Circular No. 16/2019/TT-BTTTT stipulates the List of Mandatory Standards for Digital Signatures and Digital Signature Certification Services under the Remote Signing Model on Mobile Devices and Remote Signing

This Decision promulgates the list of technical standards that must be adhered to when implementing digital signatures and digital signature certification services under the remote key management model (Remote signing) or on mobile devices (Mobile signing). The standards are divided into several groups including: Cryptography and digital signatures, Data information, Certification policies and regulations, Protocol for storing and retrieving digital certificates, Status checking of digital certificates, Security for HSM managing secret keys of digital signature certification service providers, System of customer key management devices, digital certificates, and digital signature creation.

Document No.16/2019/TT-BTTTT
Document typeCircular
Issuing authorityMinistry of Science and Technology
Signed byNguyễn Mạnh Hùng — Bộ trưởng
Updated14/06/2026
SectorInformation and Communications
FieldScience and Technology
Issued date05/12/2019
Effective date01/04/2020
Expiry date
StatusIn effect
✦ Smart summary

This Decision promulgates the list of technical standards that must be adhered to when implementing digital signatures and digital signature certification services under the remote key management model (Remote signing) or on mobile devices (Mobile signing). The standards are divided into several groups including: Cryptography and digital signatures, Data information, Certification policies and regulations, Protocol for storing and retrieving digital certificates, Status checking of digital certificates, Security for HSM managing secret keys of digital signature certification service providers, System of customer key management devices, digital certificates, and digital signature creation.

Scope of application

Organizations providing digital signature certification services under the Remote signing or Mobile signing models

Key points

  • PKCS #1 standard for asymmetric cryptography and digital signatures with a minimum key length of 2048 bits for Remote signing, 2048 bits or 3072 bits for Mobile signing.
  • Security requirements for SIM cards in the customer key management device system according to the FIPS PUB 140-2 level 2 or TCVN 8709 level EAL 4 standard.
  • Web service interface and security framework for Mobile signing according to the ETSI TS 102 203, ETSI TS 102 204, ETSI TR 102 206 standards.
  • Policy and security requirements for the digital signature server in Remote signing according to the ETSI TS 119 431-1, ETSI TS 119 431-2 standards.
  • Protocol for creating digital signatures in Remote signing according to the ETSI TS 119 432 standard.

🌐 Social impact of this document

  • Enhancing security for remote or mobile digital certification and signature systems
  • Developing a safe and reliable electronic service market
  • Improving the efficiency of customer key management and digital signature creation

❓ Frequently asked questions

What standards must be followed when implementing Remote signing?

PKCS #1 standard for asymmetric cryptography and digital signatures with a minimum key length of 2048 bits, FIPS PUB 140-2 level 3 or EN 419221-5:2018 standard for security of HSM managing secret keys of digital signature certification service providers.

What requirements are there for the system of customer key management devices, digital certificates, and digital signature creation in Mobile signing?

Security requirements for SIM cards according to the FIPS PUB 140-2 level 2 or TCVN 8709 level EAL 4 standard.

Which standards must the Web service interface and security framework for Mobile signing comply with?

ETSI TS 102 203, ETSI TS 102 204, ETSI TR 102 206 standards.

Which standards must the policy and security requirements for the digital signature server in Remote signing comply with?

ETSI TS 119 431-1, ETSI TS 119 431-2 standards.

Full text

MINISTRY OF INFORMATION AND COMMUNICATION
COMMUNICATION

-------

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
---------------

Provincial People's Committees set specific prices2- An event (risk of disease outbreak) 16/2019/TT-BTTTT

Hanoi, dated May 5 December in Hanoi, Vietnam

CIRCULAR

REGULATIONS ON THE LIST OF COMPULSORY STANDARDS FOR DIGITAL SIGNATURES AND CERTIFICATION SERVICES FOR DIGITAL SIGNATURES IN THE MOBILE PKI MODEL AND REMOTE SIGNING

AND REMOTE SIGNING

PURSUANTpursuant to the Law on Electronic Transactions dated November 29, b) Circular No. 03/2015/TT-BKHĐT dated May 6, 2015 of the Minister of Planning and Investment detailing the preparation of construction tender documents.

