“Art. 8.3 The extinction of the validity of an electronic certificate will have effects against third parties, in the cases of expiration of its validity period, provided that this circumstance occurs and, in the other cases, provided that the indication of said extinction is included in the consultation service on the validity of the certificates of the certification services provider.”
Certification Authority Revocation Lists (ARLs) collect the serial numbers of those certificates of Intermediate Certification Authorities that have been revoked prior to the expiration of their validity period. For each certificate, date, time and cause of revocation are specified.
Certificate Revocation Lists (CRLs) record the serial numbers of those end-entity electronic certificates that have been revoked prior to the expiration of their validity period. For each certificate, date, time and cause of revocation are specified.
Root Certification Authorities certificates that have been revoked prior to the expiration of their term will be published on the ANF AC corporate website. During ANF AC's certification service provision, no CA Root certificate has been revoked.
• Signatures generated with revoked or expired certificates are not legally valid.
• As established in ANF AC's Certification Practice Statement, electronic signatures receivers are required to verify the validity status of the certificate used before relying on them.
• Revoked certificates may be withdrawn from a CRL three months after expiration. However, ANF AC maintains permanently and accessible to the public a history of all issued CRLs.
• In the field "Next Update", it is noted that reference standard RFC-3280 v.1 does not establish as mandatory the aforementioned value, but version 2 requires it. In order to ensure the interoperability with other PKI systems its inclusion has been made.
• The date that is outlined in that field, indicates exclusively the deadline on which a new CRL will be published. In no case it supposes that no new update will be published before such date.
• It is expressly forbidden to use the validation services of ANF AC to provide validation services to third parties. The Validation Policy establishes penalties for non-compliance.
• The download of a CRL does not accredit the received electronic signature verification obligation. It does not allow to determine the moment when it was downloaded, nor when the consultation was carried out.
The possible loss, subtraction of the device or simple fear that the signature activation PIN is at risk, requires its responsible to notify this fact to ANF AC, to revoke the certificate contained therein. These facts, among others, constitute reasons for extinction of the certificate, in accordance with the provisions of articles 8 (b and c) and 9 of the Spanish Electronic Signature Law. The person in charge of the device is obliged to carry out adequate escrow and maintain the privacy of the keys, the risk of misuse of the certificate is assumed by the owner of the signature, because he/she has control over its use.
Failure to notify a certificate risk situation, or change of the information recorded in it, presupposes on behalf of the holder a serious negligence in the fulfillment of its obligations in preserving the signature creation data, in the assurance of its confidentiality and in the protection of all access or disclosure (art. 23.1.c Spanish Electronic Signature Law). This provision is related to the expressed evidence in the certificate, that the subscriber has control over the signature creation data (art. 11.2.f Spanish Electronic Signature Law); of the verification of its possession by ANF AC, prior to the issuance of the certificate (art. 12.c Spanish Electronic Signature Law). The opposite exception could only be rejected by the certification service provider, if the fact of the loss, abduction or improper use of the Certificate was brought to the attention of the certification services provider and did not comply or was delayed in recording the contingency in the consultation Service on the Validity of the certificates (art. 22.3, in relation with 10.2 Spanish Electronic Signature Law)