eID Interoperability for PEGS: Update of
Country Profiles study
Spain country profile
July 2009
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
This report / paper was prepared for the IDABC programme by:
Coordinated by: Hans Graux (time.lex), Florin Inte (Siemens), Jarkko Majava (Siemens), Eric
Meyvis (Siemens)
Contract No. 1, Framework contract ENTR/05/58-SECURITY, Specific contract N°12
Disclaimer
The views expressed in this document are purely those of the writer and may not, in any
circumstances, be interpreted as stating an official position of the European Commission.
The European Commission does not guarantee the accuracy of the information included in this
study, nor does it accept any responsibility for any use thereof.
Reference herein to any specific products, specifications, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favouring by the European Commission.
All care has been taken by the author to ensure that s/he has obtained, where necessary,
permission to use any parts of manuscripts including illustrations, maps, and graphs, on which
intellectual property rights already exist from the titular holder(s) of such rights or from her/his or
their legal representative.
This paper can be downloaded from the IDABC website:
http://europa.eu.int/idabc/
http://ec.europa.eu/idabc/en/document/6484
© European Communities, 2009
Reproduction is authorised, except for commercial purposes, provided the source is
acknowledged.
eIDM_II_ES Profile v 1 1 web format.doc
Page 2 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Table of Contents
1
1.1
2
GLOSSARY
4
DEFINITIONS
4
INTRODUCTION
6
2.1
OVERVIEW OF THE MOST SIGNIFICANT EIDM SYSTEMS
6
2.2
BACKGROUND AND TRADITIONAL IDENTITY RESOURCES
2.2.1 EGOVERNMENT STRUCTURE AND ROLE OF EIDM
2.2.2 TRADITIONAL IDENTITY RESOURCES
7
7
10
2.3
EIDM FRAMEWORK
2.3.1 MAIN EGOVERNMENT POLICIES WITH REGARD TO EIDM
2.3.2 LEGAL FRAMEWORK
2.3.3 TECHNICAL ASPECTS
14
14
23
26
2.4
INTEROPERABILITY
31
2.5
EIDM
APPLICATIONS
2.5.1 EHEALTH
2.5.2 EJUSTICE
2.5.3 OTHER EID CARD APPLICATIONS
32
32
33
34
2.6
FUTURE TRENDS/EXPECTATIONS
35
2.7
ASSESSMENT
2.7.1 ADVANTAGES
2.7.2 DISADVANTAGES
36
37
38
eIDM_II_ES Profile v 1 1 web format.doc
Page 3 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
1 Glossary
1
1.1 Definitions
In the course of this report, a number of key notions are frequently referred to. To avoid any ambiguity,
the following definitions apply to these notions and should also be used by the correspondents.
o
o
o
Entity: anyone or anything that is characterised through the measurement of its attributes in an
eIDM system. This includes natural persons, legal persons and associations without legal
personality; it includes both nationals and non-nationals of any given country.
eIDM system: the organisational and technical infrastructure used for the definition,
designation and administration of identity attributes of entities. This Profile will only elaborate
on eIDM systems that are considered a key part of the national eIDM strategy. Decentralised
solutions (state/region/province/commune…) can be included in the scope of this Profile if they
are considered a key part of the national eIDM strategy.
eIDM token (or ‘token’): any hardware or software or combination thereof that contains
credentials, i.e. information attesting to the integrity of identity attributes. Examples include
smart cards/USB sticks/cell phones containing PKI certificates, …
o
Authentication: the corroboration of the claimed identity of an entity and a set of its observed
attributes. (i.e. the notion is used as a synonym of “entity authentication”).
o
Authorisation: the process of determining, by evaluation of applicable permissions, whether an
authenticated entity is allowed to have access to a particular resource.
o
o
o
Unique identifiers: an attribute or a set of attributes of an entity which uniquely identifies the
entity within a certain context. Examples may include national numbers, certificate numbers,
etc.
Official registers: data collections held and maintained by public authorities, in which the
identity attributes of a clearly defined subset of entities is managed, and to which a particular
legal of factual trust is attached (i.e. which are generally assumed to be correct). This includes
National Registers, tax registers, company registers, etc.
eGovernment application: any interactive public service using electronic means which is
offered entirely or partially by or on the authority of a public administration, for the mutual
benefit of the end user (which may include citizens, legal persons and/or other administrations)
and the public administration. Any form of electronic service (including stand-alone software,
web applications, and proprietary interfaces offered locally (e.g. at a local office counter using
1
Based on the Modinis Common Terminological Framework for Interoperable Electronic Identity
Management; see https://www.cosic.esat.kuleuven.be/modinis-idm/glossary/
eIDM_II_ES Profile v 1 1 web format.doc
Page 4 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
an electronic device)) can be considered an eGovernment application, provided that a certain
degree of interactivity is included. Interactivity requires that a transaction between the parties
must be involved; one-way communication by a public administration (such as the publication
of standardised forms on a website) does not suffice.
o
o
eSignature: data in electronic form which are attached to or logically associated with other
electronic data and which serve as a method of authentication with regard to this data, as
2
defined in the eSignatures Directive .
Advanced electronic signature: an electronic signature which meets the following
requirements, as defined in the eSignatures Directive:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of
the data is detectable;
o
o
2
Qualified electronic signature: advanced electronic signatures which are based on a qualified
certificate and which are created by a secure-signature-creation device, as defined in the
eSignatures Directive.
Validation: the corroboration of whether an eSignature was valid at the time of signing.
See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:HTML
eIDM_II_ES Profile v 1 1 web format.doc
Page 5 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
2 Introduction
2.1 Overview of the most significant eIDM systems
The most important of the existing eIDM systems in Spain is the “DNI electrónico” or “DNI-e”
(electronic national identity card, hereinafter eID card) that includes technological innovations in the
eID card in order to increase the document’s security as well as its application field.
The eID card allows electronic authentication of the identity of a person in an irrefutable manner, and
allows the bearer to eSign documents, granting them a legal validity identical to the one provided by
the handwritten signature.3
The “Documento Nacional de Identidad”, commonly known as “DNI” (Spanish Identity Card, hereinafter
ID card), is the document that verifies the identity, the personal data that appears on it and the Spanish
nationality of its bearer.
Most part of the data that appear in the ID card (whether electronic or not) is evidenced in the Civil
Registry (at the Ministry of Justice), where the facts concerning persons civil status are inscribed.
The most important data appearing in the ID card is the personal number that is assigned by the Police
General Directorate. This number is evidenced in other documents granted by the Administration such
as the passport or the driving licence.
The ID card number must be presented in any request, registration or precise document for public or
private actions whenever it is necessary to provide evidence of the personal identity of the interested
party.
Apart from the eID card, there is also a broadly used system of PKI certificates issued by 15
commercial CSPs (both public and private), which can be used in a large number of eGovernment
applications for authentication services. The interoperability between these certificates (56 types issued
by the 15 CSPs) is guaranteed through the MAP multiPKI Validation Platform (called Platform @firma
v.5.0.).
Both the eID card and the commercial CSP certificates will be discussed in greater detail below.
On the other hand, information concerning companies appears in the Companies Registry, where the
actions relating to individual entrepreneurs and legal corporations are inscribed with the purpose of
3
See www.dnielectronico.es
eIDM_II_ES Profile v 1 1 web format.doc
Page 6 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
publishing them so that they may be known by the persons contracting with them. Legal entities can
also authenticate themselves electronically, as certain commercial CSPs issue certificates specifically
to legal entities, rather than natural persons.
All of these systems will be discussed in greater detail below.
From a practical perspective, usage and uptake can be summarised as follows4:
eIDM system
National eID card
Digital Certificate
Potential user base
Estimated at 40 million
(around 90% of the
population)
¿?
Actual penetration
+ 10.000.0000 on 20
March 2009 (around 25
% of the population,)
+ 4.2 million citizens
used a digital
certificate to interact
with Public Authorities
Actual use
No public statistics are
available; see
http://www.060.es/ for a
list of applications.
Formatted: Font color: Auto,
Not Highlight
No public statistics are
available
Deleted: Le podeis preguntar
a la Pôlicía
more than 1 million
transactions every
month are performed by
the national VA @firma
Formatted: Font color: Auto,
Not Highlight
2.2 Background and traditional identity resources
2.2.1 eGovernment structure and role of eIDM
Spain is today a regional state, and therefore the eGovernment structure at State level is very different
to the one at the regional level, where the 17 Spanish autonomous communities (regions) have their
own Government and therefore their own and different level and speed of development,
implementation and extent of the eGovernment applications.
As in other countries, in every level strong efforts are made in the field of electronic information
sharing, which is combined with the so called “unique counter” (ventanilla única), so that in the near
future all citizens will be able to handle their paperwork at any official Registry (state/regional/local) and
without needing to present any document that any Administrative body has already registered in its
electronic databases, as all Administration bodies will share information (e.g. the case of the renewal of
working authorisations, where the Social Security certifications are no more required, as civil servants
working at the Immigration Directorate have direct access to the Social Security database).
eGovernment, in particular horizontal integration, is driven by the following services:
4
Data obtained from www.red.es
eIDM_II_ES Profile v 1 1 web format.doc
Page 7 of 38
Deleted: ¿?
Formatted: Font color: Auto,
Not Highlight
Deleted: ¿?
Formatted: Font color: Auto,
Not Highlight
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
*
State eGovernment
eGovernment initiatives and applications are developed independently in every Ministry, and the new
Ministry of Presidency (before, those these matters were a competence of the Public Administrations
Ministry-MAP-) is responsible for steering the development and implementation of eGovernment in
Spain’s central state administration. These tasks are co-ordinated at state level by the Directorate
General of Impulse of the Electronic Administration (DG para el impulso de la administración
electrónica).
In addition, the Higher Council for Electronic Administration is in charge of leading, co-ordinating and
monitoring the implementation of eGovernment across central government and participates in the
Sectorial Committee of eGovernment, which is the technical organ in charge of eGovernment
cooperation among the three levels of Spanish Administration: state, regional (autonomous
communities) and local (municipalities).
