Turkey: Amendment To The Regulation On The Procedures And Principles Regarding The Implementation Of The Electronic Signature Law

Amendment to The Regulation on The Procedures and Principles Regarding The Implementation of The Electronic Signature Law

Regulation amending the Procedures and Principles regarding the Electronic Signature Law Implementation was published in the Official Gazette on October 15, 2021.

The title of the third section of the regulation has been changed as "Certification Process, Uploading, Renewing and Cancellation of Qualified Electronic Certificates on the Identity Card," and new provisions which come after Article 13 have been added. Added provisions:

Article 13/A

– Electronic Certificate Service Provider ("ECSP") will be able to upload to the identity card different electronic certificates which use remote qualified electronic certificates and similar certificate infrastructure.

– ECSP will be able to upload the remote qualified electronic certificate to the identity card, renew and revoke it over Authentication Service Provider ("ASP") by using its role and secure communication certificates or by providing secure communication directly with Card Access Device ("CAD") in accordance with Electronic Authentication System ("EAS") standards and EAS regulation along with taking all necessary software and hardware measures so that private keys do not come out of the device and there is no data leak.

– Via its website, ECSP can receive the preliminary application of the request for uploading the qualified electronic certificate to the applicant's identity card. If this application is approved, ECSP will direct the applicant to the place of the CAD, where uploading the qualified electronic certificate will take place.

– ECSP in charge cannot request a fee from other ECSPs regarding Role and Secure Communication Electronic Certificates.

– ECSP will ensure that the following operations, which are carried out remotely through verification of the identity via the identity card, will take place continually/without interruption:

a) uploading the qualified electronic certificate,
b) renewing the qualified electronic certificate,
c) revoking the qualified electronic certificate,

In the amendment regarding Role and Secure Communication Certificates of the ECSP;

Article 13/B – ECSP conducts the following operations regarding the application for Role and Secure Communication Certificate:

a) It performs the role of server procurement and installation within its scope per the Turkish Standard (TS) 13681 standard, which was published in relation to the EAS by the Turkish Standards Institute (TSI).
b) It produces the key pairs required for Role and Secure Communication Certificates within the secure electronic creation tool determined according to the CAD standard (TS 13585).
c) It makes an application to the Information and Communication Technologies Authority ("Authority") with the certificate signing request (CSR) produced for the Role and Secure Communication Certificates, and with the document obtained from the authorized institutions showing that the role server complies with the relevant EAS standards and EAS Regulation. It gets the approval of the Authority and transmits this approval to the Turkey Ministry of Interior Civil Registration and Citizenship (TMICRC).

TMICRC examines the ECSP's application and, if found appropriate, transmits it to ECSP in charge. Otherwise, the applicant shall inform the ECSP.

ECSP in charge produces the Role and Secure Communication Certificates and securely transmits them to the ECSP, which is the applicant.

ECSP uploads the Role and Secure Communication Certificates into its own secure electronic signature creation tool.

In case of renewal of Role and Secure Communication Certificates, information and documents requested within the scope of subparagraph (c) of paragraph 1 of this article will not be submitted to the Authority again. ECSP will apply to TMICRC regarding the renewal of the certificates concerned, and TMICRC will apply to the ECSP in charge. Role and Secure Communication Certificates will be renewed by the ECSP in charge and submitted to the ECSP, which is the applicant.

CAD to be Used While Uploading a Qualified Electronic Certificate to The Identity Card

Article 13/C – ECSP submits the following information and documents regarding the CAD, which will be used for uploading a remote qualified electronic certificate to the identity card, renewing and revoking it:

a) CAD manufacturer information,
b) Information about place or application where CAD is used,
c) Information and document showing the compliance of CAD with CAD standards published by TSI,
ç) Common criteria conformity certificate of CAD to be used as a secure electronic signature creation tool,
d) Hash value of CAD firmware or CAD updated firmware passing common criteria,
e) A commitment to take the necessary security measures to ensure that the hash value of the CAD firmware to be used when uploading a qualified electronic certificate is equivalent to the hash value of the CAD firmware that passes the common criteria.

