for creating electronic
signatures, the revocation of qualified certificates or qualified system
certificates, the creation of certificate revocation lists, any handling of data
for creating electronic tags and the corresponding data for verifying the
electronic tags of the provider, the handling of the provider's qualified
system certificates, and the creation of records of events connected
with these activities are carried out, secured as a secured
area of the category "Confidential" under a special legal regulation ^1) and is
handled by the documentation provided for in this regulation,
d) has security documentation in place and continuously updated,
e) acts in accordance with the principles and procedures laid down in the security
documentation,
f) carries out security compliance checks under this Decree,
g) carries out audits of the information security management system under this
Decree.
§ 4
Security documentation
(1) Unless otherwise provided, the provider demonstrates fulfilment of the
obligations laid down by the Act and of the requirements laid down by this Decree
through the security documentation.
(2) The security documentation consists of the following documents:
a) the certification policy for issuing qualified certificates,
if the provider provides this service,
b) the certification policy for issuing qualified system
certificates, if the provider provides this service,
c) the policy for issuing qualified time stamps, if
the provider provides this service,
d) the policy for issuing means for secure electronic signature
creation, if the provider provides this service,
e) the certification policy for issuing superior qualified
system certificates,
f) the message to the user of the services referred to in (a) to (d), if
the provider provides these services,
g) the certification implementing directive or another implementing directive for
the services referred to in (a) to (e),
h) the overall security policy,
i) the system security policy,
j) the crisis management plan and the recovery plan,
k) other documents of the provider which are referenced in the documents referred
to in (a) to (j) or which contain the detailed rules and
detailed procedures by which the provider ensures the security of
the qualified certification services provided; it must be clear from the security
documentation what procedures the provider applies when
ensuring the security of the systems under § 6 paragraph 1 (c) and (d) of the Act.
§ 5
Content of the security documentation
(1) The content of the policies under § 4 paragraph 2 (a) to (d) is always
a) the establishment of the provider's policy in the provision of
qualified certification services,
b) in the case of the issuance of qualified certificates or qualified
system certificates, a description of the properties of the data for creating
electronic signatures or data for creating electronic tags and
the corresponding data for verifying electronic signatures or data
for verifying electronic tags, which are created by the person requesting
the issue of the certificate or by the provider, and for which
the certificate is to be issued; cryptographic algorithms and their
parameters that can be used for this data are published by
the Ministry on its notice board,
c) in the case of the issuance of qualified time stamps
1. the cryptographic algorithms that can be used when creating
the fingerprint of the data to be marked by a qualified time stamp, and
the parameters of these algorithms,
2. the accuracy of the time in the time stamp in relation to
Coordinated Universal Time.
(2) The content of the message to the user under § 4 paragraph 2 (f)
consists of information about the identification data of the provider and a basic
overview of the qualified certification services and their use.
(3) The content of the implementing directive under § 4 paragraph 2 (g) is always
the procedures applied by the provider in the provision of
each qualified certification service.
(4) The content of the overall security policy under § 4 paragraph 2 (h)
always establishes the objectives and a description of how the security of the
provider's trusted systems is ensured, specifies the principles and rules relating
to security in trusted systems, and determines the powers and responsibilities
for security.
(5) The system security policy under § 4 paragraph 2 (i) is
drawn up on the basis of a risk analysis related to the operation of
trusted systems. In the risk analysis the provider defines the assets of
these systems, the threats that act on them, the vulnerabilities of the systems,
an estimate of the probability of occurrence of threats and their consequences, and
specifies appropriate security measures.
(6) The content of the system security policy is always
a) the setting of objectives for the protection of information,
b) the determination of the means of ensuring security,
c) the determination of powers and responsibilities in the operation of the trusted
systems,
d) the rules and procedures specifically defining the management and protection
of information technology, assets and information systems, and the method of
distributing information within the trusted systems and to other systems
that are linked to the trusted systems,
e) the application of the overall security policy in relation to
the operation of the trusted systems,
f) a description of the trusted systems and their internal, external and mutual
links,
g) an evaluation of the risk analysis and a description of the security measures
referred to in paragraph 5,
h) the method of distributing time within the trusted systems, where
the provider provides the service of issuing qualified time
stamps.
(7) The crisis management plan under § 4 paragraph 2 (j)
contains the definition of the procedures to be applied in the event of
an extraordinary event.
(8) The recovery plan under § 4 paragraph 2 (j) includes a strategy for
trusted systems, which needs to be implemented for
a) maintaining the critical activities of the provider in the shortest possible
time,
b) the restoration of the proper function of the trusted systems.
§ 6
Requirements for drawing up the security documentation
(1) The structure of the certification policy under § 4 paragraph 2 (a), (b) and (e)
and of the implementing directive under § 4 paragraph 2 (g) is given
in Annex 2 to this Decree.
(2) For items of the structure listed in Annex 2 to this Decree that are not used
when drawing up the security documentation because the provider does not carry out
the activity in question, this fact shall be stated.
(3) When drawing up the overall security policy under § 4
paragraph 2 (h) and the system security policy under § 4 paragraph 2 (i),
the provider proceeds according to the Czech technical standards referred to
in points 4 and 6 of Annex 1 to this Decree.
§ 7
Publication of documents
(1) The provider publishes the documents referred to in § 4 paragraph 2 (a) to
(d) and (f) in their entirety.
(2) The provider may publish the certification implementing directive or
another implementing directive under § 4 paragraph 2 (g), to the extent that this
does not compromise the security of the services provided.
(3) Publication under paragraphs 1 and 2 means publication in a manner
allowing remote access and on premises where contact with the
user takes place.
