SRRPUB13 – Digital Signatures & Public Key Infrastructure (PKI) Guidelines
Revised February 28, 2005 Version 3.1
Standards Review and Recommendations Publications (SRRPUB) are issued by the Department of Information Resources (DIR). They are intended to be used as guidance by Texas state agencies and institutions of higher education. This SRRPUB provides additional guidance for Texas Government Code, §2054.060, and 1 Texas Administrative Code Chapter 203 (1 TAC 203), Management of Electronic Transactions and Signed Records.
In 1997 and 1999 the Legislature enacted several laws that are expected to facilitate and promote electronic business and to make government more accessible to Texas citizens. Digital signatures that comply with DIR rules will have the same legal effect as a handwritten signature. As a result, many transactions that required paper documents in the past may now be completed electronically.
The 77th Legislature passed the Texas Uniform Electronic Transactions Act (UETA) in 2001 to help establish a legal framework for the growing use of Internet transactions between state and local government and citizens. Like much that concerns the Internet, the new laws can seem imposing and complicated. The legislative history makes clear that until UETA was enacted, government and business ran the risk that agreements they believed to be legally binding were in fact unenforceable.
The UETA Task Force was created by the Department of Information Resources and the Texas State Library and Archives Commission to study the impact and utility of UETA for the State. The Task Force concluded that each Internet user should assess their risk of the loss of valuable resources or money in determining whether they should use the features of certification of signatures and public keys, both of which add to the cost of using the Internet.
In May 2003, the Department adopted the Guidelines for the Management of Electronic Transactions and Signed Records as a rule (1 TAC 203) that must be followed by state agencies that send and accept electronic records and electronic signatures or otherwise create, generate, communicate, store, process, use and rely upon electronic records and electronic signatures.
In recent years, Texas state agencies have implemented systems that include the electronic interchange of information between agencies and the public. These systems have saved time and money and improved the overall efficiency of government operations. The legal bases of these transactions were generally established by means of traditional contract law or by administrative rules to establish the procedures and legal consequences for the transactions. New Texas laws allow state agencies to take advantage of additional electronic exchanges over the Internet and other networks where authentication is required.
Digital Signatures and Certificate Authority – Resources
Before deciding whether to accept digitally signed documents, state agencies should become familiar with the rules (1 TAC 203) and the policy, procedural, security, and technology issues related to digital signatures and PKI service providers.
One of the most often cited publications is the American Bar Association "Digital Signature Guidelines." The guidelines were developed by the Information Security Committee of the ABA's Science and Technology Section and were published in August 1996. The guidelines contain a tutorial describing the legal and technological elements of digital signatures based on a public key encryption system. Key issues covered in the guidelines are:
- Ensuring the identity of the holder of a private key
- Appropriate responsibility of those engaged in electronic commerce
- The concept of a Trusted Third-Party (or "certificate authority")
- The link between the public key and the holder of the private key
- Authentication of dates and times of transactions
- Publication of reports for private keys that are no longer valid/reliable (or "certificate revocation lists")
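The mechanics behind these six points, as an added example that is not code from the ABA guidelines or from DIR: a constructed root CA certifies a signer's public key (the link between public key and private-key holder), the signer signs a record, and the relying party checks that the certificate chains to the trusted CA and was valid at the signing time, that the CA's current certificate revocation list does not name it, and only then that the signature itself verifies. The CA and subject names, serial numbers, the record text and the choice of Ed25519 are assumptions made for illustration; an agency would select algorithms and Certification Authorities under 1 TAC 203.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup failures (key generation, DER encoding); verification outcomes are returned as errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type entity struct { // a private key and the certificate binding its public key to a subject name
	key  ed25519.PrivateKey
	cert *x509.Certificate
}

// newEntity generates a key pair and has parent certify tmpl for it (self-signed when parent is nil).
func newEntity(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) *entity {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return &entity{key, must(x509.ParseCertificate(der))}
}

// newCA creates a self-signed root, the "trusted third party"; the name is a constructed placeholder.
func newCA() *entity {
	return newEntity(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:  pkix.Name{CommonName: "Example Root CA (constructed)"},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
}

// issue has the CA certify that cn holds the private key matching a freshly generated public key.
func (ca *entity) issue(serial int64, cn string) *entity {
	return newEntity(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		KeyUsage: x509.KeyUsageDigitalSignature}, ca.cert, ca.key)
}

// revoke publishes a CA-signed certificate revocation list naming the given serial numbers.
func (ca *entity) revoke(serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))))
}

// verify accepts sig only if (1) the signer's certificate chains to the trusted CA and was valid at time at,
// (2) a CA-signed CRL current at that time does not list its serial, and (3) sig verifies under that key.
func verify(signer *x509.Certificate, ca *entity, crl *x509.RevocationList, doc, sig []byte, at time.Time) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(ca.cert)
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca.cert); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if at.Before(crl.ThisUpdate) || at.After(crl.NextUpdate) {
		return fmt.Errorf("crl not current at %v", at)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v revoked", signer.SerialNumber)
		}
	}
	if pub, ok := signer.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, doc, sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Demo signs a constructed record and reports the outcome for the genuine record, a tampered copy, and the genuine record after revocation.
func Demo() (genuine, tampered, revoked error) {
	ca := newCA()
	clerk := ca.issue(42, "Jane Clerk, Example Agency (constructed)")
	doc := []byte("constructed sample record: permit application 1001")
	sig, now := ed25519.Sign(clerk.key, doc), time.Now()
	genuine = verify(clerk.cert, ca, ca.revoke(), doc, sig, now)
	tampered = verify(clerk.cert, ca, ca.revoke(), append([]byte("altered "), doc...), sig, now)
	revoked = verify(clerk.cert, ca, ca.revoke(clerk.cert.SerialNumber), doc, sig, now)
	return genuine, tampered, revoked
}

func main() { fmt.Println(Demo()) }
```

The order of the checks in verify matters: a signature that verifies under a key is worthless if the certificate binding that key to a person has expired or been revoked, so the chain and the revocation list are checked first, and both are checked as of the signing time rather than the current clock. A relying party that skips the revocation step is exactly the party the ABA's "certificate revocation list" item warns about.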
Approved List of Certification Authorities
DIR is required to establish and maintain a list of acceptable Certification Authorities. There are two ways for a CA to be placed on the list:
- 1 TAC 203 identifies the performance audit requirements for a Certification Authority (CA), based on the standards set in the American Institute of Certified Public Accountants Statement on Auditing Standards No. 70 (SAS 70), that must be satisfied before the CA is placed on the "Approved List of Certification Authorities."
- In lieu of the audit requirements, a CA may be placed on the "Approved List of Certification Authorities" upon providing the Department with proof of accreditation by an accreditation body acceptable to the department whose requirements for accreditation are consistent with the requirements in 1 TAC 203.
The DIR rules focus on the reliability of acceptable technologies, and identify two acceptable technologies: public key cryptography using asymmetric cryptosystems; and Signature Dynamics, provided that the signature is created consistent with the provisions of 1 TAC 203. While both of these technologies are technically acceptable, they are fundamentally different: a public key signature binds the message to possession of a private key, whereas Signature Dynamics binds the message to measurements of the way a person writes his or her signature by hand. They differ in what is being authenticated and in how a forgery or a compromised credential is detected, so one or the other may not be appropriate for an agency depending on its particular security needs.
Other technologies for digital signatures are available and may meet agency reliability requirements when minimal security is required and the parties to the transactions are known (e.g., limited group of organizations/membership) and are using a specific technology (e.g., Signature Dynamics).
The National Institute of Standards and Technology (NIST) has published "Minimum Interoperability Specifications for PKI Components" (MISPC).
The Internet Council of NACHA has just published "The Management of Risks Created by Internet-Initiated Value Transfers." It identifies the types of Internet transactions likely to be viable over the next 5-10 years, and addresses the issues of payment security and authenticity over open networks such as the Internet.
The National Information Assurance Partnership (NIAP) is a joint initiative of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). The program is intended to foster the availability of objective measures and test methods for evaluating the quality of Information Technology (IT) security products via the Common Criteria (CC). The CC is the successor to the Trusted Computer System Evaluation Criteria (the "Orange Book" of the Rainbow Series) for unclassified but sensitive information and provides a comprehensive method for specifying security functionality and assurance requirements for products (or classes of products), usually in the form of protection profiles (PPs). The CC provides an internationally recognized basis for specifying and testing a wide range of security technology, from components to products and systems. CC version 2.1 is now the international standard ISO/IEC 15408.
The United States, Canada, France, Germany, Australia, New Zealand, and the United Kingdom have signed a mutual recognition arrangement for Common Criteria-based evaluations. Cryptographic modules themselves are validated under a separate NIST standard, FIPS 140 (Security Requirements for Cryptographic Modules), not under the CC. FIPS 140 specifies the security requirements that are to be satisfied by a cryptographic module utilized within a security system protecting unclassified information within computer and telecommunication systems (including voice systems). The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing. An agency evaluating a PKI product should therefore look for both kinds of evidence: a Common Criteria evaluation of the CA or RA software against an appropriate protection profile, and a FIPS 140 validation of the module that generates and protects the CA's private keys.
The NIST has established new Cooperative Research and Development Agreements (CRADAs) for the enhancement of the Minimum Interoperability Specifications for Public Key Infrastructure (PKI) Components (MISPC), NIST Special Publication 800-15. The following vendors/organizations are represented: AT&T; CertCo; Certicom; Cylink; Digital Signature Trust; Dyncorp; Entrust; Frontier Technologies; GTE; ID Certify; MasterCard; Microsoft; Motorola; Spyrus; VeriSign; and Visa.
The NIST is developing "Security Requirements for PKI Components," to address the fact that commercial vendors are offering certificate issuing and management system (CIMS) hardware and software, mainly in the form of Certificate Authority (CA) and Registration Authority (RA) products. The goal of this initiative is to develop a validation program for the components of a CIMS.
The NIST has established a Secure Multipurpose Internet Mail Extension (S/MIME) laboratory to test the interoperability and overall functionality attained using current S/MIME products. The testing is designed to test the interoperability between peer S/MIME applications and Certification Authority products, and between S/MIME applications and Directories. The NSA has provided funding for the development of reference implementations of S/MIME V3.
- State agencies are encouraged to implement programs that improve electronic access to government information and services by other government entities and the public. Where the identity of the sender or the contents of the message must be authenticated, the use of Digital Signatures is also encouraged.
- State agencies may refuse to accept documents containing digital signatures created by means of a particular technology if the cost of accepting such documents is excessive and unreasonable. Before accepting a digitally signed document that is intended to be forwarded to another agency, a state agency should consult with the ultimate recipient and ensure that the digital signature will be acceptable to that agency as well.