Cryptography
Andrey Shevchuk, 2013-09-30 16:53:16

EDS for signing files by employees?

Suppose a company wants to sign arbitrary files using a legally valid EDS (according to Federal Law No. 63), in order to later transfer the file to a partner company, where they could open it as usual and, if desired (and if the software is available), make sure that it was signed by such-and-such an employee (or employees; i.e. the person, not the company, is verified). For this, of course, the signature must be detached, otherwise a partner without the software will not be able to open anything.
To obtain an EDS, you need a certification authority. But the sites of the centers are full of offers to buy an EDS for bidding, reporting, interaction with government agencies, etc., and no one offers ordinary certificates for signing files. I understand that with the help of more sophisticated certificates, you can also sign files, but such unanimity confuses me a little, so I'm already a little confused.
Maybe I misunderstood something, and today there is simply no way to run the program, feed it a file and a signature, and receive information from an accredited certification center about whose signature it is and whether it is valid?
So the questions are:

  1. Is the above possible?
  2. If yes, what exactly is needed for this? I suppose certificates for employees + software, but what certificates, how do they differ, do you need something else?
  3. Where is the best place to get it and how much does it cost?
  4. I have already thought about UEC for employees, am I healthy? If yes, are there any pitfalls?
  5. If the above is not possible, what is the closest way to get there? It's probably a little expensive to start your own certification center.


4 answer(s)
ystr, 2013-09-30
@IIIEB4YK

Answers to questions:
1) Yes, this is certainly possible;
2) For a more correct decision, it is necessary to issue so-called “qualified certificates” to all employees (see Federal Law No. 63). As a result, so-called “legally significant signatures” will be obtained. Certificates for trading and other purposes differ from ordinary certificates for individuals (or employees) only in additional “purposes of use” (certificate fields that mean little to you). You can sign messages using any certificate. Restrictions on use can only be imposed by the programs with which you will make such a signature;
3) In any CA. It is just better if the site mentions that this is a “TC accredited according to 63-FZ”. Give them a call and see if they can service your company and issue signatures to employees. I am sure that any CA will answer positively;
4) Yes, you can also use the UEC - the certificate there is also “qualified”. There is only one “but” here - in the certificate with the UEC, the home address of the owner is usually indicated, and this information is usually hidden. It is better, in my opinion, to agree with the CA - the employee's company, position and everything you want will be immediately indicated there, up to the address in Skype;
5) Doing your own CA is unnecessary, see the recommendations above.

mayorovp, 2013-09-30
@mayorovp

A local certification authority with a self-signed certificate is enough - unless, of course, by “partners” you mean the whole world.
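The workflow the question asks for (a detached signature beside an untouched file, then a check of who signed it), sketched with OpenSSL as an added example that is not part of the thread. It assumes a throwaway local CA and RSA keys standing in for certificates from an accredited CA; the names `Example Local CA`, `Ivan Petrov` and `contract.txt` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detached CMS signature with a local CA.
# All names and keys are constructed for the demo and live in a temp directory.

demo_setup() {
  W=$(mktemp -d) && cd "$W" || return 1
  # Self-signed root of the local CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Local CA" -days 30 2>/dev/null || return 1
  # Employee key and certificate: the person, not the company, is the subject CN.
  openssl req -newkey rsa:2048 -nodes -keyout emp.key -out emp.csr \
    -subj "/O=Example LLC/CN=Ivan Petrov" 2>/dev/null || return 1
  openssl x509 -req -in emp.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out emp.crt -days 30 2>/dev/null || return 1
  printf 'contract text v1\n' > contract.txt
}

# sign_detached FILE -> writes FILE.p7s; FILE itself is not modified, so a
# partner without any signature software can still open it as usual.
sign_detached() {
  openssl cms -sign -binary -in "$1" -signer emp.crt -inkey emp.key \
    -outform DER -out "$1.p7s"
}

# verify_detached FILE SIG -> prints the signer's subject if the signature
# matches FILE and the signer certificate chains to ca.crt; fails otherwise.
verify_detached() {
  openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
    -CAfile ca.crt -signer signer.pem -out /dev/null 2>/dev/null || return 1
  openssl x509 -in signer.pem -noout -subject -nameopt RFC2253
}

# Usage:
#   demo_setup && sign_detached contract.txt \
#     && verify_detached contract.txt contract.txt.p7s
```

The partner only needs `ca.crt` (or, with an accredited CA, that CA's published root) plus the file and its `.p7s` to run the verification step.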

Nikolai Turnaviotov, 2013-09-30
@foxmuldercp

At the level of companies and Active Directory, you can configure the digital signature and trust domains and get the issuing CAs to be friends with each other.

polyakstar, 2013-10-01
@polyakstar

There is such a service for legal entities: kontur.spb.ru/diadoc/
Everything is implemented there: both the CA and the workflow itself.