In Spain, the Law for Electronic Access by Citizens to Public Administrations (LAECSP)5 obliges that all
public administration services will be offered online. In this way it requires the use of different channels
for eServices, and the right of citizens to choose between them without restrictions; including an
Internet access point in public offices on the street. Up to now, the single multi-channel access point
for all the current services; using or not electronic certificates is made via the 060 network: www.060.es
with 24x7 availability. It provides a full co-ordination of all services offered by the national, regional and
local administrations, without requiring the users to know which administration is providing them.
The main effort of state government is aimed to the use of the DNIe card , which is horizontally
coordinated by the “Oficina Técnica del DNI electrónico” (DNIe card Technical Office), which gives
detailed information at www.dnielectronico.es.
*
Regional Government
Regional eGovernment initiatives using electronic authentication systems are lead and coordinated by
the respective regional Administrations, where a specific body, department or entity is usually in charge
of its coordination. In some cases the information about eGovernment is split and not available at the
competent
All Spanish Regions (Autonomous Communities), have their own Internet Portal offering information to
citizens and companies, and providing eGovernment services using eSignature.
It is important to note here, in order to facilitate a proper comparison with other Member States, that
management of specific matters such as education or health have been transferred to the Spanish
Regions and only residual competences are kept by the State Government.
*
Local eGovernment
5
LAECSP Ley Para el Acceso Electrónico de los Ciudadanos a los Servicios Públicos. BOE 23-06-07
http://www.map.es/iniciativas/mejora_de_la_administracion_general_del_estado/moderniza/Administracion_Elec
tronica/parrafo/05/document_es/A27150-27166.pdf
eIDM_II_ES Profile v 1 1 web format.doc
Page 8 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Local eGovernment initiatives are lead and coordinated by local authorities, mostly municipalities.
Unfortunately, the development degree for municipalities is even less than that for regional
eGovernment initiatives. Even so, there are also good examples as the Madrid City’s homepage, which
is in the top five places on the report “Digital Governance in Municipalities”
In Spain, the Plan Avanz@’s policy is to connect electronically all Spanish municipalities (more than
8.000), most of which do not yet have broadband access or public offices. This includes the eModel
Programme that finances projects in order to ensure that about 2010, all citizens will be able to
communicate electronically with the administrations, without discrimination due to geographic (or other)
reasons.
Most of the Spanish Municipalities are developing and testing projects for “Ciudades Digitales” (Digital
Cities) in order to transform fully their Local Governments to permit the citizens to have access to all
public services by using the municipalities’ web pages, with different sections addressed to citizens
(A2C), enterprises (A2B) and public officers (A2A) by means of their intranet.
The Higher Council for Electronic Administration takes care, among others, of computer co-operation
among Administrations and others entities like local ones. It promotes the collaboration and
cooperation among the Spanish Regions and municipalities, the use of telecommunications in the
Administration, the Security Policy and the improvements in quality and productivity in the information
services development.
National eGovernment Cooperation and Coordination6
As mentioned before, the Ministry of Presidency (hereinafter, MP) is the instance in charge of general
eGovernment cooperation and coordination.
In fact, for the period of 2006-2008 the MP it was approved the “Plan de Medidas 2006-2008 para la
mejora de la Administración” (Measures Plan to improve the Administration), with different initiatives to
modernise the Spanish Administration according to the citizens’ needs. It contains 16 measures of
different nature that will be progressively approved and implemented in the following two years.
Among the legislative initiatives the draft of an Electronic Administration Law is foreseen.
The MP also works to improve A2C services, and those A2A services that, thanks to the internal
modernisation of all Government Delegations located in all Spanish Regions will permit the
Administration to guarantee the accessibility of their A2C services by simplifying the processes and
administrative proceedings. These actions are included in the Plan “MAP en RED” (connected MAP).
Regarding the support given to municipalities, reinforcing the particular actions managed from the
regional Administrations, the MP has several projects of administrative modernisation at the Local
Administrations (eModel) consisting of a line of subsidies with which the MP will co-finance (with a
maximum representing a 50% of the execution) local projects aiming to modernize Local
6
Information extracted from the Report “European eGovernment Services (IDABC)” that has been
compared, updated and, in its case, adapted to the needs and requirements of this report.
eIDM_II_ES Profile v 1 1 web format.doc
Page 9 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Administrations by using Information Technologies for the improvement of A2C services, proceedings
simplifications and improvement of technological infrastructures and communications.
Inside the MTP it is the Higher Council on eGovernment (“Consejo Superior de Administración
Electrónica”), which is the organ in charge of the preparation, elaboration, development and application
of the Government politic and strategy regarding the information technologies, as well as the boost and
implementation of the eGovernment within the State General Administration. In fact, this Higher
Council takes care, among others, of Computer cooperation among Administrations and entities,
Telecommunications use in the Administration, Security Policy and Applications for the powers
execution and Improvement on quality and productivity in the information services development.
The first of these functions implies the improvement of collaboration and cooperation with the Spanish
Regions and municipalities, especially for the activation of inter-administrative public services.
Therefore, its plenary organ maintains relations with the emerging organs in charge of cooperation
among the different administrations. It will also be responsible for the support of cooperation activities
of the State Administration before E.U. international organisations, and also with Latin America in the
context of information technologies and eAdministration, in collaboration with the Ministry of Foreign
Affairs and Cooperation.
This Higher Council also participates in the Sector Committee of eGovernment (Comité Sectorial de
Administración Electrónica), which is the technical organ in charge of cooperation among the three
levels of the Spanish Administration, state, regional and local, concerning eGovernment. Among
others, this Committee seeks to harmonize the use of eSignatures, to guarantee its interoperability and
to improvement the validation of certificates and eSignatures actually rendered by the MTP’s validation
platform, known as @firma.
The Sector Committee has also launched the Observatory on eGovernment, where all Regions
participate, trying to follow the advances of all Regions towards eGovernment, to have updated
information about all of them on this matter, and to launch recommendations aiming to accelerate their
internal modernisation and to balance their development.
The Higher Council also participates in several international activities such as the IDABC Programme
in order to guarantee interoperability of Pan European services of eGovernment, interoperability and
mutual recognition of the different national digital identities and eSignatures, the i2010 Action Plan and
several international groups on this matter.
2.2.2 Traditional identity resources
Organic Law 1/1992 of February 21 on Citizen Security Protection regulates the issuance of the
National Identity Card (commonly known in Spain as DNI, and also referred here as ID card).
The ID card is a personal and non-transferable document, and its bearer is obliged to its custody and
conservation; it has sufficient value of its own to attest to the identity and personal data of the bearer
that appears on it, as well as his Spanish nationality.
eIDM_II_ES Profile v 1 1 web format.doc
Page 10 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Its procurement is compulsory for Spanish persons above fourteen who are resident in Spain or who,
living abroad, come to Spain for a period of more than six months. The cost charged to the citizens is
either is either 6,70 or 12,10€ €7.
It remains valid for a period of five or ten years, or indefinite, depending on the age of the person who
requests its issuance or renewal.
The identity card contains a number of data printed on it, specifically: photograph and signature of the
8
9
bearer, name(s) , and surnames , date of birth, gender, nationality, personal number (national register
number)10 and verification character corresponding to the Identification Tax Number11. On the back
side, it contains the place of birth, province-nation, parents’ name, residence, place of residence,
province, and nation in OCR-B letters for mechanical reading. Lastly, there is evidence of the
expiration date and the card number.
The national register number is a unique identification number for Spanish citizens, assigned to all
Spanish citizens in their national identity cards, and also appearing on the eID card and its microchip
(see below). In Spain the National Police is the public body in charge of issuing such identity cards.
To request the ID card, the physical presence of the interested person is required, as well as the
presentation of a literal birth certificate granted by the corresponding Civil Registry.
Birth is very important in the Spanish legal system because it determines the beginning of the
personality. As proof of birth, births are registered in the Civil Registry that verifies the fact, time and
place and the lineage. Once the inscription has taken place, the proof of birth can be provided through
literal certificates or through extracts issued by the Judge in charge of Civil Registries12.
The inscription takes place in the Civil Registry Office corresponding to the place where the birth took
place. If requested by the parents, the inscription may be managed in the Civil Registry Office of their
domicile, if it is different from the place of birth.
7
E.g. a citizen pays 6.70 EUR at first issuance or for replacement of an expired card; whereas 12.10
EUR is charged when a valid card is lost or stolen.
8
Specifically, one or two names.
9
The father’s first surname followed by the mother’s first surname
10
Each ID card is assigned a personal number that will serve as general personal numerical identifier.
11
The Tax Administration assigns a letter to each contributor which, together with the personal
number, conforms the Tax Identity Number, a number that must be consigned in all returns and
communications that are presented or maintained with the Tax Administration.
12
The Civil Registry Office is regulated in the Law of June 8, 1957, in Decree of November 14, 1958 wherein the
Ruling of the Law on Civil Registries is approved, and in Royal Decree 644/1990 of May 18 on the rules
regarding the Central Civil Registry Office.
eIDM_II_ES Profile v 1 1 web format.doc
Page 11 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
The Civil Registry Office is a file depending on the Ministry of Justice wherein the facts concerning the
civil status of persons are inscribed. The following facts are inscribed: birth, filiation, name and
surnames and any changes of these, the emancipation and adulthood age, the judicial modifications of
the persons’ capacity or that the latter have been declared insolvent, in bankruptcy or suspension of
payments, declarations of absence or death, nationality and neighbourhood, parental rights and duties,
guardianship and other legal representations, marriage and death.
Foreigners in the situation of legal residence in Spain are identified by a resident card called “Número
13
de Identificación de Extranjeros”, commonly known as “NIE” .
The NIE card14 is personal and non-transferable and attests to the legal residence of foreigners in
Spain, their identity and that they have been granted the corresponding authorisation or the recognised
right to stay in Spanish territory for more than three months.
For its issuance a prior government resolution is necessary granting the corresponding administrative
authorisation or, depending on the case, recognising the foreigner’s right to stay in Spanish territory.
An exception is made for E.U. nationals, as no previous administrative resolution is required for them
when they apply for their resident card.
