Technological and regulatory support for digital trust services in the Russian Federation

The purpose of this series of articles is to review the regulatory and technical conditions for organizing processes of building trust in a digital environment.
Ensuring and developing a digital space of trust is a relevant issue around the world. It has been on the agenda, and has been resolved to one degree or another, since the 1980s, and in the Russian Federation at least since the beginning of the 2000s, when Federal Law No. 1-FZ “On Electronic Digital Signatures” was adopted. When implementing processes of building trust in the digital environment, the issue most discussed by regulators (the Ministry of Communications of Russia, the Federal Security Service of Russia, the Federal Tax Service of Russia), users and operators is the regulatory framework for the use of analogues of handwritten signatures, that is, electronic signatures (E-signatures) and electronic digital signatures (EDS), as a means of ensuring the validity of cross-border electronic document management. In 2018-2020, this discussion led to a significant modernization of federal legislation in the field of trust in the digital environment, namely the appearance of Federal Law No. 476-FZ of 27.12.2019, which introduced significant amendments to Federal Law No. 63-FZ dated 04/06/2011 “On Electronic Signature”. Hereinafter, we mainly consider the amendments concerning trust services, which 476-FZ unites under the notion of a “trusted third party” (TPA).

In the legislation of the Russian Federation, this concept appeared with the signing of the international document “Treaty on the Eurasian Economic Union” (signed in Astana on May 29, 2014), which defines issues of economic integration in the EAEU. The Treaty contains Appendix No. 3, “Protocol on Information and Communication Technologies and Information Interaction within the Eurasian Economic Union”. This protocol is the legal basis for solving the problem of ensuring trust in cross-border documents with electronic signatures through the use of TPA technology. Another feature of the Treaty is that it provides for the solution of this problem only for relations between authorities (G2G). In accordance with the “Strategy for the Development of a Cross-Border Confidence Space”, approved by the decision of the EEC Board of September 27, 2016 No. 105 (hereinafter, the Strategy):
“Subjects of electronic interaction can also be government bodies of third states (their officials and employees), individuals and legal entities (representatives of legal entities), officials and employees of integration associations, international organizations, subject to the conclusion of relevant international treaties.”
At the second stage of the development of the cross-border space of trust (until 2020), it is envisaged:
“The possibility of electronic interaction between individuals and legal entities among themselves, as well as with state authorities of the member states when individuals and legal entities are in the territories of their states”.

Thus, in accordance with the Strategy, the legal, organizational and technological conditions for ensuring trust in the electronic signatures of legal entities and individuals within the EAEU cross-border trust space should already be created in the EAEU this year.

In the laws of the countries of the Eurasian Economic Union (EAEU), the legal force of electronic documents, as one of their properties, is based on guarantees of the authenticity and integrity of the documents. Cryptographic methods are mainly* used to ensure the authenticity and integrity of electronic documents, and the legal foundations are laid down in international and national legislation. A significant number of countries that are economic partners of the Russian Federation base their legislation on the legal significance of electronic documents on the 2001 UNCITRAL Model Law “On Electronic Signatures”, whose technological basis is specifically the cryptographic electronic signature (digital signature) (Table 1).

List of countries whose legislation is based on the 2001 UNCITRAL Model Law on Electronic Signatures *2



Thus, the task of organizing cross-border protected electronic legally significant interaction is reduced to reconciling, between the participating countries, differences in legal regulation (for example, requirements for the conditions for the use of cryptographic tools) and differences in the means and methods of ensuring the specified values of security.

For example, cryptographic tools are used to organize secure electronic document management in the EU and EAEU countries.

At the same time, many countries are developing their own cryptography and have their own standards for the cryptographic algorithms used to create and verify electronic signatures (EDS), as well as their own mechanisms for implementing these algorithms (electronic signature tools and their analogues). *3

In general, these solutions are incompatible with each other, i.e. an electronic document signed with an electronic signature based on the cryptographic standards of, for example, the Republic of Belarus cannot be verified using the electronic signature of the Republic of Kazakhstan or the Russian electronic signature.

Let us further consider possible technological solutions to this problem.

Option 1: The most obvious solution in this situation, it would seem, is to use a common, uniform cryptographic standard for the participants in the information interaction for electronic signature procedures (Fig. 1).



In the post-Soviet space, this approach is supported by the existence of CIS cryptographic standards: GOST 34.310-2002 “Information technology. Cryptographic information security. The processes of formation and verification of electronic digital signatures” and GOST 34.311-95 “Information technology. Cryptographic information security. The hash function”. At the same time, a significant number of countries use solutions embedded in operating systems that are based on US cryptographic developments.