Based on Decree No. 130/2018/2018/ND-CP dated September 27, 2018 of the Government detailing and guiding the implementation of the Law on Electronic Transactions regarding digital signatures,8 of the Governmentimplemen tation of the Law on Electronic Transactions concerning digital signatures, ||| and digital signature authentication services;

pursuant to Decree No. 17/2017/2017/ND-CP dated February 17, 2017 of the Government stipulating the functions, tasks, powers, and organizational structure of the Ministry of Information and Communications;pursuant to the Decree of the Government No. 17/2017/ND-CP dated February 17, 2017 stipulating the functions, tasks, powers, and organizational structure of the Ministry of Information and Communications;

Pursuant to the proposal of the Director of the Science and Technology Department,

The Minister of Information and Communications issues this Circular regulating the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing.standards for digital signatures and certification services for digital signatures number in the mobile PKI model and remote signing. on mobile devices and remote signing. signing.

Article 1. Scope of Regulation

This Circular regulates the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing (Annex attached).

Article 2. Applicability

This Circular applies to organizations providing public digital signature certification services, organizations providing specialized digital signature certification services for agencies and organizations that have been granted certificates confirming their qualifications to ensure security for specialized digital signatures, foreign organizations providing digital signature certification services with recognized digital certificates by the Ministry of Information and Communications in Vietnam providing digital signature certification services in the mobile PKI model and remote signing; organizations and individuals developing applications using digital signatures, providing digital signature solutions in the mobile PKI model and remote signing.

Article 3. Implementation Organization

1. The Ministry of Information and Communications shall review, amend, and supplement the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing prescribed in Article 1 of this Circular in accordance with technological development and state management policies.

2. The Department of Science and Technology shall be responsible for leading the review and updating of the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing prescribed in Article 1 of this Circular.

3. The National Center for Electronic Certification shall be responsible for guiding, inspecting, and evaluating the application of standards included in the List of Compulsory Standards for Digital Signatures and Certification Services for Digital Signatures in the Mobile PKI Model and Remote Signing prescribed in Article 1 of this Circular.

Article 4. Implementation provisions

1. This Circular takes effect from April 1, 2020.

2. In case there is a discrepancy between the provisions of this Circular and the provisions of Circular No. 39/2017/TT-BTTTT dated December 15, 2017 promulgating the List of Technical Standards for Information Technology Applications in State Agencies related to the same standard concerning the use of digital signatures and certification services for digital signatures provided by organizations offering digital signature certification services in state agencies, the provisions of this Circular shall apply.

3. The Director of the Office, the Heads of the Department of Science and Technology, the Director of the National Center for Electronic Certification, the Heads of Ministries' agencies and units, and relevant organizations and individuals shall be responsible for implementing this Circular.

4. During the implementation process, if difficulties or obstacles arise, agencies, organizations, and individuals shall promptly report them to the Ministry of Information and Communications for consideration and resolution./.


Place of Receipt:
- Prime Minister, Deputy Prime Ministers;
- Ministries, agencies equivalent to ministries, and government agencies;
- People's Committees and Provincial Information and Communications Departments of provinces and centrally governed cities;
- Legal Documents Supervision Bureau (Ministry of Justice);
- Official Gazette, Government Portal;
- Ministry of Information and Communications: Ministers and Deputy Ministers, agencies and units under the Ministry, the Ministry's electronic information portal;
- To be filed: VT, KHCN (250).

THE MINISTER




Nguyen Manh Hung

 

ANNEX

LIST OF COMPULSORY STANDARDS FOR DIGITAL SIGNATURES AND CERTIFICATION SERVICES FOR DIGITAL SIGNATURES IN THE MOBILE PKI MODEL AND REMOTE SIGNING
(Issued together with Circular No. 16/2019/2019/TT-BTTTT dated December 5,2019 2019 of the Minister of Information and Communications)

Number No.

Type of standard

Standard codeFor power plants invested under the Build-Operate-Transfer (BOT) model, n is determined according to the operational period of the power plant stipulated in the BOT contract.

Full Name of Standard

Application Provisions

1

Digital signatures and certification services for digital signatures in the mobile PKI model

1.1

Cryptography and digital signature standards

1.1.1

Asymmetric cryptography and digital signatures

PKCS #1

RSA Cryptography Standard

- Apply one of two standards.

- For the RSA standard:

+ Version 2.1

+ Use the RSAES-OAEP scheme for encryption and RSASSA-PSS for signing.