There is also a Central Registry of Foreigners that depends on the Police General Directorate, where
residence permits granted to foreigners are inscribed15.
The resident card has a period of validity identical to the one granted by the residence authorisation or
the resolution recognising the right that justifies its issuance.
Foreigners staying in Spanish territory have the right and the obligation to keep the documentation that
verifies their identity, issued by the competent authorities of their country of origin or the country where
they come from.
At present, all foreign citizens holders of a NIE can obtain a Spanish qualified certificate as
authentication means in order to make on-line transactions with the Spanish Administration. The
foreigners identity card requires prior identification before the Certification Service Provider that issues
the qualified certificates (so called “certificado reconocido”), as the principal and safest authentication
means in Spain, based on a PKI solution. Such electronic certificates have the same legal validity and
technical characteristic as the ones issued to Spanish nationals by any of the Certification Service
Providers authorised by the Ministry of Industry, Tourism and Commerce.
13
Information obtained at www.mir.es.
14
Organic Law 4/2000 of January 11 on the rights and liberties of foreigners in Spain and their social integration,
modified by Organic Law 8/2000 of December 22 and Royal Decree 864/2001 of July 20, whereby the Ruling for
the execution of Organic Law 4/2000 of January 11 is approved, on rights and liberties of foreigners in Spain and
their social integration, modified by Organic Law 8/2000 of December 22.
15
Article 60 of Royal Decree 864/2001 lists the actions that may be inscribed in the Foreign Registry Office.
eIDM_II_ES Profile v 1 1 web format.doc
Page 12 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
The Spanish Government is planning to provide all resident foreigners in Spain with a similar document
to the electronic DNI (Spanish eID card), also based on PKI solutions, on smart cards. The introduction
of this document, known as “NIE electrónico” or “NIE-e” (electronic Foreigners Identity Card) will allow
its bearers to automatically obtain an electronic authentication mean with electronic signature (the
same as the DNI-e for Spanish nationals).
In Spain, the incorporation of companies requires the granting of a public writ before a Notary, which
determines the moment of its incorporation and therefore, its capacity to legally operate in trade.
After the incorporation, its inscription in the Companies Registry is mandatory after having paid the
respective taxes and after obtaining the Identification Tax Number (called “Código de Identificación
Fiscal”, commonly known as “CIF”, similar to the VAT no.), with identifying nature16.
The purpose of the Companies Registry17 is to obtain full security and transparency in mercantile
business, so that it is possible to know the legal situation of entrepreneurs, without information about
other circumstances that are not directly related with the entrepreneurs as operators in the mercantile
business.
In this file both individual entrepreneurs18 and organised corporations are inscribed. It is a public
registrar and therefore, it may be consulted by citizens interested in any information relating to the
situation of a company (its partners, managers or legal representatives, bylaws, etc.) or individual
entrepreneurs.
Concerning individual entrepreneurs, basically the entrepreneur’s identity and his company and the
general powers granted to specific persons to act on behalf of the company are inscribed, as well as
their modification, annulment and substitution. There are other details regarding transactions which
can also be inscribed19.
In the case of companies20, its incorporation, designation and termination of administrators/managers,
liquidators and auditors, general powers and delegation of faculties must be inscribed, as well as their
modification, revocation and substitution.
16
Royal Decree 1041/90 of Declarations on census of entrepreneurs and professionals of July 27,
17
Royal Decree 1784/1996 of July 19, wherein the Rules for Companies Registries are approved.
18
The inscription of natural persons in this Registry is due to their condition of businessmen or entrepreneurs.
19
See Article 87 of the Ruling of Companies Registry
20
Information obtained at www.dnielectronico.es.
eIDM_II_ES Profile v 1 1 web format.doc
Page 13 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
2.3 eIDM framework
2.3.1 Main eGovernment policies with regard to eIDM
21
2.3.1.1 Main eID tokens
Two tokens will be discussed in greater detail below, due to the their importance for Spanish elDM
policies: the national elD card and qualifed Digital Certificates from public and commercial CAs
The national eID card
Although it is still too early to say, the introduction in Spain of the eID card is aimed at providing the
necessary impulse to bring electronic authentication and electronic signatures into the mainstream of
the eGovernment services. It is intended to be a key enabler for electronic authentication, next to the
use of commercial PKI certificates, as outlined below.
The implementation of the national eID card commenced at Burgos (Castilla-Leon Region) in March,
2006.
In March 2009, more than 10.000.000 eID cards had already been issued, in its gradual
implementation, in 138 cities belonging to 49 Spanish provinces By the end of 2009, it is estimated that
about 14,000,000 eID cards shall have been issued.
The main innovation of the eID card is that it includes a small integrated circuit (chip), capable to
securely save information and to process it internally.
In order to incorporate this chip, the ID card changes its traditional support (plastified cardboard) to a
plastic material card that has new and better security measures. The support card of the eID is made
of polycarbonate, a resistant material of high quality and durability that allows the printing of data with
destructive laser, in order to make it impossible to falsify the impression.
In the electronic chip the following bearer’s data are stored: filiation details, digitalized image of the
photograph, digitalized image of the handwritten signature, digital fingerprint, advanced certificate of
authentication and signature, electronic certificate of the issuing authority and PIN codes for each
electronic certificate.
Its dimensions are identical to the traditional ID card and its size coincides with the credit cards that are
commonly used.
As mentioned before, the chip of the document contains two types of certificates: the authentication
certificate and the signature certificate.
21
Information obtained at www.dnielectronico.es
eIDM_II_ES Profile v 1 1 web format.doc
Page 14 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
The authentication certificate has the purpose of electronically guaranteeing the citizen’s identity when
effecting an on-line transaction. With this certificate, the bearer may prove his identity before anyone
because he possesses the certificate of identity and the PIN code associated with it.
This certificate must be used solely and exclusively for authentication systems (confirmation of identity)
and for safe access to information systems (by means of the establishment of private and confidential
channels with the servers). Based on the authentication of this certificate, the certification service
providers must not give access to personal information or request signatures on procedures or
documents.
This certificate may also be used as a means of authentication recognised by private entities, without
the latter being obliged to make a strong investment in the organisation and maintenance of a
registration infrastructure.
The signature certificate allows the citizens to eSign procedures or documents, allowing the
substitution of the handwritten signature with the electronic one based on the relationships of the
citizen with third parties22.
The activation of the eID card is not automatic as it requires the precise system to unblock the
conditions of access by means of the personal code of access (PIN) and/or the impression of
fingerprints (biometrics).
Only Spanish citizens can obtain the eID card (DNI-e). The Royal Decree 1553/2005 of December
23rd, regarding the issuing of the national identity card, its certificates of authenticity and eSignature
(http://www.dnielectronico.es/marco_legal/RD_1553_2005.html) confirms that the Police General
Directorate is the department (belonging to the Interior Ministry) to exercise all competences of
management, direction, organisation, development or administration of all matters concerned to the
issuance or performance of ID cards, including the electronic ones. In practice, the role of VA has been
delegated to the MAP (Ministry of Public Administration) and the FNMT (the Mint).
As stated above, the issuance of electronic resident cards (NIE-e) is also planned for resident
foreigners in Spain.
Public and Commercial PKI certificates
Apart from the eID card certificates, other PKI certificates continue to be used in parallel with the eID
card. Certificates recognised for this purpose are eCertificates provided by a certification service
provider that has satisfied special legal requirements (similar to the ones established by Directive
1999/93/EC). Regarding the financial resources to bear the risk of liability for damages, in Spain
certification service providers (CSP) are obliged to subscribe a civil liability insurance of at least
3.000.000,00 Euros.
22
Articles 3, 4 and 15.2 of eSignature Law.
eIDM_II_ES Profile v 1 1 web format.doc
Page 15 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
It is important to mention that under the eSignature Law, CSPs that provide certification services do not
need an administrative authorisation (in compliance with the eSignature Directive guidelines).
Therefore, any new CSP willing to provide certification services is only obliged to notify it to the Ministry
of Industry, Tourism and Commerce by giving identification data; and then the Ministry will verify
compliance with the eSignature Law. After the checking is concluded succesfully, the CSP is included
in the list published at its website: http://www.mityc.es/DGDSI/Servicios/FirmaElectronica/Prestadores/.
CAs is obliged to publish their Declaration of Certification Practices and any of the documents recorded
in article 19 of the eSignature Law:
> Declaration in which they will detail the obligations that they commit to comply.
> The declaration of certification practices will be at public disposal, easily accessible, at least
by electronic means, and for free.
> The declaration of certification practices will be considered as a security document.
In those documents the CAs give a series of technical and legal guarantees about the management
and conservation of their certificates and the corresponding authentication services.
2.3.1.2 Main elDM registers
In Spain, three types of “persons” need identification to interact with Public Administration services:
Nationals
As DNIe is compulsory, when requested for the first time, the physical presence of the person is
required, as well as the presentation of a birth certificate granted by the corresponding Civil Registry23.
The Civil Registry stores date of birth, parents, name and surnames and any changes of these data,
the judicial modifications of the persons' capacity, if he/she is insolvent, in bankruptcy or suspension of
payments; declarations of absence or death, nationality and neighborhood, parental rights and duties,
guardianship and other legal representations, marriage and death.
The use of the DNI is a habit in Spanish society, but there is much ignorance regarding the possibilities
offered by the electronic identification of the DNIe.
Non-Nationals
Non-national residents have a legal framework that regulates their identification and other issues24.
23
CRO The Civil Registry Office is regulated in the Law of June 8, 1957, in Decree of November 14, 1958. “Real
Decreto 644/1990, de 18 de mayo, por el que se dictan normas relativas al Registro civil Central. BOE. Boletín Oficial del Estado - vLex”; http://vlex.com/vid/18142232.
