Frequently Asked Questions

What is electronic signature?

1. What are electronic signature, electronic certificate, secured electronic signature, signature creation data and signature verification data?

As it was described within 5070 Electronic Signature Act; “e-signature” is the electronic data used for authentication which has a logical connection added to any electronic document; “"Electronic Certificate" is the electronic record linking signature with the signature verification data and its credentials; “Secure Electronic Signature" has the same legal effects as a handwritten signature and contains particular conditions specified in the Act; "Qualified Electronic Certificate" is the electronic certificate in order to create secure electronic signature which will provide the conditions prescribed by Act; "Signature Creation Data" which belongs to the owner of the signature, is the information, encryption and cryptographic keys used to create an unprecedented electronic signatures by the owner of the signature; "Signature Verification Data” is the passwords and all data such as cryptographic open keys used to verify the electronic signature.

Why Electronic Signature is used and for which applications?

2. Why Electronic Signature is used and for which applications?

5070 Electronic Signature Act provides a great opportunity to have legal effects to secure transactions in paper form to be carried out electronically. Thus, you can use the NES(Qualified Electronic Signature) and e-signature to save time, effort and money for your personal or corporate business by moving to electronic media. By purchasing NES, you can use e-signature for;

  • In banking transactions and other financial applications,
  • In a variety of applications and transactions carried out in public institutions,
  • In electronic correspondence and contracts,
  • In electronic communications,
  • In insurance operations,
  • In legal proceedings,
  • In Enterprise resource planning applications,
  • In e-government, e-commerce, e-business applications!

Advantages of e-signatures?

3. What are the advantages of e-signatures?

Since electronic signatures can be used equivalent to handwritten signatures, they are used to electronically qualify all official transactions. Electronic signatures ensure reliable, fast and cost-effective processing compare to handwritten signatures. In this context, electronic signature can be used in all available processes stated on Electronic Signature Act of 5070 including electronic communications, contracts, transactions with public institutions, banking operations, insurance operations, e-government, e-business and e-commerce applications.

What is public key infrstructure?

4. What is public key infrastructure? Why its used? What is provided?

Public key infrastructure is a technology used to ensure safe and reliable implementation of the electronic signature. Electronic signature which created with public key infrastructure is used for; determining whose signature it is; ensuring accuracy and integrity of the signed text of the electronic media; not allowing denial of the signature by signature owner.

What is Time Stamp?

5. What is Time Stamp? Why it is used and used for which applications?

Time Stamp is defined by the law as “a record which verified by electronic signature to determine saving, changing, recording, sending and receiving time of an electronic data”. It is used to prove existance of electronic data such as document, record and agreement within electronic media. It enables reliable time information to be added to the process in an electronic environment. It can be used on any electronic application, statement, agreement and similar electronic data which needs time information.

What is CSP?

6. What is Certificate Service Provider (CSP)? What are its duties?

Electronic Certificate Service Provider (CSP) is described within the law as “a private legal entities or public institutions providing services related to e-signature, electronic certificates and timestamp“. CSP takes the application to provide electronic certificates, evaluates, produces and delivers electronic certificates to the applicant under safe conditions. In addition, it provides certificate renewal and revocation services, certificate revocation status, data publishing services and time-stamping services.

What obligations CSP possess?

7. What obligations CSP possess? Which features must be carried in order to be a CSP?

By 5070 Electronic Signature Act and related regulations, CSP’s are obligated:

  • to employ personnel qualified for these type of services,
  • to verify the identity of qualified certificate applicant with official documents in a reliable way,
  • to verify the certificate owner who; will have the authority to act on behalf of another person; will have personal information or professional information on the certificate with official documents in a reliable manner,
  • to ensure the confidentiality of certification process; If signature creation data is produced at premises of CSP by CSP or by the person requesting the certificate; if signature creation data is produced by the tools provided by CSP,
  • to notify certificate applicant about secure electronic signature being equivalent to handwritten signatures in writing before delivery, by keeping exclusive rights of specifications for the use of certificate, requirements relating to settlement of disputes and the limitations provided by the law,
  • to warn and to inform the certificate owner about not to let someone else use the signature creation data corresponding to the signature verification on the certificate in writing,
  • to keep all records related to the services for a period determined by regulation,
  • to inform BTK (ICTA) and electronic certificate owner about going out of business at least three months before.

In order to be in operation, CSP should; use secure products and systems; conduct a reliable service; demonstrate satisfying requirements about taking all preventive measures for counterfeiting and falsification of certification. CSP can not retrieve or store a copy of generated signature creation data.

How is CSP structure in Turkey?

8. How is CSP structure in Turkey?

By law, principles and procedures for the implementation of legal and technical aspects of the electronic signature and task of monitoring CSP activities given to BTK (ICTA) in Turkey. The Agency may inspect CSP s when it deems necessary. Once fulfilling the requirements of the law, legal persons or organizations may operate as CSP after BTK (ICTA) audit. For Government Organizations and Institutions a certification center has been established which is affiliated with BTK (ICTA). CSP s which were certified by BTK (ICTA) give certification services to remaining applicants who stays outside scope of government certification.

Certificate usage

9. How long certificates are used for? Why?

The validity of an electronic certificate has been restricted for security reasons. At the end of validity period, if the certificate owner wants to extend the usage of the certificate then they have to renew their certificate through methods defined by CSP. In general, Qualified Electronic Certificates are used for one (1), two (2) or three (3) year period of validity.

What is SSL Certificate?