+ Minimum key length is 1024 bits

- For the ECDSA standard: minimum key length is 256 bits

ANSI X9.62-2005

Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)

1.1.2

Symmetric cryptography

TCVN 7816:2007

(FIPS PUB 197)

Information technology - Cryptographic techniques - Advanced Encryption Standard (AES) data encryption algorithm

(Advanced Encryption Standard)

Apply one of two standards

NIST 800-67

Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher

1.1.3

Secure hash function

XML Key Management

XKMS

Apply one of the following hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256

FIPS PUB 202

SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

1.2

Information and data standards

1.2.1

Digital certificate format and certificate revocation list (CRL)

RFC 5280

Internet X.509 Public Key Infrastructure Certificate and CRL Profile

 

1.2.2

Encrypted message syntax

PKCS #7

Cryptographic Message Syntax Standard

Version 1.5

1.2.3

Certification request syntax

PKCS #10

Certification Request Syntax Standard

Version 1.7

1.3

Certification policy and practice standardsCertification framework and policy standards

1.3.1

RFC 3647

Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework

Standards for storage and retrieval protocols for digital certificates

 

1.4

LDAPv2 schema diagramRFC 2587Internet X.509 Public Key Infrastructure LDAPv2 Schema

1.4.1

RFC 4523

Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates

LDAP protocol

Apply one of two standards

 

 

RFC 2251

Lightweight Directory Access Protocol (v3)

 

1.4.2

Apply either RFC 2251 or the set of four standards:

RFC 4510, RFC 4511, RFC 4512, RFC 4513

RFC 4510

Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map

RFC 4511

Lightweight Directory Access Protocol (LDAP): The Protocol

RFC 4512

Lightweight Directory Access Protocol (LDAP): Directory Information Models

RFC 4513

Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms

Standards for certificate status checking

Protocol for transmitting and receiving digital certificates and certificate revocation lists

RFC 2585

1.5

Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTPApply either or both of the FTP and HTTP protocols

1.5.1

Protocol for online certificate status checking

RFC 2560

X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol

Áp dụng một hoặc cả hai giao thức FTP và HTTP

1.5.2

Giao thức để kiểm tra trạng thái chứng thư số trực tuyến

RFC 2560

X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol

 

1.6

Security standards for HSM managing secret keys of digital signature certification service providers

1.6.1

Security requirements for hardware security module (HSM) hardware security blocks

FIPS PUB 140-2

Security Requirements for Cryptographic Modules

Minimum level 3 requirements

1.7

Standards for equipment systems managing secret keys, digital certificates, and generating digital signatures for customers

1.7.1

Security requirements for SIM cards

FIPS PUB 140-2

Security Requirements for Cryptographic Modules

- Apply one of two standards.

- For the FIPS PUB 140-2 standard:

Minimum level 2 requirements

- For the TCVN 8709 (ISO/IEC 15408) standard:

Minimum EAL level 4 requirements

TCVN 8709 (ISO/IEC 15408)

Information technology - Security techniques - Information technology security evaluation criteria

(Common Criteria for Information Technology Security Evaluation)

1.7.2

Functional and operational requirements

ETSI TR 102 203

Mobile Commerce (M-COMM); Mobile Signatures; Business and Functional Requirements

Version V1.1.1

1.7.3

Web service interface

ETSI TS 102 204

Mobile Commerce (M-COMM); Mobile Signature Service; Web Service Interface

Version V1.1.4

1.7.4

Security framework

ETSI TR 102 206

Mobile Commerce (M-COMM); Mobile Signature Service; Security Framework

Version V1.1.3

1.7.5

Roaming specifications

ETSI TS 102 207

Mobile Commerce (M-COMM); Mobile Signature Service; Specifications for Roaming in Mobile Signature Services

Version V1.1.3

2

Digital signatures and digital signature certification services according to the remote signing model

2.1

Cryptography and digital signature standards

2.1.1

Asymmetric cryptography and digital signatures

PKCS #1

RSA Cryptography Standard

- Apply one of two standards.

- For the RSA standard:

+ Version 2.1

+ Use the RSAES-OAEP scheme for encryption and RSASSA-PSS for signing.