§ 8
Security compliance check
(1) The objective of the security compliance check under § 3 (f) is to verify that
a) the provider operates trusted systems in accordance with the Act and with
this Decree,
b) the provider makes changes to the trusted systems in accordance with the
provider's security documentation, namely with those parts of it
governing change management.
(2) The security compliance check covers
a) all trusted systems of the provider (overall security
compliance check), or
b) all the changes referred to in paragraph 1 (b) that the provider has made
since the previous security compliance check, and their influence on
the provider's trusted systems, or verification of whether such
changes have occurred (partial security compliance check).
(3) The overall security compliance check is carried out not later than 1
year from the commencement of the provision of qualified certification services and
subsequently at least after 4 years from the previous overall security
compliance check, provided that during these 4 years
partial security compliance checks are carried out, between which at
most 1 year elapses and the first of which takes place within 1 year of the overall
security compliance check.
(4) If partial security compliance checks under
paragraph 2 (b) are not carried out, the overall security compliance check is
carried out at intervals of not more than 1 year.
(5) The security compliance check is carried out according to the requirements of
the Czech technical standards referred to in point 6 of Annex 1 to this Decree.
(6) The provider ensures that a report on the security compliance check is
drawn up, the content of which is
a) the definition of the subject of the security compliance check; in the case of
an overall security compliance check, the definition of all trusted systems under
paragraph 2 (a), indicating the qualified certification services
that are provided through these systems, or in the case of
a partial security compliance check, the definition of the changes under paragraph 2
(b) that the provider has made since the previous security
compliance check, and the definition of the qualified certification services
provided through the trusted systems that these
changes affected,
b) unambiguous identification of the documentation that was subject to the
security compliance check,
c) a description of the security compliance check,
d) the name or names and surname of the person carrying out the
security compliance check; this person may be in an
employment relationship with the provider,
e) a statement of the result of the security compliance check, part of which is
a statement that the provider has trusted systems in
accordance with paragraph 1.
(7) If the security compliance check finds that
the provider does not operate trusted systems in accordance with paragraph 1
(a) or does not make changes to trusted systems in accordance with
paragraph 1 (b), a remedy must be achieved, which is
documented and verified in the course of the same security compliance check.
(8) The provider submits the report on the security compliance check to the
Ministry within 30 days of the check.
§ 9
Audit of information security management system
(1) The objective of the audit of the information security management system under
§ 3 (g) is objective and independent verification that the provider has introduced
and applies, in the trusted systems, an information security management system
according to the Czech technical standards referred to in point
5 of Annex 1 to this Decree.
(2) If the information security management system in the
trusted systems is certified for compliance with the Czech
technical standard referred to in point 5 of Annex 1 to this Decree,
the requirement for an audit of the information security management system is
considered to be met.
(3) The audit of the information security management system is carried out
according to the requirements of the standard referred to in point 7 of Annex 1 to
this Decree; the entity that performs the audit of the information security
management system is, in relation to the provider, an external, independent auditing
organisation in accordance with the requirements of the standard referred to in
point 7 of Annex 1 to this Decree.
(4) The provider always provides the entity performing the audit of the information
security management system with the report on the security compliance check
under § 8 paragraph 6, if one has already been carried out, and with the security
documentation.
(5) The report on the audit of the information security management system includes
a) the definition of the subject of the audit of the information security management
system, where the definition of the subject of the audit means the definition of the
qualified certification services that are provided through the
trusted systems,
b) unambiguous identification of the documentation that was the subject of the audit
of the information security management system and was provided by the provider to
the entity performing the audit,
c) a statement by the entity performing the audit of the information security
management system on the results of the audit carried out,
which includes a declaration of compliance with the requirements referred to in
paragraph 1.
(6) If in the course of the audit of the information security management system
it is found that the provider has not introduced and does not apply in the trusted
systems an information security management system in accordance with the requirements
referred to in paragraph 1, a remedy must be achieved. The remedy
must be documented and verified by the audit.
(7) The provider shall ensure that the statement of the result of the audit of the
information security management system is published in the message to the user.
(8) The provider shall ensure that the audit of the information security management
system is carried out before the start of the provision of the first qualified
certification service and then at least every 2 years.
§ 10
Method of fulfilling the information obligations
(1) The provider fulfils the information obligation by stating in the documents
referred to in § 4 paragraph 2 (a) to (d) and (f)
a) if it is a legal person, its business name or name, legal form and registered
office; if it is a natural person, the name or names, surname, place of
business and identification number, if one has been assigned,
b) an indication of whether it is accredited by the Ministry,
c) the exact conditions for the use of the qualified certification services,
including any restrictions on their use set by the
provider, and the terms for complaints and dispute resolution,
d) an indication of where and how its superior
qualified system certificates are available,
e) the manner in which it ensures the provision of information to third parties
under § 6a paragraph 1 (i) of the Act, if it provides the qualified
certification service in question, including the contact details that
a third person may use when requesting this information, and the maximum time
that may elapse between the request and the provision of the information,
f) the manner in which it ensures the provision of information to third parties
under § 6b paragraph 1 (e) of the Act, if it provides the qualified
certification service in question, including the contact details that
a third person may use when requesting this information, and the maximum time
that may elapse between the request and the provision of this
information.
(2) The superior qualified system certificates referred to in paragraph 1
(d) shall be published in at least two independent ways,
at least one of which is publication in a manner
allowing remote access.