10. What is SSL Certificate? Why and where its used?

SSL (Secure Sockets Layer) server certificate is a digital certificate that is used to verify the identity of the web site that is connected and used to encrypt the data exchanged to and from the server. SSL certificates are used to verify the servers that are connected over the internet or any network by the users. If the user who connects the server also possesses an electronic certificate, it is possible to verify the identity of the user as well. During this type of a connection, a secure tunnel is formed between the client and the server and the exchanged data is encrypted. SSL certificates are mainly used on web servers for providing connection security. Banking sector, e-commerce and e-government applications are the most frequently used areas of SSL certificates.

What is Root Certificate?

11. What is Root Certificate?

The Certificate which was created with CSP’s own signature creation data is called Root Certificate. Root Certificate enables the production of certificate for the applicant, also establishes a link between ECSP's corporate identity and signature creation data used to sign certificates. In accordance with the Electronic Signature Law 5070, "Regulation on the Principles and Procedures on the Implementation of Electronic Signature Law", published by BTK (ICTA), CSP should; publish certificate hash value of root certificate and hash algorithm over its web site; publish them over top rated newspapers; and give one copy of it to BTK within seven (7) days of its business activity.

Certificate content

12. What information electronic certificates contain?

Electronic Certificates contain primarily following information:

  • Certificate Holder information (name, company, work unit, location, country, e-mail etc.).
  • Server information on the server certificates (domain name, server name, company name, etc.).
  • Country name TR (Turkey), including CSP information
  • Start and end time of the certificate validity period
  • Algorithms used to create electronic signatures
  • Signature verification data of Certificate owner
  • Certificate serial number
  • ECSP's signature

Qualified Electronic Certificates contain following information required by law:

  • The phrase states that it is "qualified electronic certificate"
  • The information, if authorized certificate holder acts on behalf of another person
  • Personal and vocational information, if certificate holder requests
  • Financial transaction limit conditions for the use of the certificate, if it does exist

E-signature tools and specs

13. What are the electronic signature creation and verification tools? What should be its features?

Secure electronic signature creation tools (in accordance with 5070 Electronic Signature Law);

  • The electronic signature creation data which used to produce certificates should be unique,
  • The information contained within the signature tool should be kept in secret and never could be broken into,
  • The information contained within the signature tool should be kept away from third parties and electronic signatures should be protected against forgery,
  • The information which will be on the Certificate; should only be changed by Certificate owner; should be shown to Certificate owner before issuance.

The secure electronic signature verification tool;

  • Shows the data used to verify the signature to the person who altering the information,
  • Runs the signature verification reliably and precisely, shows the results of the verification without any changes to the person who does verification,
  • If necessary, provides display of signed data in reliable manner,
  • Shows the results of accuracy and validity of electronic certificates used to verify the signature to the person who does verification,
  • Shows the identity of the person in certificate to person who does verification,
  • Enables to detect the changes which will affect the conditions relating to the verification

Certificate revocation, suspension, renewal

14. What is certificate revocation, certificate suspension, certificate renewal, renewal of the key? How are they done?

In case of losing its validity, certificate is revoked within its period of use. Below conditions require cancellation of certificate:

  • Request of the certificate holder,
  • Emergence of false or inaccurate information on documents at CSP related to qualified electronic certificate,
  • Certificate holder information located in certificate content has a change,
  • Emergence of Certificate holder’s death, default, bankruptcy or license limitation,
  • Danger of being loss, stolen or reveal of signature creation data,
  • Disappearance or corruption of secure signature creation device that contains signature creation data,
  • Understanding of contradictory usage of the certificate to the provisions of CSP Certificate Holder Agreement, SI and SUE booklets,
  • Stopping certificate services by CSP.

CSP creates a reliable and quickly accessible record when cancelling certificate which will allow third persons to accurately detect it. Instead of revoking, certificate is suspended if the origin of cancellation cannot be verified or cancellation reasons are met by end user or not. During suspension, certificate has a state which cannot be verified by third parties. For personal use, electronic certificates must be renewed in order to continue to be used at the end of its validity period. Certificate renewal is done at the end of its certificate where there is no change in certificate information. During certificate renewal process, pair of signature creation and signature verification data are renewable.

Legal basis

15. What is the legal basis on the subject?

Legal basis related to implementation of electronic signature in Turkey are "5070 Electronic Signature Law", "Regulation on the Principles and Procedures on the Implementation of Electronic Signature Law" and "Communiqué on Processes and Technical Criteria Regarding Electronic Signatures" published by ICT.

Foreign certificates

16. Are foreign certificates reliable?

By law, the legal consequences of an electronic certificate issued by the CSP located in a foreign country is determined by international agreements. In case of acceptance of an electronic certificates issued by a foreign CSP by Turkish CSP, these electronic certificates are considered qualified electronic certificate. Turkish CSP will also be reliable for any damages arising as a result of the usage of these electronic certificates.

Usable softwares

17. What kind of software can be used with electronic certificates?

Various client software are available to verify the electronic certificates and introduce them to computer systems. These applications can be custom developed software or some package programs that may also fulfill this function. Many email clients and web browsers already have ability to use electronic certificate.

Certification Policy and Certification Practice Principles

18. What is Certification Policy and Certification Practice Principles? What purpose are they used?

Certificate Principles explain all related administrative, technical and legal requirements for; receipt of applications; certificate generation and management; certificate renewal and revocation. Also, determines responsibilities of CSP, certificate holder and third party applications. The Certification Practice Statement explains how to comply to the requirements specified in the Certificate Policies by CSP, certificate holder and third parties. CSP maintains the conditions of its Certificate Policies with business activities carried out in accordance with Certification Practice Statement.

Customer Services 0850 222 444 6