Services
Malta Electronic Certification Services Limited (MECS Limited) is responsible for the issuance and management of certificates including the authentication and digital electronic signing certificates and has outsourced its day-to-day operation to Identità (“the Agency”).
The services offered by the Agency are the registration of applicants and the issuance of physical documents, whereas MECS acts as the Qualified Trust Service Provider on behalf of the Government of Malta and is responsible for the issuance of qualified certificates and the revocation qualified electronic signatures certificates (collectively “the Services”). Issue of qualified certificates for electronic signature
1.0Issue of qualified certificates for electronic signature
The issuance and revocation of qualified certificates for electronic signatures is regulated by EU Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS) and Act No. XXXV of 2016 amending the Electronic Commerce Act, Chapter 426 of the Laws of Malta. As a Qualified Trust Service Provider for the Government of Malta’s Public Key Infrastructure, MECS is authorised to issue, manage, revoke, and renew or re-key certificates.
Issued certificates can be used exclusively to verify electronic signatures created by a natural person being the certificate holder using a private key corresponding to the public key that is part of the certificate.
1.1 Obtaining a qualified certificate for electronic signature
As the issuing and Registration Authority (RA), the Agency performs the registration of applicants as well as the issuance of the physical cards themselves. The applicants’ identity assurance is made in person at the RA premises before issuing the identity documents embedding the certificates. The identity assurance is made using other official sources and government public registers.
Detailed information is contained in the Documents section of the Certification Policy for the verification of electronic signatures.
1.2 Application for revocation of an electronic signature certificate
As part of its day-to-day operations, the Agency also provides the certificate revocation status service, a process which is overseen by MECS.
For individual revocations, the Authentication and Signing certificates of an e-ID or e-RP card can be revoked at the request of the document holder in the following cases:
- If the e-ID, Private Keys or PINs of the document holders have been, or are suspected to have been, compromised or are insecure in any way;
- If any of the information contained in the Certificate, or the identification and authentication information has been changed, altered, or is otherwise no longer accurate or complete.
The Agency is obliged to revoke the certificate within 24 hours as stated in the Certificate Policy, if any of the above conditions is not met. The document holder requesting a revocation should do so by submitting the request in person at the Agency’s premises to verify the identity of the person making the request. The Agency may request supplementary documentation to further verify the identity of the document holder requesting revocation.
Furthermore, the QTSP can revoke certificates for the following reasons:
- If any of the information in the Certificate changes;
- If the QTSP and/or the RA knows or has reason to suspect that the Private Keys or password or PIN of the document holder have been compromised;
- If the document holder fails to comply with their obligations under their applicable Subscriber Agreement; or
- For any other reasons the QTSP and/or the RA deems necessary.
The Agency is obliged to revoke the certificate within 24 hours as stated in the Certificate Policy. The document holder requesting a revocation should do so by submitting the request in person at the Agency’s premises to verify the identity of the person making the request. The Agency may request supplementary documentation to further verify the identity of the document holder requesting revocation.
The revocation is coordinated with the supervisory body, the Malta Communications Authority (“MCA”), following the notification process followed by the QTSP. In such a case, the situation would be notified to the European Commission by the MCA.
2.0LISTS OF CERTIFICATES AND CRLs
MECS regularly issues an up-to-date list of revoked certificates. The issuance of lists of revoked qualified system certificates is governed by the valid Certification Policy for qualified certificates, in accordance with the requirements of EU Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS). The list of revoked certificates is updated after each received valid request for certificate revocation, if no such request is received, then once every 8 hours.