(3) If the provider's accreditation has been withdrawn,
the provider shall without delay
a) state this information in the documents under § 4 paragraph 2 (a) to (d) and (f)
and publish it in a manner allowing remote access,
b) publish it in at least one nationally distributed journal
specified in the documents referred to in § 4 paragraph 2 (a) to (d) and (f),
c) communicate it to the signing or marking persons who hold valid
qualified certificates or qualified system certificates
issued by that provider, by sending a message by e-mail
to the e-mail address, if these persons stated one in the application for the issue
of the certificate.
(4) The information referred to in paragraph 3 (b) and (c) is a notice that
qualified certificates issued by that provider can no longer be
used in accordance with § 11 paragraph 1 of the Act and issued qualified system
certificates can no longer be used in accordance with § 11 paragraph 2 of the Act.
§ 11
Qualification requirements
The activities corresponding to the roles according to the security requirements of
the standard for trusted systems that is listed in point 1 of Annex 1 to this
Decree may be performed by persons who
a) have obtained higher education within an accredited bachelor's
or master's degree programme and have at least 3 years of experience in
information technology, or secondary education and at least
5 years of experience in the field of information technology, of which at least
1 year in the field of the provision of certification services,
b) have knowledge of public key infrastructure and information
security.
§ 12
The method of storage of information and documentation and formalities and documents
records
(1) The information and documentation referred to in § 6 paragraphs 5 and 6 of the
Act must be acquired, stored and processed while preserving the demonstrability of
their origin, availability, integrity, time authenticity and
confidentiality.
(2) The provider demonstrates through the security documentation that it
a) has identified all types of information and documentation under § 6
paragraphs 5 and 6 of the Act which it keeps, and the form in which they are kept,
b) has identified the location where the information and documentation are kept,
c) has established procedures for the retention of information and documentation, and
for the handling of stored information and documentation, so as to
ensure verifiability of their origin, availability, integrity, time
authenticity and confidentiality, in accordance with the requirements of the Act and
this Decree,
d) has established procedures for the storage of information and documentation so
that the stored information and documentation can be produced within the statutory
period after the termination of validity of the certificate to which the information
and documentation relate,
e) has determined the responsibility of employees, or other natural persons,
for ensuring the retention of information and documentation in compliance with the
procedures referred to in (c),
f) has determined how the information and documentation will be handled
after the expiry of the period of 10 years.
(3) If the provider stores the information and documentation referred to in § 6
paragraphs 5 and 6 of the Act after the expiry of 10 years, it demonstrates through
the security documentation that it
a) has set the end of the period for which that information and documentation
are kept,
b) has established requirements for the storage and handling of the information and
documentation similarly to paragraph 2.
§ 13
Particulars of the measures against misuse and forgery of certificates
(1) The provider may use the data for creating electronic tags
designated for marking issued qualified certificates and
qualified system certificates only for marking
these certificates and for marking the certificate revocation list.
(2) The provider ensures, in accordance with the requirements of the standard for
trusted systems that is listed in point 1 of Annex 1 to this
Decree,
a) the management of the data under paragraph 1 in the course of their life cycle,
b) the management of the data for verifying electronic tags corresponding to
the data under paragraph 1 in the course of their life cycle,
c) the creation of qualified certificates and qualified system
certificates.
(3) The activities referred to in paragraph 2
a) may be performed exclusively by natural persons who are designated for this
activity by the provider,
b) must be carried out according to the procedures laid down by the certification
implementing directive,
c) must be carried out in accordance with the system security policy.
(4) The provider is obliged to destroy the data for creating electronic tags
referred to in paragraph 1 after the end of their life cycle; a record is made
of this, which contains
a) a description of the method of destroying the data,
b) the date of destruction of the data,
c) the date the record was made,
d) the name or names and signature of the person designated by the
provider to destroy the data.
(5) For the marking referred to in paragraph 1 the provider uses a secure
cryptographic module.
(6) In the case of misuse, or reasonable concern about misuse, of its data
under paragraph 1, the provider without delay
a) revokes the qualified certificate that was issued for these
data,
b) revokes the certificate that was marked with these data,
c) revokes the certificate that was marked with the data for creating
electronic tags for which the certificate referred to in (b) was issued,
d) terminates the use of the data under paragraph 1.
(7) If the provider revokes the qualified certificate
under paragraph 6 (a), it without delay
a) publishes information about the revocation of this certificate, stating the
reason for the revocation, in a manner allowing remote access, on the premises
where contact with the user takes place, and in at least one nationally
distributed journal specified in the policy under § 4 paragraph 2 (a)
to (d),
b) informs the signing or marking persons who hold valid
qualified certificates or qualified system certificates
issued by that provider of the revocation of the certificates
by sending a message by electronic mail to the electronic
address, if these persons stated one in the application for the issuance of the
certificate; part of this information is the reason for the termination of the
validity of the provider's superior qualified system certificate,
c) informs the Ministry of the revocation of this certificate, stating the
reason for the revocation.
§ 14
Method of ensuring the security of the lists
(1) The list of issued certificates is secure if the integrity of the individual
certificates in this list is ensured.
(2) The provider marks issued certificate revocation lists with
the data for creating electronic tags under § 13 paragraph 1,
by means of a secure cryptographic module.
§ 15
Method of specifying the date and time of issue or revocation of a certificate
(1) An indication of the date and time, stating the hours, minutes and seconds, when
a qualified certificate or qualified system certificate was
revoked, and an indication of the date and time of issue of the certificate
revocation list in which the record of the revoked certificate is stated,
are included in the data on the revocation of the certificate in the certificate
revocation list; further data are, in the case of a qualified
certificate, at least the certificate number under § 12 paragraph 1 (g) of the
Act, and in the case of a qualified system certificate, at least
the certificate number under § 12a (f) of the Act.
