Circular 41/2017/TT-BTTTT use digital signatures for electronic documents by state agencies

ATTRIBUTE

Circular No. 41/2017/TT-BTTTT dated December 19, 2017 of the Ministry of Information and Communications providing regulations on the use of digital signatures for electronic documents by state agencies
Issuing body: Ministry of Information and Communications
Official number: 41/2017/TT-BTTTT
Signer: Truong Minh Tuan
Type: Circular
Issuing date: 19/12/2017
Expiry date: Updating
Fields: Information - Communications

SUMMARY

Regulations on the use of digital signatures in state agencies

On December 19, 2017, the Ministry of Information and Communications issued Circular No. 41/2017/TT-BTTTT providing regulations on the use of digital signatures for electronic documents by state agencies.

To be specific: the digital signing shall be made by digital signature software; the successful or unsuccessful digital signing of electronic documents shall be notified via the software. Besides, information about the persons competent to give digital signatures and the agencies or organizations giving digital signatures shall be managed in the database accompanying the digital signature software.

The digital signature certification authority must fully and accurately store, update and publish the following information on the digital signature certification authority’s website: information related to the suspension and revocation of digital certificates and revoked digital certificates of the subscribers; information related to the subscribers’ digital certificates, the list of valid and invalid digital certificates; Certification rules of the authority. Such website must be available 24/7 to assist in checking the validity of digital signatures given on electronic documents.

Upon the request to convert a stored digitally signed electronic document to a new text file format, heads of agencies and organizations using digital signatures must develop a plan that is approved by a specialized agency in charge of information technology, ensuring compatibility and validation of digital signatures.

This Circular takes effect from February 5, 2018.
LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE MINISTRY OF INFORMATION AND COMMUNICATIONS
_______

No. 41/2017/TT-BTTTT

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
_______________

Hanoi, December 19, 2017

CIRCULAR

Providing regulations on the use of digital signatures for electronic documents by state agencies

 

Pursuant to the Law on E-Transactions dated November 29, 2005;

Pursuant to the Law on Information Technology dated June 29, 2006;

Pursuant to the Government’s Decree No. 26/2007/ND-CP dated February 15, 2007, detailing the Law on E-Transactions regarding digital signatures and digital signature certification services; the Government’s Decree No. 106/2011/ND-CP dated November 23, 2011, amending and supplementing a number of articles of the Government’s Decree No. 26/2007/ND-CP dated February 15, 2007; the Government’s Decree No. 170/2013/ND-CP dated November 13, 2013, amending and supplementing a number of articles of the Government’s Decree No. 26/2007/ND-CP dated February 15, 2007, and the Government’s Decree No. 106/2011/ND-CP dated November 23, 2011;

Pursuant to the Government's Decree No. 64/2007/ND-CP dated April 10, 2007, on information technology application in state agencies' operations;

Pursuant to the Government’s Decree No. 01/2013/ND-CP dated January 3, 2013, detailing the implementation of a number of articles of the Law on Archives;

Pursuant to the Government's Decree No. 17/2017/ND-CP dated February 17, 2017, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;

The Minister of Information and Communications hereby promulgates the Circular providing regulations on the use of digital signatures for electronic documents by state agencies.

 

Chapter I

GENERAL PROVISIONS

 

Article 1. Scope of regulation

1. This Circular regulates the digital signing and verification of digital signatures given on electronic documents; technical and functional requirements of digital signature software, digital signature verification software for electronic documents in state agencies.

2. This Circular does not regulate the use of digital signatures for electronic documents containing information on the list of state secrets.

Article 2. Subjects of application

1. This Circular applies to agencies and organizations (including: ministries, ministerial-level agencies, Government-attached agencies, People's Committees at all levels, and non-business units funded by the state budget) and relevant organizations and individuals using digital signatures for electronic documents of state agencies.

2. Other agencies and organizations are encouraged to apply this Circular.

Article 3. Interpretation of terms

In this Circular, the terms below are construed as follows:

1. “Corporate digital certificate” means a digital certificate issued by a digital signature certification authority to the head of an agency or organization in accordance with law provisions.

2. “Private digital certificate” means a digital certificate issued by a digital signature certification authority to a person holding title in a state agency, a competent person of an agency or organization in accordance with law provisions on management and use of seals.

3. “Seal private key” means a private key corresponding to a corporate digital certificate.

4. “Private key” means a private key corresponding to a private digital certificate.

5. “Corporate digital signature” means a digital signature that is created when using a seal private key.

6. “Private digital signature” means a digital signature that is created when using a private key.

7. “Digital signature software” means a software that has a function to digitally sign an electronic document.

8. “Digital signature verification software” means a software that has a function to verify the validity of the digital signature on the electronic document.

9. “Authenticity of a digitally-signed document” means the identification of the individual or institutional signer of an electronic document by the digital signature thereto.

10. “Integrity of a digitally-signed document” means the fact that the content of an electronic document remains unchanged during the process of exchange, processing and storage after it is digitally signed.

11. “Online certificate status protocol” (OCSP) means a system providing the service that allows determining the current status of digital certificates.

12. “Private key storage device” means a physical device containing digital certificates and private keys of subscribers.

Article 4. Principles of using digital signatures for electronic documents

1. A digital signature must be affixed to the electronic document after digitally signing.

2. A digitally-signed document must ensure authenticity and integrity throughout the process of exchange, processing and storage of the digitally-signed document.

Article 5. Management of private key and seal private key

1. The person competent to give digital signature shall be responsible for securing the private key.

2. The head of an agency or organization shall be responsible for assigning a clerical staff to manage and use the seal private key according to regulations.

3. The device storing the seal private key must be kept at the headquarters of the agency or organization in a safe manner.

 

Chapter II

REGULATIONS ON DIGITAL SIGNING AND VERIFICATION OF DIGITAL SIGNATURES GIVEN ON ELECTRONIC DOCUMENTS IN STATE AGENCIES

 

Article 6. Digital signing on electronic documents

1. The digital signing shall be made by digital signature software; the successful or unsuccessful digital signing of electronic documents shall be notified via the software.

2. Digital signing on electronic documents

a) Where the laws require the competent persons to give digital signatures on electronic documents, such persons shall use the private key to digitally sign the electronic document through digital signature software;

b) Where the laws require agencies or organizations to give digital signatures on electronic documents, the clerical staff assigned to use the seal private keys of such agencies or organizations shall digitally sign the electronic document through digital signature software.

3. Information about the digital signatures of competent persons, agencies or organizations shall be displayed on electronic documents in accordance with Ministry of Home Affairs’ regulations.

4. Information about the persons competent to give digital signatures and the agencies or organizations giving digital signatures shall be managed in the database accompanying the digital signature software. The information managed is prescribed in Clause 4, Article 1 of the Government's Decree No. 106/2011/ND-CP dated November 23, 2011.

Article 7. Verification of digital signatures given on electronic documents

1. The verification of a digital signature given on electronic document shall be carried out as follows:

a) Decrypting the digital signature with the corresponding public key;

b) Verifying and checking the information of the signer on the digital certificate attached to the electronic document; the checking and verification of the signer information shall comply with Article 8 of this Circular;

c) Checking the integrity of the digitally-signed document.

2. The digital signature on the electronic document shall be considered valid when the information verification result shows that the signer’s digital certificate at the signing time is still valid, the digital signature is created by the private key corresponding to the public key on digital certificate, and the integrity of the electronic document is ensured.

3. Information about the individual or institutional signers on electronic documents must be managed in the database accompanying the digital signature verification software. The information managed is prescribed in Clause 4, Article 1 of the Government's Decree No. 106/2011/ND-CP dated November 23, 2011.

Article 8. Checking the validity of digital certificates

1. The validity of a digital certificate at the signing time shall be checked following the steps below:

a) Checking the validity of the digital certificate by using the certificate revocation list (CRL) published at the signing time or checking the validity of a digital certificate by using online certificate status protocol (OCSP);

b) When verifying a digital certificate of an individual signer on an electronic document, it is required to check the root digital signature certification authority.

2. A digital certificate shall be considered valid if it fully satisfies the following criteria:

a) Remaining valid at the signing time;

b) Being consistent with the digital certificate’s scope of use and the signer’s legal liability;

c) The digital certificate is still active at the time of digital signing.

3. The digital certificate shall be considered invalid if it fails to meet any of the criteria mentioned in Clause 2 of this Article.
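The checks in Articles 7 and 8, sketched as an added example that is not part of the Circular: an RSA PKCS#1 v1.5 signature over SHA-256 (both compulsory in the Appendix) is verified against the certificate's status at the signing time. The `Certificate` class, the `crl` mapping, the key and the sample document are constructed for illustration; reading criterion (a) as the validity period and criterion (c) as revocation status is an assumption, and the chain check to the root certification authority and the time-stamp verification are outside this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

# DER DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key built from two Mersenne primes: trivially factorable,
# for illustration only. A real private key never leaves its storage device.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


@dataclass
class Certificate:  # hypothetical, reduced to the fields the checks need
    serial: int
    modulus: int
    exponent: int
    not_before: datetime
    not_after: datetime
    allows_signing: bool  # stands in for the scope-of-use check


def encode(document: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(document), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(document).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(document: bytes) -> int:
    """Signer side, using the constructed demo key."""
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(encode(document, k), "big"), D, N)


def verify(document, signature, cert, signing_time, crl):
    """Return (valid, reason). crl maps serial -> revocation time (constructed)."""
    # Article 8(2)(a): inside the validity period at the signing time.
    if not cert.not_before <= signing_time <= cert.not_after:
        return False, "outside validity period at signing time"
    # Article 8(2)(b): the certificate's scope of use covers document signing.
    if not cert.allows_signing:
        return False, "scope of use does not cover signing"
    # Article 8(2)(c): not revoked at the signing time; a later revocation
    # does not invalidate a signature made while the certificate was active.
    revoked_at = crl.get(cert.serial)
    if revoked_at is not None and revoked_at <= signing_time:
        return False, "revoked before signing time"
    # Article 7(1)(a): apply the public key to the signature value.
    if not 0 <= signature < cert.modulus:
        return False, "signature out of range"
    k = (cert.modulus.bit_length() + 7) // 8
    recovered = pow(signature, cert.exponent, cert.modulus).to_bytes(k, "big")
    # Article 7(1)(c): integrity, the recovered block must match the document's hash.
    if recovered != encode(document, k):
        return False, "integrity check failed"
    return True, "valid"


# Constructed sample data.
CERT = Certificate(0x2A, N, E, datetime(2018, 1, 1), datetime(2020, 1, 1), True)
DOC = b"constructed sample document"
SIG = sign(DOC)
SIGNED_AT = datetime(2018, 3, 1)
```

The signing time passed to `verify` is assumed to come from a trusted time stamp; if it were taken from the signer's own clock, a revoked key could be used to backdate signatures.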

Article 9. Archived information attached to digitally-signed document

1. Archived information attached to digitally-signed document includes:

a) With regard to an outgoing document:

- The signer’s digital certificate at the signing time;

- The certificate revocation list at the signing time by the digital signature certification authority;

- Certification rules of digital signature certification authority at the signing time;

- Information about the signer’s liability;

- Certification of valid time stamp at the signing time.

b) With regard to incoming documents:

- Digital certificates corresponding to digital signatures given on incoming documents;

- The certificate revocation list (CRL) at the signing time of the digital signature certification authority;

- Certification rules of the digital signature certification authority at the signing time;

- Information about the signer’s liability;

- Certification of valid time stamp at the time of receipt.

3. Archived information attached to the electronic document shall be managed by digital signature software, digital signature verification software appropriate to the storage period of the electronic document according to regulations.

Article 10. Cancellation of archived information attached to digitally-signed document

1. The archived information attached to digitally-signed document shall be cancelled together with the electronic document.

2. The cancellation of archived information attached to digitally-signed document must not affect other electronic documents while ensuring the ordinary operations of the system.

3. The cancellation of an archived information attached to digitally-signed document shall be carried out using a software.

 

Chapter III

TECHNICAL AND FUNCTIONAL REQUIREMENTS FOR DIGITAL SIGNATURE SOFTWARE AND DIGITAL SIGNATURE VERIFICATION SOFTWARE

 

Article 11. Technical and functional requirements for digital signature software

Digital signature software refers to an independent software or a software module that satisfies the following requirements:

1. Satisfying the technical standards and regulations prescribed in Appendices attached to this Circular;

2. Having function of digital signing on electronic documents in accordance with Clauses 2, 3 and 4, Article 6 of this Circular;

3. Having function of checking the validity of digital certificates prescribed in Article 8 of this Circular;

4. Having the function of managing archived information attached to digitally-signed documents prescribed in Article 9 of this Circular;

5. Having the function of cancelling archived information attached to digitally-signed documents prescribed in Article 10 of this Circular;

6. Having the function of sending notification (by words/by symbols) to the signer of the successful or unsuccessful digital signing;

7. Supporting the installation and integration of root digital certificate of the digital signature certification authority to digitally sign documents into the digital signature software to check the validity of the digital certificate on electronic documents;

8. Giving the time stamp at the time of digital signing.

Article 12. Technical and functional requirements for digital signature verification software

Digital signature verification software refers to an independent software or a software module with functions to verify digital signatures given on electronic documents that satisfies the following requirements:

1. Satisfying the technical standards and regulations prescribed in Appendices attached to this Circular;

2. Having function of verifying digital signatures given on electronic documents in accordance with Clauses 1, 2 and 3, Article 7 of this Circular;

3. Having the function of managing archived information attached to digitally-signed documents prescribed in Article 9 of this Circular;

4. Having the function of cancelling the information attached to digitally-signed documents prescribed in Article 10 of this Circular;

5. Supporting the installation and integration of root digital certificate of the digital signature certification authority to digitally sign documents into the digital signature verification software to check the validity of the digital certificate on electronic documents;

6. Having the function of sending notification of the result of checking whether the digital signature is valid or invalid to the inspector;

7. Giving the time stamp at the time of receiving incoming documents.

 

Chapter IV

IMPLEMENTATION ORGANIZATION

 

Article 13. Responsibilities of the digital signature certification authority

1. To fully and accurately store, update and publish the following information on the digital signature certification authority’s website; such website must be available 24/7 (to assist in checking the validity of digital signatures given on electronic documents):

a) Information related to the suspension and revocation of digital certificates and revoked digital certificates of the subscribers;

b) Information related to the subscribers’ digital certificates, the list of valid and invalid digital certificates;

c) Certification rules of the digital signature certification authority.

2. To disclose technical specifications (both documentation and toolkit) related to the digital signature certification authority and digital signature standards; to provide the root digital certificates of the digital signature certification authority to software developers to integrate into the digital signature verification software.

3. To encourage the digital signature certification authority to provide online certificate status protocol (OCSP).

4. To provide time stamping service.

Article 14. Responsibilities of agencies and organizations using digital signatures for electronic documents

1. To apply digital signature software and digital signature verification software as prescribed in Articles 11 and 12 of this Circular.

2. To deploy the network connection under Clause 3, Article 8 of the Government's Decree No. 64/2007/ND-CP dated April 10, 2007, ensuring safety, security and high availability.

3. To organize and manage software products (according to their versions) with the functions of digital signing, digital signature verification and storing information attached to digitally-signed documents, corresponding to the technical regulations and standards that the software supports, to ensure availability, compatibility and security in the process of using stored digitally-signed documents.

Article 15. Responsibilities of heads of agencies and organizations using digital signatures

1. To perform the responsibilities of the head prescribed in Clause 1, Article 8 of the Government's Decree No. 64/2007/ND-CP dated April 10, 2007.

2. To regularly check to ensure that the management and use of digital signatures and digital certificates at their agencies or organizations comply with this Circular and other relevant regulations.

3. To make requests for issuance, revocation and suspension of private and corporate digital certificates under their management, based on professional requirements and requirements for information security in e-transactions.

4. Upon the request to convert a stored digitally signed electronic document to a new text file format (for information security reasons or because of hardware or software obsolescence), a plan must be developed and approved by a specialized agency in charge of information technology, ensuring compatibility and validation of digital signatures.

Article 16. Transitional provisions

Within 12 months from the effective date of this Circular, agencies and organizations using software with digital signing and digital signature verification functions that has not satisfied the technical requirements and functions specified in this Circular shall upgrade and supplement digital signature software and digital signature verification software in accordance with regulations.

Article 17. Implementation provisions

1. The National Electronic Authentication Center (NEAC) shall assume the prime responsibility for, and cooperate with the Department of Legal Affairs and relevant units in, providing guidance and technical assistance for the implementation of this Circular.

2. The provincial-level Departments of Information and Communications, the units in charge of information technology of ministries, ministerial-level agencies and government-attached agencies shall:

a) Disseminate the implementation of this Circular;

b) Report to the Ministry of Information and Communications (via the National Electronic Authentication Center) on the use of digital signatures for electronic documents at agencies or organizations on an annual basis.

Article 18. Effect

1. This Circular takes effect from February 5, 2018.

2. The Chief of Office, Director of National Electronic Authentication Center, and relevant agencies, organizations and individuals shall implement this Circular.

4. Any difficulties arising in the course of implementation should be reported to the Ministry of Information and Communications (the National Electronic Authentication Center) for consideration and settlement./.

 

 

 

THE MINISTER


Truong Minh Tuan

 

APPENDIX

List of standards applicable to digital signatures and format of digitally-signed documents
(Attached to Circular No. 41/2017/TT-BTTTT dated December 19, 2017 of the Ministry of Information and Communications)

 

| No. | Type of standard | Standard symbol | Description of standard | Application |
|---|---|---|---|---|
| 1 | Standard in format of electronic document | | | |
| 1.1 | Digitally-signed document (meeting requirements of Article 6 of this Circular) | (.pdf) | Portable Document (.pdf) - Version 1.4 or later | Compulsory |
| 1.2 | Other format of digitally-signed document including: docs, sheets, slides, graphic arts | | Standard in docs, sheets, slides, graphic arts in the list of technical standards in terms of application of information technology in state agencies. | Recommended |
| 2 | Digital signature standard | | | |
| 2.1 | Digital signature cryptography standard | PKCS#1 | RSA Cryptography Standard (version 2.1 or later) | Compulsory |
| | | TCVN 7635:2007 | Cryptography techniques - digital signature | |
| 2.2 | Secure Hash Standard | FIPS PUB 180-4 | Secure Hash Standard | SHA-256, 384, 512 are compulsory |
| 2.3 | XML Encryption Syntax and Processing | XML Encryption Syntax and Processing | XML Encryption Syntax and Processing | Compulsory |
| | | XML Signature Syntax and Processing | XML Signature Syntax and Processing | Compulsory |
| 2.4 | XML Key Management | XKMS v2.0 | XML Key Management Specification version 2.0 | Compulsory |
| 2.5 | Cryptographic message syntax for file-based signing and encrypting | PKCS#7 v1.5 (RFC 2315) | Cryptographic message syntax for file-based signing and encrypting | Compulsory |
| 3 | Standard applicable to time stamping service | | | |
| 3.1 | Time-stamp Protocol | RFC 3161 | Internet X.509 Public Key Infrastructure - Time stamp Protocol | Compulsory |
| 3.2 | Time stamping services | ISO/IEC 18014-1:2008 | Information technology - Security techniques - Time Stamping services - Part 1: Framework | Compulsory - Apply ISO/IEC 18014-1:2008; ISO/IEC 18014-2:2009; ISO/IEC 18014-3:2009. |
| | | ISO/IEC 18014-2:2009 | Information technology - Security techniques - Time Stamping services - Part 2: Mechanisms producing independent tokens | |
| | | ISO/IEC 18014-3:2009 | Information technology - Security techniques - Time-stamping services - Part 3: Mechanisms producing linked tokens | |
