Electronic signature key is a unique sequence of characters designed to create an ESig. It is also called a privacy key.
Electronic signature verification key — is a unique sequence of characters that is uniquely associated with an electronic signature key and is designed for Esig verification (hereinafter - Esig verification). It is also called a public key. The value of the electronic signature verification key can be found in the certificate.
Certificate authority (hereinafter also referred to as CA) — is a legal entity or an individual entrepreneur carrying out functions for creating and issuing certificates of electronic signatures verification keys, as well as other functions, in accordance with Federal Law #63-FZ "On Electronic Signatures”.
Electronic signature means (hereinafter also - ESig means) are means of encryption that are used to implement at least one of the following functions: creation of ESig, ESig verification, Esig key creation and Esig verification key creation.
Certificate authority means — software or hardware means used to implement the functions of the certificate authority.
The CA root certificate — is a certificate that was issued by a certificate authority to itself and is self-signed. All other certificates issued by this CA are signed with the ESig key of this root certificate. The notion of a public key infrastructure (PKI): if the CA root certificate is trusted, then all the certificates issued by this CA and signed by ESig key of this root certificate are automatically trusted. Usually there is only one CA root certificate.
Intermediate CA certificate — is a certificate, whose ESig key was used to sign another certificate, and the certificate itself has been signed by key of the Esig root certificate or another intermediate certificate of this CA. Intermediate certificates allow to build a wide hierarchical structure of CA certificates.
Self-signed certificate — is a certificate that is signed by the Esig key corresponding to the Esig verification key from this certificate. The certificate issuer fields contain the same information as the fields of the certificate owner.
ESig Creation — is the result of work of the ESig means in the course of Esig creation that produces a sequence of data bits of the fixed length after cryptographic transformation of the electronic document to the hash and hash encryption by the electronic signature key. Length of the name of the hashing and encryption algorithms is specified in the Certificate.
Confirmation of the authenticity of the ESig in the SED — is a positive result of the work of the ESig means in the course of Esig verification. The result is considered positive if the decryption of the Esig with the help of the Esig verification key specified in the Certificate in accordance with the cryptographic algorithm yields a value that equals the hash of the electronic document obtained in accordance with the appropriate cryptographic algorithm specified in the Certificate.
Hash — is a result of the hashing function, which converts the input data array of random length into the output bit string of the fixed length.
Electronic docflow participants — persons involved in the exchange of information in electronic form within the framework of this Agreement.
Compromised ESig key — is a breach of confidentiality of ESig key, when the value of the privacy key becomes known to the person who is not the Certificate owner.
Main Contract — Contract on Information Technology Collaboration when Completing Transfers by Individuals without Opening an Account.
System — a set of software and hardware means that enables the electronic docflow between the Operator and the Counterparty under this Agreement. The System includes ESig means and provides for ED preparation, the generation of ESig, the receipt, transmission and processing of SED using the computer facilities of each of the Parties. Data transfer in the System is implemented via the Internet.
List of revoked certificates (hereinafter also referred to as RCL) — is a list that contains the serial numbers of certificates that have been revoked by the issuing CA and that are no longer trusted. Certificates are added to the RCL upon the notification of the fact of the compromised Esig key.
Expert Committee — is a committee created by the parties to resolve disputes arising in the course of SED exchange.
Application — application on the accession of the Counterparty to the Main Contract completed in accordance with the form in Annex #9 to the Main Contract.
The Subject of the Agreement
This Agreement establishes the procedure for organizing and conducting electronic docflow between the parties pursuant to the Main Contract.
Electronic documents, which are transferred under this Agreement, must be signed by enhanced encrypted non-qualified electronic signature. Hereinafter ESig refers to EESig.
Electronic documents, which are transferred to the other party: the daily rosters maintained by the Operator in accordance with clause 3.1.4 of the Main Contract.
Exchange to other EDs in the System does not create obligations for the Parties under the Main Contract and Agreement. The Parties recognize the legal validity of the SED signed by EESig (upon verification of authenticity of the ESig in the SED), of its equal validity to paper documents issued in accordance with the legislation of the Russian Federation and the terms of the Agreement and the Main Contract, and signed by the authorized representatives of the parties, with affixed seals of the parties.
SED creates obligations for the parties, established by the Agreement and the Main Contract, if it was duly completed by the sending party, signed by EESig, and received, inspected and accepted for processing by the receiving party in accordance with the Agreement.
This Agreement applies only to protect information in the SED during its transfer via open communication channels. Other requirements for information protection are carried out by the parties independently and based on the requirements of the applicable law and the requirements of internal normative documents of the parties.
The transfer of SED is implemented through the System between the parties by sending email messages via the Internet.
Connection of the parties to the Internet is performed independently and is not the subject of the Agreement.
General Principles of Electronic Docflow
When signing an ED, each of the Parties uses its ESig key, and when verifying the signature, each of the Parties uses ESig verification key recorded in the Esig verification key certificate of the other Party.
The Parties shall exchange the certificates that will be used to create ESig.
For electronic docflow, the Parties can use self-signed certificates and certificates signed by another ESig key.
If the docflow uses a certificate that was not self-signed, but issued by the CA, then the parties shall also exchange CA root certificates and, if they exist, intermediate CA certificates.
Prior to beginning of the work, the parties agree to check their ESig means and to verify ESig authenticity with their help.
The Parties acknowledge that:
changes to the SED create a negative result for ESig verification;
faking an ESig is not possible without an owner ESig key;
each party is responsible for the safety of their ESig key and for the actions of its personnel when using ESig means;
legal significance of the SED comes into force the moment the SED is received via the System by the receiving party and is recorded in the log.