Qualified Electronic Certificate Application via Identity Card

Article 13/Ç – The identity verification process of the applicant through the identity card is made in accordance with subparagraph (h) of the first paragraph of Article 30 of the EAS Regulation.

Authentication Notification (AN) and Authentication Success Confirmation (ASC) are produced for identity verification per the TS 13679 standard. By the EAS standard, at least the following within the AN are included:

a) Copy of the Identity Card verification certificate of the person authenticated,
b) Information about the method used in verification,
c) Information about verification time.

Under the EAS standard, at least the following within the ASC are included:

a) Unique Number of Authentication Notification,
b) CAD Serial Number,
c) Summary of AN Verification Request,
ç) Biometric Verification Status.

In addition to ASC, the following are submitted to the relevant ECSP:

a) CAD's manufacturer information,
b) CAD's brand and serial number,
c) CAD's firmware knowledge,
ç) Hash value of CAD's firmware,
d) Certificate signed by the ECSP in charge and containing the Secure Access Module (SAM) manifest signing public key.

ECSP creates the application document in PADES-LTV format per the Identity Verification Regulation using the applicant's identity card and CAD.

Uploading a Qualified Electronic Certificate to The Identity Card

Article 13/D – ECSP verifies the applicant's identity per Article 13/Ç, so a remote qualified electronic certificate can be uploaded to the identity card.

If there is a pre-loaded certificate on the identity card, the applicant is informed about these certificates through CAD.

If all fields on the identity card that can be loaded with a qualified electronic certificate are full, the applicant is informed via CAD. For the new qualified electronic certificate to be uploaded to the identity card, the approval of the applicant regarding which certificate will be overwritten from the existing certificates is submitted to the ECSP to which the application is made.

The applicant's new certificate request to the ECSP is submitted directly through the CAD or via ASP. The following information is provided in this request:

a) ASC of the AN produced as a result of identity verification and belonging to the applicant
b) Hash value of CAD's firmware
c) Information of request regarding the certificate validity period of the applicant for the certificate production
d) Copy of the applicant's identity card verification certificate

ECSP, regarding the incoming application request; checks that the information belonging to the CAD, from which the request is received, is compatible with the information it has notified to the Authority, that ASC complies with the criteria specified in article 13/Ç, and that an authorized ASP has produced it within the scope of the EAS Regulation.

ECSP produces the qualified electronic certificate using the information contained in the Identity Card verification certificate sample of the applicant that comes to it, communicates securely with CAD using its secure communication certificate and role certificate, and transmits the certificate and keys to CAD directly or over ASP.

Certificates and keys from ECSP are securely uploaded to the identity card via CAD.

It is checked whether there is a pre-loaded electronic certificate on the identity card. If the qualified electronic certificate to be uploaded is the first certificate, the applicant creates the access data. Suppose there is another electronic certificate loaded on the identity card. In that case, the applicant is informed that "the same access data will be valid for all certificates on the identity card," and its approval is obtained. If the applicant wishes, it is ensured that the new access data is created and the access data created by the applicant is written to the identity card.

Recognizance of the application and hash value regarding the qualified electronic certificate loaded on the identity card are shown to the applicant via CAD, and they are provided to be signed with the new qualified electronic certificate loaded on the identity card. The signed recognizance is forwarded to the applicant. ECSP checks the accuracy and validity of this recognizance and ensures that the qualified electronic certificate is used in signing processes. In the event that the verification regarding the recognizance is not valid, the certificate is suspended by the ECSP after informing the certificate owner.

Renewal of The Qualified Electronic Certificate on The Identity Card

13/E – ECSP performs the authentication process regarding the remote qualified electronic certificate renewal request of the certificate holder in accordance with Article 13/Ç.

