The entity responsible for issuing and safeguarding the centralised electronic certificates of users of the Cl@ve System will, in the exercise of its competences, be the General Directorate of the Police (DGP), in accordance with Organic Law 2/1986, of 13 March, on Security Forces and Corps and Royal Decree 1553/2005, of 23 December, which regulates the issuance of electronic certificates.
To perform these functions, the DGP uses the Public Key Infrastructure of the existing national identity card.
The DGP, in the exercise of its powers, acts as a trust service provider in accordance with Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, and in accordance with the principles of security, integrity, confidentiality,
A centralised signature certificate may be issued to the citizen by means of two procedures: an automated one, carried out at the time of the first signature, and a manual one, in which the holder requests the issuance of the certificate voluntarily.
In any case, the system will inform the citizen that his certificate will be issued and will ask him at that time to generate his keys.
The signature creation data shall comply with the following safeguards:
Their confidentiality is ensured.
They can, in practice, occur only once.
There shall be reasonable assurance that the signature creation data cannot be found by deduction.
The signature will be securely protected against forgery using the technology available at the time.
The legitimate signatory should be able to protect his signature creation data against use by others.
The data to be signed shall not be altered and shall be shown to the signatory before signature.
In any case, the certificates must be created in accordance with the legal requirements on the maximum period allowed since the citizen registered in person.
The Social Security Information Technology Administration (GISS) will act as the provider of signature services with a centralised electronic certificate, supported by the information stored and managed by the DGP that is needed for the signature.
On a first screen we will choose the password:
Then we will complete the issuance of the centralized signature certificate by writing it in this section:
The Cl@ve system will allow access to electronic signature services, in particular to electronic document signing services by means of centralised electronic certificates, all for submission to the public administrations in those formalities where the signature by electronic certificates is required or admitted. The following considerations shall be taken into account:
In order to be able to access the service, the user must first and expressly request the issuance of their centralised electronic certificates corresponding to the document used for registration at Cl@ve for centralised signature.
In order to make the request, and for subsequent access to the service, the user must in any case have registered at Advanced Level and have activated his Cl@ve Permanente. In addition, at the time of identification an additional security check will be required, using a single-use code of limited validity sent to the registered user's mobile phone.
For this purpose, the provisions of Royal Decree 1553/2005 of 23 December 2005 regulating the issuance of the national identity card and its electronic signature certificates apply.
In any centralised electronic signature process, it must be ensured that only the holder of the signing key can access it, so that before it is used the citizen must have been authenticated with a minimum of 2 authentication factors, such as his access password and a single-use code (OTP) sent by SMS to his mobile.
To adapt the use of Cl@ve Firma certificates to the eIDAS Regulation, the renewal of the registration must be ensured with the guarantees of High registration level (also called advanced level registration), which the Regulation requires in order to use recognised electronic certificates, in this case to sign. In particular, these guarantees require registration in person or online using the electronic ID, as other electronic certificates cannot guarantee that this requirement has been met.
To accommodate this requirement, a new option has been added to the Cl@ve Registry application that allows the registration to be renewed at high level under the conditions laid down in the eIDAS Regulation. In this way, a citizen can go to a Registration Office to request the renewal of his registration, and the Registrar will have to use this new option. The citizen can also access the Cl@ve registration option with his electronic ID and carry out this renewal process himself.
How does the citizen know that this renewal should take place?
This change only affects citizens who are registered in Cl@ve and use the Cl@ve Firma service. When a citizen is about to make an electronic signature with Cl@ve Firma, if he does not meet the 5-year requirement, counted from the last time he was physically present in a registration office or used the electronic ID to carry out a procedure in the Cl@ve Registry, he will be informed that, in order to use Cl@ve Firma, he must renew his registration in Cl@ve.
The citizen may waive the use of the Cl@ve system at any time, even if it has not been discharged.
The waiver may be carried out on the portal www.clave.gob.es, by identifying himself there and choosing the renunciation of the system among the user options. The request can be made using the ID or a recognised electronic certificate, or in person at an office. (https://clave.gob.es/registro/renuncia.html)
If a citizen renounces the system, his centralised certificate, if any, will be revoked, and his electronic access to the Cl@ve identification, authentication and electronic signature services will be disabled for both Cl@ve PIN and Cl@ve Permanente.
The renunciation must be documented, so in any of these procedures the citizen must sign the renunciation request, either with an electronic certificate (including his centralised certificate before it is revoked) or by hand at a Cl@ve office.
The Cl@ve system may manage the ex officio revocation of registered users in the system where circumstances endanger the security of the system, such as fraudulent or unfair use of the system or where there is a substantial modification of the identification data used in the registry.
For the exclusive purpose of informing a user who has been revoked under this procedure, the system may use one of the contact details held in the Registry Database to notify the user of this incident.
After a revocation, a new registration is possible only when the circumstances that led to the revocation have changed.
The effects of the revocation shall be the same as those of the renunciation.
The revocation of centralised certificates shall be effected ex officio by the Administration in the circumstances to be determined.
Once a certificate has been revoked, the system shall ensure that it cannot be used under any circumstances during a signature process.
The Cl@ve system will automatically manage the deregistration of registered users who have died. The effects of deregistration due to death shall be the same as those of renunciation.