Ruling of the Law on Civil Registries, Royal Decree 644/1990 of May 18 on the rules regarding the Central Civil
Registry Office. “Ley de 8 de junio de 1957, sobre el Registro Civil.”;
http://noticias.juridicas.com/base_datos/Privado/lrc.html
eIDM_II_ES Profile v 1 1 web format.doc
Page 16 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
They are identified by a resident card with a number “Número de Identificación de Extranjeros”,
commonly known as “NIE” on an identification card “Tarjeta de Residente”. This card attests the legal
residence of foreigners in Spain, their identity and that they have been granted the corresponding
authorisation or the recognised right to stay in Spanish territory for more than three months. An
exception is made for E.U. nationals, as no previous administrative resolution is required for them
when applying for their resident card. EU-foreigners staying in Spanish territory have this right, but also
have the obligation to bear a document that proves their identity, issued by the competent authorities of
their country of origin or the country where they come from.
At present, foreign citizens, holders of a NIE card can obtain an electronic qualified certificate as an
authentication means in order to make on-line transactions with the Spanish Administration. The
foreigner’s identity card requires prior identification before a Certification Service Provider can issue
the qualified certificates (so called "certificado reconocido"), based on a PKI solution. Such electronic
certificates are issued by the FNMT and others, for purposes of tax declarations. Another example of
this type of certificate is the idCAT, that can be issued to foreign citizens This is a qualified certificate
based on software issued by CATCert that can be used for different kinds of procedures within the
public administrations.
More information on regulations about non-nationals can be obtained at Interior Ministry
http://www.mir.es/SGACAVT/extranje/normativa_basica.html
Entrepreneurs / Corporations
In Spain, establishing a company requires the granting of a public statement witnessed by a Notary,
25
which determines the moment of its constitution, and therefore, its capacity to operate legally in trade
24
Ruling of the Law on Civil Registries, Royal Decree 644/1990 of May 18 on the rules regarding the
Central Civil Registry Office. “Ley de 8 de junio de 1957, sobre el Registro Civil.”;
http://noticias.juridicas.com/base_datos/Privado/lrc.html
Royal Decree for Ruling the execution of Organic Law 4/2000 of January .“REAL DECRETO 864/2001, de 20 de
julio, por el que se aprueba el Reglamento de ejecución de la Ley Orgánica 4/2000, de 11 de enero, sobre
derechos y libertades de los extranjeros en España y su integración social, reformada por Ley Orgánica 8/2000,
de 22 de diciembre.”; http://www.boe.es/boe/dias/2001/07/21/pdfs/A26552-26603.pdf. Article 60
lists the actions that may be inscribed in the Foreign Registry Office
EX1 On rights and liberties of foreigners in Spain and their social integration, modified “Ley Orgánica
8/2000, de 22 de diciembre, de reforma de la Ley Orgánica 4/2000, de 11 de enero, sobre derechos y libertades
de los extranjeros en España y su integración social.”; http://noticias.juridicas.com/base_datos/Admin/lo82000.html
25
Declarations on census of entrepreneurs and professionals “Real Decreto 1041/1990, de 27 de julio, por el
cual se regulan las declaraciones censales que han de presentar a efectos fiscales los empresarios, los
profesionales y otros obligados tributarios. (Vigente hasta el 1 de septiembre de 2003)”;
http://noticias.juridicas.com/base_datos/Derogadas/r2-rd1041- 1990.html.
eIDM_II_ES Profile v 1 1 web format.doc
Page 17 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
26
Afterwards, its inscription in the Companies Registry is mandatory and after having paid the
respective taxes, the company should obtain a Tax Identification Number (called "Código de
Identificación Fiscal", commonly known as "CIF", similar to the VAT no.), with identifying nature. At this
moment, after being registered this way, companies are from that moment legal persons The purpose
of the Companies Registry is to obtain full security and transparency in mercantile business, so that it
is possible to know the legal situation of entrepreneurs. In this file, both individual entrepreneurs and
society companies (mostly Limited and Anonymous Societies) are inscribed. It is a public registry and
therefore, it may be consulted by citizens or individual entrepreneurs interested in any information
relating to the situation of a company: its partners, managers or legal representatives, bylaws, etc.
2.3.1.3 Authentication policies
27
Recently, there has been a proposal on assurance levels for eID credentials depending on some
conditions and had been established three levels: basic, medium, high
The following table summarizes the above mentioned situation for Spain that will be reflected in the
National Security Framework.
26
Rules for Companies Registries “Real Decreto 1784/1996, de 19 de julio, por el que se aprueba el
Reglamento del Registro Mercantil.”; http://noticias.juridicas.com/base_datos/Privado/rd1784- 1996.html..
27
Information provided by Miguel Álvarez Rodríguez (MP)
eIDM_II_ES Profile v 1 1 web format.doc
Page 18 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Authenticatio
Description
Registration of
Authentication
identity
method
n level
Basic
Level(1)
Applications
None or according to Authentication by
Specific public or private
authentication mechanism:
private entity
Knowledge that takes
services of relative
passwords, physical or logic
information about
place inserting a user
importance such as e-mail
tokens.
user.
name and a password services, banking or
- This level will admit any
If passwords are to be used basic
or a digital certificate
quality assurance rules must be
applied
specific requests Note: this
level can only be used by
certain groups of
applications and is not
Authentication tokens either
suitable for international
hardware, software or any other
usage.
combination will have to take into
account security issues:
Authentication factors or
credentials are exclusively under
user control
The user is conscious upon
receiving the credential of the
duties that must follows, particularly
diligence custody and inform
quickly after losing or
compromised credentials.
Authentication factors or
credentials will be change
accordingly to the periodicity
established in the Organization
Policy regarding to the security
level of the accessed system
Authentication factors or
credentials are to be discarded
when the entity that them
represents leaves the organization
that stand for.
.
eIDM_II_ES Profile v 1 1 web format.doc
Page 19 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Medium (Level If possible, password should be
Request must be
Advanced electronic
Specific public or private
2)
issued online but
signature Qualified
services of relative
avoided. I they are to be used,
strongest policies should be applied Physical and in
Electronic Certificates importance such as e-mail
as for example quality of the
presence identity is
(QEC). It is
password and frequently renewal.
required to obtain the responsibility of the
jobs, transportation or
user’s certificate.
specific requests
The usage of other authentication
application owner to
services, banking medical,
permit more or less
mechanism should be
rigid authentication
recommended; for example
methods. Usually,
personalized physical tokens, logic
certificates are issued
tokens
on software or
hardware tokens.
High (Levelk3)
Authenticator factors or credentials
Physical and in
Qualified Electronic
Highly confidential and very
will be suspended alter a
presence identity is
Signature Advanced
personal services such as
established inactivity period
required to obtain the Electronic Signatures
access to personal
user’s certificate.
information stored by the
Use of passwords will not be
based on Qualified
According to a legal Electronic Certificates Administration: work
allowed
regulation
(QEC) Level 4 only can resume, medical history,
Personalized Physical devices are
be obtained using
tax payment, money
to be used
SSCD
transactions etc.
Algorithm used in physical devices
tokens must be accredited by
Centro Criptológico Nacional
Whenever possible certified
product must be chosen
2.3.1.4 Mandates and authorisations
The launch of the electronic national identity card has been complemented by the creation of a
28
multiPKI Validation Platform supported by MTP that provides freely eSignature and eCertificate
validation services to eGovernment services (currently there are about 180 available services using the
platform). It is this platform which binds the authentication services of the national eID card and
28
More detailed information at: http://www.dnielectronico.es/seccion_aapp/platform.html
eIDM_II_ES Profile v 1 1 web format.doc
Page 20 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
commercial PKI certificates together, and which allows application owners to use both identification
solutions.
The MTP multiPKI Validation Platform (called Platform @firma v.5.0.) validates electronic certificates
and eSignatures issued by the main Certification Authorities of the country, including the eID Card
Certification Authority, and also provides time-stamping services and an eSignature program that
allows citizens to eSign documents in various eSignature standards locally before being submitted over
the Internet. The service is offered to eGovernment applications of all public administrations (state,
regional and local). The platform has been built up on open source and open standards.
Currently this Platform supports 12 certification services providers29 and 98 types of eCertificates.
a) Public Providers of Certification Services
•
DGP (Dirección General de la Policía – Police General Directorate):
http://www.dnielectronico.es/
•
FNMT-CERES (Fábrica Nacional de Moneda y Timbre – Royal Mint):
http://www.cert.fnmt.es/
•
CATCert (Agència Catalana de Certificació – Catalonian CA ):
http://www.catcert.net/web/cat/inici/home.jsp
•
ACCV (Autoritat de Certificació de la Comunitat Valenciana – Valencian CA):
http://www.accv.es/default_default.htm
•
IZENPE (Basque CA): http://www.izenpe.com/s15-5218/es/
b) Private Providers of Certification Services
•
AC Camerfirma (Commerce Chamber): http://www.camerfirma.com/
•
ANF AC (Asociación Nacional de Fabricantes - Autoridad de Certificación):
http://www.tradise.com/tradise/
•
ANCERT (Agencia Notarial de Certificación-Notaries): http://www.ancert.com/
•
Firma Profesional: http://www.firmaprofesional.com/bienvenida.htm
•
ACA (Autoridad de Certificación de la Abogacía-Lawyers):
http://www.cgae.es/especial/acaredabogacia/acaredabogacia.htm
•
Banesto (Banco Nacional Español de Crédito - Bank): http://ca.banesto.es/
•
SCR- Servicio de Certificación de los Registradores (CA of the Land Registres):
http://www.scregistradores.com/index.html
The following Certificate Authority is supported by @firma in its testing environment but will be offered
soon in production:
29
The list of authorities is available at http://www.dnielectronico.es/seccion_aapp/rel_autoridades.html
eIDM_II_ES Profile v 1 1 web format.doc
Page 21 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
•
Cartao de Cidadao (CA of the Portuguese eID card): http://www.cartaodecidadao.pt/
For the implementation of the Point of Single Contact derived from the transposition of the Services
Directive, it will be incorporated soon other MS qualified CAs once the Trusted List of CSP per MS are
issued and available by the end of the year
@firma requires a signed agreement with a CA before installing the CA in the production environment
in addition to be recognized as a qualified CA by the Supervisory Authority in Spain (Ministry of
Industry) according to the eSignature Directive 1999/93/EC. When agreements are obtained, these
may immediately be installed in the production environment. The agreement establishes a minimum
SLA that needs to be met by the CA in relation to the validation services offered to @firma30
The Platform also provides an eSignature client for its use by citizens in the Administrations Portals31.
