As the saying goes, "the shoemaker's son always goes barefoot," which all but gives away the conclusion of this report before it starts. The General Audit of the Nation (AGN, for its acronym in Spanish) noted that "the procedures for the authorization of a digital signature are made in paper format and not digitized when the origin of this type of heading has the purpose of de-papering the State."

The watchdog's objective was to evaluate information technology at the National Office of Information Technology (ONTI, for its acronym in Spanish) as it relates to the digital signature. To this end, it evaluated the agency between July 2014 and July 2015.

The digital signature replaces the holographic signature used on paper documents; it is what gives the document validity. It is produced through a mathematical process that requires information exclusive to the signer.

At the computer level, "it is a small file that has a double encryption process, with a private key that only the signer knows, and a decryption made by the recipient of the document to verify the validity of the signature received," the report explains.

In turn, to ensure that the signatory is who they say they are, Digital Certificates are issued by Certification Authorities or Licensed Certificates. The latter, in turn, must be previously authorized or certified by a Root Certification Authority or a Licensing Entity.

On this point, the Audit noted that "ONTI performs both tasks": it is both a Licensing and a Licensed Entity. That is, it is on both sides of the counter and "violates the principle of control by opposition". This situation "has been dragging since 2003 when the Managing Entity was dissolved and these powers were given to the ONTI, which was already a Certifying Authority."

In addition, "the Licensing Entity does not carry out follow-up audits on the Certification Authorities with the stipulated periodicity."

In terms of security, the Office of Information Technology has some weaknesses. One of them concerns the physical office where the Registry Authority operates and the digital signature certificates are delivered.

Entry to the office "is not controlled or registered in a guestbook," so "there is no way to know who visits the area where sensitive information is handled."

In addition, the backup policy for the Public Key Infrastructure "has weaknesses in its procedures that could affect the availability of information and their respective services." The Auditors noted that "it is not specified how databases and applications should be stored and that there are no back-up copies outside the building."

In case of a power outage, "the unit does not have alternative energy support that guarantees the continuity of the service," so anyone wanting to check a signature against the revocation listings would be unable to do so, and "it would be possible to take as valid blocked signatures."
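The failure mode in this finding, shown as an added example that is not part of the audit report or of ONTI's platform: a relying party that treats a missing or expired revocation listing as "not revoked" accepts a blocked certificate, while a fail-closed check refuses it. The `Crl` model, the serial numbers, the dates and the function names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Crl:
    """Simplified revocation list (constructed model, not an X.509 CRL parser)."""
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def revocation_status(serial: int, crl: Optional[Crl], now: datetime,
                      fail_closed: bool) -> str:
    """Return 'good', 'revoked' or 'unknown' for a certificate serial.

    crl is None when the listing cannot be fetched, e.g. the issuing site is down.
    """
    if crl is not None and serial in crl.revoked_serials:
        return "revoked"  # listed on the last copy we hold
    if crl is not None and crl.this_update <= now <= crl.next_update:
        return "good"     # fresh list and serial not on it
    # No list, or list past next_update: later revocations are invisible to us.
    return "unknown" if fail_closed else "good"


def accept_signature(signature_valid: bool, serial: int, crl: Optional[Crl],
                     now: datetime, fail_closed: bool = True) -> bool:
    """Accept only a verified signature whose certificate status is 'good'."""
    return signature_valid and revocation_status(serial, crl, now, fail_closed) == "good"


# Constructed sample data: the last list fetched expired two days before NOW.
NOW = datetime(2015, 7, 1, 12, 0, tzinfo=timezone.utc)
STALE_CRL = Crl(NOW - timedelta(days=3), NOW - timedelta(days=2), frozenset({0x1001}))
FRESH_CRL = Crl(NOW - timedelta(hours=1), NOW + timedelta(days=1), frozenset({0x1001, 0x2002}))
BLOCKED = 0x2002  # revoked by the issuer, but only the fresh list shows it

if __name__ == "__main__":
    for name, crl in (("unreachable", None), ("stale", STALE_CRL), ("fresh", FRESH_CRL)):
        soft = accept_signature(True, BLOCKED, crl, NOW, fail_closed=False)
        hard = accept_signature(True, BLOCKED, crl, NOW, fail_closed=True)
        print(f"{name:12} soft-fail accepts={soft}  fail-closed accepts={hard}")
```

With the listing unreachable or stale, only the soft-fail policy accepts the blocked serial; once a fresh listing is available both policies reject it.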

Finally, the report, approved in November 2016, warned of "the dependence that is generated with key personnel in the Agency before the outdated digital signature platform was used."