Argentine

Décret No. 427/98 signé par le Président le 16 avril 1998.

 

IN VIEW OF Decree Nbr. 660 of June 24th 1996, Decree Nbr. 998 of August 30th 1996, and the Civil Service Administration Secretariat of the Ministerial Chiefs of Cabinet's Resolution Nbr. 45 of March 17th 1997, and

CONSIDERING THAT:

The need to improve the National Public Administration's activities through the adaptation of its data recording systems -tending to the elimination of the use of paper and the automation of its administrative circuits- would merit the introduction of the latest technologies such as those related to digital signatures, which provide higher guarantees than holograph signatures.

The Civil Service Administration Secretariat of the Ministerial Chiefs of Cabinet's Resolution Nbr. 45 of March 17th 1997 can be considered a milestone in the pursuit of this objective, since it authorizes the use of this technology in all the National Public Sector.

It is considered necessary to promote the use of the digital signature technology throughout the National Public Sector, to which end a high-level resolution would be required.

The proposed technology has already been included in the legislation of other countries, with positive results both in the private and public sectors.

If the implementation is carried out according to the procedures described in the attached annex, the digital signature mechanism complies with the Ònon-repudiationÓ condition, which provides positive proof of a person's having signed a digital document, and that this document was not altered after the signature was recorded.

It is essential to establish a Digital Signature Infrastructure for the National Public Sector, with the aim of creating the conditions necessary for the reliable use of the digitally subscribed document.

This regulation's aim is to provide a valid alternative to holograph signatures for the National Public Sector.

Due to the degree of specialization provided for by Article 49 of Law Nbr. 11,672 (t.o. 1997), it is considered advisable that the Auditing Institution functions should be allotted to the National Accountant General's Office, reporting to the Budget Undersecretary's Office of the Finance Secretariat of the Ministry of Economy, Public Works and Services.

The resolutions in the present regulation complement those in Decree Nbr. 333 of February 19th 1985 and its corresponding alterations.

Due to its characteristics, it is deemed advisable and necessary to authorize the use of the digital signature technology for a limited term. This will allow the evaluation of its functionality in the various jurisdictions, as well as the degree of reliability and security of the system.

Due to the above circumstances, the Implementing Authority will prepare a report on the results of the use of the digital signature. On the basis of its conclusions, the Executive will receive a recommendation from the Ministerial Chiefs of Cabinet regarding the proposed final regulation of the matter.

For identical reasons, the Ministerial Chiefs of Cabinet are granted the authority to extend -one single time- the term set down in Article 1 of the present Decree.

The present measures are taken in accordance with the authority granted by Article 99 Clause 1 of the Argentine Constitution.

Therefore,

THE PRESIDENT OF THE ARGENTINE REPUBLIC
DECREES THAT:

ARTICLE 1: The use of digital signatures is authorized for TWO (2) years counting from the publishing of the procedures manuals and the standards referred to in article 6 of this Decree. This technology will be used for the implementation of the internal activities of the National Public Sector which do not individually and directly generate legal effects, and will be used according to the conditions established in the Digital Signature Infrastructure for the National Public Sector attached to this document as Annex I. Under the present Decree the digital signature will have the same value as the holograph signature, as long as the precautions in Annex I have been complied with, and only within the scope defined in article 3.

ARTICLE 2: The vocabulary in this regulation will be defined in accordance to the Glossary attached to this document as Annex II.

ARTICLE 3: The provisions in this Decree will apply to all the National Public Sector which includes both centralized and decentralized administration, the autarchic entities, the state-owned companies, government partnerships, public limited companies where the government is a majority shareholder, state-owned banks and financial institutions, and any other body in which the government or its decentralized institutions have a controlling interest.

ARTICLE 4: According to their resources, the National Public Sector institutions should provide the necessary means to spread the use of the digital signature technology in the shortest time possible.

ARTICLE 5: The relationship between a public key -one of the pair of keys that allows the verification of a digital signature- and its holder will be guaranteed by a public key certificate issued by a Licensed Certification Authority . The requirements and conditions for the life-cycle and validity of the public key certificates (issuing, acceptance, revocation, expiration, and other contingencies of the procedure), as well as the conditions for the operation of the Licensed Certification Authorities which comprise the Digital Signature Infrastructure for the National Public Sector, are established in the aforementioned Annex I.

