
Resolution Of 14 December 2015, Of The Directorate For Information Technologies And Communications, Which Lays Down The Technical Requirements Necessary For The Development And Application Of The Cl@ve System.

Original Language Title: Resolución de 14 de diciembre de 2015, de la Dirección de Tecnologías de la Información y las Comunicaciones, por la que se establecen las prescripciones técnicas necesarias para el desarrollo y aplicación del sistema Cl@ve.


TEXT

The Council of Ministers, at its meeting of 19 September 2014 and on a proposal from the Vice-President of the Government and Minister of the Presidency and the Ministers of Finance and Public Administrations, of the Interior, of Employment and Social Security, and of Industry, Energy and Tourism, adopted an Agreement approving Cl@ve, a common system of identification, authentication and electronic signature for the entire State Administrative Public Sector, which allows citizens to deal electronically with public services through a common platform by using keys agreed in advance when registering as a user of the system (concerted keys), as provided for in Article 13.2.c) of Law 11/2007, of 22 June, on the electronic access of citizens to public services.

This Agreement, published by Order PRE/1838/2014 of 8 October 2014, provides in its fifth paragraph, "Technical Prescriptions", that it falls to the Information and Communications Technologies Directorate of the State General Administration to establish, by resolution, the Technical Prescriptions necessary for the development and application of the Cl@ve system, and determines the aspects that these prescriptions must cover.

By virtue of the above, this Information and Communications Technology Directorate resolves:

First.

1. To approve the Technical Prescriptions necessary for the development and application of the Cl@ve system, under the terms of the Council of Ministers Agreement of 19 September 2014 approving Cl@ve, the common platform of the State Administrative Public Sector for identification, authentication and electronic signature through the use of concerted keys. These Technical Prescriptions are included as an annex.

2. To order its publication in the "Official State Gazette".

Second.

This Resolution enters into force from the day following its publication in the "Official State Gazette".

Madrid, December 14, 2015. The Director of Information and Communications Technologies, Domingo Javier Molina Moscoso.

TECHNICAL REQUIREMENTS FOR THE DEVELOPMENT AND APPLICATION OF THE CL@VE SYSTEM

Index

I. Object.

II. Scope of application.

III. The purpose of the Cl@ve system.

IV. Guarantee levels, identification systems, and electronic document signing.

V. Entities in charge of the system, functions and guarantees provided by each.

VI. Adherence to the Cl@ve system.

VII. System for identification and imputation of costs.

Annex I. Registration procedures, system access and electronic signature of documents.

I. Object

The present Technical Prescriptions are intended to establish the necessary aspects for the development and application of the Cl@ve system, as well as to ensure its operation and interoperability.

II. Scope of application

The present Technical Prescriptions will apply to:

a) The public bodies and organs involved in the construction and implementation of the Cl@ve system and guarantors of its operation.

b) Public bodies and organs of the State Administrative Public Sector obliged to enable the Cl@ve system in all services and electronic procedures aimed at citizens.

c) Other Public Administrations that adhere to the system.

d) Private sector entities participating in the future as providers of electronic identification and signature systems integrated with Cl@ve.

III. Purpose of the Cl@ve system

Cl@ve is a system of Identification, Authentication and Electronic Signature for the entire State Administrative Public Sector, based on the use of concerted keys, as provided for in Article 13.2.c) of Law 11/2007, of 22 June, on the electronic access of citizens to public services.

The Cl@ve system is aimed at Spanish and foreign citizens who meet the requirements set out in these Technical Prescriptions. It provides two distinct forms of identification and authentication based on the use of keys for citizens' access to the electronic services that make use of this system, complementing the existing access systems based on the DNI-e and recognised electronic certificates.

For this purpose, the Cl@ve system will provide a user-friendly interface that allows the user to select any of the electronic identification and signature systems outlined in article 13.2 of Law 11/2007, of June 22.

The Cl@ve system will also allow the citizen to access the document signing service by means of electronic certificates hosted locally (for example, on the user's PC), on devices connected to it (for example, the DNI-e), or in centralized mode.

IV. Guarantee levels, identification systems, and electronic document signing

IV.1 User registry.

In order to guarantee an adequate level of quality in the identification and authentication that are carried out through the Cl@ve system, the use of this system requires a prior registration of the users. By means of such registration, the existence of a real natural person associated with the electronic identity that the system will use is verified, a set of personal data associated with that identity is obtained, and the user's consent is obtained for such personal data to be incorporated into the personal data file of the system and treated for the purpose with which it has been developed.

Spanish citizens with a National Identity Document (DNI) and foreign citizens with a Foreign Identity Card (TIE) or a European Union Citizen's Certificate may register in Cl@ve. These documents must be in force. Registration may be extended to Spanish citizens residing abroad without a DNI in force by enabling identity verification procedures equivalent to those established for citizens with a DNI.

There will be two modalities or levels of guarantee of registration associated with the form and guarantees that the citizen's communication of the registration information offers:

a) Basic level, in which the user registry data is provided by the citizen in a telematic manner, but without prior authentication using a recognized electronic certificate. Identification will be performed using data known to the citizen and the administration.

b) Advanced level, in which the user registry data is provided by the citizen either in person at an office, to a public employee authorised for that purpose, or telematically after prior authentication of the citizen with a recognized electronic certificate.

The level of guarantee associated with the registration procedure used will be stored in the Cl@ve system and may be used to select the identification modes that are valid for each procedure, in application of the principle of proportionality provided for in Article 4 of Law 11/2007 of 22 June.

IV.2 Identification Modes.

The Cl@ve system will provide users with two electronic identification modes based on the use of concerted keys, each of which will provide two different levels of assurance in authentication:

c) Occasional Cl@ve or Cl@ve PIN: identification mode for access to the system in which the password, limited to a single use, is made up of a key contributed by the user plus a code received on their mobile device, and has a very limited validity in time. It is oriented to users who access services sporadically.

The occasional Cl@ve-based access system may also be called Cl@ve PIN when it is displayed to system users, to facilitate their identification and access.

d) Permanent Cl@ve: identification mode for system access by means of an identifier (the user's DNI number or NIE) and a password that must be kept safe by the citizen. The validity of the password is durable in time, but not unlimited. Additionally, when the type of procedure requires it, the permanent Cl@ve identification mode will be able to provide a higher level of security in the authentication, for which it will require an additional security verification by means of a single-use code (OTP, "One Time Password") of limited validity in time, sent to the user's mobile device. It is primarily intended for regular users.

Password security requirements for this system will be published on the Cl@ve portal (www.clave.gob.es).

At the time of logging into the Cl@ve system, the user will be able to choose which identification mode they prefer to use, within the limits set by the electronic service provider integrated with Cl@ve as to the levels of guarantee required by the formality or procedure the user wants to access.

IV.3 Electronic document signature.

The Cl@ve system will also allow access to electronic signature services, in particular to electronic document signing services using centralized electronic certificates, for the purpose of submitting those documents to public administrations where signature by electronic certificate is required or accepted. The following considerations apply:

a) To be able to access the service, the user will have to expressly request in advance the issuance of the corresponding centralized electronic certificates that enable signature through the Cl@ve platform.

b) Centralised electronic certificates shall be issued with the same guarantees for the identification of the citizen as the electronic DNI.

c) To make the request, and for subsequent access to the service, it will be necessary in any case that the user has registered at the Advanced level and has activated their permanent Cl@ve. In addition, at the time of identification an additional security check shall be required by means of a single-use code of limited validity in time, sent to the registered user's mobile phone.

For these purposes, the provisions of Royal Decree 1553/2005 of 23 December 2005 governing the issue of the national identity card and its electronic signature certificates are applicable.

IV.4 Access point to the Cl@ve system.

To facilitate access to the identification and authentication services of the Cl@ve system, an electronic access point will be created from which the citizen can identify according to the different levels of guarantee provided for in these Technical Prescriptions. For this purpose, the access point will present a menu that allows the user to choose the desired electronic identification mode among the options made available by the electronic service provider supporting the formality or procedure the citizen wants to perform, according to the levels of guarantee in registration and authentication required by that formality or procedure.

The access point will allow access to the identification and authentication services provided in the Cl@ve system and, in the future, to other identification systems, including electronic identification systems of the European area eligible under the applicable European Union legislation. In addition, for the purposes of compliance with Article 13 of Law 11/2007, the service provider may choose to enable identification systems not based on concerted keys, complementary to the Cl@ve system, or to enable access through the Cl@ve system to the means of identification provided for in Article 13.2 (a) and (b) of Law 11/2007, which must in any case include the electronic signature systems incorporated in the National Identity Document.

The various Electronic Offices of the Administration that require the use of an identification and authentication system as provided for in Article 13.2.c of Law 11/2007, of June 22, shall provide at least some of the identification systems by means of concerted keys that are integrated into the new Cl@ve platform.

For this purpose, these Electronic Sites will have to be integrated with the Cl@ve system acting as service providers, automatically redirecting the citizen from the electronic site to the Access Point of the Cl@ve system when the citizen wishes to carry out a formality or procedure that requires one of the identification and authentication systems provided for in the Cl@ve system. In this redirection, the entities must specify the level of guarantee in authentication required by the formality or procedure the citizen wishes to access, and may optionally also specify the required level of guarantee in registration. Once the identity verification has been performed by the entity responsible for the selected identification mode, the user will be automatically redirected to the point of origin, along with the result of the authentication, the data that identify the citizen unambiguously, and the levels of guarantee associated with that identity.

When the citizen has previously identified and authenticated for an electronic service integrated with Cl@ve through the Access Point, the Access Point will offer the citizen the opportunity to access another electronic service without the need to identify again, provided that the provider of this second service allows it. This means that the citizen will not have to re-enter the identification data associated with their Cl@ve PIN or permanent Cl@ve.

To ensure this integration with the Access Point of the Cl@ve system, the system user entities must follow the technical integration specifications defined by the entities responsible for the system. In order to facilitate this integration, a set of common components will be enabled, aimed at simplifying the handling of the request and response messages exchanged during the identification and authentication process, which the User entities may incorporate into their electronic services. These common specifications and components shall be published in the Technology Transfer Centre.

The transmission of information between the Access Point of the Cl@ve system and the integrated electronic sites will be protected according to best technical practices in order to ensure the privacy, confidentiality and integrity of that information. The Access Point of the Cl@ve system will not store any personal data, but only technical information not related to natural or legal persons, so that in the event of an incident the sequence of messages exchanged between the different actors in the system can be reconstructed, with the participation of the electronic service provider accessed by the user and the identification service provider of the identification mode chosen by the user, in order to determine the time at which the incident occurred and its nature.

In the particular case of the electronic services offered by the Cl@ve identity verification service providers themselves (initially, the AEAT and Social Security), this redirection to the Access Point of the Cl@ve system may be replaced by a direct and equivalent access to the Cl@ve identity verification services offered by that provider, provided that the electronic service does not require any other type of identification.

Additionally, to facilitate access to electronic signature services with centralized electronic certificates and to present citizens with a uniform signature mechanism across the whole system, a set of common signature components will be provided for integration into the electronic sites that require an electronic signature in their formalities or procedures.

Annex I details the registration procedures of the Cl@ve system, access to the Cl@ve system, and the electronic signature of documents with centralized electronic certificates, in relation to the levels of guarantee of the Cl@ve system provided for in these Technical Prescriptions.

IV.5 Security.

The Cl@ve system and all the associated services will be implemented guaranteeing their operation in accordance with the principles of security, integrity, confidentiality, authenticity and non-repudiation provided for in Law 11/2007, of 22 June, in the National Security Scheme (ENS), regulated by Royal Decree 3/2010, of 8 January and under the Organic Law 15/1999, of 13 December, of Protection of Personal Data and its Implementing Regulation, approved by the Royal Decree 1720/2007 of 21 December.

V. Entities in charge of the system, functions and guarantees provided by each one

V.1 User registry.

The State Tax Administration Agency (AEAT) will act as the main body responsible for the Cl@ve user registry system.

For such purposes, this body shall be responsible for the operation of the user registry systems described in these Technical Prescriptions, as well as the information systems, applications, organization and procedures used for the Cl@ve system in the user registry scope.

Initially, in order to provide a better service to citizens, the managing entities of Social Security, in addition to the AEAT's network of offices, will be enabled and will have the means to perform user registry functions of the Cl@ve system.

The Information and Communications Technology Directorate (DTIC) may agree to the adhesion to the system of other bodies and agencies of the State Administrative Public Sector, as well as organs and public bodies belonging to other administrations, to act as Cl@ve user registry offices in order to offer citizens new in-person registration points.

By virtue of the above, the Network of Information and Attention Offices of the Government Delegations and Subdelegations has been enabled to act as a registration office of the Cl@ve system.

Bodies and organs other than the AEAT acting as registration offices shall comply with the requirements set out in the Resolution of 28 September 2015 of the Information Technologies and Communications Directorate, which sets the conditions for acting as a registration office of the Cl@ve system.

The DTIC will maintain the list of Cl@ve registration offices at the General Access Point http://administracion.gob.es.

V.2 The occasional Cl@ve identification mode (Cl@ve PIN).

The AEAT will act as the lead agency responsible for the occasional Cl@ve-based access system.

For such purposes, the AEAT shall be the entity responsible for performing the user identification and authentication functions in this identification mode, providing the necessary means for this.

Accordingly, the AEAT will be responsible for the operation of the occasional Cl@ve-based access system described in these Technical Prescriptions, as well as the information systems, applications, organization and procedures used for the Cl@ve system in the scope of the occasional Cl@ve identification mode.

V.3 Permanent Cl@ve identification mode.

Social Security Information Management (GISS) will act as the body responsible for the operation of the access system based on permanent Cl@ve.

To this end, the GISS will be the entity responsible for performing the functions of identification and authentication of users in this mode of identification, providing the necessary means for this, among which is a replicated copy of the Cl@ve system user file, which is required to verify the identity and access guarantees.

Consequently, the GISS will be responsible for the operation of the permanent Cl@ve-based access system described in these Technical Prescriptions, as well as the information systems, applications, organization and procedures used for the Cl@ve system in the scope of the permanent Cl@ve identification mode.

V.4 Issuance of centralized electronic certificates for signature using the Cl@ve platform.

The entity responsible for issuing and safeguarding users' centralized electronic certificates for signature through the Cl@ve platform will be, in the exercise of its competences, the Directorate General of the Police (DGP), in accordance with Organic Law 2/1986, of 13 March, on Security Forces and Bodies, and Royal Decree 1553/2005, of 23 December, which regulates the issue of the National Identity Document and its electronic signature certificates.

To perform these functions, the DGP will use the Public Key Infrastructure corresponding to the currently existing electronic DNI.

The DGP, in the exercise of its powers, is responsible for the operation of the issuing and custody service of centralized electronic user certificates, acting as a trusted service provider according to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing the Directive 1999 /93/EC, and in accordance with the principles of security, integrity, confidentiality, authenticity and non-repudiation provided for in Law 59/2003 of December 19, electronic signature, and in Law 11/2007, of June 22, of Electronic Access of Citizens to Public Services.

V.5 Management of centralized electronic certificates for signature using the Cl@ve platform.

The entity responsible for the management and storage of users' centralized electronic certificates for the Cl@ve system will be the DGP.

This body will be enabled and will have the means to perform the certificate management and storage functions described. It will also hold a replicated copy of the electronic certificate file indicated.

The GISS will act as a provider of signature services with a centralized electronic certificate, for which it will have a backup of that information stored and managed by the DGP necessary for the signature. Such information shall be subject to the following requirements:

a) the security of the duplicate data sets is at the same level as for the original data sets;

b) the number of duplicate data sets does not exceed the minimum required to ensure service continuity.

The DGP is responsible for the operation of the certificate management and storage service described in these Technical Prescriptions, as well as information systems, applications, organization and procedures used for this service.

V.6 Signature of electronic documents using centralized electronic certificates.

The entity responsible for managing the electronic signature creation environment, on behalf of the signatory, for electronic documents signed with centralised electronic certificates will be the GISS, which will act as the body responsible for this service jointly with the DGP. For such purposes, both entities shall be empowered and shall have the necessary means to perform these electronic document signature functions.

Accordingly, both bodies will be responsible for the operation of the electronic document signing service by means of centralised electronic certificates as described in these Technical Prescriptions, as well as the information systems, applications, organization, and procedures used for this service.

V.7 Access point to the Cl@ve system.

The entity responsible for providing the access point to the Cl@ve system, for developing the common components that facilitate integration with this access point, and for developing the common signature components for access to the signature service through centralised electronic certificates shall be the DTIC.

The DTIC will be responsible for the operation of the access point to the Cl@ve system, of the common components that facilitate integration with this access point, and of the common signature components for access to the signature service through centralised electronic certificates described in these Technical Prescriptions, as well as of the information systems, applications, organisation and procedures used for the Cl@ve system in the area of the access point and the common integration components.

V.8 High availability guarantee.

The agencies responsible for the operation of the different subsystems that make up Cl@ve will establish high availability arrangements for the service offered.

V.9 Security guarantee of the electronic signature creation environment.

The bodies responsible for the operation of the different subsystems that make up Cl@ve will implement specific security procedures for management and administration, and will use reliable systems and products, including secure electronic communication channels, to ensure that the electronic signature creation environment is reliable and is used under the sole control of the signer.

VI. Adherence to the Cl@ve system

The scope of the Cl@ve system can be extended to other public administrations, by formalizing a convention with the Ministry of Finance and Public Administrations. That convention shall lay down the technical, economic and organisational conditions of application to other public administrations which shall, where appropriate, supplement those laid down in these Technical Prescriptions.

VII. System for the identification and allocation of costs

In order to ensure the sustainability of the Cl@ve system, mechanisms will be implemented to identify and eventually impute the maintenance and operating costs of the system to the different user entities, based on the effective use of the same by those entities.

To do this, the DTIC will keep a census of the entities integrated with the Access Point of the Cl@ve system, so that only the entities included in the census can make use of it. Each identification and authentication request received by the Access Point shall be associated with a user entity through the issuing entity identifier included in those requests, leaving a trace in the activity log of the system. Such traces, which shall record for each request the issuing entity, the result and the identification mode used, shall be processed to determine the effective use of the system made by each entity and therefore to allocate costs.

Likewise, for electronic document signing functions using centralized electronic certificates, the entities participating in the provision of the service, GISS and DGP, will implement an identification and cost allocation system analogous to the previous one, based on a census of entities integrated with the signature system and an activity register storing the traces of the signature requests with centralised electronic certificates received.

ANNEX I

Registration procedures, system access, and electronic document signing

The procedures initially provided for in relation to the user registry, access to the system and electronic document signature are described below. These procedures may be adapted according to the needs and evolution of the Cl@ve system for better delivery of service to citizens.

Updated procedures information can be found at www.clave.gob.es.

1. Registration procedures.

There will be three distinct registration procedures in the Cl@ve system: telematic registration without a recognized electronic certificate, telematic registration with electronic DNI or a recognized electronic certificate, and registration in-person.

1.1 Telematic registry without a recognized electronic certificate.

This registration mode corresponds to the basic level of registration guarantee.

This registration procedure is initiated at the citizen's request to the entity responsible for the registry, or on the initiative of that entity without prior request, using for this initial identification data known to both the citizen and the entity. Once the identity has been verified, an invitation letter to the Cl@ve system, including a secure verification code (CSV), shall be sent to the citizen's postal address held by the entity responsible for the registry.

Once the letter is received, the citizen can access the Cl@ve registration application, where they are asked for the personal data necessary to complete the registration, as well as the CSV code of the communication issued. As an additional security measure at the time of registration, a verification datum known to both the citizen and the entity will also be requested.

In response, the system issues an electronically signed acknowledgment with a CSV that includes the data provided and the activation code associated with the registration.

1.2 Telematic registration with electronic DNI or recognized electronic certificate.

This registration mode corresponds to the advanced level of registration guarantee.

Citizens with a recognized electronic certificate or DNIE will be able to formalize the registration in the Cl@ve system through a web application without the need to go to any office.

The citizen will access the Cl@ve telematic registration point and identify with their recognized certificate or DNIe. The registration application shall take the citizen's identification data from the certificate and verify them against those appearing in their identity card. Since the data relating to the DNI will be taken as correct for incorporation into the registry, if the DNI and certificate data do not exactly match, the citizen will be informed of this discrepancy so that the relevant corrections can be made to the information provided.

The citizen will then be asked for the remaining data needed for registration, including their mobile phone number and email address, and will sign the application with their certificate, including selecting the option by which they declare that they have read and agree to the terms and conditions of use.

The citizen will be given a system-signed acknowledgment with the data provided, which will include the activation code associated with the registration. The system shall inform the user of the purpose of the activation code and of the importance of keeping it, since it will be used as an authentication factor in the event of a forgotten password.

1.3 In-person registration.

This registration mode corresponds to the advanced level of registration guarantee.

The citizen will be able to register in person at any of the authorized registration offices of the Cl@ve system. These offices will have a registration application that allows them, once the citizen has been identified before a public employee, to formalize the registration. In order to ensure the user's strict control over the means of identification used in the system, in-person registration may not be performed by one person on behalf of another.

The in-person registration process will be performed in accordance with the Resolution of the Information and Communications Technologies Directorate establishing the conditions for acting as an in-person registration office of the Cl@ve system.

1.4 Welcome to the Cl@ve system.

Once registration in Cl@ve is completed in any of the modes described above, the citizen will receive a welcome SMS from the system at the phone number just registered.

From receipt of that SMS, the registered citizen can already use the Cl@ve PIN system and access the password activation systems of the permanent Cl@ve system.

1.5 Advanced level of registration guarantee.

Certain Electronic Administration services require that registration in Cl@ve be performed with the advanced level of registration guarantee, that is, in person or telematically with an electronic DNI or a recognized electronic certificate.

Citizens registered in Cl@ve telematically with an invitation letter containing a secure verification code (CSV), and who therefore only have the basic level of registration guarantee, will be able to obtain the advanced level by appearing in person at the registration offices or by accessing the Cl@ve registration systems with a DNIe or a recognized electronic certificate.

1.6 Treatment of the registration of an already registered telephone number.

The treatment described below is common to the three registration procedures described above.

For security reasons, the system requires that a telephone number be assigned to a single citizen of the Cl@ve system. If a citizen attempts to register with a phone number that is already registered in the system and assigned to another registered user, the following procedure will be followed to complete the registration:

1. The detected situation will be explained to the citizen and an SMS will be sent with a single-use code to the mobile phone number that is intended to be registered so that the user, or in his case the public employee who attends the face-to-face registration, will contribute to at the same time to demonstrate that the citizen is the holder of the telephone.

2. The system will check the validity of the single-use code provided and in the case of being correct the registration will be completed and the telephone number will be revoked to the user who had previously assigned it. Otherwise the registration process cannot be completed.

3. The user whose telephone number has been revoked in application of this procedure will not cause a low in the Cl@ve system, but will not be able to make an effective use of it. If the user tries to access the system he will be informed that his/her user has been revoked for security reasons in order to guarantee a unique association with the mobile phone number, and will be invited to correct this incident by contributing a new telephone number using the procedure set for this purpose.

4. For the exclusive purposes of informing the user that their telephone number has been revoked in application of this procedure, the system may use any of the contact details included in the Registration Database to communicate this information to the user. impact and that it can proceed to remedy it, if any.

2. De-registration procedures.

Three de-registration procedures will be enabled in the Cl@ve system:

2.1 De-registration by waiver.

The citizen may waive use of the Cl@ve system at any time, even if their registration in the system has not been completed.

The waiver can be made on the www.clave.gob.es portal, by identifying to it and choosing, within the user options, the option to waive the system. In this case, the system must first display a warning screen informing the user that they will no longer be able to access the system and that, if they subsequently wish to register again, they must go through the user registration procedure again. If the citizen confirms this screen, the system will mark the user as de-registered by waiver. This request can be made using a DNIe or a recognised electronic certificate, or at an in-person office. If registration was performed at the basic level, by invitation letter, the waiver may also be processed with the CSV code included in that letter.

If a citizen waives the system, their centralised electronic certificate will be revoked, and their electronic access, by both Cl@ve PIN and Cl@ve Permanente, to the identification, authentication and electronic signature services of Cl@ve will be disabled.

2.2 Ex officio revocation procedure.

The Cl@ve system may manage the revocation of users registered in the system when circumstances arise that put the security of the system at risk, such as fraudulent or improper use of the system, or when a substantial modification of the identification data used in the register occurs, such as a change of name or surnames on the identity document, or the naturalisation or expulsion of foreign nationals.

For the sole purpose of informing the user that they have been revoked under this procedure, the system may use any of the contact details held in the Registration Database to communicate the incident to the user.

After a revocation, a new registration may take place only once the circumstances that prompted the revocation have changed.

The effects of revocation are the same as those of a waiver: the user's centralised electronic certificate, if any, will be revoked, and their electronic access, by either Cl@ve PIN or Cl@ve Permanente, to the identification, authentication and electronic signature services of Cl@ve will be disabled.

2.3 De-registration on death.

The Cl@ve system will manage, ex officio and automatically, the de-registration of deceased users held in the register. The effects of de-registration on death are the same as those of a waiver: the user's centralised electronic certificate, if any, will be revoked, and their electronic access, by either Cl@ve PIN or Cl@ve Permanente, to the identification, authentication and electronic signature services of Cl@ve will be disabled.

3. Procedures for modifying data in the register.

The following procedures for modifying registration data will be enabled:

3.1 Mobile number modification procedure.

If the citizen wishes to modify the mobile number provided at registration, they must return to a registration office where, after identification with their DNI, TIE or EU Citizen Registration Certificate, the mobile telephone number will be updated in the database and a new activation code will be provided for future operations; the corresponding acceptance document must be signed again. The operation can also be carried out telematically if the user has a recognised electronic certificate or DNIe.

If the new mobile number is already registered in the system, the procedure for registering an already registered mobile number, described above, will be applied.

The mobile number modification procedure does not entail the revocation of the citizen's centralised electronic certificate or the deactivation of their user and access password.

3.2 Procedure for modifying other data.

A user registered in the system may modify other data associated with the register, except for the DNI number and the first name and surnames.

These modifications may be made telematically on the www.clave.gob.es portal or at one of the registration offices.

The procedure for modifying this data will not generate a new activation code, although it will generate the condition acceptance document, which will include the new data declared by the citizen.

4. Method of use of the Cl@ve PIN.

In the occasional Cl@ve identification mode, the user provides the first part of their key and receives on their mobile device a code of very limited validity in time; together these make up the access code.

To strengthen the security of the identification and authentication system, the access code (Cl@ve PIN) is divided into two parts:

• Access key: defined by the user each time a Cl@ve PIN is requested. It does not have to be the same each time.

• PIN: sent by the Cl@ve system to the user's mobile when the user requests it.

The combination of both makes up the Access Code:

Access Code (Cl@ve PIN) = Access Key + PIN.

This system allows the citizen to control a portion of the access code, since it is the user who defines that portion each time a PIN is requested. As an additional security measure, the user-defined part is never transmitted in the messages sent by the Cl@ve system. Thus, even if someone else gained access to those messages, they could not impersonate the user, because they would lack the part of the code that the user defines.

The following procedures are defined for obtaining and using the Cl@ve PIN system:

4.1 Procedure for obtaining a Cl@ve PIN.

To obtain a PIN in the Cl@ve system, the applicant accesses the occasional Cl@ve management portal, where they must enter their Cl@ve user identifier (DNI or NIE number), verification information known to both parties, choose an access key, which need not always be the same, and request a new PIN. As a result, the Cl@ve system sends a code to the registered mobile telephone with which the user can complete authentication.

4.2 Procedure for using the Cl@ve PIN.

To complete authentication in the system, the user must enter their Cl@ve user identifier (DNI or NIE) and their access code, formed by the key selected when obtaining the PIN and the PIN received on their mobile telephone.

If the applicant enters an incorrect access code more times than allowed, access will be blocked temporarily for security reasons.

The validity of the PIN is as follows:

• Temporal validity: the PIN received on the mobile telephone must be used to complete access to the system within 10 minutes. After that time, if access to Cl@ve has not been completed, a new PIN must be requested.

• Number of uses: the PIN is configured as a single-use key (OTP), so that whenever authentication with Cl@ve PIN is requested, the user must start the process of requesting a new PIN in order to authenticate in that session.

• Session: once identified with Cl@ve PIN, the user can access the services authorised by Cl@ve until they disconnect from the Sede Electrónica (electronic office) or the browser is closed.
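The following is an added illustrative model of the Cl@ve PIN lifecycle described in sections 4.1 and 4.2 (it is not Cl@ve's own code and does not reproduce its implementation). It shows why the SMS content alone cannot be used to authenticate, and enforces the three properties stated above: 10-minute validity, single use, and temporary blocking after repeated failures. The page does not state the PIN length, the attempt limit, the lockout duration, or how the access code is stored server-side; the values and the salted-hash storage used here are assumptions.

```python
"""Illustrative model of the Cl@ve PIN flow (added example, not Cl@ve's code).

Assumptions not stated on the page: 3-digit PIN, 3 failed attempts before
blocking, 15-minute block, and server-side storage as a salted SHA-256 hash
of (access key + PIN) so the complete access code is never stored in clear.
"""
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 10 * 60      # section 4.2: PIN must be used within 10 minutes
MAX_FAILED_ATTEMPTS = 3        # assumption: page only says "more times than allowed"
LOCKOUT_SECONDS = 15 * 60      # assumption: page only says "blocked temporarily"
PIN_DIGITS = 3                 # assumption


class ClavePinService:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry and lockout can be tested
        self._pending = {}       # user_id -> {"salt", "digest", "expires"}
        self._failures = {}      # user_id -> {"count", "locked_until"}

    @staticmethod
    def _digest(salt: bytes, access_code: str) -> bytes:
        return hashlib.sha256(salt + access_code.encode("utf-8")).digest()

    def _locked(self, user_id: str) -> bool:
        state = self._failures.get(user_id)
        if state is None or state["locked_until"] == 0.0:
            return False
        if self._clock() < state["locked_until"]:
            return True
        del self._failures[user_id]   # block has elapsed: reset the failure counter
        return False

    def request_pin(self, user_id: str, access_key: str) -> str:
        """Section 4.1: the user chooses an access key; the server generates the
        PIN and returns it for delivery by SMS. Only the PIN goes in the SMS;
        the access key the user chose is never part of that message."""
        if self._locked(user_id):
            raise PermissionError("access temporarily blocked")
        if not access_key:
            raise ValueError("an access key is required")
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, access_key + pin),   # Access Code = key + PIN
            "expires": self._clock() + PIN_TTL_SECONDS,
        }
        return pin

    def authenticate(self, user_id: str, access_code: str) -> str:
        """Section 4.2: verify access key + PIN. Returns one of
        "ok", "wrong", "locked", "expired", "no_pending"."""
        if self._locked(user_id):
            return "locked"
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_pending"            # never requested, already used, or discarded
        if self._clock() > entry["expires"]:
            del self._pending[user_id]
            return "expired"               # temporal validity: a new PIN must be requested
        if hmac.compare_digest(self._digest(entry["salt"], access_code), entry["digest"]):
            del self._pending[user_id]     # single use (OTP): consumed on success
            self._failures.pop(user_id, None)
            return "ok"
        return self._record_failure(user_id)

    def _record_failure(self, user_id: str) -> str:
        state = self._failures.setdefault(user_id, {"count": 0, "locked_until": 0.0})
        state["count"] += 1
        if state["count"] >= MAX_FAILED_ATTEMPTS:
            state["locked_until"] = self._clock() + LOCKOUT_SECONDS
            self._pending.pop(user_id, None)   # discard the PIN; a fresh request is needed after the block
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed walkthrough with a fictitious user identifier.
    svc = ClavePinService()
    pin = svc.request_pin("00000000T", "mikey")
    print("SMS alone:", svc.authenticate("00000000T", pin))            # wrong
    print("key + PIN:", svc.authenticate("00000000T", "mikey" + pin))  # ok
    print("replay:   ", svc.authenticate("00000000T", "mikey" + pin))  # no_pending
```

The walkthrough makes the section's argument concrete: an attacker who reads the SMS holds only the PIN, and `authenticate` rejects it without the user-chosen key; the same access code cannot be replayed because the pending entry is deleted on success; and after the assumed attempt limit the user is blocked and the outstanding PIN is discarded rather than left valid for further guessing.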

5. Password activation and management procedures.

The following procedures are defined regarding the activation of user accounts on the Cl@ve system and password management:

5.1 Activation procedure.

To activate the user account in the Cl@ve system, which is necessary in order to use the Cl@ve Permanente identification method, the applicant must access the portal www.clave.gob.es and enter their Cl@ve user identifier (DNI or NIE), their e-mail address and the activation code supplied at registration. If these are correct, the system sends a message to the mobile telephone with a single-use code that the user must enter into the system; once it has been verified, the user may set the password of their choice for subsequent access to Cl@ve, complying with the defined minimum security requirements.

If the applicant enters an incorrect activation code more times than allowed, the activation code will be blocked for security reasons and a new one will have to be generated.

5.2 Password change procedure.

User passwords will expire within the period determined by the system's security policy, which will be communicated on the www.clave.gob.es portal. In any case, the user may change the password at any time. To do so, the user accesses the system with their user identifier and password and chooses the change-password option within the user options. The user enters the new password and the system sends a single-use code to the mobile telephone to confirm the operation.

This operation can also be performed by accessing with a DNIe or a recognised certificate, in which case the single-use code is not required.

5.3 Password reset procedure.

This procedure is necessary if the citizen forgets their password or it is blocked when the maximum number of failed entry attempts is reached. In this case, a new password must be set.

To reset the password, the citizen accesses the system with their user identifier and selects the "password reset" option. The system asks for the activation code delivered during the registration process, which must match the one held in the database. If it is correct, the system sends a security code to the citizen's mobile telephone, which must be entered to reset the password.

5.4 Activation code recovery procedure.

If the user wishes to reset the password and does not have the activation code, they may obtain a new activation code by going to a registration office or by authenticating telematically with a recognised electronic certificate, a DNIe or the Cl@ve PIN. This operation does not require the issuance of the acceptance document, since the citizen is not declaring any new data.

6. Certificate and electronic signature management procedures.

The following procedures apply in relation to centralised electronic certificates for signature.

6.1 Procedure for issuing centralised certificates for signature with the Cl@ve platform.

Once the user has registered in the system with an advanced level of registration assurance, has activated their Cl@ve Permanente and has expressly requested the issuance of their centralised electronic certificates for signature using the Cl@ve platform, issuance takes place the first time the citizen accesses the signature procedure with the Cl@ve system.

The system will inform the citizen that it is going to issue their certificate, together with the security guarantees offered by the Administration for its custody and access, and will generate their private key and store it in the system in a protected manner, so as to ensure, with a high level of confidence, its use under the sole control of its holder.

Certificate generation must comply with the requirements laid down by law regarding the maximum periods allowed since the citizen carried out in-person registration.

6.2 Signature procedure with centralized electronic certificate.

The electronic signature procedure with a centralised electronic certificate ensures that access to the signature creation data associated with the certificate is carried out only by the certificate holder; to use it, the citizen must previously have been authenticated by means of two authentication factors: the Cl@ve user identifier with their Cl@ve Permanente password, and a single-use code (OTP) sent by SMS to their mobile telephone.

6.3 Renewal procedure for centralized electronic certificates.

The renewal of centralised certificates for signature by the Cl@ve platform may be carried out automatically as long as the requirements laid down by law regarding the maximum periods allowed since the citizen carried out in-person registration are met. Otherwise, to renew their certificate, the citizen must go to a registration office to be provided with a new activation code, after which the user and their certificates can be reactivated.

Automatic renewal takes place when the citizen proceeds to sign, has authenticated to access their signature key, and it is detected at that time that their certificate has expired or is about to expire, up to 2 months before the end of its validity period. In this case, the Cl@ve system automatically issues and stores the new certificates, revoking the old ones in accordance with the regulations in force on recognised electronic certificates.

In any case, the system shall inform the citizen that the automatic renewal of their certificates has been carried out and shall inform them of the new validity period of the certificates, as well as of the fact that the previous certificates have been revoked, specifying the reasons and the date and time at which the certificate ceases to have effect.

6.4 Revocation procedure.

The citizen's centralised electronic certificates are revoked in the event of the citizen's voluntary waiver of, or de-registration from, the system; in the event of de-registration on death; and in the event of ex officio revocation of access to the system by the Administration in the circumstances to be determined.

Once a certificate has been revoked, the system ensures that it cannot be used in any signature process from that point on.

The system may also allow, with the necessary guarantees, the citizen to request, either in person or telematically, the revocation of only their centralised electronic signature certificate, without needing to de-register from the Cl@ve system. The revocation must be documented, so in either of these procedures the citizen must sign the waiver or revocation request, either with a recognised electronic certificate or by hand.

7. Procedures for incorporating records from other censuses.

As established by the Agreement of the Council of Ministers creating Cl@ve, in order to incorporate into the Cl@ve census users registered in other identification, authentication and signature systems existing before the Agreement itself, the express consent of the citizen must be requested.

In any case, the incorporation procedures will ensure that the requirements necessary to assign the registration assurance level and the corresponding Cl@ve identification and authentication system have been met in those censuses. The procedure must also allow the accuracy and correctness of the data provided from the other censuses to be verified, and the user will be asked to provide any additional data needed to complete the registration, all while maintaining the same guarantees that apply to the user registration procedure in the Cl@ve system.

In a first phase, the censuses of the AEAT PIN24H system and the Social Security user/password system will be integrated. In any case, the incorporation of records from other censuses will require the authorisation of the DTIC.