b) If the singer of digital messages attached to data messages is an organization, such signer is allowed to use the private key for organization to attach digital signatures to data messages.

2. Checking validity of digital certificates:

a) Digital certificates of persons attaching digital signatures to data messages are checked via the trusted path on such digital certificates and also checked by the national certification authority.

b) The checking of validity of a digital certificate at the digital signature time shall focus on:

- Validity period of the digital certificate;

- Status of the digital certificate through the Certificate Revocation List (CRL) published at the digital signature time or through the Online Certificate Status Protocol (OCSP) in the case where the certification authority provides OCSP services.

- Cryptographic algorithms used on the digital certificate;

...

...

...

c) The digital certificate remains valid if the following criteria are met:

- The validity period on the digital certificate remains unexpired at the digital signature time;

- Cryptographic algorithms used on the digital certificate comply with compulsorily applied technical regulations and standards for digital signatures and digital signature authentication which remain effective;

- The digital certificate remains operational at the digital signature time;

- The digital certificate is used for intended purposes and within the intended scope.

3. Storage and cancellation of the following pieces of information attached to digital signature data messages:

a) Digital certificates corresponding to private keys which signers use to sign data messages at the digital signature time;

b) List of certification authorities’ digital certificates revoked at the signature time that correspond to digital signatures attached to outgoing data messages;

c) Validation etiquettes of certification authorities issuing digital certificates that correspond to the digital signatures attached to outgoing data messages;

...

...

...

4. Change (addition or reduction) of digital signatures of certification authorities.

5. Notification (in alphabetical letters/symbols) of checking whether a digital signature is valid or not.

Section 2-Digital signature checking software

Article 6. General requirements

Technical standards for digital signatures attached to data messages in the List of technical standards for digital signatures attached to data messages promulgated together with this Circular shall be complied with.

Article 7. Functional requirements

1. Checking of validity of digital signatures affixed to data messages:

a) Digital signatures affixed to data messages are verified according to the principle: a digital signature is generated from a private key corresponding to the public key on the digital certificate;

b) Digital certificates of persons attaching digital signatures to data messages are checked via the trusted path on such digital certificates and also checked by the national certification authority.

...

...

...

- Validity period of the digital certificates;

- Status of the digital certificates through the Certificate Revocation List (CRL) published at the time of attaching the digital signature or through the Online Certificate Status Protocol (OCSP) in the case where the certification authority provides OCSP services.

- Cryptographic algorithms used on the digital certificates;

- Purpose and scope of the digital certificates.

d) A digital certificate remains valid if the following criteria are met:

 - The validity period on the digital certificate remains unexpired at the digital signature time;

- Cryptographic algorithms used on the digital certificate comply with compulsorily applied technical regulations and standards for digital signatures and digital signature authentication which remain effective;

- The digital certificate remains operational at the digital signature time;

- The digital certificate is used for intended purposes and within the intended scope.

...

...

...

- Decrypt the digital signature on each data message to obtain information about the hash value;

- Use the secure hash algorithm that generated the hash value on the digital signature to generate a hash value for the data message;

- Compare the two hash values to check if whether they match, thereby checking the integrity of the digital signature data message.

e) A digital signature on the data message is considered valid if:

- Information about the signer has been checked and verified;

- The signer’s digital certificate remains valid at the signature time;

- Digital signature on the data message matches the private key corresponding to the public key on the digital certificate and integrity of the data message is ensured.

2. Storage and cancellation of the following pieces of information attached to digital signature data messages:

a) Digital certificates corresponding to digital signatures attached to incoming digital signature data messages;

...

...

...

c) Validation etiquettes of certification authorities issuing digital certificates that correspond to digital signatures attached to incoming data messages;

d) Results of checking of digital certificate status appropriate for digital signatures attached to incoming data messages.

3. Change (addition or reduction) of digital signatures of certification authorities.

4. Notification (in alphabetical letters/symbols) of checking whether a digital signature is valid or not.

Chapter III

IMPLEMENTATION CLAUSE

Article 8. Implementation

1. The National Electronic Authentication Centre shall provide guidelines for the implementation of this Circular.

2. Public certification authorities and specialized certification authorities of organizations shall publish technical specifications (documents and tool sets), digital certificates related to certification authorities and standards for digital signatures on websites of the certification authorities.

...

...

...

Article 9. Grandfather clause

Organizations and individuals using digital signature software and digital signature checking software before the effective date of this Circular shall keep using them until they are changed, upgraded or replaced shall comply with the regulations laid down in this Circular.

