Frequently asked questions

If your question isn't here, open a GitHub issue.

  1. Does my private key (.p12) ever reach the server?

    No. Signing happens 100% in your browser. The .p12 file and password are processed inside a dedicated Web Worker, the private key is imported into the Web Crypto API as CryptoKey extractable:false, and the buffers are overwritten with zeros upon completion. You can verify this yourself by opening DevTools → Network during signing: there are no outbound requests carrying that data.

  2. Is it compatible with FirmaEC by MINTEL?

    Yes. PDFs signed by firmar.ec use the PAdES Baseline B-B profile (ETSI EN 319 142-1), the same profile produced by FirmaEC desktop. They can be validated in FirmaEC, Adobe Reader, the MINTEL Minka validator, the SRI validator, and any other standard PAdES verifier.

  3. Is the signature legally valid in Ecuador?

    Yes, provided your certificate was issued by a Certification Information Entity (ECI) accredited by ARCOTEL: BCE, Consejo de la Judicatura (iCert-EC), Security Data, ANFAC, ArgosData, Uanataca, Eclipse Soft, Datil. These signatures qualify as advanced electronic signatures (FEA) under Ecuador’s E-Commerce, Electronic Signatures and Data Messages Law (LCE 2002-67) and have the same legal effect as a handwritten signature (Art. 14).

  4. What file types can I sign?

    In this version, PDFs only. XAdES (XML for SRI) and CAdES (detached signature for any file) support is on the roadmap but not in v1. If you need to sign SRI electronic receipts today, your best option remains the native flow in your accounting system.

  5. How much does it cost?

    Zero. firmar.ec is a non-profit open-source project by IDK Manager. There is no premium plan, no subscription, no signature limit. There is also no advertising or telemetry: IDK Manager absorbs the maintenance cost as a contribution to Ecuador’s digital ecosystem.

  6. Can I sign a very large PDF?

    Yes, up to 50 MB on mobile and 200 MB on desktop per PDF. Signing runs in a dedicated Web Worker, so the UI remains responsive even if the PDF takes a few seconds to process. For larger PDFs the limiting factor is browser memory, not the app.

  7. Does it work on iPhone and Android?

    Yes. iOS Safari ≥16 and Android Chrome ≥110. firmar.ec is a mobile-first PWA, fully responsive and installable to the home screen. All cryptography runs on the browser’s native Web Crypto API (no Java or token driver installation required).

  8. Does it support USB / hardware cryptographic tokens?

    Today it supports .p12 / .pfx files. Hardware tokens (eToken, BCE token, etc.) require PKCS#11 access that browsers do not expose directly; we are evaluating integration via WebUSB and WebHID for v2, but this involves important security and compatibility trade-offs we have not yet resolved.

  9. Does verification detect revoked certificates?

    Yes. The verifier queries OCSP (RFC 6960) in real time against the responder of the certificate’s issuing CA. If the CA does not expose OCSP or is temporarily unreachable, we display a clear warning in the verification report, distinguishing between “OCSP unavailable” and “certificate revoked”.

  10. Can I use it in my company or institution?

    Using the app as-is (the web app) is 100% free, including inside your company or institution — sign and verify all you need at no cost.

    What has conditions is integrating the code into your own systems: firmar.ec is open source under AGPL-3.0, whose copyleft requires that, if you integrate it into a product or service you offer to third parties, you publish the complete source code of that system under the same license. If you’d rather integrate it into a proprietary/closed-source commercial product or service for profit without releasing your code, a commercial license is available.

    Need an integration (SSO, bulk signing via API, branding, certificate issuance, SLA/support) for a company or government? Email us at [email protected] and we’ll set up the commercial license or integration agreement.

  11. Which certificate authorities (ACE) is it compatible with?

    With the ARCOTEL-accredited authorities whose trust root is embedded in the app: Security Data, Banco Central del Ecuador (BCE), UANATACA, ANF AC, Consejo de la Judicatura (iCert-EC), ArgosData, Datil, Lazzate, Eclipsoft and the rest of the accredited issuers. It even handles .p12 files that ship “leaf only” (without the intermediate CA), such as UANATACA’s: firmar.ec completes the chain automatically. If your certificate was issued by any of them, it is recognised and validated offline.

  12. Is it safe to sign my PDFs online?

    Yes, by design. Everything happens inside your browser: your .p12 certificate and private key are never uploaded to any server, because there is no signing server. The code is open source (AGPL-3.0) and auditable, and the site scores A+ on Mozilla Observatory and SSL Labs. Since nothing leaves your device, it is LOPDP-compliant by design. You can check for yourself: disconnect from the internet after the page loads and signing still works.

  13. Can I validate my .p12 certificate before signing?

    Yes. Under Validate certificate you upload your .p12, enter its password, and firmar.ec shows the holder, the ID/RUC, the issuing authority (ACE), the validity dates and whether the chain links to an ARCOTEL-accredited root — all in your browser, without the private key ever leaving your device. Useful to confirm your certificate is valid and recognised before a filing.