
Frequently Asked Questions About E-Signature

As defined in Law No. 5070 on Electronic Signature, electronic signature refers to electronic data attached to another piece of electronic data or logically associated with electronic data, used for the purpose of identity verification. Electronic signature consists of letters, characters, or symbols that guarantee, through electronic or similar means, that a piece of information is transmitted in an environment closed to access by third parties, without its integrity being compromised (in its original form as created by the transmitting party), and with the identities of the parties verified.

Electronic signature varies depending on the signed text and is obtained by processing the content through mathematical functions to derive a value considered unique. In other words, individuals do not have a single signature like a handwritten one; instead, they have keys used in the signing process.

It provides the following three basic features to electronic signature users:

  • Data Integrity: To prevent unauthorized or accidental modification, deletion, or addition to the data,
  • Identity Authentication and Validation: To verify the validity of the message and the identity of its owner,
  • Non-repudiation: To prevent individuals from denying the transactions they performed in the electronic environment.

In Law No. 5070 on Electronic Signature, an electronic certificate is defined as an electronic record containing the data necessary for verifying the electronic signature and the identity information of the signature holder. Electronic certificates must be obtained from electronic certificate service providers operating in accordance with the law in exchange for a specific fee.

Electronic certificates are necessary to verify the validity of the affixed signature.

Qualified electronic certificates are electronic certificates that, as specified in Article 9 of the Law, contain a statement indicating that it is a "qualified certificate", the identity information of the certificate service provider and the name of the country in which it is established, identity information by which the signature holder can be identified, the period of validity of the certificate, and the serial number of the certificate.

Signature creation tools refer to the software or hardware used to create electronic signatures. Law No. 5070 mentions “secure” electronic signature creation tools and requires the provision of the following features:

  • The electronic signature creation data it produces have no equivalent among themselves,
  • It ensures that the electronic signature creation data stored on it cannot be extracted outside the tool in any manner and maintains its confidentiality, 
  • The electronic signature creation data stored on it cannot be obtained or used by third parties, and it protects the electronic signature against forgery, 
  • The data to be signed cannot be altered by anyone other than the signature holder, and this data can be viewed by the signature holder before the signature is created.

In the Electronic Signature Law, the Secure Electronic Signature is deemed equivalent to a handwritten signature, and it is stipulated that data created with a Secure Electronic Signature shall have the force of a promissory note, and such data shall be considered definitive evidence until proven otherwise. However, it is ruled that legal transactions subject to official form or special ceremony by laws, as well as guarantee contracts, cannot be executed with a Secure Electronic Signature. In other words, transactions such as real estate purchase and sale, inheritance and transfer, marriage, which require ceremonies by laws or the testimony of third parties, cannot be performed with an electronic signature.

It is assessed that the electronic signature can find widespread application areas in the medium and long term, primarily in banks and financial institutions, insurance companies with branch networks, public institutions and organizations, holdings and other large companies, universities, and organizations requiring high communication and information security. The following can be listed among the possible electronic signature applications in both the public and commercial sectors:

Applications in the Public Sector 

  • All kinds of applications (ÖSS, KPSS, LES, passport, etc.)
  • Inter-institutional communication (Police Departments, Population and Citizenship Affairs Directorates, etc.)
  • Social security applications
  • Health applications (Health personnel - hospitals - pharmacies)
  • Tax payments
  • Electronic voting procedures

Applications in the Commercial Sector 

  • Internet banking
  • Insurance transactions
  • Paperless offices
  • e-Contracts
  • e-Orders

According to Law No. 5070 on Electronic Signature, the legal consequences of electronic certificates issued by an Electronic Certificate Service Provider established in a foreign country are determined by international agreements. For an electronic signature obtained from a foreign country to be usable in our country, if the electronic certificates issued by an Electronic Certificate Service Provider established in a foreign country are accepted by an Electronic Certificate Service Provider established in Turkey, these electronic certificates are considered qualified electronic certificates. The Electronic Certificate Service Provider in Turkey is also responsible for any damages arising from the use of these electronic certificates.

Secure Electronic Signature can only be provided with a Qualified Electronic Certificate. The Electronic Certificate Service Providers, which are the places where applications for Qualified Electronic Certificates can be made, are published on the website of the Information Technologies and Communication Authority.

  • Law No. 5070 on Electronic Signature (Official Gazette dated January 23, 2004 and No. 25355) 
  • Regulation on Certificate Financial Liability Insurance (Official Gazette dated August 26, 2004 and No. 25565) 
  • Prime Ministry Circular No. 2004/21 (Official Gazette dated September 6, 2004 and No. 25575) 
  • Regulation on the Procedures and Principles for the Implementation of Law No. 5070 on Electronic Signature (Official Gazette dated January 6, 2005 and No. 25692) 
  • Communiqué on Processes and Technical Criteria Related to Electronic Signature (Official Gazette dated January 6, 2005 and No. 25692) 
  • General Conditions for Mandatory Certificate Financial Liability Insurance (Official Gazette dated January 27, 2005 and No. 25709) 
  • Certificate Financial Liability Insurance Tariff and Instructions (Official Gazette dated January 27, 2005 and No. 25709) 
  • Prime Ministry Circular No. 2006/13 (Official Gazette dated April 19, 2006 and No. 26144) 
  • Board Decision on the Guide for Profiles of Qualified Electronic Certificate, CRL and OCSP Request/Response Messages (Board Decision dated April 18, 2007 and No. 2007/DK-77/207)

           Annex: Guide for Profiles of Qualified Electronic Certificate, CRL and OCSP Request/Response Messages 

  • Board Decision on the Determination of Fees for Qualified Electronic Certificate, Time Stamp and Related Services (Board Decision dated December 20, 2006 and No. 2006/DK-77/760)
  • Board Decision on Procedures and Principles Regarding Secure Electronic Signature Creation and Verification Applications and Secure Electronic Signature Formats (Board Decision dated June 1, 2006 and No. 2006/DK-77/353)

Signature creation devices refer to software or hardware used to create electronic signatures. Law No. 5070 refers to "secure" electronic signature creation devices and requires the following features to be provided:

  • The electronic signature creation data it produces have no equivalent among themselves, 
  • It ensures that the electronic signature creation data recorded on it cannot be extracted from the device in any manner and maintains their confidentiality, 
  • The electronic signature creation data recorded on it cannot be obtained or used by third parties, and it protects the electronic signature against forgery, 
  • The data to be signed cannot be altered by anyone other than the signatory, and this data can be viewed by the signatory before the signature is created.

According to Law No. 5070, an Electronic Certificate Service Provider is “public institutions and organizations, as well as real persons or private law legal entities that provide services related to electronic certificates, time stamps, and electronic signatures.”

It issues certificates for users, keeps certificate status information up to date and prepares certificate revocation lists, provides current certificates and certificate revocation lists to those who request them, and maintains archives of expired or revoked certificates.

Information regarding the activity status of Electronic Certificate Service Providers is published on our institution's website.

The Electronic Certificate Service Provider is obliged to meet the conditions related to:

  • using secure products and systems,
  • providing the service in a reliable manner,
  • taking all measures to prevent the imitation and falsification of certificates.

The faster provision and wider dissemination of public services, the provision of accurate and sufficient information, and the reduction of operating expenses have also ensued as a consequence. On this basis, and in view of the electronic signature applications that will become increasingly widespread in our country, a decision was taken at the e-Transformation Turkey VI. Executive Board Meeting dated June 10, 2004, following the proposal made by our Institution, to provide the institutional certificates of public employees from a single center, in order to prevent unnecessary duplicate investments in the public sector and to ensure operation in a compatible, interoperable, and reliable structure. In accordance with this decision, the duty and responsibility for establishing and operating the Public Certification Center structure has been assigned to TÜBİTAK-UEKAE. This structure aims to gather all public institutions and organizations under the same institutional certificate structure, and to create institutional certificates only for public institutions and organizations and manage the certificate lifecycle. The duty and responsibility for reviewing this structure and for monitoring its suitability belongs to the Telecommunications Authority.

No operations are being carried out by the Institution regarding electronic certificates and e-signatures. To obtain an electronic certificate, you should apply to one of the Authorized Electronic Certificate Service Providers (http://www.btk.gov.tr/bilgi_teknolojileri/elektronik_imza/eshs.php). You can access the contact information for ESHSs from the link provided above.

If you are working in a public institution and will use your signature in intra-institutional and inter-public institution transactions, you must obtain your certificate from TÜBİTAK UEKAE in accordance with the Prime Ministry Circular. For this purpose, your institution must make an institutional application to TÜBİTAK UEKAE. 

Electronic certificates should not be obtained from organizations other than the service providers announced on our website.

According to the Electronic Signature Law, the certificate service provider demonstrates in detail that it meets the conditions regarding the use of secure products and systems, the reliable execution of the service, and taking all measures to prevent the imitation and falsification of certificates, and notifies the Information Technologies and Communication Authority. The information and documents required to be submitted to our Authority in this notification are specified in the “Regulation on the Procedures and Principles for the Implementation of the Electronic Signature Law No. 5070” published in the Official Gazette dated January 6, 2005, and numbered 25692. The Information Technologies and Communication Authority reviews the submitted notification. An Electronic Certificate Service Provider that fully complies with the notification requirements may commence operations 2 months after the date of notification. The infrastructure required for providing Electronic Certificate Service Provider services is quite expensive due to high security requirements, with costs ranging between 3-8 million Euros.

Pursuant to the relevant legislation, it is not possible to use certificates for user verification purposes such as system login. Therefore, other certificates must be produced for user verification purposes. However, in cases where system login can be converted into a signing process (such as signing the system login form), electronic signature certificates can also be used for this purpose.

No. Although encryption is technically possible with e-signature technology, e-signature has a different scope of use and purpose. The Electronic Signature Law only regulates electronic signatures, while cryptography (encryption) is regulated by different laws worldwide due to aspects such as national security. The more frequently the e-signature creation data is used, the higher the probability of it being obtained, and thus the probability of its security and reliability decreasing. Therefore, the e-signature creation data should only be used for signature creation purposes. Indeed, paragraph (d) of Article 15 of the Regulation on the Procedures and Principles Regarding the Implementation of the Electronic Signature Law, published by the Telecommunications Authority on January 6, 2005, obliges the certificate holder to “use the signature creation and verification data only for the purposes of electronic signature creation and verification and within the limitations regarding the use and material scope contained in the qualified electronic certificate.” This provision prevents the use of the public and private keys provided with the certificate for encryption purposes.

Yes. Every electronic certificate has a clearly specified start and end time for use. Most applications check the validity period of the certificate before performing operations with electronic certificates. Generally, this period varies between one year and three years.

Mobile electronic signature can be defined as an electronic signature created using a mobile device. The only difference between mobile electronic signature and electronic signature is the use of the SIM card placed inside a mobile device as the tool for creating the electronic signature. Since the legislation regarding electronic signatures also covers mobile electronic signatures, mobile electronic signatures also provide the legal validity offered by secure electronic signatures in electronic environments.

In today's world, the intensive use of electronic environments has led to the emergence of certain demands and trust issues. At this point, the electronic signature application, which provides confidentiality, authentication, data integrity, and non-repudiation, has emerged. Together with these four fundamental features of the electronic signature, the opportunities for secure transactions in electronic commerce and e-transformation projects being carried out in the public sector have been expanded in electronic environments, and supported by the Electronic Signature Law No. 5070 and secondary regulations issued by our Institution, thereby ensuring the legal validity of the works and transactions conducted in these environments. The Electronic Signature Law and secondary regulations stipulate that the electronic signature shall produce the same legal effect as a handwritten wet signature and shall be accepted as conclusive evidence. In short, the electronic signature is important in terms of providing legal validity to transactions conducted in electronic environments. Therefore, the use of electronic or mobile signatures is an inevitable necessity for every transaction where legal validity is desired to be granted in electronic environments.

The Qualified Electronic Certificate holder is obliged to:

  • provide all the information and documents required to obtain a qualified electronic certificate completely and accurately,
  • immediately notify the Electronic Certificate Service Provider in the event of any change in the information provided to the ESHS,
  • use the algorithms and parameters specified in the "Communiqué on Processes and Technical Criteria Related to Electronic Signatures" in the case of generating the signature creation data itself,
  • use the signature creation and verification data only for the purpose of creating and verifying electronic signatures and within the limitations regarding the scope of use and material coverage contained in the qualified electronic certificate,
  • not allow the signature creation data to be used by others and take the necessary measures in this regard,
  • immediately notify the Electronic Certificate Service Provider in case of any suspicion regarding the confidentiality or security of the signature creation data,
  • use a secure electronic signature creation tool,
  • ensure the necessary security in cases where the signature creation and verification data are generated in places and with tools not belonging to the Electronic Certificate Service Provider,
  • immediately notify the Electronic Certificate Service Provider in the event of loss, theft, or suspicion regarding the reliability of the signature creation tool or access data.

Third parties are obliged to:

  • check whether the certificate is a “Qualified Electronic Certificate”,
  • check the revocation and validity status of the Qualified Electronic Certificate or use a secure electronic signature verification tool,
  • check whether there is any restriction on the use of the Qualified Electronic Certificate.
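
The third-party checks listed above, together with the validity period and usage limits described elsewhere on this page, as an added example (not code from the Authority or from any ESHS). The `QualifiedCert` record, the CRL held as a dictionary, the failure names and the rule that a time stamp fixes the moment at which validity and revocation are judged are assumptions of the example; real verification parses X.509 certificates and CRL or OCSP responses.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class QualifiedCert:
    """Constructed model of the fields a relying party inspects (not an X.509 parser)."""
    serial: int
    holder: str                 # identity information of the signature holder
    provider: str               # certificate service provider
    provider_country: str       # country in which the provider is established
    not_before: datetime
    not_after: datetime
    qualified_statement: bool   # the "qualified certificate" statement
    permitted_uses: frozenset = frozenset({"signature"})


def relying_party_check(cert, crl, use="signature", time_stamp=None, now=None):
    """Return the names of failed checks; an empty list means every check passed.

    crl maps revoked serial numbers to their revocation time.
    Assumption: when a time stamp exists, validity and revocation are judged
    at that time; otherwise at the time of verification.
    """
    at = time_stamp or now or datetime.now(timezone.utc)
    failures = []
    if not cert.qualified_statement:
        failures.append("not_qualified")
    if not (cert.holder and cert.provider and cert.provider_country):
        failures.append("identity_fields_missing")
    if not (cert.not_before <= at <= cert.not_after):
        failures.append("outside_validity_period")
    revoked_at = crl.get(cert.serial)
    if revoked_at is not None and revoked_at <= at:
        failures.append("revoked")
    if use not in cert.permitted_uses:
        failures.append("use_not_permitted")
    return failures


def utc(year, month, day):
    """Build a timezone-aware UTC date for the sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: one certificate and a CRL that revokes it mid-2017.
CERT = QualifiedCert(1001, "Holder A", "Example ESHS", "TR",
                     utc(2016, 1, 1), utc(2018, 12, 31), True)
CRL = {1001: utc(2017, 6, 1)}
```

Checked without a time stamp after the revocation date, the sample certificate fails as revoked; the same signature carrying a time stamp from before that date passes, which is the practical value of the time stamp service.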

The timestamp is defined in Law No. 5070 on Electronic Signature as "a record verified by an electronic signature by the electronic certificate service provider for the purpose of detecting the time when an electronic data is produced, modified, sent, received, and/or recorded." It is used to prove that electronic data such as documents, records, and contracts in the electronic environment existed before a specific time. It enables the addition of reliable time information to transactions in the electronic environment. It can be used on any electronic data, such as electronic applications, minutes, contracts, and similar items, that require time information.

December 15, 2017