The advanced (qualified) electronic signing process in Mifiel complies with the Mexican Code of Commerce
The e.firma is made of two files: the public certificate (.cer) and the private key (.key). The second file is protected by a password only known by its owner.
Considering this and in order to comply with the Mexican Code of Commerce, it is essential that the private key and its password are at all times under the signer’s sole control. In a platform like Mifiel, it means that this data is never shared with us, which is very important since sharing the sensitive information of the FIEL with third parties can lead to serious consequences.
So, how is it possible to sign a document in Mifiel with your FIEL without actually sharing it? Why do we ask you to select your e.firma and enter its password?
Your sensitive data stays in your device
To keep your sensitive data safe, the computational process of signing a document in Mifiel is never done on our servers. This data never leaves your device. All the validations that need your .key file and its password are executed locally in your browser. Once finished, the files are deleted from the browser.
Don’t take our word for it: you can always verify it on your own using your browser’s console.
Advanced (qualified) electronic signing process in Mifiel
The advanced (qualified) electronic signature is a computational cryptographic process. In Mifiel the steps are:
- A user uploads a PDF and our server calculates its hash (a unique, unrepeatable summary of the original document, its digital fingerprint).
- Each signer enters the document and reviews it. This is done in the Mifiel widget.
- The signer selects their .cer file and it is sent to our server (remember that it is a public certificate).
- The signer selects their .key file and enters its password. Neither is ever uploaded to any server; they always stay on the signer’s computer or device.
- The widget electronically signs the document, which at a technical level is the process of encrypting the document’s hash using the private key and its password. This is done locally in your browser.
- The widget deletes the .key file and its password from your browser. Then the signing result (encrypted hash) is sent to our server.
- On the server, Mifiel decrypts the hash using your .cer public certificate. Then it compares this hash with the one calculated in step 1. If they match, it stamps the signatures into the original document and, if all parties have signed, it gets a NOM-151 compliant record of data integrity, which is also added to the document.
- A copy of the signed document with the record of data integrity is sent to the participants and viewers.
This way, in Mifiel we always keep your e.firma safe.
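The signing steps listed above can be reproduced with Node's built-in crypto module. This is an added example, not Mifiel's code: the key pair, password and document are constructed, a PEM public key stands in for the .cer, and SHA-256 with RSA PKCS#1 v1.5 is an assumption, since the page does not name the algorithms.

```javascript
// Added illustration, not Mifiel's code. All keys, passwords and documents are constructed.
const nodeCrypto = require('node:crypto');

// Constructed stand-in for an e.firma: a public key (in place of the .cer) and a
// password-protected private key (in place of the .key).
function makeSigner(password) {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: password },
  });
}

// Server side, step 1: fingerprint of the uploaded document (SHA-256 assumed).
function serverHash(documentBytes) {
  return nodeCrypto.createHash('sha256').update(documentBytes).digest('hex');
}

// Signer's device: unlock the key with the password and sign the hash.
// Only the signature is returned; the key and password stay in local scope.
function clientSign(hashHex, encryptedKeyPem, password) {
  const key = nodeCrypto.createPrivateKey({ key: encryptedKeyPem, passphrase: password });
  return nodeCrypto.sign('sha256', Buffer.from(hashHex, 'hex'), key).toString('base64');
}

// Server side: recompute the hash and check the signature with the public key only.
function serverVerify(documentBytes, signatureB64, publicKeyPem) {
  const hash = Buffer.from(serverHash(documentBytes), 'hex');
  return nodeCrypto.verify('sha256', hash, publicKeyPem, Buffer.from(signatureB64, 'base64'));
}

function demo() {
  const password = 'constructed-password';
  const signer = makeSigner(password);
  const pdf = Buffer.from('%PDF-1.7 constructed sample contract');
  const signature = clientSign(serverHash(pdf), signer.privateKey, password);
  let wrongPasswordRejected = false;
  try { clientSign(serverHash(pdf), signer.privateKey, 'wrong'); } catch (e) { wrongPasswordRejected = true; }
  return {
    valid: serverVerify(pdf, signature, signer.publicKey),
    tampered: serverVerify(Buffer.concat([pdf, Buffer.from('x')]), signature, signer.publicKey),
    wrongPasswordRejected,
  };
}
console.log(demo());
```

The server-side functions receive only the document, the signature and the public key, which is the property the page describes: a signature can be checked without the .key file or its password ever being transmitted.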