Regulatory Decree no. 25/2004, of 15 July



Ministério da Justiça (Ministry of Justice)

Regulatory Decree


Under the arrangements laid down in the legal regime that governs the validity, effectiveness and probative value of electronic documents, as well as the electronic signature and accreditation activity of certifying entities established in Portugal, comprised in Decree-Law no. 290-D/99, of 2 August, as amended by Decree-Law no. 62/2003, of 3 April, the present statutory instrument aims to approve the technical and security rules required of certifying entities that issue qualified certificates, and further to discipline some specific aspects regarding the accreditation of certifying entities.

In the pursuit of its activity, the certifying entity is expected to use processes, systems and products related to electronic signatures, in compliance with the standards comprised in the lists published in the Official Journal of the European Communities, pursuant to paragraph 5 of article 3 of Directive 1999/93/EC of the European Parliament and of the Council, of 13 December or, failing that, with the rules developed within the scope of the European Electronic Signature Standardisation Initiative (EESSI), for the support of the implementation of Directive 1999/93/EC of the European Parliament and of the Council, of 13 December, published by the European Telecommunications Standards Institute (ETSI), or by the European Committee for Standardization (Comité Européen de Normalisation, or CEN).

Clear rules on the various certification services provided by the certifying entity are herein approved, namely registration, issue, distribution, management of revocation, provision of secure signature-creation devices and chronological validation, as well as the respective subcontracting regime.

Moreover, specific standards regarding rights and obligations of the certifying entity and of requesters and holders of certificates are also provided for herein, the respective operational and management requisites being established, including special requirements as far as security, personnel policy, audits, activity termination and information archives are concerned.

Since the scope of this statutory instrument covers all certifying entities that issue qualified certificates, and such entities are entitled to request accreditation, specific requirements are also laid down herein that reinforce the guarantees underlying the probative value conferred on electronic signatures supported by certificates issued by accredited certifying entities.

Accordingly, as part of the demonstration of the technical and human means required of certifying entities that request accreditation from the accrediting authority, the conformity of the processes and technical elements used in their activity with the technical and security requirements laid down herein must first be assessed by accredited bodies, the grant of accreditation being subject to the presentation of the respective assessment reports and conformity certificates.

Since the present statutory instrument establishes requirements of an essentially technical nature, and without prejudice to the technological neutrality of the legal regime laid down in Decree-Law no. 290-D/99 of 2 August, in its current version, the technical and security requirements herein established are based on the use of asymmetric cryptography (public key cryptography) as the support for electronic signatures.

The present approach to regulating the use of public key cryptography is without prejudice to any revision of the provisions of this statutory instrument that technological developments in this field may justify.

The National Security Authority was heard.

Therefore:

Pursuant to the provision of article 39 of Decree-Law no. 290-D/99 of 2 August, as amended by Decree-Law no. 62/2003, of 3 April, and under point c) of article 199 of the Constitution, the Government hereby decrees as follows:

CHAPTER I
General provisions

 

Article 1
Subject and scope

1 – The present statutory instrument regulates Decree-Law no. 290-D/99 of 2 August, as amended by Decree-Law no. 62/2003, of 3 April.
2 – The present statutory instrument comprises, namely, technical and security standards applicable to certifying entities established in Portugal as regards the issue of qualified certificates intended for the general public.

Article 2
Technical rules

1 – In the pursuit of its activity, the certifying entity shall compulsorily use processes, systems and products related to electronic signatures in compliance with the provisions in this statutory instrument, as well as with the standards, specifications and further technical documents applicable according to the scope thereof, such as:

a) Those comprised in the lists published in the Official Journal of the European Communities, pursuant to paragraph 5 of article 3 of Directive 1999/93/EC of the European Parliament and of the Council, of 13 December, where they exist;
b) Those developed within the scope of the European Electronic Signature Standardisation Initiative (EESSI), for the support of the implementation of Directive 1999/93/EC of the European Parliament and of the Council of 13 December, published by the European Telecommunications Standards Institute (ETSI), or by the European Committee for Standardization (Comité Européen de Normalisation, or CEN), in matters for which no standard, specification or other technical document provided for in the preceding point exists;
c) Others that are widely acknowledged as applicable to electronic signature products.

2 – The accrediting authority shall publish, in a notice in the 2nd Series of the Diário da República, the list of references published in the Official Journal of the European Communities of the standards referred to in point a) of the preceding paragraph.
3 – The standards referred to in points b) and c) of paragraph 1 shall be approved by the accrediting authority, which shall publish the respective references in the 2nd Series of the Diário da República.
4 – The standards provided for in paragraph 1, regarding processes, systems and products, apply to:

a) Services and processes of certifying entities that concern the management of the public key infrastructure, the management of information security and the management of the qualified certificate life cycle;
b) Information systems used in the issue and management of qualified certificates;
c) Cryptographic modules for signature operations;
d) Applications for the creation and verification of signatures;
e) Secure signature-creation devices;
f) Chronological validation services.

5 – Where classified matters are concerned, the rules on the security of classified matters and on the respective accreditation shall apply, under the responsibility of the National Security Authority.

Article 3
Assessment of conformity

1 – The conformity of processes, systems and products related to qualified electronic signatures with the provisions of the preceding article shall be certified by certification bodies accredited pursuant to the provision of article 37 of Decree-Law no. 290-D/99, of 2 August, where required by this statutory instrument.
2 – The assessment of conformity of qualified electronic signature products shall be carried out according to the Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408, for the evaluation assurance level and strength of function required by the standards, specifications and other technical documentation applicable pursuant to article 2.
3 – The certificate of conformity regarding product security shall compulsorily comprise:

a) The requirements which the certification applies to and the platform wherein tests were performed;
b) Algorithms and parameters used and respective period for which they are valid;
c) The evaluation assurance level for which the products were tested and the respective strength of function.

4 – The conformity of applications for signature creation and verification and for chronological validation may also be demonstrated by means of the declaration of the respective product manufacturer.
5 – The declaration referred to in the preceding paragraph shall be issued according to the CEN’s guiding documents for assessment of conformity (EESSI Conformity Assessment Guidance), for the product under consideration, including the identification of the manufacturer, of the product, of the requirements which guarantee the conformity and of the provisions of the standard in regard of which such conformity exists.

Article 4
Subcontracting

1 – The certifying entity shall be responsible for all certification services provided by third parties it has subcontracted, namely services such as registration, issue, distribution, management of revocation, provision of secure signature-creation devices and chronological validation.
2 – The certifying entity may subcontract the provision of certification services and the supply of the respective elements, including the certificate issue service, provided that the key used to create certificates is identified at all times as belonging to the certifying entity, and that it holds full responsibility for the compliance with all requirements provided for in the present statutory instrument.
3 – The contract between the certifying entity and any service provider shall be compulsorily written, establishing the obligations of the parties and identifying the functions of the certifying entity provided by the subcontracted party.

CHAPTER II
Activity of the certifying entity

 

SECTION I
Certificate practice statement and policy

Article 5
Certificate practice statement

1 – The certifying entity shall issue a certificate practice statement, which shall set out the procedures used to fulfil the requirements identified in the certificate policies, with which all certification services provided shall comply, and which shall comprise the following particulars, among others:

a) Description of the certification structure;
b) Description of the operational infrastructure;
c) Procedures for the validation of the identity and other personal and professional data of requesters and certificate holders;
d) Operational procedures;
e) Physical, procedural and personnel security checks;
f) Provisions on the issue, use, updating, renewal, suspension and revocation of certificates;
g) Responsibilities and obligations of the requester, certificate holder, certifying entity and recipients;
h) Provisions on termination of activity;
i) Methods used for chronological validation;
j) Period of validity of the certificate practice statement.

2 – The certificate practice statement shall be revised periodically, at least once a year, and it shall be available electronically at all times for consultation by requesters, certificate holders and recipients.

Article 6
Certificate policy

1 – The certifying entity shall indicate in each certificate, by means of a unique identifier, the policy that establishes the terms, conditions and scope of use of the certificate and the requirements that must be included in the certificate practice statement.
2 – The certificate policy shall be electronically available at all times, for consultation by requesters, holders and recipients.

SECTION II
Issue and management of keys

Article 7
Issue of certifying entity’s keys

The key pairs used by the certifying entity in the provision of certification services shall be created:

a) In a physically secure environment, according to the requirements established in the security plan provided for in article 27, by personnel complying with the requirements established in article 29;
b) Through the use of an algorithm and an appropriate key length, pursuant to the provision of article 11;
c) Through the use of a secure signature-creation device, certified under the terms of article 3;
d) By at least two members of staff physically present together in the workplace (dual control).


Article 8
Management of certifying entity’s keys

1 – The certifying entity’s private keys shall be:

a) Maintained in a secure signature-creation device, certified under the terms of article 3;
b) Subject to a back-up copy, which shall be stored and replaced by authorized personnel and in a physically secure environment, according to the procedure described in the security plan, applying equal or higher protection conditions than those engaged for keys in use;
c) Unique and confidential during their creation and transmission to a secure signature-creation device, and shall not be stored outside such a device;
d) Used within secure physical areas according to the provisions established in the security plan;
e) Used within the period for which they are valid.

2 – The certifying entity shall not use the private keys used for the issue of certificates and revocation lists for other purposes.
3 – On expiry of the period of validity, the back-up copy of the private key shall be destroyed irreversibly or archived in a manner that prevents its reuse.
4 – As regards the management of owned keys, the certifying entity shall be responsible for:

a) Ensuring the integrity and authenticity of public keys and of any parameter related thereto during the distribution, as well as establishing a process that authenticates the origin thereof;

b) Maintaining an organized archive of public keys, on expiry of the period of validity thereof;
c) Ensuring the security and integrity of the cryptographic equipment during the service life thereof and that non-authorized personnel do not gain access thereto or alter it;
d) Ensuring that the private keys stored in the cryptographic equipment are destroyed after they are withdrawn from functioning;
e) Ensuring that the operations concerning the management of private keys, the handling of cryptographic devices and the information regarding the state of suspension and/or revocation are performed jointly by at least two members of staff.

Article 9
Issue of holder keys

The certifying entity, when issuing keys intended for holders, shall ensure that:

a) The holder’s key pair is created through the use of an appropriate cryptographic algorithm, pursuant to the provision of article 11;
b) The private key provided to the holder for signature creation is stored securely prior to its delivery, so that its integrity is not jeopardized;
c) The private key provided to the holder for signature creation is different from any key provided for use in other functions;
d) No back-up copy or archive copy of the holder’s private key for signature creation is made.

Article 10
Secure signature-creation devices

Where the certifying entity provides secure signature-creation devices, it shall ensure that:

a) The device is securely prepared, stored and distributed, and that it is certified pursuant to the provision in article 3;
b) Where activation data are associated with the device, they are provided separately from it.

Article 11
Cryptographic algorithms

The cryptographic algorithms used in the provision of certification services and respective associated parameters shall be:

a) Those comprised in the lists published in the Official Journal of the European Communities, pursuant to paragraph 5 of article 3 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December, where they exist;
b) Those comprised in technical specifications issued regarding algorithms and parameters, pursuant to point b) of paragraph 1 of article 2, where the list referred to in the preceding point has not been published.

SECTION III
Chronological validation

Article 12
Chronological validation service

1 – The certifying entity shall ensure that the date and time of certificate issue, suspension and revocation may be determined by means of services of chronological validation, which shall cryptographically link data to time values.
2 – The services of chronological validation shall ensure that:

a) The origin and validity of each request for chronological validation are determined;
b) The request uses a cryptographic algorithm acknowledged under the terms of article 11;
c) The time used is defined according to Co-ordinated Universal Time (UTC) and certified by a national measurement institute, with an uncertainty of less than 100 milliseconds (ms);
d) Data included in the request are returned without any change;
e) The private key used in the signature of the chronological validation proof:
i) Is not used for other purposes;
ii) Is created through the use of an algorithm and an appropriate key length, acknowledged under the terms of article 11;
iii) Is created and stored in a cryptographic module, certified according to the provision of article 3;
f) Each chronological validation proof includes:
i) The certified time value;
ii) A unique identifier;
iii) A unique identifier of the adopted chronological certification policy;
iv) The accuracy of the time value used, where it is worse than that indicated in the adopted policy;
g) The chronological validation shall be signed cryptographically before the reply to the request is rendered;
h) The proof of the chronological validation shall not include the identification of the entity that requested it.

3 – The data concerning the creation and management of keys used for chronological validation, including data related to time certification carried out by a national measurement institute, shall be registered and stored for a minimum period of 20 years.
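The proof structure and checks that paragraph 2 describes, as an added example in Go that is not part of the decree and is not any certifying entity’s software: the service signs a simplified TSTInfo-like structure (policy identifier, hash algorithm, imprint of the data, serial number, UTC time and accuracy) with a key dedicated to that purpose, and the recipient verifies the signature and then checks that the imprint is the hash of the data it actually holds, so that altered data or an altered proof are rejected. The policy identifier, the fixed 100 ms accuracy, the in-memory key and the injected clock are assumptions made for the example; a real service keeps the key in a certified module, takes its time from a source traceable to a national measurement institute, and encodes the token as RFC 3161 CMS.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// oidSHA256 is the standard id-sha256 identifier; policyOID is a hypothetical placeholder
// for the chronological certification policy of Article 12(2)(f)(iii), not an assigned OID.
var (
	oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	policyOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5}
)

// tstInfo is the content the service signs. It carries the items of Article 12(2)(f) and
// follows the shape of RFC 3161 TSTInfo, simplified for this example.
type tstInfo struct {
	Policy       asn1.ObjectIdentifier // policy identifier, 12(2)(f)(iii)
	HashAlg      asn1.ObjectIdentifier // algorithm of the imprint, 12(2)(b)
	Imprint      []byte                // hash of the data, returned unchanged, 12(2)(d)
	SerialNumber int64                 // unique identifier of the proof, 12(2)(f)(ii)
	GenTime      time.Time `asn1:"generalized"` // certified UTC time, 12(2)(f)(i)
	AccuracyMs   int                   // accuracy of the time value, 12(2)(f)(iv)
}

// proof is the reply: the DER-encoded tstInfo plus the signature computed before the reply
// is returned (12(2)(g)). Nothing in it identifies the requester (12(2)(h)).
type proof struct {
	Info, Signature []byte
}

// service holds the dedicated signing key (12(2)(e)(i)) and a clock that stands in for the
// UTC source certified by a national measurement institute (12(2)(c)).
type service struct {
	key    *ecdsa.PrivateKey
	clock  func() time.Time
	serial int64
}

func newService(clock func() time.Time) (*service, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &service{key: key, clock: clock}, nil
}

// issue checks the request (exactly one SHA-256 imprint, 12(2)(a),(b)) and returns the proof.
func (s *service) issue(imprint []byte) (*proof, error) {
	if len(imprint) != sha256.Size {
		return nil, errors.New("request must carry a SHA-256 imprint")
	}
	s.serial++
	info := tstInfo{Policy: policyOID, HashAlg: oidSHA256, Imprint: imprint, SerialNumber: s.serial,
		GenTime: s.clock().UTC().Truncate(time.Second), AccuracyMs: 100}
	der, err := asn1.Marshal(info)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &proof{Info: der, Signature: sig}, nil
}

// verify is the recipient's check: signature first, then policy and algorithm, then that the
// imprint is the hash of the data the recipient holds.
func verify(pub *ecdsa.PublicKey, p *proof, data []byte) (*tstInfo, error) {
	digest := sha256.Sum256(p.Info)
	if !ecdsa.VerifyASN1(pub, digest[:], p.Signature) {
		return nil, errors.New("signature on proof does not verify")
	}
	var info tstInfo
	if rest, err := asn1.Unmarshal(p.Info, &info); err != nil || len(rest) != 0 {
		return nil, errors.New("malformed proof content")
	}
	if !info.Policy.Equal(policyOID) || !info.HashAlg.Equal(oidSHA256) {
		return nil, errors.New("unexpected policy or hash algorithm")
	}
	if want := sha256.Sum256(data); !bytes.Equal(info.Imprint, want[:]) {
		return nil, errors.New("proof does not cover this data")
	}
	return &info, nil
}

func main() {
	svc, err := newService(time.Now)
	if err != nil {
		panic(err)
	}
	data := []byte("constructed sample document") // constructed input for the example
	imprint := sha256.Sum256(data)
	p, _ := svc.issue(imprint[:])
	info, err := verify(&svc.key.PublicKey, p, data)
	fmt.Println(info.GenTime, info.SerialNumber, err)
	_, err = verify(&svc.key.PublicKey, p, []byte("altered document"))
	fmt.Println("altered data:", err)
}
```

The request carries only the imprint, never the data or the requester’s identity, which is what lets the proof satisfy points (d) and (h) at once; the serial number is what makes two proofs over the same imprint at the same second distinguishable.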

SECTION IV
Qualified certificates

Article 13
Request

1 – The certifying entity shall ensure that the request for the issue of a certificate is made either through an electronic document bearing a qualified electronic signature or through a paper document bearing a handwritten signature, and moreover that such request complies with the provisions of articles 14 and 15.
2 – The certifying entity shall verify the identity of the requester, by legally recognised means, and where the request is submitted for others, it shall check whether or not the requester possesses sufficient powers for the referred submission.

Article 14
Request for the issue of a natural person certificate

1 – The request for a certificate issue, where it is applied for by a natural person shown as the certificate holder, shall comprise, among others, the following elements:

a) Full name;
b) Identification of a pseudonym to be shown as certificate holder, where appropriate;
c) Identity document number, date of issue and issuing entity, or any other particular that enables unambiguous identification;
d) Home address and other means of contact;
e) Provision for a specific attribute, regarding the intended use of the certificate;
f) Indication as to possible limitations on the scope of use of the certificate, as well as on the value of transactions for which the certificate can be used;
g) Additional information relating to the powers of representation, to professional qualifications or other attributes.

2 – Where the request for certificate issue is applied for by other than the natural person shown as the certificate holder, it shall comprise, in addition to the particulars referred to in the preceding paragraph, the following particulars concerning the requester, depending on whether it is submitted by a natural person or a legal person:

a) Name or legal name;
b) Identity document number, date of issue and issuing entity, or any other particular that enables unambiguous identification, or legal person number;
c) Residence or office address;
d) Object, name of the members of its governing bodies and of other persons entitled to bind it, and registration number at the commercial registry;
e) Home address and other means of contact.

3 – The natural person shown as certificate holder shall explicitly authorize the request for the inclusion in the certificate of his personal data.
4 – In the situation provided for in paragraph 2 of the present article, the request shall also attach the declaration of the natural person shown as certificate holder, undertaking to fulfil obligations as certificate holder.

Article 15
Request for the issue of a legal person certificate

1 - The request for a certificate issue, where it is applied for by a legal person shown as the certificate holder, shall be subscribed by the legal representatives thereof, and shall comprise, among others, the following particulars:

a) Legal name;
b) Legal person number, office address, object, name of the members of its governing bodies and of other persons entitled to bind it, and registration number at the commercial registry;
c) Full name, identity document number and any other particular that enables the unambiguous identification of the natural persons authorized to represent it by law or under its articles of association;
d) Address and other means of contact;
e) Indication as to possible limitations on the scope of use of the certificate, as well as on the value of transactions for which the certificate can be used;
f) Provision for a specific attribute, regarding the intended use of the certificate;
g) Additional information relating to the powers of representation, to professional qualifications or other attributes.

2 - Where the request for certificate issue is applied for by other than the legal person shown as the certificate holder, the provisions of points a) to e) of paragraph 2 and paragraph 4 of article 14 shall apply, in addition to the provision of the preceding paragraph.

Article 16
Registration

1 – The certifying entity shall receive the request, validate the data thereof and carry out the registration.
2 – The registration shall include:

a) The identification of the entity that received the request;
b) Data comprised in the request;
c) Supporting documents attached to the request;
d) The description of methods used to verify the product;
e) The identification of the contract referred to in article 25;
f) Additional valuable information concerning the use of the certificate.

3 – The data included in the registration shall not be used for other purposes than those necessary for the use of the certificate.
4 – The certifying entity shall store in archive the data comprised in the registration, the supporting documents thereof and a copy of the contract, for a minimum period of 20 years.

Article 17
Issue

1 – The certifying entity shall ensure that, in the course of the issue process, the registration data regarding the certificate holder are handled securely and that the public key included in the certificate corresponds to the holder’s private key.
2 – The certifying entity shall grant each certificate holder a unique identifier, to be used as far as the certificate is concerned.
3 – The certifying entity shall ensure the protection of the confidentiality and integrity of registration data in all issue procedures.
4 – The period of validity of the certificate shall not exceed that of the algorithms used and respective parameters.
5 – The period of validity of the supplementary certificate shall not exceed that of the certificate to which it is connected.
6 – The certifying entity shall maintain the registration of issued certificates from the date of the respective issue and during the validity period thereof, and shall store them for a minimum of 20 years following that period’s expiry.
7 – The certifying entity shall only issue a certificate for a legal person where it has conditions to ensure that the signature creation, through a signature-creation device, requires the intervention of natural persons that, by law or statutes, represent the legal person who holds the certificate.

Article 18
Contents and format

1 – The qualified certificate includes, among others, the following information:

a) Name or legal name of the signatory and other particulars necessary to a clear identification thereof, or a pseudonym clearly identified as such;
b) Name and other particulars necessary to a clear identification of natural persons that represent the certificate holder, by law or statutes, where it is a legal person;
c) Name and advanced electronic signature of the certifying entity, as well as an indication of the country in which it is established;
d) Signature verification data corresponding to the certificate holder’s signature creation data;
e) Serial number;
f) Date of beginning of validity and expiry date;
g) Identifiers of algorithms used for verification of certificate holder’s and certifying entity’s signatures;
h) Indication as to possible limitations on the scope of use of the certificate, as well as on the value of transactions for which the certificate can be used;
i) Provision for a specific attribute of the signatory, regarding the intended use of the certificate;
j) Indication that the certificate is issued as a qualified certificate;
l) Additional information relating to the powers of representation, to professional qualifications or other attributes, declaring this information to be unconfirmed, where appropriate.

2 – Where a supplementary certificate exists, the connection thereof with the certificate to which it relates shall be ensured, the following information being compulsorily included in the supplementary certificate:

a) Indication that such certificate is a supplementary certificate;
b) Reference to the certificate whereupon it is based;
c) Designation of algorithms used for the certification of the certifying entity’s signature;
d) Serial number of the supplementary certificate;
e) Identification of the certifying entity and of the country wherein it is established;
f) Additional information relating to the powers of representation, to professional qualifications or other attributes, declaring this information to be unconfirmed, where appropriate;
g) Advanced electronic signature of the certifying entity.

3 – The format of certificates shall comply with the technical specifications issued by ETSI or equivalent specifications, acknowledged pursuant to article 2.
4 – The certifying entity shall ensure the mechanisms necessary in order to establish a certification hierarchy and acknowledge issued certificates.
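The content rules of this article, together with the policy identifier of article 6 and the validity limit of article 17(4), as an added example in Go that is not part of the decree and is not any certifying entity’s software: a self-signed certifying-entity certificate issues a natural-person certificate carrying the items that the standard library can express (subject name and a unique holder identifier, issuer name and country, serial number, validity, a certificate-policy identifier and the ETSI QcCompliance statement that marks the certificate as qualified), and a checker reports which of those rules a parsed certificate fails. The names, the policy OID, the holder identifier in the subject serialNumber attribute and the in-memory keys are assumptions of the example; the QcStatements and QcCompliance identifiers are the real ones from PKIX and the ETSI qualified-certificate profile. Mapping article 17(2)’s unique identifier to the subject serialNumber attribute and article 9(c) to a contentCommitment-only key usage are this example’s reading of the text, not something the decree prescribes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidCertPolicies  = asn1.ObjectIdentifier{2, 5, 29, 32}              // certificatePolicies
	oidQcStatements  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // id-pe-qcStatements
	oidQcCompliance  = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}       // id-etsi-qcs-QcCompliance
	oidExamplePolicy = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6}          // hypothetical policy OID (Article 6)
)

// oidEntry is the leading element of both PolicyInformation and QCStatement; the optional
// trailing element (qualifiers, statementInfo) is not needed for the entries used here.
type oidEntry struct{ ID asn1.ObjectIdentifier }

func oidListExt(extOID, id asn1.ObjectIdentifier) pkix.Extension {
	der, err := asn1.Marshal([]oidEntry{{ID: id}})
	if err != nil {
		panic(err) // inputs are constants, so a failure here is a programming error
	}
	return pkix.Extension{Id: extOID, Value: der}
}

// extensionHasOID reports whether extension extOID of cert lists the identifier want.
func extensionHasOID(cert *x509.Certificate, extOID, want asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(extOID) {
			continue
		}
		var entries []oidEntry
		if _, err := asn1.Unmarshal(ext.Value, &entries); err != nil {
			return false
		}
		for _, e := range entries {
			if e.ID.Equal(want) {
				return true
			}
		}
	}
	return false
}

func create(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA makes a self-signed certifying-entity certificate; the key lives in memory here,
// whereas Article 8 requires a certified signature-creation device.
func newCA(notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Certifying Entity", Country: []string{"PT"}},
		NotBefore:    notBefore, NotAfter: notBefore.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // Article 8(2): no other use
	}
	cert, err := create(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueHolderCert issues a natural-person certificate. The certifying entity creates the
// holder's key pair as Article 9 allows; the private key would go to the holder's device
// and is kept nowhere (9(d)). With qualified=false the QcStatements extension is omitted.
func issueHolderCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64,
	notBefore time.Time, validity time.Duration, qualified bool) (*x509.Certificate, error) {
	holder, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	exts := []pkix.Extension{oidListExt(oidCertPolicies, oidExamplePolicy)} // Article 6(1)
	if qualified {
		exts = append(exts, oidListExt(oidQcStatements, oidQcCompliance)) // 18(1)(j)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // 18(1)(e)
		// 18(1)(a); the subject serialNumber attribute carries the Article 17(2) unique identifier
		Subject:         pkix.Name{CommonName: "Ana Exemplo", Country: []string{"PT"}, SerialNumber: "PT-EX-000042"},
		NotBefore:       notBefore, NotAfter: notBefore.Add(validity), // 18(1)(f)
		KeyUsage:        x509.KeyUsageContentCommitment,               // signing only, Article 9(c)
		ExtraExtensions: exts,
	}
	return create(tmpl, ca, &holder.PublicKey, caKey)
}

// checkQualified applies the rules of Articles 6, 17 and 18 that a relying party can test
// mechanically. algorithmValidUntil is the end of the algorithm's recognised validity
// (Article 11 lists), supplied by policy.
func checkQualified(cert, issuer *x509.Certificate, algorithmValidUntil time.Time) []string {
	var findings []string
	check := func(ok bool, msg string) {
		if !ok {
			findings = append(findings, msg)
		}
	}
	check(cert.Subject.CommonName != "", "18(1)(a): subject has no name")
	check(cert.Subject.SerialNumber != "", "17(2): no unique holder identifier")
	check(cert.Issuer.CommonName != "" && len(cert.Issuer.Country) > 0, "18(1)(c): issuer name or country missing")
	check(cert.NotAfter.After(cert.NotBefore), "18(1)(f): empty validity period")
	check(!cert.NotAfter.After(algorithmValidUntil), "17(4): validity exceeds that of the algorithm")
	check(extensionHasOID(cert, oidCertPolicies, oidExamplePolicy), "6(1): expected certificate policy absent")
	check(extensionHasOID(cert, oidQcStatements, oidQcCompliance), "18(1)(j): not marked as a qualified certificate")
	check(cert.KeyUsage&x509.KeyUsageContentCommitment != 0, "9(c): key usage does not restrict the key to signing")
	check(cert.CheckSignatureFrom(issuer) == nil, "18(1)(c): certifying entity's signature does not verify")
	return findings
}

func main() {
	start := time.Date(2004, 7, 15, 0, 0, 0, 0, time.UTC)
	ca, caKey, err := newCA(start)
	if err != nil {
		panic(err)
	}
	cert, err := issueHolderCert(ca, caKey, 43, start, 10*365*24*time.Hour, false)
	if err != nil {
		panic(err)
	}
	fmt.Println(checkQualified(cert, ca, time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```

The two extensions are written through ExtraExtensions rather than the library’s own policy field so that the same oidEntry encoding serves both certificatePolicies and QcStatements and the checker reads them back the same way; a certificate issued with a ten-year validity and no QcCompliance statement comes back with exactly the two findings for articles 17(4) and 18(1)(j).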

Article 19
Distribution

In the distribution of certificates, the certifying entity shall make use of secure systems that enable the storage thereof and availability for verification purposes, ensuring that:

a) The certificate is fully available to the certificate holder to whom it was issued;
b) The certificate is only available to the public with the certificate holder’s consent;
c) The recipient is informed of the conditions it is expected to observe, namely:
i) To verify, in each communication or transaction, whether the certificate is valid, suspended or revoked;
ii) To verify whether the certificate is being used in accordance with the conditions laid down by the certifying entity.

Article 20
Renewal and updating

As regards certificate renewal or updating for reasons of change of attributes of the certificate holder, the certifying entity shall:

a) Verify whether all information used to evidence the identification and attributes of the certificate holder remains valid;
b) Notify the certificate holder in advance of any changes to the terms and conditions governing the issue of the certificate;
c) Ensure that the signature keys are updated prior to their expiry date and that the public keys related thereto ensure at the least the same degree of security granted to the initial certificate;
d) Ensure that the issue of a new certificate, that makes use of a previously certified public key, is only carried out where the cryptographic security of that key is ensured during the period of validity of the new certificate.

Article 21
Revocation and suspension

The certifying entity shall apply the revocation and suspension procedures pursuant to the provision of article 30 of Decree-Law no. 290-D/99 of 2 August and to its certificate practice statement, and shall ensure that:

a) The requests and information on suspension and revocation are processed as soon as they are received, the period between receiving and publishing the new state not exceeding twenty-four hours;
b) The certificate is suspended only in the course of the period of time defined in the security plan, which shall not exceed three working days, and that, upon the expiry of that period, where the suspension has not been lifted, the certificate is revoked with effects as from the date of suspension;
c) The alterations regarding the state of validity of the certificate are notified to the holder thereof;
d) A revoked certificate is not reused;
e) An updating service concerning the state of suspension and revocation of certificates is available at all times.
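The suspension and revocation timing rules of this article, as an added example in Go that is not part of the decree and is not any certifying entity’s software: a status record with the transitions the article allows, a working-day calculation for the suspension window of point b), automatic revocation with effect from the suspension date once that window lapses, refusal to return a revoked certificate to use (point d), and the twenty-four-hour publication check of point a). Assumptions of the example: working days are Monday to Friday with public holidays ignored (the security plan of article 27 fixes the calendar actually used), and the time passed to reconcile is the clock of the scheduled job that closes lapsed suspensions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type status int

const (
	valid status = iota
	suspended
	revoked
)

func (s status) String() string { return [...]string{"valid", "suspended", "revoked"}[s] }

// record is the certifying entity's view of one certificate's state.
type record struct {
	state       status
	suspendedAt time.Time // date the suspension took effect
	revokedAt   time.Time // effective revocation date; may precede the decision (Article 21(b))
}

// addWorkingDays counts Monday to Friday only; public holidays are ignored (assumption).
func addWorkingDays(t time.Time, n int) time.Time {
	for n > 0 {
		t = t.AddDate(0, 0, 1)
		if d := t.Weekday(); d != time.Saturday && d != time.Sunday {
			n--
		}
	}
	return t
}

func (r *record) suspend(at time.Time) error {
	if r.state != valid {
		return fmt.Errorf("cannot suspend a certificate that is %s", r.state)
	}
	r.state, r.suspendedAt = suspended, at
	return nil
}

// lift ends a suspension; a revoked certificate is never returned to use (21(d)).
func (r *record) lift() error {
	if r.state != suspended {
		return fmt.Errorf("cannot lift suspension of a certificate that is %s", r.state)
	}
	r.state, r.suspendedAt = valid, time.Time{}
	return nil
}

func (r *record) revoke(effective time.Time) error {
	if r.state == revoked {
		return errors.New("certificate is already revoked")
	}
	r.state, r.revokedAt = revoked, effective
	return nil
}

// reconcile applies 21(b): once maxDays working days (at most three) have passed without
// the suspension being lifted, the certificate is revoked with effect from the suspension date.
func (r *record) reconcile(now time.Time, maxDays int) error {
	if maxDays < 1 || maxDays > 3 {
		return errors.New("suspension window must be between one and three working days")
	}
	if r.state == suspended && now.After(addWorkingDays(r.suspendedAt, maxDays)) {
		return r.revoke(r.suspendedAt)
	}
	return nil
}

// publicationOverdue applies 21(a): a state change received at 'received' must be
// published within twenty-four hours.
func publicationOverdue(received, now time.Time) bool {
	return now.Sub(received) > 24*time.Hour
}

func main() {
	r := &record{}
	at := time.Date(2004, 7, 15, 10, 0, 0, 0, time.UTC) // a Thursday
	_ = r.suspend(at)
	_ = r.reconcile(at.AddDate(0, 0, 6), 3) // Wednesday 21 July: the three-working-day window has lapsed
	fmt.Println(r.state, "effective", r.revokedAt.Format("2006-01-02"))
	fmt.Println("lift after revocation:", r.lift())
}
```

Because the window is counted in working days, a suspension started on a Thursday does not lapse until the following Tuesday has passed, and the revocation that follows is dated back to the Thursday; the publication check is independent of that window and applies to every state change received.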

SECTION V
Rights and obligations

Article 22
Obligation of information

In the pursuit of its activities, the certifying entity shall disclose the following information:

a) Price of services provided;
b) Certificate practice statement;
c) Terms, conditions and scope of use of its certificates;
d) A means of communication, available at all times, through which the request for a certificate suspension or revocation may be submitted;
e) Indication that the registered information, necessary to the use of the certificate, is not used for other purposes;
f) Period of time during which it shall store the information provided by the requester as well as the information regarding the use of the respective certificates;
g) Indication that, in case of termination of activity, the information referred to in the preceding point is transferred to another entity, under the law;
h) The means used for resolution of disputes;
i) Legislation applicable to the certification activity;
j) Registration number of certifying entities conferred by the accrediting authority;
l) Accreditation date and number, where accredited.

Article 23
Obligations of the certificate holder

The certificate holder shall take the necessary measures to avoid damage to third parties and to preserve the confidentiality of information transmitted, and shall undertake to:

a) Use cryptographic keys within the limitations imposed by the respective certificate policy;
b) Ensure the secrecy of the private key;
c) Use an algorithm and key length pursuant to article 11, where he creates his own keys;
d) Use a secure signature-creation device, where required by the certificate policy;
e) Create keys within the secure signature-creation device, where required by the certificate policy;
f) Immediately notify the certifying entity in case of loss of control of private key, or where the information comprised in the certificate is inaccurate or has been altered, during the period of validity of the certificate.

Article 24
Obligations of the requester

1 – The obligations of the requester acting in his own name are the obligations of the certificate holder, referred to in the preceding article.
2 – Whoever requests a certificate for others shall be responsible for informing the certificate holder as to the terms and conditions of use of the certificates, as well as to the consequences of the respective non-compliance.

Article 25
Contract

1 – The contract between the certifying entity and the requester shall be written in clear and accessible language, on a physical and durable medium, and signed by the parties with a qualified electronic signature, in the case of an electronic document, or with a handwritten signature, in the case of a paper document.

2 – The clauses of the contract between the certifying entity and the requester shall comprise:

a) The obligations of the certifying entity resulting from the provisions of points a), c), h) and i) of article 22;
b) The obligations of the requester referred to in the preceding article.

3 – The contract between the certifying entity and the requester shall be registered and stored by the certifying entity for a minimum period of 20 years.

CHAPTER III
Operational and management requisites

 

Article 26
Implementation of security

1 – The certifying entity shall ensure that its facilities, procedures, personnel, equipment and products comply with all security standards applicable to the pursuit of its activity, and shall namely undertake to:

a) Possess a security plan implemented pursuant to the ISO/IEC 17799 international standard;
b) Use reliable systems and products, protected against modifications;
c) Engage a security auditor;
d) Draw up reports on incidents caused by security or operational failures, and promptly initiate the corresponding remedial action.

2 – The certifying entity shall ensure that the procedures used to guarantee the levels of operational, physical and system security, according to the adopted standards, are documented, implemented and kept up to date, and shall maintain an inventory of assets, with their respective classification, in order to characterize their protection needs.

3 – The National Security Authority shall carry out the assessment of the certifying entity’s security prior to the beginning of activity thereof, where classified matters are involved.

Article 27
Security plan

1 – The security plan shall comprise at the least:

a) Description of the organizational and functional structure and of the certification activity;
b) Specification of the procedures for assessing and guaranteeing the good repute and technical ability of the personnel on duty;
c) Specification of requirements on physical, logical and operational security;
d) Requirements on information availability, including redundancy of systems and contingency plans;
e) Indication of the maximum period of time necessary to update the state of revocation and/or suspension of certificates;
f) Indication of the maximum period of time a certificate may remain in the state of suspension;
g) Requirements on information protection, including a distinction of the different security levels and access profiles implemented;
h) Definition of functions that confer access to certification acts and instruments, respective security requisites and access profiles;
i) Description of used electronic signature products and identification of the respective conformity certifications;
j) Description and assessment of other security risks;
l) Indication of the responsible persons for the implementation thereof;
m) Indication of the established regular revision process.

2 – Where classified matters are involved, the security plan shall obtain the approval of the National Security Authority.

Article 28
Contingency plan

1 – In order to deal with possible disasters or incidents that may jeopardise the normal functioning as to the provision of certification services, the certifying entity shall implement a contingency plan comprising:

a) The possibility of tampering with, or unauthorized access to, the private keys of the certifying entity;
b) Planning that ensures operations are resumed within a previously defined period of time;
c) The means through which requesters, certificate holders, recipients and other certifying entities with which there are agreements are informed of any event that jeopardizes the secure use of certificates and of the state of revocation;
d) The maintaining of integrity and authenticity of information regarding the state of revocation.

2 – The certifying entity shall ensure that the certificate distribution, revocation and revocation-status services remain available at all times in the event of an incident, and that procedures exist to continue the services on alternative recovery systems, and shall guarantee that migration from the primary systems to the recovery systems does not jeopardize system security.

3 - Where classified matters are involved, the contingency plan shall obtain the approval of the National Security Authority.

Article 29
Personnel policy

1 – The certifying entity shall adopt rules for the selection and recruitment of its personnel that reinforce and comply with the provisions on security required for the pursuit of its activity, and shall namely:

a) Employ specialized personnel with specific knowledge of electronic signature technology and of security practices, for functions concerning public key infrastructure management;
b) Ensure that all personnel performing functions related to certification procedures are not subject to any conflict of interest that may put their impartiality at risk;
c) Ensure that functions related to certification processes are not performed by persons in a situation that indicates lack of good repute;
d) Ensure that at least the following posts and functions necessary to the operation of systems are comprised in the scope of its organization structure:
i) System administrator: authorized to install, configure and maintain the systems, holding controlled access to security-related configurations;
ii) System operator: responsible for the daily operation of systems, authorized to make backups and to restore information;
iii) Security administrator: responsible for the management and implementation of security standards and practices;
iv) Registration administrator: responsible for the approval of certificate issue, suspension and revocation;
v) System auditor: authorized to monitor the logs of system activity.

2 – The posts or functions referred to in subpoints i), iii) and v) of point d) of the preceding paragraph shall not be performed by the same person.
3 - Where classified matters are involved, the personnel policy shall obtain the approval of the National Security Authority.

Article 30
Audits

1 – The security auditor shall be a natural or legal person, independent from the certifying entity, of acknowledged good repute, experience and qualifications evidenced in the area of information security, in the performance of security audits and in the use of the ISO/IEC 17799 standard, duly accredited by the National Security Authority.
2 – The certifying entity shall prove by means of the annual security audit report, carried out by an accredited security auditor, that it has accomplished an assessment of risks and identified and implemented the controls necessary to information security.
3 – Security audits shall be performed having regard to the ISO/IEC 17799 standard, and the respective audit report shall be submitted to the accrediting authority by 31 March of each calendar year.
4 – The security auditor shall ensure that the members of his team do not act in a partial or discriminatory way and have not provided the certifying entity with consulting services in the three previous years nor maintain with it any other business agreements or ties.
5 – In case of subcontracting, the auditor shall:

a) Give the certifying entity advance notice of the fact and obtain from it the agreement thereto;
b) Ensure that a written contract is drawn up, which clearly identifies the subcontracted functions and establishes the obligations between the parties, namely as regards confidentiality and independence from commercial or other interests, as well as the non-existence of any kind of ties with the certifying entity being audited;
c) Ensure that it is able to prove the technical skills, good repute and impartiality of the subcontracted entity, as well as its security accreditation by the National Security Authority, where it is legally required, and that it complies with the provision of the preceding paragraph;
d) Take full responsibility for the subcontracted work and the final audit report.

Article 31
Termination of activity

1 – In case of termination of activity, the certifying entity shall ensure the continuity of information regarding certification processes, and in particular the maintenance of the archive of information necessary to the supply of means of proof in court trials, pursuant to the following article.
2 – Prior to terminating its activity, the certifying entity shall:

a) Notify the termination of activity pursuant to the provisions in paragraphs 1 and 2 of article 27 of Decree-Law no. 290-D/99, of 2 August;
b) Notify the termination of activity to the National Security Authority for the purposes of cancellation of security accreditations;
c) Terminate all business relationships with third parties authorized to act in its behalf, in the performance of functions concerning issue of certificates;
d) Destroy its private keys or permanently prevent their use;
e) Ensure that the entity whereto all documentation is to be transferred undertakes to store it during the legally required period of time.

Article 32
Archive of information

1 – The documentation on the functioning of certification services, including malfunctioning, special operational situations and information on registration, shall be maintained in an electronic file and stored for a minimum period of 20 years.
2 – For the purposes of the preceding paragraph, the certifying entity shall ensure:

a) The confidentiality and integrity of information stored in archive, concerning qualified certificates;
b) That the date and precise time of events concerning key and certificate management is registered;
c) That all events documented in the certification practice statement are registered in such a way that they cannot be altered or destroyed;
d) The archive of information on events regarding:
i) Registration, including alterations;
ii) Life cycle of the certifying entity's key pair and of all certificate holders' keys managed by the certifying entity;
iii) Life cycle of qualified certificates;
iv) Life cycle of keys created by the supplied secure devices;
v) Supply of secure signature-creation devices;
vi) Requests regarding certificate revocation.

3 – The documentation comprised in the electronic file shall be certified by means of a qualified electronic signature with chronological validation.
4 – The certifying entity shall maintain in manual files all documents concerning business relationships established with requesters, evidence of identity and powers of representation and business relationships established with subcontracted entities and documents related to good repute and professional qualification of persons performing functions connected with certification services.
5 – The documentation referred to in the preceding paragraph shall be stored for a minimum period of 20 years.

CHAPTER IV
Accreditation

 

Article 33
Accreditation of certifying entities

1 – Certifying entities that present guarantees of compliance with all the technical and security requirements laid down in the present statutory instrument and in Decree-Law no. 290-D/99 of 2 August, and of the use, in their certification operations concerning qualified electronic signatures, of processes, systems and products assessed and certified pursuant to article 3, may request accreditation, or its renewal, on the appropriate form made available by the accrediting authority, attaching thereto the documents referred to in article 13 of Decree-Law no. 290-D/99 of 2 August.
2 – Where the request is submitted in a document written on paper, it shall be handed in directly or sent by registered mail; where it is submitted electronically, the electronic document shall bear a qualified electronic signature. The documents to be attached thereto shall be submitted to the accrediting authority within three days following the submission of the request.
3 – The documents referred to in paragraph 1, which have been already submitted to the accrediting authority for purposes of registration by certifying entities and maintain their validity, may be replaced by a statement of the certifying entity, declaring that such documents have not been altered after being submitted.
4 – The accreditation request, or renewal request, shall also attach certified copies, written in Portuguese or attaching a legalized translation thereto, of conformity certificates and assessment reports referred to in paragraph 1.

Article 34
Accredited certifying entities

Accredited certifying entities, in addition to complying with all the provisions applicable to certifying entities that issue qualified certificates, shall:

a) Inform requesters of the legal effects conferred on a qualified electronic signature and of the probative value of documents bearing such a signature, as well as of the need to re-sign documents where the documents must remain in signed form for longer than the algorithms and associated parameters used to create and verify the signature remain valid;
b) Guarantee that a reference to the accreditation is included in the issued qualified certificates or notified in another appropriate way;
c) Ensure that, during working hours, revocation lists are updated within at most three hours of the corresponding information being entered, and that outside working hours appropriate measures are taken so that a request for the revocation of a qualified certificate is registered by an automated device that enables the automatic and immediate suspension of the certificate;
d) Ensure that any continuous interruption of revocation services exceeding thirty minutes during normal working hours is documented as a malfunction.

Article 35
Long-term document security

The new signature referred to in point a) of the preceding article shall be created with the appropriate algorithms and associated parameters and shall include prior signatures, as well as a chronological validation.
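The following Go program is an added illustration of the renewal scheme described in article 35 (and of the signed, time-stamped archive documentation required by paragraph 3 of article 32); it is not part of the decree nor the code of any certifying entity. It assumes Ed25519 as a stand-in for both the original and the replacement algorithm, a plain Unix-time field in place of a qualified time-stamp token issued by a time-stamping authority, and a constructed byte encoding for the signed data. The sample document and keys are generated inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Layer is one signature in a renewal chain. Layer 0 is the original
// signature over the document; each later layer (the "new signature" of
// article 35) signs the document hash, every earlier layer's signature and
// its own timestamp, which stands in here for the chronological validation.
type Layer struct {
	Signer    ed25519.PublicKey
	Timestamp time.Time
	Sig       []byte
}

// toBeSigned builds the bytes one layer signs (constructed encoding for this
// example). Ed25519 signatures are a fixed 64 bytes, so concatenation is
// unambiguous; a format with variable-length signatures would need length
// prefixes or a CMS/DER structure.
func toBeSigned(docHash []byte, prior []Layer, ts time.Time) []byte {
	var buf bytes.Buffer
	buf.Write(docHash)
	for _, l := range prior {
		buf.Write(l.Sig)
	}
	var tsBuf [8]byte
	binary.BigEndian.PutUint64(tsBuf[:], uint64(ts.Unix()))
	buf.Write(tsBuf[:])
	return buf.Bytes()
}

// AddSignature returns a new chain with one more layer over doc, the
// existing chain and ts. Called with a nil chain it produces the original
// signature; called again later it performs the re-signing.
func AddSignature(doc []byte, chain []Layer, priv ed25519.PrivateKey, ts time.Time) []Layer {
	h := sha256.Sum256(doc)
	sig := ed25519.Sign(priv, toBeSigned(h[:], chain, ts))
	out := append([]Layer(nil), chain...) // copy so the caller's chain is untouched
	return append(out, Layer{
		Signer:    priv.Public().(ed25519.PublicKey),
		Timestamp: ts,
		Sig:       sig,
	})
}

// VerifyChain checks every layer against the document and the layers before
// it, and rejects timestamps that go backwards. Any change to the document or
// to an earlier signature breaks every later layer; a change to a layer's
// timestamp breaks that layer itself.
func VerifyChain(doc []byte, chain []Layer) error {
	if len(chain) == 0 {
		return errors.New("empty signature chain")
	}
	h := sha256.Sum256(doc)
	for i, l := range chain {
		if i > 0 && l.Timestamp.Before(chain[i-1].Timestamp) {
			return fmt.Errorf("layer %d: timestamp earlier than layer %d", i, i-1)
		}
		if !ed25519.Verify(l.Signer, toBeSigned(h[:], chain[:i], l.Timestamp), l.Sig) {
			return fmt.Errorf("layer %d: signature does not verify", i)
		}
	}
	return nil
}

func main() {
	doc := []byte("constructed sample: archived contract text") // not a real document
	_, oldKey, _ := ed25519.GenerateKey(rand.Reader)           // original signer
	_, newKey, _ := ed25519.GenerateKey(rand.Reader)           // re-signer, years later
	chain := AddSignature(doc, nil, oldKey, time.Date(2004, 7, 15, 9, 0, 0, 0, time.UTC))
	chain = AddSignature(doc, chain, newKey, time.Date(2014, 7, 15, 9, 0, 0, 0, time.UTC))
	fmt.Println("renewed chain verifies:", VerifyChain(doc, chain) == nil)
	doc[0] ^= 1 // tamper with the archived document
	fmt.Println("after tampering:", VerifyChain(doc, chain))
}
```

The point of nesting the prior signatures inside the new one is that the old signature is fixed in time before its algorithm weakens: an attacker who later forges a signature with the old key cannot place it inside a chain whose later layers were already time-stamped. In a real archive the timestamp would come from a time-stamping authority and the whole chain would be kept alongside the certificates and revocation data needed to verify each layer.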

Article 36
Publicizing

The accrediting authority shall ensure that the information on the identification of accredited certifying entities is available at all times for the electronic consultation by the general public.

Checked and approved in the Council of Ministers of 12 May 2004. – José Manuel Durão Barroso – Maria Manuela Dias Ferreira Leite – Maria Teresa Pinto Basto Gouveia – Maria Celeste Ferreira Lopes Cardona – José Luís Fazenda Arnaut Duarte – Maria da Graça Martins da Silva Carvalho.

Promulgated on 22 June 2004.

Let it be published.

The President of the Republic, Jorge Sampaio.

Counter-signed on 24 June 2004.

The Prime Minister, José Manuel Durão Barroso.