REPUBLIC OF THE PHILIPPINES
DEPARTMENT OF INFORMATION AND
COMMUNICATIONS TECHNOLOGY
DEPARTMENT ORDER No. 2 34    APR O14 2024
SUBJECT: GUIDELINES ON THE USE OF THE PHILIPPINE NATIONAL PUBLIC KEY INFRASTRUCTURE (PNPKI) DIGITAL SIGNATURES IN THE DEPARTMENT OF INFORMATION AND COMMUNICATIONS TECHNOLOGY
In the exigency of the service and pursuant to the provisions of Republic Act (RA) No. 8792, or the “Electronic Commerce Act of 2000”, Executive Order (EO) No. 810, s. 2009,¹ RA No. 11032 or the “Ease of Doing Business and Efficient Government Service Delivery Act of 2018”, Commission on Audit (COA) Circular No. 2021-006,² and Government Procurement Policy Board (GPPB) Resolution No. 16-2019,³ this Order is issued to establish the guidelines on the use of the Philippine National Public Key Infrastructure (PNPKI) digital signatures on all official and internal documents, transactions, communications, and processes in the Department of Information and Communications Technology (DICT).
I. SCOPE AND APPLICATION
This policy applies to all internal electronic documents and automated documentation systems and/or processes and other Departmental transactions such as, but not limited to, memoranda, correspondences, Department Circulars or Orders, Special/Office Orders, bidding and procurement documents, administrative, legal and finance actions, and other management information system processes. Internal system owners must adopt the requirements of this policy in any major upgrades or modernization efforts of their systems such as, but not limited to, the Program Management Information System and the Human Resource Management Information System.
All DICT officials and employees required and authorized to sign any official document (i.e., documents, forms, correspondences, and/or emails) for electronic government transactions pursuant to RA No. 11032, COA Circular No. 2021-006 or GPPB Resolution No. 16-2019 shall be governed by these guidelines.
II. DEFINITION OF TERMS
As used in this Order, the following terms shall be defined as follows:
1. Certificate Revocation List – refers to a list of digital certificates that have been compromised, revoked, or are expired.
¹ Executive Order No. 810, 2009, Institutionalizing the Certification Scheme for Digital Signatures and Directing the Application of Digital Signatures in E-Government Services.
² COA Circular No. 2021-006, Guidelines on the Use of Electronic Documents, Electronic Signatures, and Digital Signatures in Government Transactions.
³ GPPB Resolution No. 16-2019, Approval of the Use of Digital Signature in Procurement Related Documents.
C.P. Garcia Avenue, Diliman, Quezon City 1103, Philippines | +632 8920-0101 | www.dict.gov.ph
2. Digital Certificate – a .p12 file issued by the DICT-PNPKI containing the user’s personal information, just like an ordinary ID, only in this case it is digital. It is used to encrypt, authenticate, or digitally sign an email and document.
3. Digital Signature – refers to a secure type of electronic signature consisting of a transformation of an electronic document or an electronic data message using an asymmetric or public cryptosystem such that a person having the initial untransformed electronic document and the signer’s public key can accurately determine:
a. Whether the transformation was created using the private key that corresponds to the signer’s public key; and
b. Whether the initial electronic document had been altered after the transformation was made.
4. Electronic Document – refers to information or the representation of information, data, figures, symbols, or other modes of written expression, described or however represented, by which a right is established, or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved, or produced electronically.⁴
5. Electronic Signature – refers to any distinctive mark, characteristic, and/or sound in electronic form, representing the identity of a person and attached to or logically associated with the electronic data message or electronic document, or any methodology or procedure employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document.⁶ For purposes of this Order, an electronic signature is an electronic indication of a person’s intent to agree to the content of a document or a set of data to which the signature relates. Like its handwritten counterpart in the offline world, an electronic signature is a legal concept capturing the signatory’s intent to be bound by the terms of the signed document.⁷
6. Key Pair – refers to the two mathematically related keys, the public and private keys. Whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa. Public and private keys are paired for secure communication, such as email.
7. Private Key – is a bit of code that is paired with a public key to set off algorithms for text encryption and decryption. It is created as part of public key cryptography during asymmetric-key encryption and used to decrypt and transform a message into a readable format. A private key is also known as a secret key.
8. Public Key – is also a bit of code used to encrypt data. The key is provided by the Certificate Authority and is made available to everyone through a directory or email.
9. Public Key Infrastructure (PKI) – is an infrastructure that secures communications among individuals and government entities. This way, the government’s delivery of services to citizens and businesses becomes safer, faster, and more efficient.
⁴ Rule 2 § 1(h), Rules on Electronic Evidence, A.M. No. 01-7-01-SC, July 17, 2001.
⁵ Section 5(e), RA 8792 – Electronic Commerce Act of 2000.
⁶ Section 5(), Id.
⁷ European Commission, What is an electronic signature? Available at https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/What+is+eSignature
III. ROLES AND RESPONSIBILITIES
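The two determinations in the definition of a digital signature (item II.3), shown in working code. This is an added example and not part of the Order; it uses Go's standard ed25519 package with freshly generated keys standing in for a subscriber's key pair and a constructed memorandum as the electronic document, and it does not model the X.509 certificates that the PNPKI itself issues.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// SignedDocument pairs an electronic document with the signer's
// transformation of it, which the Order calls the digital signature.
type SignedDocument struct {
	Document  []byte
	Signature []byte
}

// Sign creates the transformation with the signer's private key.
func Sign(priv ed25519.PrivateKey, document []byte) SignedDocument {
	return SignedDocument{Document: document, Signature: ed25519.Sign(priv, document)}
}

// Verify needs only the untransformed document and the signer's public key and
// answers both questions in the definition at once: (a) did the matching private
// key make the transformation, and (b) is the document unaltered since signing.
func Verify(signerPub ed25519.PublicKey, sd SignedDocument) bool {
	return ed25519.Verify(signerPub, sd.Document, sd.Signature)
}

// Outcome: verifier's answers for a genuine, an altered, and a wrongly attributed document.
type Outcome struct{ Genuine, Altered, WrongSigner bool }

// Demo signs a constructed memorandum and exercises the three situations.
func Demo() (Outcome, error) {
	signerPub, signerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // a different subscriber
	if err != nil {
		return Outcome{}, err
	}
	memo := []byte("MEMORANDUM No. 0001 (constructed sample text)")
	signed := Sign(signerPriv, memo)
	// Flip one bit of the document after signing but keep the original signature.
	tampered := append([]byte(nil), memo...)
	tampered[0] ^= 0x01
	altered := SignedDocument{Document: tampered, Signature: signed.Signature}
	return Outcome{
		Genuine:     Verify(signerPub, signed),
		Altered:     Verify(signerPub, altered),
		WrongSigner: Verify(otherPub, signed),
	}, nil
}
```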
ROLES AND RESPONSIBILITIES
A. The Digital Certificate Division (DCD), under the Cybersecurity Bureau, shall be the lead unit to roll out, implement, and facilitate the application, processing, and issuance of DICT’s PNPKI digital certificates, in coordination with all designated PNPKI Registration Authority Officers (RAOs) and Registration Authority Assistants (RAAs) in the DICT Regional Offices. It shall:
a. Develop and implement security measures, policies, and practices for the protection of digital certificates;
b. Keep the Certificate Revocation List updated, and inform COA Auditors of revocation or expiration without renewal of digital certificates; and
c. Implement a security awareness program to train DICT officers and employees on the acceptable use of digital signatures on electronic documents.
Designated PNPKI RAOs, with the assistance of the RAAs in the DICT Regional Offices and in coordination with the DCD, shall process the application, approval, issuance, renewal, and revocation of digital signatures and certificates of personnel within their respective area of responsibility.
The Chief of the DCD, under the supervision of the Director of the Cybersecurity Bureau, has overall responsibility for administering the implementation of the PNPKI security measures, policies, and practices, and shall be the focal person for all matters pertaining to digital signing implementation.
The designated PNPKI System Administrators are authorized to install, configure, maintain and update trustworthy systems, but with controlled access to security-related information.
The designated PNPKI RAOs are responsible for approving end-user/subscriber certificate generation, revocation, and renewal. The designated PNPKI RAAs shall provide support to the RAO in the assessment, documentation, and consolidation of received applications. The prescribed prerequisites and qualifications for designated PNPKI RAO and RAA are as follows:
i. Employment under the purview of DICT, except in the case of the RAO, who is required to hold a permanent position.
ii. Successful completion of the PNPKI RA Training program and the attainment of certification thereof.
iii. Passed the requisite psychometric examination.
The designation of eligible PNPKI RAO and RAA shall be formalized through an office order issued by the overseeing Senior Executive Official.
The DICT Internal System Owners, which pertain to the Bureau, Service, Regional, or Project Directors, shall evaluate their paper-based processes to identify those which are good business cases for migrating to digital processes and shall issue office orders or formulate guidelines for the implementation of the migration, which shall be in line with the DICT’s digital signature policy, procedures, and associated guidelines.
The DICT Records Custodians or designated staff of each Bureau, Service, Regional Office, or Project Management Team shall store and archive digitally signed documents emanating from their respective office and, if necessary, print physical copies thereof, pursuant to the provisions of this Department Order.
IV. GUIDELINES FOR USING PNPKI DIGITAL CERTIFICATE AND DIGITAL SIGNATURES
1. Scope of Authority – DICT officials and employees are authorized to use their respective PNPKI digital certificates on official documents within their scope of responsibility and authority. Each shall be responsible for the custody and proper use thereof in a safe and secure manner.
2. Validity of Digitally Signed Documents – Holders of PNPKI certificates may affix their respective PNPKI digital signatures, in lieu of wet signatures, on the following documents:
a. Internally issued office documents;
b. Department Circulars or Orders;
c. Special Office Orders;
d. Financial Documents;
e. Administrative actions;
f. Documents generated by Internal Management Information Systems of the Department;
g. Correspondences with DICT offices, including between and amongst the Central and Regional Offices;
h. Electronic documents intended for external use;
i. Procurement-related documents defined in GPPB Resolution No. 16-2019; and
j. Government permits and licenses, provided that there is compliance with the requirements as set forth in the Electronic Commerce Act of 2000.
3. Final Version of Digitally Signed Documents – Digitally signed documents shall be considered the final version once they are released or transmitted to their intended recipients. Digitally signed documents shall be transmitted through email so that a trace of the transmission exists.
4. Storage, Integrity, and Authenticity – Digitally signed documents shall be stored in a secured file format, such as Portable Document Format (PDF). Additionally, to ensure the integrity and authenticity of the contents, digitally signed documents must have the following attributes:
a. All digital signatures must indicate “valid” both with respect to the signer’s identity and the PNPKI digital certificate used. This can be done by clicking on the document’s digital signatures and checking through the application (e.g., Adobe Reader, Foxit, etc.).
b. All digital signatures must at least have a label such as, but not limited to, “Digitally signed by: <common name of signatory>” or any similar label/s signifying that it is a digital signature.
5. Mixed Signing of Documents – In cases where mixed signing occurs in a single document, the signer is responsible for ensuring the authenticity of the document before he/she signs it in digital or wet form. Mixed signing occurs when a document was either:
a. Initially wet signed, thereafter scanned/photographed, and later digitally signed; or
b. Digitally signed, thereafter printed out, and later wet signed.
6. Printouts of Digitally Signed Documents – Physical printouts of digitally signed documents shall show markings or proof that the original copy of the document is digitally signed. To achieve this, the approach is to attach markings to the back of each page of the printed document containing the statement: "The original document exists in digital format and has been digitally signed." or an equivalent wording that serves the same purpose. If feasible, a QR code that directs to the original digital copy may be included as a marking.
7. Security Measures – The subscriber of PNPKI digital certificates shall be responsible for keeping the security and integrity of the duly issued .p12 file by storing its passphrase in a safe location.
8. Misuse or Abuse of Digital Signatures – Misuse or abuse of digital signatures, including but not limited to signing on behalf of another person, falsifying signatures, or using digital signatures on unauthorized documents, will be subject to the necessary administrative sanctions, in accordance with applicable laws, rules, and regulations.
9. Renewal of Expired Digital Certificate – The subscriber will be notified via email at least one month before the expiration of his/her digital certificate. The subscriber must then submit to the concerned (Regional or Central) PNPKI team an email request for renewal, along with an updated application form, pursuant to Department Order No. 053 series of 2020.
10. Revocation of Digital Certificate – The subscriber must submit a duly accomplished revocation form to their respective (Regional or Central) PNPKI Team in the following instances:
a. If the digital certificate is compromised (i.e., forgotten password, lost certificate, etc.);
b. In case of a breach or security compromise in the device that stores the digital certificate; or
c. If the subscriber is leaving as DICT personnel (either from plantilla, contractual, or job order) due to resignation, retirement, or service termination.
Should the subscriber fail to submit the revocation form on the last day of his/her service as DICT personnel, the DICT Human Resource Management Division (HRMD) or their Regional counterparts, as the case may be, shall file the request for revocation on behalf of the subscriber.
11. Suspension/Blacklisting of Digital Certificates – The PNPKI shall suspend subscriber accounts and/or blacklist/revoke issued digital certificates should any of the following instances occur:
a. The PNPKI obtains evidence that the certificate was misused or abused.
b. The PNPKI confirms a material change in the information contained in the certificate.
c. The PNPKI determines or confirms that any information appearing in the certificate is inaccurate.
d. The PNPKI confirms that there is clear evidence that the specific method used to generate the private key was flawed.
e. The PNPKI confirms that the subscriber did not adhere to the “Subscriber Obligations” stated in the Subscriber’s Agreement.
V. ISSUANCE OF MANAGEMENT REPRESENTATION / POLICY STATEMENT
In line with Item IV (B)(4) of COA Circular No. 2021-006, the DICT, through the Office of the Undersecretary for Support Services, shall inform the COA Auditor of these internal rules through the submission of a Management Representation/Policy Statement on the issue of signatures on electronic documents in the operations.
VI. MISCELLANEOUS PROVISIONS
1. Repealing Clause – All other orders, departmental issuances, or parts thereof that are inconsistent with this policy are hereby amended, modified, repealed, or superseded accordingly.
2. Effectivity – This policy shall be effective immediately upon its posting in the DICT’s bulletin boards and other official internal communication mechanisms.
All DICT Offices and attached agencies (i.e., the National Telecommunications Commission, National Privacy Commission, and Cybercrime Investigation and Coordination Center) are hereby directed to adopt this Order to ensure standard and automated document signing and intact electronic records.
All other departmental issuances inconsistent herewith are hereby revoked, superseded, amended, and/or modified accordingly. This Order takes effect immediately and shall remain in force until further orders.