ARTICLE 6: The Civil Service Administration Secretariat, reporting to the Ministerial Chiefs of Cabinet, will be the Implementing Authority for the present Decree. It will also have the power to prepare the procedures manuals for the Licensed Certification Authorities and of the Auditing and Licensing Institutions, and the technological standards to be applied to the keys. These should be prepared within no more than ONE HUNDRED AND EIGHTY (180) consecutive days, and should be state-of-the-art. The National Public Sector institutions must report periodically to the Implementing Authority regarding the applications they make of the technology authorized by the present Decree (the periods will be established by the Authority).

ARTICLE 7: As regards the activities under the scope of article 1, the present Decree constitutes an alternative to the pertinent stipulations in Decree Nbr. 333 of February 19th 1985 and its modifications

ARTICLE 8: The Civil Service Administration Secretariat of the Ministerial Chiefs of Cabinet will carry out the functions of Licensing Institution, with the scope defined in Annex I of the present Decree.

ARTICLE 9: The National Accountant General's Office, reporting to the Budget Undersecretary's Office of the Finance Secretariat of the Ministry of Economy, Public Works and Services will undertake the functions of Auditing Institution, in accordance with what is established in Annex I of the present Decree.

ARTICLE 10: ONE HUNDRED AND EIGHTY (180) consecutive days before the expiration of the term established in article 1, the Implementing Authority appointed in article 6 of the present Decree should prepare and send a report to the Ministerial Chiefs of Cabinet regarding the results rendered by the application of the authorized system in the various jurisdictions. The Ministerial Chiefs of Cabinet will study the document and send to the Executive the proposed final regulation on the matter.

ARTICLE 11: The Ministerial Chiefs of Cabinet are accorded the power to approve one single extension of the term established in article 1 of the present Decree.

ARTICLE 12: To be communicated, published, delivered to the National Official Records Department, and filed.

 

 

DIGITAL SIGNATURE INFRASTRUCTURE FOR
THE NATIONAL PUBLIC SECTOR

LICENSING INSTITUTION

Functions:

1. Grants the licenses for the accreditation of the certification authorities, and issues the corresponding PUBLIC KEY CERTIFICATES, which allow the VERIFICATION OF THE DIGITAL SIGNATURES on the CERTIFICATES that these issue;

2. Turns down license requests from certification authority applicants which do not fulfill the necessary requirements;

3. Revokes the licenses of those LICENSED CERTIFICATION AUTHORITIES which cease to comply with the necessary requirements;

4. Verifies that the LICENSED CERTIFICATION AUTHORITIES use TECHNICALLY TRUSTWORTHY SYSTEMS;

5. Studies and approves the procedures manual, the security plan, and the shutdown plan submitted by the certification authorities;

6. Agrees with the Auditing Institution on the auditing plan for the LICENSED CERTIFICATION AUTHORITIES;

7. Orders ex-officio audits;

8. Solves the individual conflicts that may arise between the SUBSCRIBER of the CERTIFICATE and the LICENSED CERTIFICATION AUTHORITY that issues the said certificate;

9. Solves any contingencies that affect the DIGITAL SIGNATURE INFRASTRUCTURE.

Duties:

In its condition as CERTIFICATE SUBSCRIBER and certification authority, the LICENSING INSTITUTION has identical obligations to those of the LICENSED CERTIFICATION AUTHORITIES. In addition, it also must:

1. Refrain from generating, demanding, or gaining knowledge by any other means of the PRIVATE KEY of any SUBSCRIBER whose CERTIFICATE it issues;

2. Control its own PRIVATE KEY and avoid its disclosure;

3. Revoke its own PUBLIC KEY CERTIFICATE if its PRIVATE KEY is compromised;

4. Allow permanent public access to the PUBLIC KEY CERTIFICATES it has issued to the LICENSED CERTIFICATION AUTHORITIES, and also to the LIST OF REVOKED CERTIFICATES, through publicly accessible telecommunications links. This also applies to the information regarding addresses and telephone numbers for the LICENSED CERTIFICATION AUTHORITIES;

5. Allow access to its operating office to the authorized officials from the AUDITING INSTITUTION, providing them with all the necessary information and any assistance required;

