Cryptography
newvasyuki, 2020-11-06 04:46:56

From the point of view of the law of the Russian Federation, is it legal to use openssl for EDS and encryption?

I don't want to buy CryptoPro. How legitimate is the use of openssl with support for GOST algorithms for signing documents and exchanging encrypted files with legal entities in the Russian Federation?

Openssl clearly does not have FSB of Russia certificates for cryptographic information protection (although I did not check). If they are not there, will there be no questions (in terms of "this is impossible, throw it away / remove it immediately")?


3 answer(s)
Legal Adviser, 2020-11-06
@Legal2019

In the Russian Federation:
For the purposes of this Federal Law, the following basic concepts are used:
1) electronic signature - information in electronic form that is attached to other information in electronic form (signed information) or is otherwise associated with such information and which is used to identify the person signing the information;
2) electronic signature verification key certificate - an electronic document or a paper document issued by a certification center or a trustee of the certification center and confirming that the electronic signature verification key belongs to the owner of the electronic signature verification key certificate;
3) a qualified certificate of an electronic signature verification key (hereinafter referred to as a qualified certificate) - a certificate of an electronic signature verification key that meets the requirements established by this Federal Law and other regulatory legal acts adopted in accordance with it, created by an accredited certification center or a federal executive body authorized in the field of using an electronic signature (hereinafter referred to as the authorized federal body), and in connection with this, being an official document;
(as amended by Federal Laws No. 445-FZ of December 30, 2015, No. 476-FZ of December 27, 2019)
4) the owner of the certificate of the electronic signature verification key - a person who, in accordance with the procedure established by this Federal Law, has been issued a certificate of the electronic signature verification key;
5) electronic signature key - a unique sequence of characters intended for creating an electronic signature;
6) electronic signature verification key - a unique sequence of characters uniquely associated with an electronic signature key and intended for verifying the authenticity of an electronic signature (hereinafter referred to as electronic signature verification);
7) certification center - a legal entity, an individual entrepreneur or a state body or local government body that performs the functions of creating and issuing certificates of electronic signature verification keys, as well as other functions provided for by this Federal Law;
(as amended by Federal Law No. 445-FZ of December 30, 2015)
8) accreditation of a certification center - recognition of the compliance of a certification center with the requirements of this Federal Law;
(as amended by Federal Law No. 476-FZ of December 27, 2019)
ConsultantPlus: note.
From 01.01.2021 Art. 2 is supplemented by clause 8.1 (FZ of December 27, 2019 N 476-FZ). See future edition.
9) electronic signature means - encryption (cryptographic) means used to implement at least one of the following functions - creating an electronic signature, verifying an electronic signature, creating an electronic signature key and an electronic signature verification key;
10) means of the certification center - software and (or) hardware used to implement the functions of the certification center;
11) participants in electronic interaction - state bodies, local governments, organizations, individual entrepreneurs, as well as citizens exchanging information in electronic form;
(as amended by Federal Law No. 476-FZ of December 27, 2019)
12) corporate information system - an information system, the participants of electronic interaction in which constitute a certain circle of persons;
13) public information system - an information system, the participants of electronic interaction in which constitute an indefinite circle of persons and the use of which cannot be denied to these persons;
14) delivery of the certificate of the electronic signature verification key - the transfer by the authorized person of the certification center of the certificate of the electronic signature verification key created by this certification center to its owner;
(Clause 14 was introduced by Federal Law No. 445-FZ of December 30, 2015; as amended by Federal Law No. 476-FZ of December 27, 2019)
15) confirmation of possession of an electronic signature key - receipt by a certification center, an authorized federal body of evidence that the person who applied for a certificate of an electronic signature verification key owns an electronic signature key that corresponds to the electronic signature verification key indicated by such a person for obtaining a certificate;
(Item 15 was introduced by Federal Law No. 445-FZ of December 30, 2015)
16) the applicant is a commercial organization, a non-profit organization, an individual entrepreneur, an individual who is not registered as an individual entrepreneur, but carries out professional activities that generate income, in accordance with federal laws on the basis of state registration and (or) a license, by virtue of membership in a self-regulatory organization, as well as any other individual, persons holding public positions of the Russian Federation or public positions of constituent entities of the Russian Federation, officials of state bodies, local self-government bodies, employees of organizations subordinate to such bodies, notaries and persons authorized to perform notarial acts (hereinafter - notaries), applying with a corresponding application for the issuance of a certificate of the electronic signature verification key to the certification center for obtaining a certificate of the electronic signature verification key as the future owner of such a certificate.
Article 5. Types of Electronic Signatures
1. Types of electronic signatures, relations in the field of use of which are regulated by this Federal Law, are a simple electronic signature and an enhanced electronic signature. A distinction is made between an enhanced unqualified electronic signature (hereinafter referred to as an unqualified electronic signature) and an enhanced qualified electronic signature (hereinafter referred to as a qualified electronic signature).
2. A simple electronic signature is an electronic signature that, through the use of codes, passwords or other means, confirms the fact of the formation of an electronic signature by a certain person.
3. An unqualified electronic signature is an electronic signature that:
1) is obtained as a result of cryptographic transformation of information using an electronic signature key;
2) allows you to identify the person who signed the electronic document;
3) allows you to detect the fact of making changes to the electronic document after the moment of its signing;
4) is created using electronic signature means.
4. A qualified electronic signature is an electronic signature that meets all the features of an unqualified electronic signature and the following additional features:
1) the electronic signature verification key is specified in the qualified certificate;
2) to create and verify an electronic signature, electronic signature tools are used that have confirmation of compliance with the requirements established in accordance with this Federal Law.
(as amended by Federal Law No. 445-FZ of December 30, 2015)
Something like this...
In fact, in many cases, nothing can be done without CryptoPro. I once tried...

res2001, 2020-11-06
@res2001

As far as I know, there are certified versions of openssl with GOST algorithms. I won’t give examples offhand, but at one time I found such information on the Internet. Google it.
There is another issue here - our crypto tools, even if they implement the same algorithms, are not compatible with each other (at least there was this problem a few years ago). Therefore, you will have to use the software that the CA and your counterparty use. I'm afraid there isn't much of a choice. Although, perhaps, something has already moved in this regard.

Ilya T., 2020-11-06
@Insaned

Everyone is so interesting - they rushed to answer, although the question was not fully asked.
Author, what are you going to do with this ES (EDS is a word that marks a novice)? Go to court and prove your case there? If yes, then the court will consider only certified CIPF. And if you just agree with partners that you will do this, then no one forbids you to do this.