(2) The data referred to in paragraph 1 and the indication of the date and time of
issue of the certificate are part of the records of events under § 12 paragraph 2 (b).
(3) The synchronization of the time of the trusted systems with Coordinated
Universal Time must meet the requirements of the standard for trusted systems
that is listed in point 1 of Annex 1 to this Decree.
§ 16
Method of protecting data used by the user
The provider protects the data for creating electronic signatures, if it
creates them for the signing person, and ensures the consistency of the data
according to the requirements of the standard for trusted systems referred to in
point 1 of Annex 1 to this Decree; the requirements of this standard specified for
the protection of data for creating electronic signatures that the provider
creates for the signing person shall apply by analogy to the protection of data for
creating electronic tags, if the provider creates them for
the marking person.
§ 17
Method of certificate revocation
When ensuring the revocation of qualified certificates
or qualified system certificates, the provider
a) provides for the continuous receipt of requests for the revocation of a qualified
certificate or qualified system certificate, in at least
two independent ways,
b) ensures compliance with the security requirements for the revocation of
qualified certificates according to the requirements of the standard for trusted
systems that is listed in point 1 of Annex 1 to this Decree; the requirements of
this standard established for the revocation of qualified
certificates shall apply mutatis mutandis to the revocation of qualified
system certificates.
§ 18
Method of ensuring the accuracy of the determination of time when creating qualified
time stamps
(1) To determine the time when creating qualified
time stamps, the provider may use only a time-measuring device that is linked to
Coordinated Universal Time and for which the provider has appropriate
technical documentation available.
(2) The time-measuring device is suitable for ensuring the accuracy of the
determination of time under this Decree if it meets the following conditions:
a) the linking under paragraph 1 is repeated at intervals that are
determined by the provider on the basis of the type of time-measuring device,
an analysis of the effects of uncertainty on the declared time, and the reliability
of the linking to Coordinated Universal Time,
b) it is synchronized with Coordinated Universal Time, including
synchronization in the event of a leap second,
c) it is protected against threats that could change its technical or
metrological characteristics established by the linking under (a).
§ 19
Method of ensuring the consistency of data in qualified time stamps and
the particulars of measures against the counterfeiting of qualified time stamps
(1) The provider may use the data for creating electronic tags
intended for marking issued qualified time stamps
only for this purpose.
(2) The provider ensures the issuance of qualified time stamps,
including the implementation of mechanisms that ensure that the data in
electronic form that are the subject of an application for a qualified time
stamp unambiguously correspond to the data in electronic form contained
in the issued qualified time stamp, in accordance
a) with the requirements of the standard for trustworthy systems listed in
point 1 of Annex No 1 to this Decree, and
b) with the requirements of the Czech technical standard referred to in point 3
of Annex No 1 to this Decree.
(3) The provider shall specify in the policy for issuing time stamps
the uncertainty of the time inserted into a time stamp. The time
uncertainty may not exceed 1 second.
(4) In the event of an occurrence that affects the security of issuing
qualified time stamps or the accuracy of the time
inserted into them, the provider
a) immediately suspends the issuance of qualified time stamps until
the time when the condition is restored in accordance with the procedures laid
down in the crisis management plan and in the recovery plan,
b) publishes information about this event in a manner allowing remote
access,
c) informs without delay of this event the entities with which it has
concluded contractual relations and which may be affected by this event,
d) notifies the Ministry of this event.
(5) If an event referred to in paragraph 4 affects already issued qualified
time stamps, and as a result they cannot be relied upon, the provider
shall publish without delay the information about this event also in at least
one nationally distributed journal specified in the policy for issuing
qualified time stamps; this notice shall include data
on the basis of which it is possible to determine which issued qualified time
stamps were affected by this event.
(6) In managing the data referred to in paragraph 1, the provider shall
proceed as when managing data for marking issued qualified certificates and
qualified system certificates according to § 13 para. 2 to 6.
(7) The prediction of the Coordinated Universal Time scale is produced
in premises that are secured like a secured area of
the category "Confidential" under a special legal regulation ^1).
(8) In acquiring, storing and processing documentation and information
related to the issuance of qualified time stamps, the provider
shall proceed in accordance with § 12, and the types of recorded events are
specified by the Czech technical standard referred to in point 3 of Annex No 1
to this Decree.
§ 20
Secure cryptographic module
(1) A cryptographic module that the provider uses for the activities
laid down by the Act and by this Decree and that satisfies the security
requirements for these modules as set out
a) in the standard for trustworthy systems listed in point 1 of
Annex No 1 to this Decree, or
b) in the standard listed in point 11 or 12 of Annex No 1 to this
Decree, at least for level 3,
is a secure cryptographic module.
(2) The security of the procedures that support the secure cryptographic
module is sufficient if
a) these procedures meet the security requirements for these modules
in the standard for trustworthy systems listed in point 1 of Annex
No 1 to this Decree,
b) the module is used only for marking issued qualified
certificates, qualified system certificates and certificate revocation
lists, or for marking qualified time
stamps,
c) the module is deployed and used in accordance with the technical
documentation of the manufacturer or supplier,
d) the module is located and used in premises that are secured
similarly to a secured area of the category "Confidential" under a special
legal regulation ^1).
(3) Compliance with the requirements laid down in paragraph 1 letter a) shall
be evidenced by proof of completion of the evaluation and certification of the
secure cryptographic module according to the requirements of the standard for
these modules set out in point 8 of Annex No 1 to this Decree, or according to
the requirements of the standard for these modules set out in point 9 of Annex
No 1 to this Decree.