6. Publish its own PUBLIC KEY CERTIFICATE in the Official Newsletter and in TWO (2) national circulation newspapers during THREE (3) consecutive days starting on the certificate's issue date;

7. Revoke the CERTIFICATES issued to the LICENSED CERTIFICATION AUTHORITIES which have incurred in license-revocation causes or which have shut down;

8. Revoke the CERTIFICATES issued to the LICENSED CERTIFICATION AUTHORITIES when the keys contained in them have ceased to be TECHNICALLY TRUSTWORTHY;

9. Supervise the implementation of the shutdown plan for the LICENSED CERTIFICATION AUTHORITIES which abandon their functions;

10. Record the applications submitted, together with a detail of the action taken in each case.

 

AUDITING INSTITUTION

Functions:

1. Periodically audits the LICENSING INSTITUTION and the LICENSED CERTIFICATION AUTHORITIES;

2. Audits the certification authorities prior to the award of their licenses;

3. Agrees with the LICENSING INSTITUTION on the auditing plan for the LICENSED CERTIFICATION AUTHORITIES;

4. Audits the LICENSED CERTIFICATION AUTHORITIES at the request of the LICENSING INSTITUTION;

5. Controls compliance with the suggestions made in the audits.

Duties:

The AUDITING INSTITUTION must:

1. Use appropriate auditing techniques in its evaluations;

2. Evaluate the reliability and quality of the systems used, the integrity, confidentiality, and availability of the data as well as the compliance with the specifications included in the procedures manual and the security plan approved by the LICENSING INSTITUTION;

3. Verify that TRUSTWORTHY SYSTEMS are used;

4. Issue audit reports with the findings, conclusions, and recommendations in each case;

5. Follow-up on the audits in order to determine whether the audited institution has implemented the corrective actions suggested in the recommendations;

6. Issue reports with the conclusions for the audit follow-ups;

7. Take part in the contingency plan simulations;

8. Copy the LICENSING INSTITUTION on all audit reports issued.

 

LICENSED CERTIFICATION AUTHORITY

Functions:

1. Issues PUBLIC KEY CERTIFICATES;

In order to issue these PUBLIC KEY CERTIFICATES, the LICENSED CERTIFICATION AUTHORITY must:

a) receive a PUBLIC KEY CERTIFICATE issue request from the prospective subscriber, which must be digitally signed with the appropriate PRIVATE KEY;

b) positively verify all the identification information for the applicant -which must always be included on the CERTIFICATE- and any other information, which must be verified according to the LICENSED CERTIFICATION AUTHORITY's procedures manual. These verifications must be performed according to the stipulations in the said manual;

c) assign correlative numbers to the issued CERTIFICATES;

d) keep a copy of all CERTIFICATES issued, also stating the issue date;

The LICENSED CERTIFICATION AUTHORITY can choose to include non-verified information on the CERTIFICATE, but must state this situation clearly.

2. Revokes PUBLIC KEY CERTIFICATES;

The LICENSED CERTIFICATION AUTHORITY will revoke the PUBLIC KEY CERTIFICATES it has issued when:

a) the SUBSCRIBER requests it; or

b) a THIRD PARTY requests it; or

c) if it were to determine that a CERTIFICATE was issued on the basis of false information, which should have been verified at the moment of issue; or

d) if it were to determine that the PUBLIC KEYS contained on the CERTIFICATES have ceased to be TECHNICALLY TRUSTWORTHY; or

e) if it were to shut down and not transfer the CERTIFICATES it had issued to another LICENSED CERTIFICATION AUTHORITY;

The revocation must state the moment when it is applied, and cannot be retroactive or take effect in the future. The revoked CERTIFICATE must be immediately included in the LIST OF REVOKED CERTIFICATES, and this list must be signed by the LICENSED CERTIFICATION AUTHORITY. This list must be permanently available to the public through publicly accesible telecommunications links.

The LICENSED CERTIFICATION AUTHORITY must issue a proof of the revocation for the petitioner.

