The e.firma or FIEL is the set of files issued under the SAT’s (Mexican tax authority) infrastructure that, when used together, allow you to generate advanced (qualified) electronic signatures.
The procedure to get it is carried out at the SAT offices by appointment. Once issued, it is valid for four years. It can be renewed online if it is still valid or if it expired less than a year ago.
- Files that comprise the e.firma
- How to identify them
- Can I open the e.firma files?
- How does the e.firma work?
Files that comprise the e.firma
The two files that comprise the e.firma are:
- Private key: As a user, you must generate it from your computer or at the SAT offices when requesting the e.firma. It’s protected by a password that you create and that is different from the CIEC (the password used to log into the SAT’s website). The private key itself is the tool that allows you to generate electronic signatures.
- Public certificate: It is electronically signed by authorized SAT staff in their offices after validating your identity. It contains your personal information, such as your name, RFC (tax ID), handwritten signature and biometric data. At its core, it is a personal identification document for the digital world. It’s also known as a digital certificate or public key certificate.
How to identify them
Identifying them is quite easy. The private key has a .key extension, though you must make sure it is not a Keynote file (Apple’s slideshow app). The public certificate has a .cer extension, which is common among digital certificates.
They are usually named ‘FIEL’, ‘CLAVEPRIVADA_FIEL’, your RFC, etc. This nomenclature also helps to distinguish them from similar files like the Certificado de Sello Digital (CSD), a certificate and private key pair that is used to generate tax invoices (CFDI) but cannot be used for other purposes (such as signing documents in Mifiel).
Can I open the e.firma files?
As a user of these files, you should not try to manipulate them (for example, by opening them with non-specialized apps to see their contents). However, there is no problem with viewing their information or selecting them to sign documents in Mifiel or to carry out online government procedures, for example.
How does the e.firma work?
File generation (obtaining the e.firma)
- As a user, you generate your private key (.key file) and a certificate request on your computer or at the SAT office. From that moment, both files are linked to each other: they are born together.
- During an on-site appointment, SAT officials validate your identity using your identifying documents and capturing your biometric information (iris scan, fingerprint, handwritten signature).
- Once your identity has been verified, the SAT certifies (signs) your request, generating a public certificate (.cer file), strictly tied to the private key that you generated.
The .cer and the .key work exclusively together. That is why it is not possible to sign by mixing different pairs (for example, using one person’s (RFC) certificate with someone else’s private key, or a new certificate with an old private key); it must always be the same pair.
In Mifiel and other platforms that allow the use of advanced (qualified) electronic signatures like the e.firma, the process, for the user and at the technical level, is as follows:
- The platform or a user generates the document to be signed and gets its hash.
- The signer enters the platform, for example through an email invitation to sign.
- The signer views the document.
- The signer selects their .cer file. If it has expired, they can’t continue. If it’s still valid, they can continue.
- The signer selects their .key file. If it doesn’t match the .cer (it is older, newer or belongs to a person with a different RFC), they can’t proceed to sign. If there is a match, they can proceed.
- The platform checks the revocation status of the certificate with the SAT. If it has been revoked, the user cannot continue. If it hasn’t been revoked, they can continue.
- On the signer’s device, the document’s hash is generated and encrypted using the private key. The encrypted hash is the electronic signature itself.
- The encrypted hash and the public certificate are sent to the platform’s servers. (To comply with the provisions of the Code of Commerce, neither the private key nor its password must ever leave the signer’s device).
- On the servers, the encrypted hash is decrypted using the public certificate. If the result doesn’t match the hash calculated at the beginning of the process, the signature is not valid and will not be stamped. If it matches, the signature will be stamped in a new document. This signature will carry a presumption of attribution and a guarantee of non-repudiation.
- Once all parties have signed, the platform can get a NOM-151 compliant record of data integrity from a duly accredited trust service provider. This gives the signed document a guarantee of integrity, as well as a certain date, a requirement of the SAT and the Ley Nacional de Extinción de Dominio (Mexico’s Civil Asset Forfeiture Law).
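The pair check, device-side signing and server-side verification described in the steps above can be reproduced with the OpenSSL command line. This is an added example, not Mifiel’s or the SAT’s code. It assumes that the .cer is a DER-encoded X.509 certificate, that the .key is a password-protected PKCS#8 file in DER, and that the hash is SHA-256; the pairs named old and renewed are throwaway self-signed files constructed for the demo.

```shell
#!/bin/sh
# Added example. Throwaway self-signed pairs stand in for SAT-issued e.firma files.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS='constructed-demo-password'   # constructed; never hard-code a real one

# make_pair NAME: NAME.key (encrypted PKCS#8, DER) + NAME.cer (X.509, DER).
# These encodings are an assumption about the file format, not from the page.
make_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.pem" -out "$WORK/$1.crt" 2>/dev/null
  openssl pkcs8 -topk8 -in "$WORK/$1.pem" -outform DER \
    -out "$WORK/$1.key" -passout "pass:$PASS"
  openssl x509 -in "$WORK/$1.crt" -outform DER -out "$WORK/$1.cer"
  rm -f "$WORK/$1.pem" "$WORK/$1.crt"
}

# same_pair CER KEY: true only if the public key inside the certificate equals
# the public key derived from the private key.
same_pair() {
  a=$(openssl x509 -inform DER -in "$1" -noout -pubkey)
  b=$(openssl pkcs8 -inform DER -in "$2" -passin "pass:$PASS" | openssl pkey -pubout)
  [ "$a" = "$b" ]
}

# sign_doc CER KEY DOC SIG (signer's device): 1 = expired, 2 = pair mismatch.
# The revocation query to the SAT is omitted because it needs network access.
sign_doc() {
  openssl x509 -inform DER -in "$1" -noout -checkend 0 >/dev/null || return 1
  same_pair "$1" "$2" || return 2
  openssl pkcs8 -inform DER -in "$2" -passin "pass:$PASS" -out "$WORK/k.pem"
  openssl dgst -sha256 -sign "$WORK/k.pem" -out "$4" "$3"   # hash, then sign
  rm -f "$WORK/k.pem"   # unlocked key stays on the signer's device, briefly
}

# verify_sig CER DOC SIG (server): only the certificate and signature are needed.
verify_sig() {
  openssl x509 -inform DER -in "$1" -noout -pubkey > "$WORK/pub.pem"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}

make_pair old; make_pair renewed
printf 'constructed contract text\n' > "$WORK/doc.txt"
sign_doc "$WORK/old.cer" "$WORK/old.key" "$WORK/doc.txt" "$WORK/doc.sig"
verify_sig "$WORK/old.cer" "$WORK/doc.txt" "$WORK/doc.sig" && echo "valid signature"
sign_doc "$WORK/renewed.cer" "$WORK/old.key" "$WORK/doc.txt" "$WORK/x.sig" \
  || echo "refused to sign, rc=$?"
verify_sig "$WORK/renewed.cer" "$WORK/doc.txt" "$WORK/doc.sig" \
  || echo "signature rejected under the renewed certificate"
```

The server-side function never touches the .key or its password, which mirrors the requirement that neither leaves the signer’s device.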
Implications for Mifiel’s private signing process
Our private signing process uses the signer’s public certificate to encrypt the document. The user decrypts the document using their matching private key.
If you renew your e.firma and try to use the new one to decrypt a document that was previously encrypted with your old certificate, you won’t be able to do it: remember that both files are born and die together. When this happens, as a signer you must get in touch with the document creator so they use your new certificate to encrypt the document.