This way, through standard interoperable interface of callings to services (web services technologies),
the public entities immediately incorporate the most recognised certificates of the country (the eID card
among them) to their services of eGovernment and offer eSignature to citizens in various formats or
international standards which are validated by the Platform.
Despite this, it remains the responsibility of the application owner to permit more or less rigid
authentication methods (user code or security token, SW recognised electronic certificates, HW, or in
the strictest case only the eID card itself). In some cases, sector regulation related to the service using
the eGovernment application requires the use of recognised eSignatures for online transactions when
this is required for making petitions or for presenting letters to the Public Administration in person.
There is an increasing tendency within the Spanish Administration to require identification by
eCertificates in their online transactions. However, it is required by law that the new eID card be
admitted by all eGovernment services for authentication and eSignature purposes, so that all Spanish
citizens are entitled to use those certificates in their transactions with all the existing eGovernment
services. Thus, the eID card is likely to become a standard solution for electronic authentication.
Full information is contained in the document “Declaración de certificados de @firma” (Declaration on
@firma
certificates),
issued
on
July
2008:
http://www.dnielectronico.es/seccion_aapp/FirmaV5p0_DPV_F20080526_V8_3.pdf, where 3 groups of
certificates, widely used by citizens/enterprises within their relation with public Administrations, are
classified, according to their nature: certificates related to natural persons, corporate persons or
components.
•
•
•
30
Natural Persons (NP) Certificates, directed to citizens or individuals as a way of eIdentification on
the Internet, which allow the creation of recognised eSignatures.
Corporate Persons or entities (CP) certificates, usually issued to the company’s legal
representative (or person empowered to Law on behalf of the company), recognised in many
eGovernment applications for the signature of administrative procedures.
SW Certificates or components for coded SSL, for machines or automated processes where
online petitions or answers have to be eSigned; for the creation of safe channels for the data
Information provided by Miguel Alvarez Rodríguez (MTP)
31
Additional information about the role of the Platform has been provided by Miguel Álvarez Rodríguez
(MTP). See footnote 21.
eIDM_II_ES Profile v 1 1 web format.doc
Page 22 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
exchanging between the server and citizen (e.g. applications of online Registry). This type of
certificate is not recognised yet (SW based certificates are free for citizens in most cases).
2.3.1.5 Biometrics and mobile identification
The national DNIe card allows the biometric verification of the identity of its bearer although this
function will only be available at controlled points of access. The system uses the fingerprint of the user
for his identity, and to do so, it uses the Match on Card algorithm.
Mobile eSignature solutions in Spain are not used yet in Spanish eGovernment applications even
though the private sector has started comercialising it in collaboration with the Royal Mint (eg.
Telefónica and Vodafone), offering the Mobile eSignature to citizens, corporations and the public
administrations.
2.3.2 Legal framework
The applicable legal framework is established by the following rules:
•
Directive 1999/93/CE of the European Parliament and the Council, of 13 December 1999 on a
Community framework for electronic signatures.
•
Law 59/2003 of December 19, on Electronic Signature (hereinafter, eSignature Law)
•
Organic Law 15/1999, of December 13, on the Personal Data Protection
•
Royal Decree 1553/2005, of December 23, ruling the national identity card and its eSignature
certificates.
•
Law 11/2007, of June 13, of Electronic Access of the Citizens to the Public Services –
LAECSP- (Ley Para el Acceso Electrónico de los Ciudadanos a los Servicios Públicos. BOE
23-06-07)
The eSignature Law was enacted to incorporate certain innovations regarding Royal Decree-law
14/1999 of September 17 that already regulated eSignature, such as the “recognised” eSignature
(Spanish equivalent to the qualified signature), and to determine the basic ruling framework of the eID
card, expressing its two most characteristic aspects (verifying the identity of its bearer in any
administrative procedure and allowing the eSignature of documents), remitting itself to the specific
ruling concerning the peculiarities of its legal system32.
On the other hand, Organic Law 15/1999, of December 13, on Personal Data Protection, which aims
“to guarantee and protect, in everything that concerns the handling of personal data, the public liberties
and fundamental rights of natural persons, and especially their honour and personal and family
intimacy”, and is also applicable to all those agents that intervene in the creation of the eSignature or
other electronic identity documents and need to deal with personal data.
32
Preliminary recitals of eSignature Law.
eIDM_II_ES Profile v 1 1 web format.doc
Page 23 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Lastly, Royal Decree 1553/2005 of December 23, whereby the national identity document and its
certificates of eSignatures is regulated, specifies the basic rules on the issuance of normal and
electronic identity documents as well as the regulation of rules on issuance and validity of electronic
certificates.
The main electronic identity system is the eID card which is compulsory for persons over 14 years. As
indicated previously, the issuance of the eID card began in 2006, and therefore a certain period of time
will elapse before all Spanish citizens have the eID card.
There are other electronic means of identity that allow citizens and corporations to access to different
electronic administration services, most notably the commercial CSP certificates discussed above.
These however are of course voluntary means.
The eID card distinguishes between signature and identity functionality because it serves to
electronically and undoubtedly verify the identity of the person, as well as to eSign documents with a
legal value equal to the one provided by the handwritten signature.
Citizens are informed of the advantages of the eID card by means of general information campaigns,
by means of the information provided at the moment of issuing the electronic ID card and through
information that is available on the web page specifically created to provide information about this
instrument.
Concerning the security of the data, the eSignature Law refers to the general rules. However, article
17 of eSignature Law indicates a series of obligations for providers of certification services such as
“they may only gather personal data directly from the signers or with their prior consent”, and that “the
data required shall exclusively be the data necessary for the issuance and maintenance of the
electronic certificate and the rendering of other services related to eSignatures, and not being able to
be considered with different purposes without the express consent of the signer.”
Although at present the electronic identity systems are only being used by public organisations, they
have been designed so that they may also be used by private parties. Many online services that are
currently provided by private groups shall substitute their authentication systems for the eID card.
E-Signatures may be used by legal persons. Article 7 of the eSignature Law indicates that “electronic
certificates of legal persons, their administrators, legal and voluntary representatives with sufficient
faculties for these effects may be requested.”
This same article prescribes that “electronic certificates of legal persons shall not affect the system of
organic or voluntary representation that is regulated by civil or commercial legislation applicable to
each legal person”.
It also indicates that “the custody of data on the creation of signatures associated to each eCertificate
of legal persons shall be the responsibility of the requesting physical person, whose identity shall be
included in the eCertificate.”
eIDM_II_ES Profile v 1 1 web format.doc
Page 24 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Lastly, it prescribes that “actions or contracts shall be understood as having been effected by legal
persons” if they have been eSigned within the limits foreseen in the rule.
The LAECSP Law of Electronic Access of the Citizens to the Public Services promotes the use of
Information Technologies and Communications in the relationships among Public Administrations and
citizens, thus improving the services and reducing the digital gap breach.
The LAECSP references through all its extension that the systems, the data, the communications and
services, which are operated by Public Administrations should fulfil the guarantees of security,
confidentiality, integrity, etc. Especially, it stresses several direct references to the LOPD.
In their Second Chapter, it regulates the way of identification, authentication and electronic signature,
both for citizens and Administrations. It also enables DNIe as general means for relationships between
citizens and Public Administrations; but, also admits the existence of other recognised electronic
certificates systems that must be accepted and recognised by any Public Administration in accordance
with LFE on articles 15 and 21. Also, these alternative electronic signature systems might use
previously registered concerted keys, shared secrets, or other non cryptographic systems, under the
terms and conditions that are determined in each case (usually automated administrative processes).
This means that there would be coexistence of strong authentication with authentication by knowledge
mechanisms like userid / password.
It is evident that this law creates a multilevel legal framework for electronic identity and digital signature
in relations among citizens and public administrations, and among several administrations. If advanced
signatures are used instead of the recognised one, then the public body need to inform about the
admitted advanced signature systems. That means that a public administration can choose to ask for a
simple electronic signature (for example a password) or an advanced electronic signature.
Article 23 enables a person acting as a representative for a natural or legal person by means of
specific conditions.
In addition, Article 15.3 of the LAECSP settles down that the Public Administrations will admit the
electronic certificates issued to entities without legal personality, as foreseen in LFE, in the terms that
will be determined in future regulations.
At the moment, various types of digital certificates exist (DNIe, Civil servants certificate, public
administrations certificate, etc) and there is no definition for a normalised structure of data to store this
information. Thus, no common method of extraction of the identity information exists, neither exact
rules that allow decomposing this information in its concrete elements. But, as foreseen by Law, these
Qualified Certificates can include some additional requirements on their extension while not affecting
their interoperability. Thus, this type of certificates, its extensions and how data is stored, is going to be
standardised and endorsed with the development of the “Additional Conditions”.
eIDM_II_ES Profile v 1 1 web format.doc
Page 25 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
2.3.3 Technical aspects
Actually in Spain, two types of authentication mechanisms are being used.
One of them, whose main example is the national eID card, is based on a PKI infrastructure with a
cryptographic card containing an intelligent chip (http://www.dnielectronico.es/Guia Basica/descrip
fisica.html). Apart from the national eID card, this system can also be used by the aforementioned
commercial CSPs if they choose to issue smart cards containing their certificates.
The other system is authentication by means of electronic certificate based only on software elements
such as the one offered, for example, by the Fábrica Nacional de Moneda y Timbre (the Spanish Royal
Mint, hereinafter, FNMT) (http://www.cert.fnmt.es/content/pages_std/html/aplications/ayudam.htm).
At present there is no difference between the on-line services offered for both types of authentication
systems, although it is true that as an official identity method before authorities, only the ID card is valid
but electronically any QC could be used for eID
33
Both the physical card used by the national eID card as well as other smart cards used for other
certificates (for example, like the one issued by the Royal Mint) use format ID-1 (credit card type)
(http://www.dnielectronico.es/seccion_integradores/Tarjeta:Soporte.html).