3. Optionally, it can supply DIGITAL TIME STAMPING.

Duties:

In addition to the duties arising from its condition as SUBSCRIBER to its CERTIFICATE issued by the LICENSING INSTITUTION, the LICENSED CERTIFICATION AUTHORITY must also:

1. Refrain from generating, demanding, or gaining knowledge by any other means of the PRIVATE KEY of a SUBSCRIBER;

2. Control its own PRIVATE KEY and avoid its disclosure;

3. Immediately request the revocation of its own CERTIFICATE if its PRIVATE KEY has been compromised;

4. Request that the LICENSING INSTITUTION revoke its CERTIFICATE when the PUBLIC KEY contained in it has ceased to be TECHNICALLY TRUSTWORTHY;

5. Immediately report to the LICENSING INSTITUTION regarding any change in the information contained in its CERTIFICATE, or regarding any other significant event which might affect the information contained in it;

6. Use a TECHNICALLY TRUSTWORTHY system;

7. Inform the applicant regarding the necessary precautions he is obliged to adopt in order to create secure DIGITAL SIGNATURES and to reliably VERIFY them, and also informs him regarding the obligations he assumes by becoming a SUBSCRIBER to a PUBLIC KEY CERTIFICATE;

8. Collect only the personal data regarding the SUBSCRIBER that is absolutely necessary and useful for issuing the CERTIFICATE; the SUBSCRIBER is free to supply additional information if he so desires. All information collected which is not included in the CERTIFICATE will be dealt with in a confidential manner by the LICENSED CERTIFICATION AUTHORITY;

9. Provide the SUBSCRIBER of a CERTIFICATE issued by the LICENSED CERTIFICATION AUTHORITY with all the information regarding the processing of the CERTIFICATE;

10. Keep the support documentation of issued CERTIFICATES for TEN (10) years counting from the date of expiration or revocation;

11. Allow permanent public access to the CERTIFICATES it has issued and to the LIST OF REVOKED CERTIFICATES through publicly accessible telecommunications links;

12. Publish its address and telephone numbers;

13. Allow access to its operating office to the authorized officials from the AUDITING INSTITUTION, providing them with all the necessary information and any assistance required;

14. Record the applications submitted, together with a detail of the action taken in each case.

Shutdown:

The CERTIFICATES issued by a LICENSED CERTIFICATION AUTHORITY which shuts down will be revoked as of the date and time it effectively ceases to operate, unless they are transferred to another LICENSED CERTIFICATION AUTHORITY. The LICENSED CERTIFICATION AUTHORITY will publish the date and time it will cease to operate for THREE (3) consecutive days in the Official Newsletter; this date may not be sooner than NINETY (90) consecutive days after the last publishing date. The LICENSING INSTITUTION must also be individually notified.

When CERTIFICATES have been issued to persons outside the National Public Sector, the LICENSED CERTIFICATION AUTHORITY will also publish its shutdown notification for THREE (3) consecutive days in one or more newspapers with national coverage.

The LICENSED CERTIFICATION AUTHORITY may use additional means to communicate its shutdown to the SUBSCRIBERS of CERTIFICATES which do not belong to the National Public Sector.

If the CERTIFICATES are transferred to another LICENSED CERTIFICATION AUTHORITY, all related documentation must be transferred as well.

Requirements to obtain a certification authority license:

The certification authority that wishes to obtain a license must :

1. Submit an application;

2. Have the clearance of the AUDITING INSTITUTION;

3. Submit a procedures manual, a security plan, and a shutdown plan, as well as a detail of the technical components to be used, which must all be approved by the LICENSING INSTITUTION;

4. Use technically qualified staff for its certification activities. This staff may not be included under the disqualifying criteria for holding jobs within the National Public Sector;

5. Submit any other information relevant to the licensing process that may be requested by the LICENSING INSTITUTION.

 

SUBSCRIBER OF A PUBLIC KEY CERTIFICATE

Duties:

The SUBSCRIBER of a PUBLIC KEY CERTIFICATE must:

1. Supply all the information requested by the LICENSED CERTIFICATION AUTHORITY. This information will have the value of a sworn statement;

2. Control his PRIVATE KEY and avoid its disclosure;

3. Immediately inform the LICENSED CERTIFICATION AUTHORITY regarding any circumstance that may have compromised his PRIVATE KEY;

4. Request that the LICENSING INSTITUTION revoke its CERTIFICATE when the PUBLIC KEY contained in it has ceased to be TECHNICALLY TRUSTWORTHY;

5. Immediately report to the LICENSED CERTIFICATION AUTHORITY regarding any change in the information contained in the CERTIFICATE which has already been verified.

