EDICOM as a Certification Authority Helps to Comply With NOM151
In 2002 the Mexican government started down the path toward a legal framework to cover in trade relations the retention of data in electronic format, resulting from contracts, agreements or commitments that grant rights and obligations between public and private entities. The result was the approval of the Official Mexican Standard NOM-151-SCFI-2002. The NOM 151, after various modifications has evolved toward the NOM-151-SCFI-2016.
Approved in January 2017, the Official Mexican Standard NOM-151-SCFI-2016 replaces the NOM-151-SCFI-2002 and currently governs the mechanisms that should be observed for the retention of data messages and digitalization of paper documents. The NOM151 sets a series of clear and rigorous criteria for the irrefutable accreditation that a document, either electronic in origin or the result of a process of digitalization, constitutes a valid original. This validity is determined by a prestigious third party accrediting the origin and integrity of these documents.
The following elements are involved in the retention of data messages and in digitalization: advanced electronic signature, constancy and archiving retention records, as well as digitalized documents. In the first two cases, they must be issued and controlled by a legally authorized third party as Certification Service Provider (CSP). It is the user who is in charge of retention, who can contract a third party for their administration.
In Mexico, EDICOM has been accredited for providing these services through resolution number 316.09.00483, dated 5 March 2009 published in the Official Journal of 7 May 2009.
As a Certification Authority in Mexico (ACEDICOMMX), EDICOM provides natural and legal persons with mechanisms for secure electronic identification that allows them to carry out activities where electronic signatures replace handwritten signatures with identical legal guarantees. For more information on ACEDICOMMX.
EDICOM is a technology provider specializing in EDI and Electronic Invoicing, with experience in international projects and is a Certification Authority for Europe and Mexico. This means that B2B the ecommerce solutions it offers as a technology provider are equipped with tools that guarantee the exchange of electronic messages securely, integrally and confidentially.
With this objective, the range of services EDICOM has developed allows the customer to cover all the technical needs to comply with all the requirements of NOM151.
EDICOM services as a Certification Authority
Issuance of certificates. EDICOM as a Certification Authority issues certificates that allow accrediting the identity of people and companies that use them to ensure the security of their electronic communications.
What are electronic certificates used for? For the electronic signature of documents and software, data encryption, digitalization or certified archiving or personal identification. In the case of the NOM151, it requires the use of certificates in the name of the holders of the documents to be retained.
The certificates can be non-qualified or qualified, with the qualified offering greater guarantees, as they meet a series of requirements that increase their security, the signatures obtained from them are the so-called advanced or trusted signatures.
Remote qualified signing service. The Remote Signing service of EDICOM “EDICOM CRYPTO SERVER (ECS)” allows qualified signing with certificates archived in secure signature creation devices (SSCD) via a WebService interface on HTTPS.
Time stamping. Time stamping is an online mechanism that allows demonstrating that a series of data have existed and have not been altered from a specific point of time.
In the context of the application of the NOM151, the time stamp is a service provided by the EDICOM Certification Authority that represents an electronic record used to verify its reception at a given moment of date, hour, minute and second. Any subsequent changes to that date on the original document can be detected immediately. In this way, added to the requirements of integrity and origin guaranteed by the digital signature, are the verification of the moment in which they were certified.
Long-term electronic archiving. EDICOM offers specific services of long-term archiving of all elements that make up the record files (Documents, ASN.1 Retention Request, NOM151 Data Message Retention Record), preserving at all times the characteristics of authenticity and integrity and allowing consultation, display and verification of the archived documents at any time. This archiving service, known as EDICOMLta, also offers reports with the detail of the evidence that justifies the actions taken to ensure the integrity and authenticity of documents archived, offering the probative value of the records retained at the request of third parties.
Certificate Revocation Lists (CRL) are a directory which include the list of certificates no longer valid in the electronic signature processes. These lists are updated by the EDICOM Certification Services Provider every 24 hours at the most.
It is also possible to see the revocation status of the certificates with consultations to the EDICOM Validation Services by means of the OCSP protocol (Online Certificate Status Protocol). This protocol allows determining the status of a certificate without having to consult the complete list of the CRL.