The main information concerning the Spanish national eID card is contained at a Basic Reference
Guide, issued on June 2006 by the Technical Commission to support the implementation of the eID
card is available at http://www.dnielectronico.es/PDFs/Guia_de_referencia_basica_v1.0.pdf. The eID
card uses contact ICs, with ISO 7816-3 compatible access and with an EEPROM size of 34 Kb for data
(http://www.enielectronico.es/PDFst19w134.pdfP).
The electronic certificate on the card used by the eID card and by other smart cards incorporate
cryptographic capacities
(http://www.dnielectronico.es/seccion_integradores/espec_uno.html,
(http://www.cert.fnmt.es/index.php?cha=cit&sec=tech_support&page=85).
The cards used for the national eID card and the Royal Mint use the standard PKCS#15
(http://www.dnielectronico.es/oficina_prensa/imagenes/060315/dossier_maquetado_final.pdf
(Http://www.cert.fnmt.es/index.php?cha=cit&sec=tech_support&page=85).
The cards used for the national eID card also follows other standards: ETSI TS 102 042,ETSI TS 101
456, ETSI TS 101 862, CWA 14167, CWA 14172, CWA 14.890
(http://www.dnielectronico.es/seccion_integradores/estandares.html).
33
Other types of QC are perfectly valid as to eID (though they might only generate an advance eSIg
instead of a QS).
eIDM_II_ES Profile v 1 1 web format.doc
Page 26 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
The cards used for the national eID card and the Royal Mint follow the standards PKCS#11, CSP and
API PC/SC
(http://www.dnielectronico.es/como_utilizar_el_dnie/ and
(http://www.cert.fnmt.es/index.php?cha=cit&sec=tech_support&page=85).
The hierarchy concerning the PKI of the national eID card consists of a two-layered model:
-
-
A first level where the Root CA (“AC Raiz”) is located, representing a confidence key point for
all the system. This way, all natural, corporate, public or private persons will recognize the
effectiveness of the eID card for vouching the identity. This AC only issues certificates for itself
and its AC Subordinates. It will only be operating during the realisation of operations for which
it is established and the dependant Police General Directorate exercises these functions.
A second level constituted by the CA subordinated to the Root CA (“AC Subordinada”) that will
issue the identification and signing certificates included in the eID card.
http://www.dnielectronico.es/seccion_integradores/certs.html.
The following entities take part in the management of the eID card:
-
-
-
-
-
The Police General Directorate, as competent organ to issue and manage the eID card;
The Authority approving the policies, as a PKI Executive Committee responsible for the
elaboration and updating of the Declaration Draft about Certification and Practice Policies, as
abovementioned; and the organ that will study the possibility of an external CA inter-acting with
the PKI of the eID card or the provision of validation services by third parties.
Certification Authorities (CA), as outlined below:
o
a Root CA that only issues certificates for itself and its subordinated CAs.
Certifications of Root CA : http://www.dnielectronico.es/certs/Acraiz.crt
o
3 subordinated CAs that issue certificates for eID card holders. Certifications of
34
subordinated CAs: http://www.dnielectronico.es/certs/AXXX.crt
Registry Authorities: constituted by all offices that issue the national ID card, that will assist the
CA in all proceedings related to citizens concerning their identification, registry or
authentication, guaranteeing the correct assignment of keys to the applicant.
Validation Authorities (VA): that will check the certificates’ current status by using the OSCP:
http://ocsp.dnielectronico.es, which shows to any third party its present status to an Accepting
Party, without asking them to access the published CRLs. Initially only the MP (Ministry of
Presidency through @firma) and the FNMT (the Mint) will act as VA on behalf of the Police
Department.
Accepting Party: any person or entity, different to the holder, that accepts and trust on the
certificates contained in the eID card.
Not all Public Administrations offering online transactions have already adapted them from a technical
35
point of view so as to also accept the new eID card . Some organisms such as the Tax Agency have
34
XXX is the 3 digits numeric identifier of the subordinated CA
eIDM_II_ES Profile v 1 1 web format.doc
Page 27 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
leaded the launch of new services of easy management by citizens (e.g. tax declarations by natural
persons), initially based on eSignatures, which are also now compatible with eID cards.
The standard for the publication of certificates is Online Certificate Status Protocol (OCSP), according
to which, an OCSP customer sends a request on the status of the certificate to the Validation Authority
who, after consulting its database, offers – via http – an answer on the certificate status
(http://www.dnielectronico.es/Autoridades_de_Validacion/).
As a method for revocation, certificate revocation lists (CRL) are used
(http://www.dnielectronico.es/Autoriddes_de_Validacion/).
The electronic identity system in Spain is based on a centralised registry in the Police General
Directorate (Ministry of Internal Affairs), and it is in its office for issuing the eID card where the
certificates of Spanish citizens are registered
(http://www.dnielectronico.es/obtencion_del_dnie/doc_acep_080506.pdf).
The eID card system is not based on Liberty alliance, WS Star, or SAML.
Presently in Spain, all Public Administrations offer e-Administration services that rely on users’
certificates. The connection between a citizen and an entity (public or private) is established as
follows:
35
•
The citizen makes a request for an authenticated security connection.
•
The Public Organism (or Private Entity) creates an authenticated message and sends it to the
citizen.
•
The citizen verifies the validity of the service certificate offered.
•
The code for the session and its cipher is generated with the public code of the Public
Organism (or Private Entity).
•
The message for the exchange of codes is constructed.
•
The citizen introduces the eID card in the reader and, with the electronic authentication
certificate, validates the codes exchange message.
•
The private channel is established.
Full list available at: http://www.dnielectronico.es/servicios_disponibles/
eIDM_II_ES Profile v 1 1 web format.doc
Page 28 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
•
The Public Organism (or Private Entity) verifies the message to open the session.
•
The Public Organism (or Private Entity) verifies in the Validation Authority the validation status
of the Citizen’s Authentication Certificate.
•
A secure channel is established and the SSL tunnel is closed.
As is reflected in the previous outline, the authentication process between both parts to establish a
secure channel requires the use of two certificates. On one hand, a Certificate from the Public
Organism (or Private Entity): this certificate, associated to the Organism or Entity’s server, guarantees
that the citizen is connecting with the mentioned organism and not to another. The certificate used by
the Organism or Entity is in no case issued by the DGP or the Ministry of Internal Affairs. The veracity
of this certificate must be guaranteed by a Certification Authority other than the Police General
Directorate, and subject to eSignature Law in the framework of obligations applicable to the providers
of certification services.
On the other hand, the citizen uses his own authentication certificate, in order to be identified before
the organism (or Private Entity). In this manner, the Organism (or Private Entity) may determine the
identity of the citizen to offer a personalised service. The veracity of this certificate shall be determined
by the Police General Directorate in the case of the eID card
(http://www.dnielectronico.es/Guia_Basica/uso_dnie.html).
The description of the fields of the signature certificate is contained in the table below. Please not that
in the Spanish case there is a difference between the Citizen Signature Certificate (CSC) and the
Citizen Authentication Certificate (CAC). As their technical description is almost the same, differences
will be directly highlighted along the table36.
e-ID citizen Signature Certificate (CSC) / Authentication Certificate (CAC)
Base Certificate
OID
Include Critical
Value
X
SHA256 with RSA Encryption
SHA1 with RSA Encryption
X
Issuing CA Signature
Certificate
SignatureAlgorithm
Algorithm
SignatureValue
Fixed
TBSCertificate
Version
X
Standard X.509 v3
SerialNumber
X
Not sequencial
Signature
X
SHA1 with RSA Encryption37
(Note SHA256 WITH RSA Encryption is
forseen for citizen certificates by 2009)
NotBefore
X
Key Genenration Process Date/Time
NotAfter
X
Key Genenration Process Date/Time + 30
Validity
36
37
Information extracted from the report “European eGovernment Services (IDABC)”.
SHA256 with RSA Encryption is foreseen for citizen certificates by 2009.
eIDM_II_ES Profile v 1 1 web format.doc
Page 29 of 38
Dynamic
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
months
SubjectPublicKeyInfo
X
RSA Encryption – Key length: 2048 bits
Issuer
CountryName
{ id-at-6 }
X
ES
CommonName
{ id-at-3 }
X
CA DNIE XXX38
Fixed
Organization
X
Dirección General de la Policía
Fixed
Organizational Unit
X
DNIE
Fixed
YES
ES
Fixed
YES
CSC: 1st Surname 2nd Surname,
GivenName (signature)
CAC: 1st Surname 2nd Surname,
GivenName (autentication)
Dynamic
Subject
Fixed
Required
countryName
{ id-at-6 }
CommonName
{ id-at-3 }
X
Surname
{ id-at-4 }
X
YES
provided by RRN
Dynamic
GivenName
{ id-at-42 }
X
YES
provided by RRN
Dynamic
SerialNumber
{ id-at-5 }
X
YES
Citizen ID number, including letter39
Dynamic
Standard Extensions
OID
Include Critical
Value
CertificatePolicies
{id-ce 32}
X
N/a
policyIdentifier
FALSE
X
CSC: 2.16.724.1.2.2.2.3
CAC: 2.16.724.1.2.2.2.4.
Fixed
X
http://www.dnielectronico.es/dpc
Fixed
X
id-etsi-qcs-QcCompliance
id-etsi-qcs-QcSSCD
policyQualifierrs
policyQualifierId
{ id-qt-1 }
Qualifier
Qualified Certificate
Statement
qcStatement
{ id-etsi-qcs 1 }
KeyUsage
{id-ce 15}
X
TRUE
N/a
Digital Signature
X
TRUE
CSC : 0
CAC : 1
NonRepudiation
(Content Commitment)
X
TRUE
CSC : 1
CAC: 0
Key Encipherment
X
TRUE
0
Data Encipherment
X
TRUE
0
Key Agreement
X
TRUE
0
Key Certificate Signature
X
TRUE
0
CRL Signature
X
TRUE
0
KeyIdentifiers
X
FALSE
AuthorityKeyIdentifier
X
FALSE
Application of SHA-1 Hash on CA PKI
Subject Key Identifier
X
FALSE
Application of SHA-1 Hash on Subject PKI
CRLDistributionPoints
distributionPoint
{id-ce 35}
{id-ce 31}
X
FALSE
FALSE
It will not be used
FullName
NetscapeCertType
38
XXX= number that identifies the issuer CA
39
The letter is a control digit used in Spain so as to avoid transcription errors.
eIDM_II_ES Profile v 1 1 web format.doc
Page 30 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
Subject info
X
Biometric info
X
Personal data info
2.16.724.1.2.2.3.1.