 

PUBLIC KEY CERTIFICATES

Contents of the PUBLIC KEY CERTIFICATE:

As a minimum, the PUBLIC KEY CERTIFICATE will contain the following information:

1. Name of the SUBSCRIBER of the CERTIFICATE;

2. Type and number of the identification document of the SUBSCRIBER of the CERTIFICATE, or license number in the case of CERTIFICATES issued to LICENSED CERTIFICATION AUTHORITIES;

3. PUBLIC KEY used by the SUBSCRIBER;

4. Name of the algorithm that must be used with the PUBLIC KEY contained in it;

5. Serial number of the CERTIFICATE;

6. VALIDITY PERIOD for the CERTIFICATE;

7. Name of the LICENSED CERTIFICATION AUTHORITY issuing the CERTIFICATE;

8. DIGITAL SIGNATURE of the LICENSED CERTIFICATION AUTHORITY issuing the CERTIFICATE, identifying the algorithms used;

9. Any other data relevant to the use of the CERTIFICATE, explained in the procedures manual of the issuing LICENSED CERTIFICATION AUTHORITY.

Validity conditions for the PUBLIC KEY CERTIFICATE:

The PUBLIC KEY CERTIFICATE is valid only if:

1. It has been issued by a LICENSED CERTIFICATION AUTHORITY;

2. It has not been revoked;

3. It has not expired.

 

 

GLOSSARY

LICENSED CERTIFICATION AUTHORITY:

Administrative institution that issues PUBLIC KEY CERTIFICATES.

CERTIFICATE or PUBLIC KEY CERTIFICATE:

DIGITAL DOCUMENT issued and digitally signed by a LICENSED CERTIFICATION AUTHORITY, which links a PUBLIC KEY to its SUBSCRIBER during the VALIDITY PERIOD of the CERTIFICATE, and which also serves as positive proof within the National Public Sector as to the authenticity of its contents.

PRIVATE KEY:

In an ASYMMETRIC CRYPTOSYSTEM, it is the key used to sign digitally.

PUBLIC KEY:

In an ASYMMETRIC CRYPTOSYSTEM, it is the key used to verify a DIGITAL SIGNATURE.

NON-COMPUTER FEASIBLE:

Expression applied to those computer-assisted mathematical calculations that due to the time and computing resources they require, exceed the capacity currently available.

TO CORRESPOND:

Expression used when referring to a certain KEY PAIR, which denotes one key belongs in the said pair.

ASYMMETRIC CRYPTOSYSTEM:

Algorithm that uses a KEY PAIR -a PRIVATE KEY for signing digitally, and its corresponding PUBLIC KEY which verifies that DIGITAL SIGNATURE. For the purposes of this Decree, it is understood that the ASYMMETRIC CRYPTOSYSTEM must be TECHNICALLY TRUSTWORTHY.

HASH RESULT:

The fixed-length bit sequence that results from a HASH RESULT FUNCTION, after processing a DIGITAL DOCUMENT.

DIGITAL DOCUMENT:

Digital representation of actions, facts, or legally relevant data.

SIGNED DIGITAL DOCUMENT:

A DIGITAL DOCUMENT to which a DIGITAL SIGNATURE has been applied.

TO ISSUE A CERTIFICATE:

The creation of a CERTIFICATE by a LICENSED CERTIFICATION AUTHORITY.

AUDITING INSTITUTION:

Administrative institution in charge of auditing the activities of the LICENSING INSTITUTION and the LICENSED CERTIFICATION AUTHORITIES.

LICENSING INSTITUTION:

Administrative institution in charge of granting licenses to the certification authorities and of supervising the activities of the LICENSED CERTIFICATION AUTHORITIES.

DIGITAL SIGNATURE:

It is the result of the transformation of a DIGITAL DOCUMENT through the use of an ASYMMETRIC CRYPTOSYSTEM and a HASH RESULT, in such a way that a person that has the initial DIGITAL DOCUMENT and the PUBLIC KEY of the signer can positively determine whether:

1. The transformation took place through the use of the PRIVATE KEY that corresponds with the PUBLIC KEY of the signer;

2. The DIGITAL DOCUMENT has been otherwise modified since the transformation took place.

The combination of these two requirements determines its NON-REPUDIATION and INTEGRITY.

