Petition for friendship of certification centers

image



Disclaimer: The described incident took place more than 2 months ago but most likely has not lost its relevance yet. Wrote a post just now as a possible call-to-action appeared just this week.



Background.



On May 27, my electronic signature expired. In SKB Kontur offered the best price and a remote release, and therefore appealed to them. I paid the invoice immediately. The application for the issue of EP was approved quickly, within an hour. But in the personal account on ca.kontur.ru, instead of the "Install certificate" button, there was only an offer "Call the service center".



The service center manager explained that without a personal visit to the service center SKB Kontur would not be able to issue a certificate. They say this is only possible if a valid certificate was also issued by the Kontur. I had it from the Infotex company.



I was not eager to spend 2 hours on the road to the nearest service center (and at the time of quarantine there were only 2 working SCs left for the whole of St. Petersburg). In addition, it seemed to me a little more than illegal that one company does not recognize the legal force of an electronic signature issued by another company. Googling, I also found a recommendation from the Ministry of Telecom and Mass Communications on the use of remote identification methods .



I did not need a new electronic signature urgently, I could wait up to a week until Contour's support would more thoroughly approach my situation. Therefore, I signed the old electronic signature (while it was in effect) through Kontur.Krypto application for the issuance of a certificate and sent it to the support of Kontur along with the requirement to issue an electronic signature remotely and a link to the recommendation of the Ministry of Telecom and Mass Communications.



During the week, support pondered my request. As a result, the answer came, the essence of which is something like this: we do everything according to the law, so figs for you dude and not remote delivery, go to the office. A little later, they sent an official response - I am publishing it here .



Because I had no more time to argue, I had to spend time on the road and go to the service center. I released the EP successfully on the same day, but the sediment, as they say, remained.



I immediately created a vote on the ROI, www.roi.ru/69581 . After 2 months it was approved. I wrote this post mainly to talk about voting and draw attention to the issue. I believe that in the age of IT and telecommuting, and especially in the context of the COVID epidemic, those services that can be provided remotely should be provided remotely, if this does not create security vulnerabilities. If you like my initiative, please support it.



Generally speaking, I saw two potential problems in the industry . And accordingly he asked questions.



1)The certification authorities do not trust each other . But after all, the certification center is not a sharashkin office, for it to work it needs to have a license from the FSB and accreditation from the Ministry of Telecom and Mass Communications. The latter should at least mean an equal degree of liability insurance and personal data protection. Why the hell, then, in the Circuit cannot accept a valid EDS from another company for an identity card?



2) The certifying centers did not care about the recommendations of the state . In the context of the COVID epidemic, this threatens the health of their own clients. If, on the way to the service center, a client becomes infected with a coronavirus and dies - is this definitely beneficial to the certification center?

What is the general problem with following the recommendations, do they contradict the law?



By the concept of "certification centers" I mean, first of all, SKB Kontur. But it is possible that there are similar problems with other companies. Share your experience in the comments.



There are also suspicions that SKB Kontur is abusing the law and deliberately does not issue an electronic signature remotely in order to limit competition. The logic is simple - many users who have a valid EDS do not want to go to the service center for renewal and would rather extend their EDS remotely in the same company, despite the fact that in other companies the cost of an EDS may be much lower. Again, perhaps other certification authorities are guided by the same logic, write in the comments if you have any evidence of this.



It is extremely interesting to hear the opinion of the habrasocommunity on all of the above.



All Articles