Subject Directory attributes
FALSE
Hash of biographic data (printed data on eID
card) SHA256/SHA1
X
Date of Birth
Private Extensions
OID
Include Critical
AuthorityInfoAccess
{id-pe 1}
X
accessMethod
{ id-ad-2 }
accessLocation
accessMethod
Hash of biometric data SHA256/SHA1
X
X
Value
FALSE
OCSP http://ocsp.dnie.es
Root CA http://www.dnie.es/certs/Acraiz.crt
{ id-ad-1 }
accessLocation
All the entities implied (the Origin Certification Authority, the Subordinate Certification Authorities and
the accepting Third Parties) share information by means of Certificate Revocation Lists (CRL)
(http://www.dnieledtonico.es/PDFs/politicas_de_certificacion.pdf).
The national eID card allows the biometric verification of the identity of its bearer although this function
will only be available at controlled points of access. The system uses the fingerprint of the user for his
identity, and to do so, it uses the Match on Card algorithm
(http://www.dnielectronico.es/PDFs/Guia_de_referencia_basica_y1.0.pdf).
2.4 Interoperability
In the light of the interoperability framework, there are two services specially dedicated to
interoperability in the context of eGovernment at national and European level:
- Esquema Nacional de Interoperabilidad (National Interoperability Scheme): It provides criteria
and interoperability recommendations for the public services, so as to avoid internal Spanish
interoperability difficulties.
- Proyecto Stork (Stork Project): Spain participates in this project of acceptance of eID and
similar identifiers in eGovernment services of other European Administrations.
Platform @firma contemplates the specifications of compatibility with the European Union, its
organisms and institutions. The platform @firma will soon recognise Certification Authorities (CAs)
from other member states, such as the Portuguese eID card, and at medium term will incorporate all
the foreign qualified CAs included in the MS Trust Services Status List (TSL) as part of the obligation
derived of the transposition of the Services Directive (in addition to the CAs to be incorporated in the
Stork project for a large scale pilot on eID). This approach would change if it was decided the creation
of a central VA in Europe in charge of cross-border validation services, or if other Member States
would establish a national VA to which it was necessary to make requests and referral cross-border
validations40
40
Information provided by Miguel Álvarez Rodríguez, (Dirección General para el Impulso de la
Administración Electrónica. Ministerio de Presidencia), as national expert on eSignatures at IDABC).
eIDM_II_ES Profile v 1 1 web format.doc
Page 31 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
At present, non-Spanish residents, holders of a NIE card can obtain an electronic certificate as an
authentication means to make on-line transactions with the Spanish Administration. The foreigner’s
identity card requires prior identification before a Certification Service Provider can issue the qualified
certificates (so called "certificado reconocido"), based on a PKI solution. Such electronic certificates
are essentially issued for taxes declarations. At regional level, in Catalonia the idCAT can be issued to
foreign citizens, as a qualified certificate based on software issued by CATCert that can be used for
different of procedures within the public administrations.
2.5 eIDM Applications
This section will provide a short overview of key applications for the eIDM systems.
2.5.1 eHealth
41
Spain takes the lead in Europe in eHealth services development. All citizens are part of the national
Health System and have their e-Health Card; it was foreseen that by the end of 2008, the health cards
of all Spanish regions would be fully interoperable.
General framework
42
According to the study “The ICT in the National Health System. On line health” , all Spanish Regions
have worked hard for the automation of the health centers and services, gradually incorporating in the
past 15 years telemedicine solutions or computing systems for the health management. Today, homehospitalization or electronic prescriptions are already functioning in the Spanish NHS.
Deleted: (PDTE.
COMPLETAR CON INFO.
ESTUDIO CRISTINA)¶
Deleted: ¶
Formatted: No bullets or
numbering
Deleted: ¶
The plan to interconnect the
regional health systems has
already installed 60,000 PCs in
more than 6,200 health
centers, benefiting 33.5 million
people and 252,941 medical
staff.¶
B
Deleted: ill
The Spanish government has launched in these past years two plans looking for the boost of the
eGovernment services in Spain, which contain specific provisions concerning eHealth:
43
Plan Avanza I and II : Its first part, approved in October 2005, included in the strategic axis of
boost to the R&D&I governmental strategy through the “Ingenio Programm 2010”, aiming to
accelerate the development of the Knowledge Society by modernizing the public services and
promoting the expansion of the broadband infrastructures.
44
Plan on the Quality of the National Health System (NHS) : the main objective of this plan it to
response to the challenges proposed by the NHS, in order to provide assistance at the highest
quality. In the last 15 years, the Regional health services which formed part of the NHS, have put
a deep emphasis, among their action, on the ICTs, converging in 5 general action lines:
o
A trusted system of users identification: Individual Health Card.
41
Information obtained from the Plan Avanza: http://www.planavanza.es/NR/rdonlyres/EAF9F73DDF3B-4955-8CCD-F5AA38642A1F/0/TheInformationSocietyinSpain.pdf
42
Published on 2008 by the National Observatory on Telecommunications and Information Society (ONTSI) at
http://observatorio.red.es/sanidad/articles/id/3032/las-tic-el-sistema-nacional-salud.html
43
Plan website: http://www.planavanza.es/ This plan is jointly developed by the Ministry of Industry,
Tourism and Commerce and Red.es. Report (in English) of March 2009, on the Plan Avanza II
http://www.planavanza.es/NR/rdonlyres/EAF9F73D-DF3B-4955-8CCD-F5AA38642A1F/0/TheInformationSocietyinSpain.pdf
44
Website of the Plan: http://www.msc.es/organizacion/sns/planCalidadSNS/#o4. Link to the Health on-line strategy:
http://www.msc.es/organizacion/sns/planCalidadSNS/tic_pnc01.htm. Very recently it has been lunched a blog on
this Plan, see http://blog.plandecalidadsns.es/216/transparencia/actualizacion-banco-de-datos-agencia-decalidad-del-sns/
eIDM_II_ES Profile v 1 1 web format.doc
Page 32 of 38
Deleted: Services: on-line
medical appointments,
compatibility and mobility of
clinic history, e-prescription…
Formatted: Underline
Formatted: English (U.S.)
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
o
o
o
Computing all medical registries of each user or patient: Patient Medical Record.
A system that will support and will relate all the proceedings handed in order to build an
effective pharmaceutical attendance for users and patients: prescription, authorisation,
provision.
Mechanisms that will speed up the appointments of users with the GP or pediatricians of
AP and the specialists of their area: Tele-appointment (“Telecita”) and devices of diagnosis
or distance treatments avoiding displacements: Telemedicine (“Telemedicina”).
Patient’s records / electronic prescription framework
45
Concerning the possible uses of the Patient’s Record , the professionals of the centre where the
diagnosis or the treatment are made need to have access to the Patient’s record in order to provide an
opportune assistance. In this sense, it is foreseen a compatibility system permitting the use of these
records in all the Spanish attendance centres: Law 16/2003, of 28 May, of Cohesion and Quality of the
46
NHS mentions that the Ministry of Health and Social Policy will lay out the electronic mechanisms of
exchange of medical information and health state, as previously agreed with the CCAA.
Law 29/2006 of Guaranteed and Rational Use of Medicines and Sanitary Products47 contains specific
stipulations on the medical and hospital prescriptions and mentions that the Government will set up the
general framework of the minimum requirements to be accomplished by the medical prescriptions
issued or edited in a computing device, so that they can be used by all citizens with right to get the
NHS pharmaceutical prescription48.
Even though the medicines’ prescription is one of the NHS services, its management has been
transferred to the 17 Spanish Regions. But the Cohesion and Quality Law 16/03 confers the
Ministry the competence of guaranteeing the interoperability and circulation of electronic
prescription’s data through the healthcare Intranet.
Formatted: Indent: Left: 1,27
cm, No bullets or numbering
49
2.5.2 eJustice
* Al state level, in the field of the Justice Administration the application LexNET, is used for the secure
delivery of information and notifications by e-mail, providing maximum security and reliability thanks to
the use of a qualified signature, permits communication from judiciary organs as well as the
presentation of documents to those organs.
Among its possibilities, the application comprehends: Presentation of documents and attachments to
the judiciary organ; Delivery of notifications from the judiciary organ; Issue of acknowledgment of
receipts; Authenticated and secure access through a web navigator; Access through Web Services;
45
The action line of the NHS Plan, called Patient’s Digital Record (“Historia clínica digital”), is fully available at:
http://www.msc.es/organizacion/sns/planCalidadSNS/tic02.htm
46
Text of the Law: http://www.060.es/te_ayudamos_a/legislacion/disposiciones/26568-ides-idweb.html
47
Text of the Law: http://www.060.es/te_ayudamos_a/legislacion/disposiciones/35257_LEG-ides-idweb.html
48
The action line of the NHS Plan, called “Receta electrónica” (electronic prescription) is available at:
http://www.msc.es/organizacion/sns/planCalidadSNS/tic03.htm
49
Idem
eIDM_II_ES Profile v 1 1 web format.doc
Page 33 of 38
Formatted: Indent: Left: 0
cm
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
User files management ; Search and follow up of messages; Users and profiles management by the
system administrators.
At present, not only the public officers from judiciary organs, but also Public Prosecutors, Lawyers,
Solicitors, Social Graduates, State legal representatives and organs or institutions from the State
Administration that usually have relations with the Administration of Justice are admitted as users that
benefit from the electronic communication services available through this application, together with
Property Registrars.
* The “Plan of modernization of the Justice Administration” (which, among others, includes this
application) seeks the boost on the use of new technologies in the procedural management systems
present at the justice offices, making easier the performance of their tasks, as indispensable
requirement to reach quality in the attention to citizens.
2.5.3 Other eID card applications
*Public sector applications
At present most relevant eIDM applications are developed by the public Administration. From
September 2006 onwards, private citizens can use more than 250 eServices that require the use of
eSignature.