Article 10. Effect

1. This Circular comes into force from November 01, 2020.

2. Chief of Office, National Electronic Authentication Centre, heads of agencies and units affiliated to the Ministry of Information and Communications, Directors of Departments of Information and Communications of provinces and central-affiliated cities, and relevant organizations and individuals are responsible for the implementation of this Circular.

3. Difficulties that arise during the implementation of this Circular should be promptly reported to the Ministry of Information and Communications (the National Electronic Authentication Centre) for consideration and resolution./.

...

...

...

APPENDIX

LIST OF TECHNICAL STANDARDS FOR DIGITAL SIGNATURES ATTACHED TO DATA MESSAGES
(Enclosed with the Circular No. 22/2020/TT-BTTTT dated September 07, 2020 of the Minister of Information and Communications)

No.

Type of standard

Standard code

Full name of standard

Form of application

1

...

...

...

1.1

Character set and encoding

ASCII

American Standard Code for Information Interchange

Recommended

1.2

Coded Vietnamese character set

TCVN

6909:2001

...

...

...

Compulsory 

1.3

Character set demonstration

UTF-8

8-bit Universal Character Set (UCS)/ Unicode Transformation Format

Recommended

1.4

Data message format language

XML v1.0

...

...

...

Extensible Markup

Language version 1.0 (5th Edition)

Compulsory application of one of the two standards

XML v1.1

(2nd Edition)

Extensible Markup

Language version 1.1

1.5

XML Schema Definition

...

...

...

XML Schema version 1.1

Recommended

1.6

XML metadata interchange specification

XML v2.4.2

XML Metadata Interchange version 2.4.2

Recommended

2

Standards for digital signatures and checking of digital signatures

...

...

...

Standards for digital signatures on private key management devices, digital signature software, creation of digital signatures, digital certificates and digital signature checking software.

2.1.1

Encryption algorithms

TCVN 7816:2007

Cryptographic technique - Cryptographic algorithms - Data Encryption Algorithm AES

Recommended

NIST 800-67

Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher

Recommended

...

...

...

RSA Cryptography Standard

(Version 2.1 or later)

Application and use of the RSAES-OAEP scheme for encryption

A minimum of 2048-bit keys

Recommended

ECC

Elliptic Curve Crytography

Recommended

2.1.2

...

...

...

TCVN 7635:2007

Cryptography technique - Digital signature

- Application of one of the three standards.

- For TCVN 7635:2007 and

+ Version 2.1

+ Application of  

+ A minimum of 2048-bit keys

- For the standard ECDSA: a minimum of 256-bit keys

PKCS#1

...

...

...

ANSI X9.62-2005

Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)

2.1.3

Secure hash function

FIPS PUB 180-4

Secure Hash Algorithms

Application of one of the
SHA-224,
SHA-256,
SHA-384,
SHA-512,
SHA-512/224,
SHA-512/256,
SHA3-224,
SHA3-256,
SHA3-384,
SHA3-512, SHAKE128, SHAKE256

...

...

...

SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

2.1.4

Secure XML message exchange

XML Encryption Syntax and Processing

XML Encryption Syntax and Processing

Compulsory

XML Signature Syntax and Processing

XML Signature Syntax and Processing

Compulsory

...

...

...

XML public key management

XKMS v2.0

XML Key Management Specification version 2.0

Compulsory

2.1.6

Cryptographic message syntax for signing and encrypting

PKCS#7 v1.5 (RFC 2315)

Cryptographic message syntax for file-based signing and encrypting version 1.5

Compulsory

...

...

...

Standards for digital signatures on the system of equipment for management of private keys and digital certificates and remote digital signature creation

2.2.1

Policy and security requirements for digital signature servers

ETSI TS 119 431-1

Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD/SCDev

Application of the 2 part standard;

Version V1.1.1 (12/2018)

ETSI TS 119 431-2

...

...

...

2.2.2

Protocol for creation of digital signatures

ETSI TS 119 432

Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation

Version V1.1.1 (03/2019)

2.2.3

Signature application on a digital signature server

EN 419241-1:2018

...

...

...

2.2.4

Requirements for digital signature module

EN 419241-2:2019

Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing

2.2.5

Security requirements for

EN 419221-5:2018

...

...

...

3

Standards for checking digital certificate status

3.1

Protocol for transmission and receipt of digital signatures and the Certificate Revocation List

RFC 2585

Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTP

Application of either one or both of FTP and HTTP protocols

3.2

...

...

...

RFC 2560

X.509 Internet Public Key Infrastructure - On-line Certificate status protocol