But this approach contradicts the principle of national sovereignty, which determines the rationality of using electronic signature means certified according to national standards, and also determines the specificity of the legal basis for the use of electronic signature in different countries. The differences can be significant, starting with the terms, ending with the semantic content of the analogues of the handwritten signature. For these reasons, “option 1” cannot be considered as a universal solution for ensuring the recognition of a foreign electronic signature, especially in the Russian Federation.

Option 2: Another seemingly obvious solution is an approach based on the import and export of partners' electronic signature means (CIPF) and their mutual legal exchange, in order to equip national information systems and national users of foreign information systems (Fig. 2).



But this option involves a large number of organizational and technical difficulties and, in addition, does not solve the entire list of problems. First of all, electronic signature means are encryption (cryptographic) means, and their export and import are subject to a number of significant restrictions that impede the implementation of this option. In accordance with the “Regulation on the Procedure for the Import into the Customs Territory of the Customs Union and the Export from the Customs Territory of the Customs Union of Encryption (Cryptographic) Means”:
“Import and export of encryption means is carried out on the basis of one-time licenses issued by the authorized body of the state - a member of the customs union in whose territory the applicant is registered.”
In addition, the use of electronic signature means requires periodic maintenance by certification service providers (for example, certification authorities) that operate in accordance with the requirements of national laws, and it is difficult to obtain such services outside the country of presence. Even when the problem of importing and exporting electronic signature means is solved for a specific information system, organizational problems arise again when the system is scaled up, since scaling requires further instances of these means, and each case of import or export requires a one-time license.

The technical features of this option also include the need to equip all information systems and all suppliers with a full range of electronic signature tools. At present, in addition to the organizational difficulties, this is complicated by the lack of compatibility between the most common cryptographic information protection tools when they run on the same computer.

The legal disadvantages of this option include the fact that in this case the parties are not given the opportunity to obtain documentary evidence of the legitimacy of using a signature verification key certificate to sign a specific type of document in accordance with the legislation of the country of origin of the electronic document. As a result, each of the counterparties must make a decision on trust in an electronic document, without having sufficient legal grounds for this.

Thus, option 2, based on the export and import of CIPF, is not technologically practical and is not applicable for mass use, for developing information systems, or for information systems that require clear legal conditions for the use of electronic documents.

To implement a secure cross-border electronic legally significant document flow based on cryptographic tools, it is advisable to use other approaches that allow the implementation of essentially equivalent (on both sides of the border) levels of cryptographic protection of information flows and sufficient legal grounds for recognizing the legal force of electronic documents, i.e. methods provided by a sufficient regulatory framework.

Option 3: This is the option of a Trusted Third Party, which is implemented in accordance with three basic principles:

  1. « » , ;
  2. ;
  3. - « » , ()*4.

The scheme of interaction between the parties in the implementation of these basic principles is presented in Fig. 3.



In accordance with the amendments introduced by Federal Law No. 476-FZ (“On Amendments to the Federal Law “On Electronic Signatures” and Article 1 of the Federal Law “On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Implementation of State Control (Supervision) and Municipal Control””) in Article 7:
«3. , , , , . , , , , ».

Thus, taking these provisions into account, the basis of the legal model for mutual recognition of cross-border electronic signatures should be international treaties of the Russian Federation. After these amendments enter into force (at the time of writing of this article, the entry into force is set for July 1, 2020), we will monitor the emergence of such international treaties and analyze the work practices of these operators in solving this problem.

In the following articles of this series, we will try to consider other tasks related to electronic signature, which, in the light of the current legislation of the Russian Federation, can and will be assigned to a trusted third party.

* There are exceptions. In particular, Federal Law of the Russian Federation No. 63-FZ dated 04/06/2011 provides for the possibility of using a non-cryptographic simple electronic signature, which is not considered in this material because it is inapplicable to the applied tasks.

*2 Based on:

  • General Guidelines for Legislation in the Field of EP: A Brief Summary of Legislation and Enforcement by Country / Adobe Systems Incorporated 2016.
  • Global Cybersecurity Index and Cybersecurity Profiles. Report. ABI Research, commissioned by the ITU Cybersecurity Group. April 2015
  • Research by the group of companies “Gazinformservice”, 2018-2020

*3 The standards of the EAEU countries are based on common approaches, but at present the national implementations are not compatible with one another.

*4 A Trusted Third Party (TPA) is an organization or representative of an organization that provides one or more security services and is trusted by other entities regarding actions related to these security services. (ITU-T Recommendation X.842. Information technology - Security Techniques - Guidelines for the use and management of trusted third party services.)

Sergey Anatolyevich Kiryushkin,
Ph.D., Advisor to the General Director of Gazinformservice LLC

Vladimir Nikolaevich Kustov,
Doctor of Engineering, Professor, Advisor to the General Director of UC GIS LLC