(4) Compliance with the requirements laid down in paragraph 1 letter b) shall
be evidenced by proof of the result for the secure cryptographic module under
paragraph 1 letter b) and proof of conformity assessment pursuant to § 9
para. 2 letter f) of the Act.
(5) Compliance with the requirements laid down in paragraph 2 shall be
evidenced by
a) security documentation,
b) a detailed description of the functions and the technical documentation of
the secure cryptographic module to the extent necessary for its acquisition.
(6) If the document referred to in paragraph 3 or paragraph 4 has expired and
the provider is able, until the replacement of the secure cryptographic
module, to ensure the security of its functions at
the same level as was ensured before the expiry of the document,
the module may be used, provided that the provider
a) without undue delay applies measures that reasonably eliminate the
risks on the basis of which the documents are no longer valid,
b) assesses in the risk analysis the risk of the situation in which the
document referred to in paragraph 3 or paragraph 4 has expired,
c) determines in the crisis management plan the measures that
the provider shall apply in order to ensure the required security of its
functions,
d) ensures that the implementation of the measures referred to in letter c)
is monitored, so that it is possible at any time to find out that these
measures are not applied or are not applied in full, and to remedy this
immediately,
e) initiates the acquisition of a secure cryptographic module.
§ 21
Means for the secure creation of electronic signatures
(1) The provider shall ensure that the means for the secure creation
of electronic signatures that it issues
a) meet the requirements for these means laid down in the standard for these
means listed in point 10 of Annex No 1 to this Decree,
b) have had their conformity assessed pursuant to § 9 para. 2 letter f) of
the Act,
c) have been prepared and handed over to the user by the provider in
accordance with the security and functional requirements of the standard for
trustworthy systems listed in point 1 of Annex No 1 to this Decree,
d) have been prepared and handed over to the user by the provider in
accordance with the technical and user documentation of their manufacturer or
supplier.
(2) Compliance with the requirements referred to in paragraph 1 letters a), c)
and d) shall be evidenced by
a) proof of completion of the evaluation and certification of the means
according to the standard for means for the secure creation of electronic
signatures listed in point 10 of Annex No 1 to this Decree,
b) security documentation,
c) a detailed description of the functions and the technical and user
documentation of the evaluated means; the user documentation must be in the
Czech language.
TITLE TWO
REQUIREMENTS FOR THE PROTECTION OF DATA FOR THE CREATION OF ELECTRONIC TAGS
§ 22
(1) Marking with data for creating electronic tags must be discontinued
immediately in the event of a malfunction of the means for creating
electronic tags or a malfunction of the application that
is being used; marking may continue once the
means and the application have been brought into a proper state.
(2) Marking with data for creating electronic tags must be
terminated immediately in the event of misuse, or reasonable fear of
misuse, of these data.
(3) The indicating person creates and keeps records of events
associated with any handling of the means for creating
electronic tags and of the data for creating electronic tags
that are stored in them, throughout their entire life cycle.
§ 23
(1) If data for creating electronic tags are used for
marking data messages under § 11 para. 2 of the Act, they may be
created, stored and used in a cryptographic means
for creating electronic tags (hereinafter referred to as "cryptographic
means") and may not be used for any purpose other than the creation of
electronic tags.
(2) If the cryptographic means referred to in paragraph 1 is not
a cryptographic module that meets the requirements set out in § 20 para.
1 of this Decree, only the following may be stored in it:
a) data for the creation of electronic tags,
b) data and applications necessary for using the data referred to in letter a)
for marking data messages and for transferring data for creating electronic
tags to another cryptographic means.
(3) The cryptographic means referred to in paragraph 2 may be used only
for
a) creating and storing the data and applications referred to in paragraph 2,
b) creating electronic tags.
(4) If the cryptographic means is a cryptographic module that
meets the requirements set out in § 20 para. 1 of this Decree, other
data and applications may also be created, stored and used in it, if, on
the basis of a risk analysis in which the risk was evaluated,
such use is not excluded.
(5) If the cryptographic means enables the transfer of data for creating
electronic tags to another cryptographic means, the
method of transfer must be trustworthy; the cryptographic means to which
the data are transferred shall comply with the requirements of paragraphs 2
and 3, or of paragraph 4.
§ 24
(1) The indicating person who marks data messages under § 11 para. 2
of the Act shall ensure, by means of an internal directive, the procedures
that support the protection of the data for creating electronic
tags by cryptographic means, always
a) for any handling of these cryptographic means
throughout their entire life cycle, including the procedures for
their use,
b) for determining the persons authorized for any handling of the
cryptographic means,
c) for the security of the environment in which they are used,
including upon the occurrence of an extraordinary event that may compromise
their protection.
(2) The person referred to in paragraph 1 shall acquaint the persons who
handle the cryptographic means with the procedures referred to in paragraph 1
to the extent necessary for the performance of their duties.
(3) The indicating person continuously checks the correctness of the
procedures referred to in paragraphs 1 and 2 and under § 22 and 23 and, if
deficiencies are detected, adopts measures to eliminate them.
PART THREE
FINAL PROVISIONS
§ 25
Transitional provisions
(1) Providers who are not accredited by the Ministry and who have
started providing qualified certification services, and
providers who have been granted accreditation for the activity of
an accredited provider as of the effective date of this Decree,
shall bring the provision of qualified certification services into accordance
with this Decree within 12 months from the date of publication of this Decree.
During this period the providers shall follow the existing legal
regulations.