The ESig means should be built into the System. The Parties acknowledge the means are sufficient for ED signing and for ESig verification in SED.
ESig means of the System incorporate GnuGP software that provides the user with the interface for completing cryptographic operations, data encryption and decryption, data signing and signature validation that is, being the means of electronic signature.
Obligations of The Parties
The Parties undertake:
To independently equip the System with the necessary software and hardware and system software programs.
To appoint persons responsible for working with the System in accordance with this Agreement.
To assign a Security Administrator responsible for generating, recording, sharing and preservation of keys used in the System, for protecting it against unauthorized access and for the maintenance of the ESig means of the System.
To exchange certificates.
To make a planned replacement of ESig keys and corresponding ESig key validation certificates in accordance with the rules of the CA and/or applicable law. It is recommended that the planned replacement take place at least 1 time a year and 10 days prior to the expiration date of the certificate.
To immediately inform the other party about all cases of loss, theft, unauthorized use of ESig keys at the following addresses: The Operator at merchants@money.yandex.ru, the Counterparty is at the email address provided by the Counterparty in the Application. Meanwhile, the work in the System is suspended until the unplanned change of the keys is complete.
To assume all risks associated with functionality of their equipment and communication channels.
At their own expense, to maintain the System software and hardware facilities that are responsible for functionality of the computing and communication equipment for electronic docflow.
In due time (no less than three days in advance) to notify each other of changes in their actual location, network address and other essential details necessary to determine the legal status, as well as for the identification of the parties and fulfillment of obligations under the Agreement.
Not to take actions that could undermine the other party as a result of using the System.
In due time to inform (via email and/or phone) the other party about all cases of technical difficulties or other circumstances that prevent the electronic docflow.
In case of detection of possible threats to security, the parties undertake to inform each other of such threats with a purpose to concerted measures to neutralize them.
Strictly comply with the requirements of the technical and operational documentation for the System software and hardware equipment.
Develop and implement measures to ensure the confidentiality, integrity, and security of the System software, transferred SED, event logs, current key information and password information used to access the System.
Organize the internal mode of work place functionality of the responsible person in such a way as to exclude the possibility of use of the System by unauthorized persons having access to working with it, and to eliminate the possibility of the use of ESig means by unauthorized persons.
To ensure the privacy of information on information security technologies used in the ED exchange between the parties, except for the cases stipulated by the current legislation of the Russian Federation.
To maintain the System time of the software and hardware means in accordance with current astronomical time within the accuracy of five minutes. The Parties recognize the GMT time zone of the city of Moscow as unified time zone scale.
To exchange EDs that do not contain computer viruses and/or other malicious programs.
To implement obligatory anti-virus software checks of transmitted EDs before sending them. Anti-virus software databases must be up-to-date when such checks take place.
To send to the other party and to provide for receipt by the other party of the SED while monitoring the integrity and authorship in the cases and within the deadlines established by the Agreement and (or) the Main Contract.
To receive for implementation the ED in a timely manner as per the Agreement and (or) the Main Contract, if the EDs were received via the System, the EESig were signed and the ESig was successfully verified.
When performing the operations based on the received via the System EDs, to comply with the requirements of the legislation of the Russian Federation, as well as with the terms of the Main Contract and Agreement.
Parties arrange for archive storage of SED for the duration of validity of the equivalent documents issued on paper.
The Rights of The Parties
The Parties shall have the right to:
Limit and suspend the use of the System in case of improper execution of the Agreement by the other Party by notification no later than on the day of the suspension and at the request of the competent authorities, in the cases and in the manner prescribed by the legislation of the Russian Federation.
Change the software and hardware means of the System with sending an advance notice of no less than two business days to the other party.
Shut down the System due to technical reasons until its functionality is restored.
Implement planned replacement of the ESig key, ESig key validation and ESig validation key certificate on their own initiative with sending an advance notice of no less than two business days to the other Party.
Responsibility of the Parties and the Risks of Loss
The Parties are responsible for the contents of any SED provided ESig authenticity was verified.
Parties are responsible for the confidentiality and the proper use of the ESig keys.
The Party that allowed for ESig key being compromised is responsible for the ED signed with the compromised ESig key up until the moment of the official notification of revocation (withdrawal) of the certificate and the specific documents signed by the specified key.
The Party that reported the loss or the fact of the compromised ESig in untimely manner bears the associated risks.
In the event of the loss, the party which does not fulfill (properly perform) obligations under the Agreement, shall be held liable to by other Party for the resulting damages. In the absence of evidence of failure (improper fulfillment) by the parties of the obligations under the Agreement, the risk of losses is attributed to the party whose ESig was used to sign the ED, whose execution resulted in the loss.
If the proper performance of the ED results in damage to third parties, it is the responsibility of the Party on whose behalf the ED was signed by ESig.
The Parties are relieved from responsibility for partial or complete non-performance of their obligations under the Agreement, if any of such were the consequences of force majeure (Act of God/Nature) that took place after the entry into force of the Agreement, as a result of extraordinary events, which could not be foreseen and prevented by reasonable measures. Party shall promptly notify the other Party of the occurrence and termination of the force majeure, hindering the performance of the obligations under the Agreement, and the terms of performance of obligations under the Agreement shall be postponed in proportion to the time during which such circumstances were taking place.
In the event of termination of the Agreement for any reason, the parties bear responsibility for obligations arising before termination of the Agreement, in accordance with the legislation of the Russian Federation.
|