- Minimum key length is 2048 bits

- For the ECDSA standard: minimum key length is 256 bits

ANSI X9.62-2005

Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)

2.1.2

Symmetric cryptography

TCVN 7816:2007 (FIPS PUB 197)

Information technology - Cryptographic techniques - Advanced Encryption Standard (AES) data encryption algorithm

Apply one of two standards

NIST 800-67

Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher

2.1.3

Secure hash function

XML Key Management

XKMS

Apply one of the following hash functions:

SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256

FIPS PUB 202

SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

2.2

Information and data standards material

2.2.1

Digital certificate format and certificate revocation list (CRL)

RFC 5280

Internet X.509 Public Key Infrastructure Certificate and CRL Profile

 

2.2.2

Encrypted message syntax

PKCS #7

Cryptographic Message Syntax Standard

Version 1.5

2.2.3

Certification request syntax

PKCS #10

Certification Request Syntax Standard

Version 1.7

2.2.4

Private-key information syntax

PKCS #8

Private-Key Information Syntax Standard

Version 1.2

2.2.5

Cryptographic token communication interface

PKCS #11

Cryptographic token interface standard

Version 2.20

2.2.6

Personal information exchange syntax

PKCS #12

Personal Information Exchange Syntax Standard

Version 1.0

2.3

LDAPv2 schema diagramInformation policies and regulations and Individuals in Handling Errors, Losses, Misplacements, or Damage to Files and Results, and in Delayed Result DeliveryCertification framework and policy standards

2.3.1

RFC 3647

Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework

Standards for storage and retrieval protocols for digital certificates

 

2.4

StandardsDigital certificate storage and retrieval protocol standards

2.4.1

RFC 4523

Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates

LDAP protocol

Apply one of two standards

RFC 2251

Lightweight Directory Access Protocol (v3)

2.4.2

Apply either RFC 2251 or the set of four standards:

RFC 4510, RFC 4511, RFC 4512, RFC 4513

RFC 4510

Apply either RFC 2251 or the set of four standards: RFC 4510, RFC 4511, RFC 4512, RFC 4513

Lightweight Directory Access Protocol (LDAP): The Protocol

Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map

Lightweight Directory Access Protocol (LDAP): Directory Information Models

RFC 4513

Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms

Standards for certificate status checking

Protocol for transmitting and receiving digital certificates and certificate revocation lists

RFC 2585

2.5

Internet X.509 Public Key Infrastructure - Operational Protocols: FTP and HTTPApply either or both of the FTP and HTTP protocols

2.5.1

Protocol for online certificate status checking

RFC 2560

X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol

Áp dụng một hoặc cả hai giao thức FTP và HTTP

2.5.2

Giao thức để kiểm tra trạng thái chứng thư số trực tuyến

RFC 2560

X.509 Internet Public Key Infrastructure - Online Certificate Status Protocol

 

2.6

Security standards for HSM managing secret keys of digital signature certification service providers

2.6.1

Security requirements for hardware security module (HSM) hardware security blocks

FIPS PUB 140-2

Security Requirements for Cryptographic Modules

- Apply one of two standards.

- For the FIPS PUB 140-2 standard:

Minimum level 3 requirements

EN 419221-5:2018

Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services

2.7

Standards for equipment systems managing secret keys, digital certificates, and creating signaturesNumberingDigital signatures number of customers

2.7.1

Policy and security requirements for digital signature servers

ETSI TS 119 431-1

Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD/SCDev

Apply both parts of the standard;

Version V1.1.1 (12/2018)

ETSI TS 119 431-2

Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 2: TSP service components supporting AdES digital signature creation

2.7.2

Digital signature generation protocols

ETSI TS 119 432

Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation

Version V1.1.1 (03/2019)

2.7.3

Server-side digital signature application

EN 419241-1:2018

Trustworthy Systems Supporting Server Signing - Part 1: General system security requirements

 

2.7.4

Requirements for signature module

EN 419241-2:2019

Trustworthy Systems Supporting Server Signing - Part 2: Protection Profile for QSCD for Server Signing

 

2.7.5

Security requirements for hardware security module (HSM) hardware security blocks

EN 419221-5:2018

Protection Profiles for TSP Cryptographic modules - Part 5: Cryptographic Module for Trust Services

 

 

 

Original document (PDF)

Open PDF in a new tab ↗

Relations map

↑ Basis & documents that affect this document
16/2019/TT-BTTTT
Circular No. 16/2019/TT-BTTTT stipulates the List of Mandatory Standards for Digital Signatures and Digital Signature Certification Services under the Remote Signing Model on Mobile Devices and Remote Signing
In effect

Click a document to open. A red border = a relation that changes validity.