(2) If the provider provides at least one qualified
certification service as of the effective date of this Decree, it shall ensure
the implementation of the first audit of the information security management
system within 2 years from the date of entry into force of this Decree.
§ 26
Repealing provision
Decree No. 366/2001 Coll., on the clarification of the conditions laid down in
§ 6 and 17 of the Act on Electronic Signature and the refinements to
electronic signature tools, is repealed.
§ 27
Effect
This Decree shall enter into force on the fifteenth day after its publication,
with the exception of the provisions of § 22 to 24, which shall become
effective on the first day of the third calendar month following the date of
its publication.
Minister:
Ing. Bérová (signed)
Annex No. 1
LIST OF NORMS AND STANDARDS
1. CWA 14167-1 - Security Requirements for Trustworthy Systems Managing
Certificates for Electronic Signatures - Part 1: System Security
Requirements.
2. ČSN ETSI TS 101 456 - Electronic signatures and infrastructures;
Requirements for the procedures of a CA issuing qualified
certificates.
3. ČSN ETSI TS 102 023 - Electronic signatures and infrastructures;
Requirements for the procedures of time-stamping authorities.
4. ISO/IEC 17799 - Information technology - Set of procedures for
information security management.
5. ČSN BS 7799-2 - Information security management system -
Specification with guidance for use.
6. ČSN ISO/IEC TR 13335 - Information technology - Guidelines for the
management of IT security 1-3.
7. EN ISO 19011 - Guidelines for auditing quality and/or environmental
management systems.
8. CWA 14167-2 - Cryptographic module for CSP signing operations with
backup - Protection profile - CMCSOB PP.
9. CWA 14167-4 - Cryptographic module for CSP signing operations -
Protection profile - CMCSO PP.
10. CWA 14169 - Secure signature-creation devices "EAL 4+".
11. FIPS PUB 140-1 - Security Requirements for Cryptographic Modules.
12. FIPS PUB 140-2 - Security Requirements for Cryptographic Modules.
Annex No. 2
STRUCTURE OF THE CERTIFICATION POLICY AND THE CERTIFICATION IMPLEMENTING DIRECTIVE
1. Introduction
1.1 Overview
1.2 Name and unambiguous identification of the document
1.3 Participating entities
1.3.1 Certification authority ("CA")
1.3.2 Registration authorities ("RA")
1.3.3 Holders of qualified certificates and signing or
indicating persons who have applied for the issue of a qualified certificate
or a qualified system certificate (hereinafter "certificate") and
to whom the certificate was issued
1.3.4 Relying parties
1.3.5 Other participating entities
1.4 Certificate usage
1.4.1 Admissible use of the certificate
1.4.2 Restrictions on certificate use
1.5 Policy management
1.5.1 Organization administering the certification policy or certification
implementing directive
1.5.2 Contact person or organizations that manage the certification policy
or certification implementing directive
1.5.3 Body responsible for deciding on the compliance of the provider's
procedures with the procedures of other certification service providers
1.5.4 Procedures for the approval of compliance under 1.5.3
1.6 Overview of terms and abbreviations used
2. Responsibility for the publication and storage of information and documentation
2.1 Storage of information and documentation
2.2 Publication of information and documentation
2.3 Frequency of publication of information
2.4 Access control for individual types of storage
3. Identification and authentication
3.1 Naming
3.1.1 Types of names
3.1.2 Requirement for the meaningfulness of names
3.1.3 Anonymity and use of pseudonyms
3.1.4 Rules for interpreting various name forms
3.1.5 Uniqueness of names
3.1.6 Trade marks
3.2 Initial identity validation
3.2.1 Verification of the correspondence of data, i.e. verification of whether
a person has data for creating electronic signatures corresponding to the data
for verifying electronic signatures, or data for creating electronic
tags corresponding to the data for verifying electronic tags
3.2.2 Verification of the identity of a legal person or organizational unit of the State
3.2.3 Verification of the identity of a natural person
3.2.4 Unverified information relating to the certificate holder or the
signing or indicating person
3.2.5 Verification of specific rights
3.2.6 Criteria for interoperability
3.3 Identification and authentication when processing requests for the
exchange of data for verifying electronic signatures or data for verifying
electronic tags in the certificate
3.3.1 Identification and authentication during routine exchange of data for
creating electronic signatures or data for creating electronic tags and
the corresponding data for verifying electronic signatures or data for
verifying electronic tags (hereinafter "paired data")
3.3.2 Identification and authentication when exchanging paired data after
revocation of the certificate
3.4 Identification and authentication for certificate revocation
requests
4. Requirements for the certificate life cycle
4.1 Application for issue of a certificate
4.1.1 Entities authorized to apply for issue of a certificate
4.1.2 Registration process and responsibilities of the provider and the applicant
4.2 Processing of certificate applications
4.2.1 Identification and authentication
4.2.2 Acceptance or rejection of a certificate application
4.2.3 Certificate application processing time
4.3 Issue of the certificate
4.3.1 Actions of the CA in the course of issuing a certificate
4.3.2 Notification of the issue of the certificate to the certificate holder
or the signing or indicating person
4.4 Acceptance of the issued certificate
4.4.1 Actions connected with accepting the certificate
4.4.2 Publication of issued certificates by the provider
4.4.3 Notification of the issue of the certificate to other entities
4.5 Use of paired data and the certificate
4.5.1 Use of data for creating electronic signatures or data for
creating electronic tags and of the certificate by the certificate holder
or the signing or indicating person
4.5.2 Use of data for verifying electronic signatures or data for