All services accessible with the eID card are available and listed at:
http://www.dnielectronico.es/servicios_disponibles/.
This web site includes services within the
•
State General Administration. See complete list at
http://www.dnielectronico.es/servicios_disponibles/serv_disp_age.html
•
Regional Administrations. Operational services offered by each Region, available at
http://www.dnielectronico.es/servicios_disponibles/serv_disp_ccaa.html
•
Local Administration . There are already 16 municipalities and 6 provincial entities
(“diputaciones”) using it in their online applications (see full list at
http://www.dnielectronico.es/servicios_disponibles/serv_disp_adm_loc.html
Some organisms such as the Tax Agency (AEAT)50 have led the introduction of these services based
on eSignature and therefore the most significant efforts have been focused so as to guarantee the
interoperability of the existent services with the eID card, including applications (payment of taxes,
requests of information, notifications,…)
There are many applications in the public sector, mostly related to data access in different public
registries and to realize certain on-line transactions in the same way and with the same legal effects
than the off line proceedings.
50
Complete list of e-services already using the eID card offered by the Tax Agency is available at
http://www.dnielectronico.es/servicios_disponibles/age_trib.html
eIDM_II_ES Profile v 1 1 web format.doc
Page 34 of 38
Deleted: At the end of 2008,
1,895 computers had been
installed in Magistrates´ Courts.¶
The number of computerized
Magistrates´Courts amounted
to 1,331.¶
More than 51,000 Registrar
Books have been digitalized
until the end of 2008 and over
34,2 million pages. Around
180.000 pages are digitalized
every day.¶
130 prisons are equipped with
computer rooms and 6.632
PCs for training inmates and
staff in ICT, and have improved
communication with the exterior
by installing videoconference
rooms.¶
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
* Private sector applications
Although in an early stage, private sector has seen in the eID card new business opportunities and is
now developing new electronic services based on this eIDM system.
> In this sense, some banking organizations allow their clients to identify themselves and to make
consultations with their DNI-e when they are providing financial services by Internet:
- In the short-term, the DNI-e is already being used to sign banking operations as well to
contract on line products or financial services (www.bancosabadell.com).
-
Another banking institutions (Caja Madrid……etc) already allows its clients to be identified by
their DNI-e when they require financial services on line. This entity is also adapting now its
cash machines in order to let its clients to use their DNI-e instead of the traditional banking
cards. (https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login).
-
Podéis completar la información
con otra entidades
http://www.dnielectronico.es/servicios_disponibles/serv_disp_priv.html)
-
SANITAS también admite el uso del DNIe para sus afiliados
-
-
bancarias
(
ver
La DGP ha elaborado en colaboración con INTECO y el CCN unos perfiles de protección del
DNIe para que se desarrollen aplicaciones de DNIe en plataformas tecnológicas punteras
como el TDT, cajeros automaticos, dispositivos móviles
El Ministerio de la Presidencia, dentro de los servicios que se ofrecen en la Autoridad de
Validación @firma, pone a disposición de todas las AAPP nacionales de manera gratuita, un
componente de firma o Applet. Este programa permite identificarse y firmar a los ciudadanos
usando por ejemplo el DNIe
> Finally, Cisco Company has developed a system that will allow the users to be identified in Virtual
Private Networks with their DNI-e. This system allows the users to connect on-line with their
companies or organizations using the DNI-e.
2.6 Future trends/expectations
The Spanish Administration is presently focused on the issuance of the DNI-e, the eID card that will
become the main eIDM system in Spain.
This system is compatible with the eSignature certificates that many citizens and corporations already
use.
The public Administration is encouraging the electronic services that need electronic
authentication. At the State Administration there are many ministerial departments that are now making
a significant effort to generalise electronic communications, and in some cases to establish them as
the only communication channel with the citizens.
On the other hand, the State Administration is obliged to employ, as much as possible, systems that
guarantee the compatibility of the instruments of eSignatures included in the eID card with different
equipment and products of eSignature that are generally accepted in Spain.
eIDM_II_ES Profile v 1 1 web format.doc
Page 35 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
In addition to the abovementioned, for their electronic identification and the authentication of the
eDocuments that they issue, the public administrations will soon use the following electronic
certificates X.509 v.3 forseen in the recent Law 11/2007 of 22 June, on electronic access to public
services by the citizens:
•
Certificates of electronic “site”: systems of eSignature based on the use of secure device
certificates or equivalent medium that permit to identify the electronic site and its holder, as
well as the establishment of a secure communication with it (art. 17 Law 11/2007).
- Use: Secure connection of citizens to official web pages (sites) and authentication.
They are not valid eSignature transactions.
•
Electronic stamping for the automated proceedings based on electronic certificates or
verification secure codes (art. 18 Law 11/2007).
- Use: Exchange of data among administrations, system identification or
authentication, application or web service, interoperability of eDocuments, automated
electronic file, signature and federation, legalization and electronic copies, etcetera.
•
Certificates of public employees: eSignature of employees of the public administrations,
that identifies its holder mentioning his category, and the public body or administration (art.
19 Law 11/2007).
- Use: Labor competences, authentication and advanced or qualified eSignature
before the citizens, for citizens representation, or as organ holder.
These three types of certificates are considered as qualified certificates, and therefore the certification
services providers (CSPs) issuing them should always follow the terms of the Law 59/2003, of 19
51
December, on eSignature (hereinafter, eSignature Law) for this purposes
Finally, the Online service Valide (Validate: http://www.ctt.map.es/web/cache/offonce/proyectos/valide)
allows for certificates validation, and also to check and issue eSignatures. This service will be offered
soon over the Internet to all the citizens of the country.
2.7 Assessment52
The Spanish law foresees mainly a model of two types of electronic identification DNIe and public and
private CSP Qualified Certificates. Though, it there could be some others particular cases restricted to
specific and limited conditions that are not going to be taken into account.
The DNIe, a customized SSCD cryptographic smartcard, common criteria certified EAL4+, whose
usage is segregated by means of two types of certificates (X.509 v3): authentication and signature
ones. So, it distinguishes between identity and signature functionality
The first one has identification quality effects (authentication of the person) thus serving to
electronically and undoubtedly verify the identity, ONLY, of the natural person. The second one allows
proving signatory's identity, the holder's data and the integrity of the documents signed (and the
authentication of data); equalling the electronic signature to the hand-written one. Both are general
means for relationships between citizens and Public Administrations and everyone else.
51
“Ley 59/2003 de 19 de Diciembre, de firma electrónica”. Text of the Law, available at
http://www.060.es/te_ayudamos_a/legislacion/disposiciones/28147-ides-idweb.html
52
Information provided by Miguel Álvarez Rodríguez, (DG para el Impulso de la Administración
Electrónica. MP)
eIDM_II_ES Profile v 1 1 web format.doc
Page 36 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
The DNIe card is unblocked by a personal identification number that is commonly used as
authentication by knowledge mechanism in real and electronic world. The certificates contain
specifically regulated data. In case it would be necessary to obtain additional data, they might be
collected from the user himself or attribute providers; of course, taking into account legal restrictions.
Reflecting the segregated usage of the certificates, the underlying Public Key Infrastructure
architecture adopted for the electronic DNI has separated the functions of Validation Authority and
Certification Authority, in order to isolate the validation of an electronic certificate versus the identity
and data of the holder.
The stored Certificates in the DNIe chip have an expiration date of thirty months after issuing or start of
validity, but limited to the expiration of the card.
The Qualified Certificates issued by public and private CSPs have to be accepted and recognized in
identification procedures by any Public Administration according to the Law. They can be emitted to
anyone: natural persons, legal person o persons without legal entity, and for any other of the
endorsed usage. It is worth mentioning that for legal persons and their general powers granted exist
a necessity to verify this status accurately.
At the moment, various types of digital certificates exist and there is no definition for a normalized
structure of data to store this information. Thus, no common method of extraction of the identity
information exists, neither exact rules that allow decomposing this information in its concrete
elements. But, as foreseen by Law, these Qualified Certificates can include some additional
requirements on their extension while not affecting their interoperability. Thus, this type of certificates,
its extensions and how data is stored, is going to be standardized and endorsed with the development
of the “Additional Conditions”.
Spanish certificates can be supported on different types of tokens: software, smartcards, crypto-cards.
In general, in both cases there are several Authorities that will validate the different certificates’ current
status by using OSCP or CRLs:
The Spanish approach has a number of advantages and disadvantages, which can be briefly
summarised as follows.
2.7.1 Advantages
•
With the eID card citizens will have a very useful means of identification that will allow
them to consult personal data, to fulfil procedures or negotiations, or to access different
public and private electronic services, providing the highest degree of confidentiality and
security on the Internet, and identifies the parties in their on-line transactions.
•
All Spanish citizens will have an eID card (DNI-E) because its issuance is compulsory.
The obtainment of the document will imply the obtainment of information regarding the
electronic means of identification and their possibilities.
•
Today there are many citizens that are not using any other means of electronic
identification, and are not using any on-line electronic services because of their ignorance
regarding the operation of these systems. The national eID card might encourage them to
start using on-line services in a secure way
•
Corporations should develop different services based on the identification and eSignature,
so that they may enliven the commercial relationship with their customers. These services
eIDM_II_ES Profile v 1 1 web format.doc
Page 37 of 38
eIDM Update Study
Framework contract ENTR/05/58-SECURITY, SC N°12 - Country Profile
July 2009
will be offered with maximum security. From the corporative and commercial point of view,
the eID card becomes a fundamental tool in relationships with the private sector.
2.7.2 Disadvantages
•
Although it is already planned, the Spanish Administration has not developed yet, in
general, eIDM systems for foreigners, although foreigners holding a resident card (NIE)
may obtain electronic certificates in order to interact with the Administration. However,
since the Ministry of Presidency is taking part in the Stork project, some eGOV services of
the country will start accepting foreign eID mechanisms to identify foreigners
•
There is much social ignorance regarding the possibilities offered by the electronic
identification means.
eIDM_II_ES Profile v 1 1 web format.doc
Page 38 of 38