Aspects related to the selection of identification and electronic signature mechanisms

The identification and electronic signature mechanisms that, in summary, can be used by interested parties are:

1. Qualified electronic signature certificates issued by providers included in the Trusted List of Certification Service Providers.
2. Qualified electronic certificates with electronic seals issued by providers included in the Trusted List of Certification Service Providers.
3. Any other system that the APs consider valid, as long as they have a prior registration of the user that allows their identity to be guaranteed.

With regard to this list, it is indicated that the acceptance -by the PA- of mechanisms based on qualified certificates (points 1 and 2 above) is mandatory in compliance with EU Regulation No. 910/2014 of the European Parliament and of the Council, of 23 July, on electronic identification and trust services (REIDAS); on the other hand, the acceptance of mechanisms based on prior user registration (point 3 above) is optional.

The National Security Scheme provides for three levels of security (low, medium and high) for electronic identification and signature mechanisms; at the same time, it also defines the basic principles and minimum requirements for assigning a security level to each mechanism.

In summary, the relationship between identification mechanisms and each security level is as follows:

• Low level: any identification mechanism supported by regulations, such as, for example, shared key systems based on prior user registration; the username and password is also a low-level identification mechanism, although it is only supported in specific cases.
• Medium level : that identification mechanism that requires, at least, the use of a second authentication factor, which consists of a one-time password.
• High level : that mechanism that meets the same requirements as for the medium level (the ENS does not establish additional measures).

Regarding electronic signature mechanisms, the relationship with security levels is as follows:

• Low level : any electronic signature mechanism accepted by current legislation.
• Medium level : that advanced electronic signature mechanism based on an electronic certificate that, in addition, must be qualified; in this sense, it is necessary to use algorithms and parameters authorized by the National Cryptological Center (or whatever is applicable).
• High level: that advanced electronic signature mechanism based on a qualified electronic certificate that also uses a second authentication factor for the activation of its private key.

Each AP must select the identification and signature mechanisms supported for each specific action.

Despite the above, the regulations do not define which electronic signature must be used for each case; it would have been useful if a law where, part of its subjective scope of application is the PAs, had made an effort to specify criteria for the selection of these mechanisms (especially for the municipal level).

To make this decision, the PA must assess aspects such as:

• The level of security required by your information systems.
• The type of credential admissible for the identification and electronic signature of the action in question.
• The level of risk acceptable for each action.
• The ENS requirements described above.
• Other aspects established in the specific regulations, if any.

So, which mechanism do I select for my procedure?

A good practice is one that allows finding a balance between security and usability and that, ultimately, allows citizens to interact electronically with PAs.

In this sense, opting for the low level of identification and signature as a mechanism "universally" accepted by all procedures of an AP (or most of them), implies:

• Make the requirements for electronic processing more flexible with guarantees and,
• Facilitate access for interested people to digital public services.

In any case, the AOC services allow user APs to select these mechanisms in an agile and simple way (expanded in the following section).

Finally, we mention the process of selecting the electronic identification and signature mechanisms carried out by the Generalitat of Catalonia, through Order VPD/93/2022, of April 28, which approves the Catalog of electronic identification and signature systems, and especially through Order PRE/158/2022, of June 30, which approves the Guide to the use of electronic identification and signature systems in the scope of the Administration of the Generalitat.

Thus, these two provisions establish, in general, the admission of all the mechanisms in the Catalogue to carry out all procedures and services within the scope of the Administration of the Generalitat; while the restrictions on the use of certain mechanisms are exceptional.

The Guide itself establishes the procedure to exempt the application of the general criterion and limit the use of some of the mechanisms for specific procedures. In this way, the possibility of limiting the use of some identification and signature mechanisms is envisaged, when the existence of the following risks is assessed (always, in relation to a specific procedure):

• Legal: when the possible existence of a risk is assessed that prevents guaranteeing the viability and legal security of the procedure, which originates from the lack of robustness of the identification or electronic signature systems; for example, possible fraud in the signing of the document or impersonation of the interested parties.
• Cybersecurity or data protection: when more restrictive specific measures are necessary due to the level of risk or classification of the information, the service (or procedure) or the possible processing of personal data of the service (or procedure) for which the identification or electronic signature system is intended to be used.

As mentioned, the regulations establish the security levels to be taken into account when configuring access to the procedure or process. However, given the absence of selection criteria for the mechanisms that help to specify it, especially at the municipal level, the following may be useful:

• Be a user of the AOC VALid service, because it allows you to validate your identity credentials and informs you about the level of security used.
• Adopt your own Protocol or Guide for electronic identification and signature where criteria for choice are established. If you are interested, you have a model for an Electronic Identification and Signature Protocol.

For more information, we refer you to the blog entry Selection of identification mechanisms and electronic signature .

The VALID Service allows the verification of the person's identity credentials (known as authentication), by virtue of the criteria and security levels provided for in the ENS.

In this way, the VALID user AP can select the identification and signature mechanisms supported for each procedure, in accordance with the provisions of the regulations: it supports identification with the idCAT Mòbil, Cl@ve and qualified certificates in processes and offers an electronic signature mechanism linked to the mechanism used.

That is, you can decide whether to accept all or only some of these mechanisms, and have different configurations to do so according to each specific need for electronic identification.

For more information, you can check out these posts:

• When should you use an identification system or a signature system? Use cases
• Electronic signature of invoices

RACES: art. 25
Law 39/2015: art. 9 to 11
ENS: Annex I (point 3), Annex II (point 4 4.2.5 Authentication mechanism (external users [op.acc.5]) and Annex II Point 5. Protection measures [mp] 5.7.3 Electronic signature [mp.info.3].

idCAT and VALID