verifying electronic tags and of the certificate by the relying party
4.6 Certificate renewal
4.6.1 Conditions for certificate renewal
4.6.2 Entities authorized to request certificate renewal
4.6.3 Processing of certificate renewal requests
4.6.4 Notification of the issue of the renewed certificate to the certificate
holder or the signing or indicating person
4.6.5 Actions connected with accepting the renewed certificate
4.6.6 Publication of issued renewed certificates by the provider
4.6.7 Notification of the issue of the renewed certificate to other entities
4.7 Exchange of data for verifying electronic signatures or data for
verifying electronic tags in the certificate
4.7.1 Conditions for the exchange of data for verifying electronic signatures
or data for verifying electronic tags in the certificate
4.7.2 Entities authorized to request the exchange of data for verifying
electronic signatures or data for verifying electronic tags in the
certificate
4.7.3 Processing of requests for the exchange of data for verifying
electronic signatures or data for verifying electronic tags
4.7.4 Notification of the issue of the certificate with exchanged data for
verifying electronic signatures or data for verifying electronic tags to the
signing or indicating person
4.7.5 Actions connected with accepting the certificate with exchanged data for
verifying electronic signatures or data for verifying electronic
tags
4.7.6 Publication of issued certificates with exchanged data for verifying
electronic signatures or data for verifying electronic tags
4.7.7 Notification of the issue of the certificate with exchanged data for
verifying electronic signatures or data for verifying electronic tags to
other entities
4.8 Change of data in the certificate
4.8.1 Conditions for changing data in the certificate
4.8.2 Entities authorized to request a change of data in the certificate
4.8.3 Processing of requests to change data in the certificate
4.8.4 Notification of the issue of the certificate with changed data to the
signing or indicating person
4.8.5 Actions connected with accepting the certificate with changed data
4.8.6 Publication of issued certificates with changed data
4.8.7 Notification of the issue of the certificate with changed data to other entities
4.9 Revocation and suspension of the certificate
4.9.1 Conditions for revocation of the certificate
4.9.2 Entities authorized to request revocation of the certificate
4.9.3 Certificate revocation request
4.9.4 Grace period for a certificate revocation request
4.9.5 Maximum time within which the provider must carry out a request
for revocation of the certificate
4.9.6 Obligations of the relying party in verifying whether the certificate
has been revoked
4.9.7 Periodicity of issuing the certificate revocation list
4.9.8 Maximum delay in issuing the certificate revocation list
4.9.9 Option of verifying certificate status online ("OCSP")
4.9.10 Requirements for verifying certificate status online
4.9.11 Other forms of revocation notification
4.9.12 Any differences in the revocation procedure in the case of compromise
of data for creating electronic signatures or data for creating
electronic tags
4.9.13 Conditions for suspension of the certificate
4.9.14 Entities authorized to request suspension of the certificate
4.9.15 Requests for suspension of the certificate
4.9.16 Limits on the suspension of the certificate
4.10 Services related to verifying certificate status
4.10.1 Operational characteristics
4.10.2 Service availability
4.10.3 Other characteristics of certificate status services
4.11 Termination of the provision of services for the certificate holder or
the signing or indicating person
4.12 Safekeeping of data for creating electronic signatures or data for
creating electronic tags with trusted third parties and their
recovery
4.12.1 Policy and procedures for the safekeeping and recovery of data for
creating electronic signatures or data for creating electronic tags
4.12.2 Policy and procedures for encapsulating and recovering the session
encryption key
5. Management, operational and physical security
5.1 Physical security
5.1.1 Location and design
5.1.2 Physical access
5.1.3 Power and air conditioning
5.1.4 Effects of water
5.1.5 Fire prevention measures and protection
5.1.6 Media storage
5.1.7 Waste disposal
5.1.8 Backups outside the building
5.2 Procedural security
5.2.1 Trusted roles
5.2.2 Number of persons required to ensure the individual activities
5.2.3 Identification and authentication for each role
5.2.4 Roles requiring separation of duties
5.3 Personnel security
5.3.1 Requirements for qualifications, experience and integrity
5.3.2 Assessment of the reliability of persons
5.3.3 Requirements for preparation for the performance of a role, initial training
5.3.4 Requirements for and frequency of training
5.3.5 Periodicity and sequence of staff rotation between the different roles
5.3.6 Sanctions for unauthorized actions of employees
5.3.7 Requirements for independent contractors (suppliers)
5.3.8 Documentation provided to employees
5.4 Audit records (logs)
5.4.1 Types of events recorded
5.4.2 Frequency of processing records
5.4.3 Retention period of audit records
5.4.4 Protection of audit records
5.4.5 Backup procedures for audit records
5.4.6 Audit record collection system (internal or external)
5.4.7 Procedure for notifying the entity that caused the event
5.4.8 Vulnerability assessments
5.5 Storage of information and documentation
5.5.1 Types of information and documentation to be stored
5.5.2 Retention period of stored information and documentation
5.5.3 Security of the storage of stored information and documentation
5.5.4 Procedures for backing up stored information and documentation
5.5.5 Requirements for the use of time stamps in the storage of information
and documentation
5.5.6 Collection system for stored information and documentation
(internal or external)
5.5.7 Procedures for obtaining and verifying stored information and
documentation
5.6 Exchange of data for verifying electronic tags in the provider's
underlying qualified system certificate
5.7 Recovery after a disaster or compromise