HASH RESULT FUNCTION:

It is a mathematical function that transforms a DIGITAL DOCUMENT into a fixed-length bit sequence called a HASH RESULT, in such a way that:

1. The same fixed-length bit sequence is obtained every time that this function is calculated for the same DIGITAL DOCUMENT;

2. It is NON-COMPUTER FEASIBLE to infer or reconstruct a DIGITAL DOCUMENT from its HASH RESULT;

3. It is NON-COMPUTER FEASIBLE to find two different DIGITAL DOCUMENTS that produce the same HASH RESULT.

INTEGRITY:

Condition of a DIGITAL DOCUMENT that has not been altered in any way.

LIST OF REVOKED CERTIFICATES:

It is the list published by the LICENSED CERTIFICATION AUTHORITY of the PUBLIC KEY CERTIFICATES issued by it that have ceased to be valid before their expiration date through a revocation.

NON-REPUDIATION:

Characteristic of the DIGITAL SIGNATURE, whereby its author cannot disown a DIGITAL DOCUMENT that has been digitally signed by him.

KEY PAIR:

A PRIVATE KEY and its corresponding PUBLIC KEY in an ASYMMETRIC CRYPTOSYSTEM, where the PUBLIC KEY can verify a DIGITAL SIGNATURE created by the PRIVATE KEY.

VALIDITY PERIOD (of a CERTIFICATE):

Period during which the SUBSCRIBER may sign DIGITAL DOCUMENTS by using the PRIVATE KEY corresponding to the PUBLIC KEY contained in the CERTIFICATE, in such a way that the DIGITAL SIGNATURE cannot be repudiated.

The VALIDITY PERIOD of a CERTIFICATE begins at the date and time it was issued by the LICENSED CERTIFICATION AUTHORITY, or at a later date and time if it should be so specified on the CERTIFICATE, and ends at the date and time of its expiration or revocation.

REVOCATION OF A CERTIFICATE:

Act that permanently annuls a CERTIFICATE from a certain date onwards, including it in the LIST OF REVOKED CERTIFICATES.

DIGITAL TIME STAMP:

Action through which the LICENSED CERTIFICATION AUTHORITY adds the date, time, minutes, and seconds of its intervention (as a minimum) to a DIGITAL DOCUMENT or to its HASH RESULT. The information resulting from the above process is digitally signed by the LICENSED CERTIFICATION AUTHORITY.

TRUSTWORTHY SYSTEM:

Involves hardware, software, and related procedures which:

1. Are reasonably secure from intrusion and misuse;

2. Provide a reasonable level of availability, reliability, confidentiality, and correct operation;

3. Are reasonably suited to performing their specific functions;

4. Comply with the generally accepted security requirements.

SUBSCRIBER:

Is a person who:

1. Has a CERTIFICATE issued in his name;

2. Is the holder of the PRIVATE KEY that corresponds with the PUBLIC KEY included in the said CERTIFICATE.

TECHNICALLY TRUSTWORTHY:

Expression used to denote those TRUSTWORTHY SYSTEMS that comply with the technological standards which the Civil Service Administration Secretariat of the Ministerial Chiefs of Cabinet may publish to this end.

THIRD PARTY:

Any person or entity which has a subjective right or legitimate interest.

VERIFICATION OF A DIGITAL SIGNATURE:

As relates to a DIGITAL DOCUMENT, its DIGITAL SIGNATURE, the corresponding PUBLIC KEY CERTIFICATE, and the LIST OF REVOKED CERTIFICATES, the VERIFICATION OF A DIGITAL SIGNATURE is the positive determination of the following facts:

1. That the DIGITAL DOCUMENT was digitally signed with the PRIVATE KEY corresponding with the PUBLIC KEY included in the CERTIFICATE;

2. That the DIGITAL DOCUMENT has not been otherwise modified since it was digitally signed.

For those documents whose nature might demand the certification of a definite date, or if this should be desirable due to its effects, there can be an additional determination that the document was digitally signed during the VALIDITY PERIOD of the corresponding CERTIFICATE.