The certificates in the identity card are shown to the certificate holder through CAD. The certificate holder is enabled to choose the qualified electronic certificate they want to renew. The applicant's qualified electronic certificate renewal request is forwarded to ECSP either directly or directly or via ASP. This request includes the following:

a) ASC, which is produced due to identity verification and belonging to AN of the certificate owner, who requested renewal.
b) Hash value of CAD's firmware
c) Information of request regarding the certificate validity period of the applicant for the certificate renewal
d) Copy of certificate holder's Identity Card verification certificate

ECSP first checks whether the certificate in the incoming qualified electronic certificate renewal request belongs to it. If the certificate does not belong, it rejects the applicant's request for qualified electronic certificate renewal. If the certificate belongs to itself, ECSP checks that the information regarding the renewal request received by CAD is compatible with the information it has notified to the Authority, that AN complies with the criteria specified in article 13/Ç, and that an authorized ASP has produced it within the scope of the EAS Regulation.

ECSP renews the qualified electronic certificate using the information contained in the sample certificate of the certificate holder's Identity Card verification. It communicates securely with CAD by using its secure communication certificate and role certificate. It transmits the certificate and keys to CAD directly or securely over ASP. The certificate from the ECSP is securely uploaded to the ID card via CAD.

It is checked whether there is a pre-loaded electronic certificate on the identity card. If there is another electronic certificate loaded on the identity card, the applicant is informed that "the same access data will be valid for all certificates on the identity card." If the applicant wishes, it is ensured that the new access data is created and the access data created by the applicant is written to the identity card.

Recognizance of the application and hash value regarding the qualified electronic certificate renewed on the identity card is shown to the applicant via CAD, and they are provided to be signed with the new qualified electronic certificate renewed on the identity card. The signed recognizance is forwarded to the applicant. ECSP checks the accuracy and validity of this recognizance and ensures that the qualified electronic certificate is used in signing processes. In the event that the verification regarding the recognizance is not valid, the certificate is suspended by the ECSP after informing the certificate owner.

Revocation of the qualified electronic certificate on the identity card

13/F – Revocation requests of the qualified electronic certificate on the identity card by the certificate owner can be made by one of the following methods:

a) By one of the methods in the first paragraph of Article 13,
b) Through CAD.

In case the cancellation of the qualified electronic certificate in the identity card is carried out remotely via CAD, the authentication process regarding the qualified electronic certificate revocation request of the certificate owner is performed by the ECSP in accordance with Article 13/Ç.

The certificates in the identity card are shown to the certificate holder through CAD, the certificate holder is allowed to choose the qualified electronic certificate that they want to revoke, and the applicant's request for the cancellation of the qualified electronic certificate is forwarded to the ECSP either directly or via ASP. In this request, the following are included:

a) ASC, which is produced as a result of identity verification and belonging to AN of the certificate owner, who requested for revocation,
b) Hash value of CAD's firmware,
c) Certificate to be revoked.

ECSP first checks whether the qualified electronic certificate in the incoming revocation request belongs to it. If the qualified electronic certificate does not belong to it, it rejects the applicant's revocation request. Suppose the qualified electronic certificate belongs to itself. In that case, it immediately processes the revocation request. This request checks that the information belonging to the CAD where the request is received compatible with the information it has notified the Authority; ASC complies with the criteria specified in Article 13/Ç. It is an authorized document within the scope of the EAS Regulation. After that, it revokes the qualified electronic certificate.

ECSP uses its secure communication certificate and role certificate to communicate securely with CAD either directly or over ASP and ensures deletion of the qualified electronic certificate and key from the identity card via CAD.

Article 4 – The following paragraph has been added to come before the phrase in Article 14 of the same Regulation, which was saying "ECSP stores at least for twenty (20) years":

"g) By ensuring the security, confidentiality, and integrity of the record, which contains the information about all operations via the identity card related to remote qualified electronic certificate management when these operations were made and the person or persons who performed the operations concerned."

Article 5 – The phrase "Telecommunication Board" in Article 37 of the same Regulation has been changed to "Board."

Article 6 – This Regulation enters into force on the date of its publication.

Article 7 – The President of the Authority executes the provisions of this Regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.