5.7.1 Procedure in the event of an incident and compromise
5.7.2 Corruption of computing resources, software and/or data
5.7.3 Procedure in the event of compromise of the provider's data for
creating electronic tags
5.7.4 Ability to recover after a disaster
5.8 Termination of the activities of a CA or RA
6. Technical security
6.1 Generation and installation of paired data
6.1.1 Generation of paired data
6.1.2 Handover of data for creating electronic signatures or data for
creating electronic tags to the signing or indicating person
6.1.3 Handover of data for verifying electronic signatures or data for
verifying electronic tags to the certification service provider
6.1.4 Provision of data for verifying electronic signatures or data for
verifying electronic tags by the certification authority to relying
parties
6.1.5 Lengths of paired data
6.1.6 Generation of parameters of data for verifying electronic signatures
or data for verifying electronic tags and checking of their quality
6.1.7 Restrictions on the use of data for verifying electronic signatures or
data for verifying electronic tags
6.2 Protection of data for creating electronic signatures or data for
creating electronic tags and security of cryptographic modules
6.2.1 Standards for cryptographic modules and terms of use
6.2.2 Secret sharing
6.2.3 Storage of data for creating electronic signatures or data for
creating electronic tags
6.2.4 Backup of data for creating electronic signatures or data for
creating electronic tags
6.2.5 Storage of data for creating electronic signatures or data for
creating electronic tags
6.2.6 Transfer of data for creating electronic tags into
a cryptographic module or out of a cryptographic module
6.2.7 Storing data for creating electronic tags in a cryptographic
module
6.2.8 Procedure for activating data for creating electronic signatures or
data for creating electronic tags
6.2.9 Procedure for deactivating data for creating electronic signatures
or data for creating electronic tags
6.2.10 Procedure for destroying data for creating electronic signatures or
data for creating electronic tags
6.2.11 Cryptographic module rating
6.3 Other aspects of the administration of paired data
6.3.1 Retention of data for verifying electronic signatures or data for
verifying electronic tags
6.3.2 Maximum period of validity of a certificate issued to a signing or
indicating person and of the paired data
6.4 Activation data
6.4.1 Generation and installation of activation data
6.4.2 Protection of activation data
6.4.3 Other aspects of activation data
6.5 Computer security
6.5.1 Specific technical requirements for computer security
6.5.2 Computer security rating
6.6 Life cycle security
6.6.1 System development management
6.6.2 Security management controls
6.6.3 Life cycle security management
6.7 Network security
6.8 Time stamps
7. Certificate, certificate revocation list and OCSP profiles
7.1 Certificate profile
7.1.1 Version number
7.1.2 Certificate extension items
7.1.3 Object identifiers ("OID") of algorithms
7.1.4 Ways of writing names
7.1.5 Name constraints
7.1.6 Certificate policy OID
7.1.7 Extension item "Policy Constraints"
7.1.8 Syntax and semantics of the policy qualifiers extension item
"Policy Qualifiers"
7.1.9 Method of writing the critical extension item "Certificate Policies"
7.2 Certificate revocation list profile
7.2.1 Version number
7.2.2 Extension items of the certificate revocation list and of records in the
certificate revocation list
7.3 OCSP profile
7.3.1 Version number
7.3.2 OCSP extension items
8. Assessment of compliance and other assessments
8.1 Frequency of assessment or circumstances for carrying out assessments
8.2 Identity and qualifications of the assessor
8.3 Assessor's relationship to the assessed entity
8.4 Assessed areas
8.5 Procedure in the event of deficiencies
8.6 Communication of the results of the assessment
9. Other business and legal matters
9.1 Fees
9.1.1 Fees for the issue or renewal of a certificate
9.1.2 Fees for access to a certificate in the list of issued certificates
9.1.3 Fees for information about the status of a certificate or the revocation
of a certificate
9.1.4 Fees for other services
9.1.5 Any other provisions relating to fees (including reimbursements)
9.2 Financial responsibility
9.2.1 Insurance coverage
9.2.2 Other assets and guarantees
9.2.3 Insurance or warranty coverage for end users
9.3 Sensitivity of business information
9.3.1 Enumeration of sensitive information
9.3.2 Information outside the scope of sensitive information
9.3.3 Responsibility for the protection of sensitive information
9.4 Privacy policy
9.4.1 Privacy policy
9.4.2 Personal data
9.4.3 Information not considered sensitive
9.4.4 Responsibility for the protection of personal data
9.4.5 Notice of the use of confidential information and consent to the use of
sensitive information
9.4.6 Provision of sensitive information for judicial or administrative purposes
9.4.7 Other circumstances of disclosure of personal data
9.5 Intellectual property rights
9.6 Representations and warranties
9.6.1 Representations and warranties of the CA
9.6.2 Representations and warranties of the RA
9.6.3 Representations and warranties of the certificate holder or the signing
or indicating person
9.6.4 Representations and warranties of relying parties
9.6.5 Representations and warranties of other participating entities
9.7 Disclaimer of warranties
9.8 Limitation of liability
9.9 Responsibility for damage, compensation
9.10 Term and termination
9.10.1 Term of validity
9.10.2 Termination
9.10.3 Consequences of termination and continuation of obligations
9.11 Communication between participating entities
9.12 Amendments
9.12.1 Procedure for amendments
9.12.2 Procedure for notification of amendments
9.12.3 Circumstances in which the OID must be changed
9.13 Dispute resolution
9.14 Governing law
9.15 Compliance with legal regulations
9.16 Other provisions
9.16.1 Framework agreement
9.16.2 Assignment of rights
9.16.3 Severability of provisions
9.16.4 Disclaimer
9.16.5 Force majeure
9.17 Other measures
1) Decree No. 528/2005 Coll., on physical security and the certification of
technical means.