1. What are electronic signature, electronic certificate, secured electronic signature, signature creation data and signature verification data?
As defined in the 5070 Electronic Signature Act: "e-signature" is electronic data used for authentication that is logically connected to an electronic document; "Electronic Certificate" is the electronic record linking the signature with the signature verification data and its credentials; "Secure Electronic Signature" has the same legal effect as a handwritten signature and meets particular conditions specified in the Act; "Qualified Electronic Certificate" is the electronic certificate, meeting the conditions prescribed by the Act, that is used to create a secure electronic signature; "Signature Creation Data" is the information belonging to the owner of the signature, such as encryption and cryptographic keys, that the owner uses to create unique electronic signatures; "Signature Verification Data" is the data, such as passwords and cryptographic public keys, used to verify the electronic signature.
2. Why is an electronic signature used, and for which applications?
The 5070 Electronic Signature Act provides a great opportunity for transactions secured in paper form to be carried out electronically with legal effect. Thus, you can use the NES (Qualified Electronic Signature) and e-signature to save time, effort and money in your personal or corporate business by moving to electronic media. By purchasing NES, you can use e-signature for:
3. What are the advantages of e-signatures?
Since electronic signatures can be used as the equivalent of handwritten signatures, they are used to electronically qualify all official transactions. Electronic signatures ensure reliable, fast and cost-effective processing compared to handwritten signatures. In this context, electronic signatures can be used in all processes covered by the 5070 Electronic Signature Act, including electronic communications, contracts, transactions with public institutions, banking operations, insurance operations, e-government, e-business and e-commerce applications.
4. What is public key infrastructure? Why is it used? What does it provide?
Public key infrastructure is a technology used to ensure the safe and reliable implementation of the electronic signature. An electronic signature created with public key infrastructure is used for: determining whose signature it is; ensuring the accuracy and integrity of the signed text in electronic media; and preventing the signature owner from denying the signature.
5. What is a Time Stamp? Why is it used, and for which applications?
A Time Stamp is defined by the law as "a record which is verified by electronic signature to determine the saving, changing, recording, sending and receiving time of electronic data". It is used to prove the existence of electronic data such as a document, record or agreement within electronic media. It enables reliable time information to be added to a process in an electronic environment. It can be used on any electronic application, statement, agreement or similar electronic data that needs time information.
6. What is a Certificate Service Provider (CSP)? What are its duties?
An Electronic Certificate Service Provider (CSP) is described within the law as "private legal entities or public institutions providing services related to e-signature, electronic certificates and timestamp". A CSP takes applications for electronic certificates, evaluates them, and produces and delivers electronic certificates to the applicant under safe conditions. In addition, it provides certificate renewal and revocation services, certificate revocation status, data publishing services and time-stamping services.
7. What obligations does a CSP have? What requirements must be met in order to be a CSP?
By the 5070 Electronic Signature Act and related regulations, CSPs are obligated:
In order to be in operation, a CSP should: use secure products and systems; conduct a reliable service; and demonstrate that it takes all measures to prevent counterfeiting and falsification of certificates. A CSP cannot retrieve or store a copy of generated signature creation data.
8. How is the CSP structure organized in Turkey?
By law, the principles and procedures for implementing the legal and technical aspects of the electronic signature, and the task of monitoring CSP activities, are given to BTK (ICTA) in Turkey. The Agency may inspect CSPs when it deems necessary. Once they fulfil the requirements of the law, legal persons or organizations may operate as CSPs after a BTK (ICTA) audit. For government organizations and institutions, a certification center affiliated with BTK (ICTA) has been established. CSPs certified by BTK (ICTA) provide certification services to the remaining applicants, who fall outside the scope of government certification.
9. How long are certificates used for? Why?
The validity of an electronic certificate is restricted for security reasons. At the end of the validity period, if the certificate owner wants to extend the usage of the certificate, they have to renew it through the methods defined by the CSP. In general, Qualified Electronic Certificates are used with a validity period of one (1), two (2) or three (3) years.
10. What is an SSL Certificate? Why and where is it used?
An SSL (Secure Sockets Layer) server certificate is a digital certificate that is used to verify the identity of the web site being connected to and to encrypt the data exchanged with the server. SSL certificates are used to verify the servers that users connect to over the internet or any other network. If the user who connects to the server also possesses an electronic certificate, it is possible to verify the identity of the user as well. During this type of connection, a secure tunnel is formed between the client and the server and the exchanged data is encrypted. SSL certificates are mainly used on web servers to provide connection security. The banking sector, e-commerce and e-government applications are the areas where SSL certificates are used most frequently.
11. What is a Root Certificate?
The certificate created with the CSP's own signature creation data is called the Root Certificate. The Root Certificate enables the production of certificates for applicants and also establishes a link between the ECSP's corporate identity and the signature creation data used to sign certificates. In accordance with the Electronic Signature Law 5070 and the "Regulation on the Principles and Procedures on the Implementation of Electronic Signature Law" published by BTK (ICTA), a CSP should: publish the hash value of the root certificate and the hash algorithm on its web site; publish them in top rated newspapers; and give one copy to BTK within seven (7) days of its business activity.
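A relying party can use the published hash value and hash algorithm to check a root certificate before trusting it. The following is an added example, not code from the regulation, BTK (ICTA) or any CSP; the function names, the accepted-algorithm list and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Assumption: the relying party accepts only these algorithms for a published hash.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}


def normalize_fingerprint(text):
    """Strip separators and case so 'AB:CD ef' and 'abcdef' compare equal."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("published fingerprint is not hexadecimal")
    return cleaned


def root_fingerprint(pem_cert, algorithm):
    """Hash the DER encoding of the certificate, not the PEM text."""
    algorithm = algorithm.lower().replace("-", "")
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"hash algorithm not accepted: {algorithm}")
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    return hashlib.new(algorithm, der).hexdigest()


def matches_published(pem_cert, published_hex, algorithm):
    """True only if the downloaded root matches the CSP's published hash."""
    expected = normalize_fingerprint(published_hex)
    actual = root_fingerprint(pem_cert, algorithm)
    return hmac.compare_digest(actual, expected)


# Constructed sample: placeholder bytes standing in for a root certificate's
# DER encoding (not a real certificate; the hash is taken over the raw bytes).
SAMPLE_DER = b"constructed placeholder for a CSP root certificate (DER)"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# Constructed "published" value, written with colons and upper case.
_digest = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_PUBLISHED = ":".join(_digest[i:i + 2] for i in range(0, len(_digest), 2))
# Constructed tampered copy: one extra byte changes the whole hash.
TAMPERED_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"\x00")

if __name__ == "__main__":
    print(matches_published(SAMPLE_PEM, SAMPLE_PUBLISHED, "SHA-256"))
    print(matches_published(TAMPERED_PEM, SAMPLE_PUBLISHED, "SHA-256"))
```

The published value should be taken from a channel other than the one the certificate was downloaded from, which is what publication in newspapers as well as on the web site makes possible.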
12. What information do electronic certificates contain?
Electronic Certificates primarily contain the following information:
Qualified Electronic Certificates contain the following information required by law:
13. What are the electronic signature creation and verification tools? What features should they have?
Secure electronic signature creation tools (in accordance with 5070 Electronic Signature Law);
The secure electronic signature verification tool;
14. What are certificate revocation, certificate suspension, certificate renewal and renewal of the key? How are they done?
If a certificate loses its validity, it is revoked within its period of use. The conditions below require cancellation of the certificate:
When cancelling a certificate, the CSP creates a reliable and quickly accessible record that allows third persons to detect the cancellation accurately. Instead of being revoked, the certificate is suspended if the origin of the cancellation cannot be verified or if it cannot be determined whether the cancellation reasons are met by the end user. During suspension, the certificate is in a state which cannot be verified by third parties. For personal use, electronic certificates must be renewed at the end of their validity period in order to continue to be used. Certificate renewal is done at the end of the certificate's validity period where there is no change in the certificate information. During the certificate renewal process, the pair of signature creation and signature verification data can be renewed.
15. What is the legal basis on the subject?
The legal basis for the implementation of electronic signatures in Turkey consists of the "5070 Electronic Signature Law", the "Regulation on the Principles and Procedures on the Implementation of Electronic Signature Law" and the "Communiqué on Processes and Technical Criteria Regarding Electronic Signatures" published by ICTA.
16. Are foreign certificates reliable?
By law, the legal consequences of an electronic certificate issued by a CSP located in a foreign country are determined by international agreements. If an electronic certificate issued by a foreign CSP is accepted by a Turkish CSP, it is considered a qualified electronic certificate. The Turkish CSP is also liable for any damages arising from the use of these electronic certificates.
17. What kind of software can be used with electronic certificates?
Various client software is available to verify electronic certificates and introduce them to computer systems. These applications can be custom-developed software or package programs that also fulfill this function. Many email clients and web browsers already have the ability to use electronic certificates.
18. What are the Certification Policy and Certification Practice Principles? For what purpose are they used?
Certificate Principles explain all related administrative, technical and legal requirements for: receipt of applications; certificate generation and management; and certificate renewal and revocation. They also determine the responsibilities of the CSP, certificate holder and third party applications. The Certification Practice Statement explains how the CSP, certificate holder and third parties comply with the requirements specified in the Certificate Policies. The CSP maintains the conditions of its Certificate Policies through business activities carried out in accordance with the Certification Practice Statement.