Standards Review and Recommendation Publication
SRRPUB13
Digital Signatures & Public Key Infrastructure (PKI) Guidelines
Revised February 28, 2005 Version 3.1
Standards Review and Recommendations Publications (SRRPUB)
are issued by the Department of Information Resources (DIR).
They are intended to be used as guidance by Texas state agencies
and institutions of higher education. This SRRPUB provides additional guidance for Texas Government Code, §2054.060, and Texas Administrative Code §203 Management of Electronic Transactions and Signed Records.
Introduction
In 1997 and 1999 the Legislature enacted several laws that
are expected to facilitate and promote electronic business
and to make government more accessible to Texas citizens.
Digital signatures that comply with DIR rules will have the
same legal effect as a handwritten signature. As a result,
many transactions that required paper documents in the past
may now be completed electronically.
The 77th Legislature passed the Texas Uniform Electronic
Transactions Act (UETA) in 2001 to help establish a legal
framework for the growing use of Internet transactions between
state and local government and citizens. As is true with the
complex nature of the Internet, the new laws can seem imposing
and complicated. The legislative history makes clear that
until UETA was enacted, government and business ran the risk
that agreements they believed to be legally binding were in
fact unenforceable.
The UETA Task Force was created by the Department of Information
Resources and the Texas State Library and Archives Commission
to study the impact and utility of UETA for the State. The
Task Force concluded that each Internet user should assess
their risk of the loss of valuable resources or money in determining
whether they should use the features of certification of signatures
and public keys, both of which add to the cost of using the
Internet.
In May 2003, the Department adopted the Guidelines for the
Management of Electronic Transactions and Signed Records as
a rule (T.A.C. §203) that must be followed
by state agencies that send and accept electronic records
and electronic signatures or otherwise create, generate, communicate,
store, process, use and rely upon electronic records and electronic
signatures.
The Guidelines are available at http://www.dir.state.tx.us/standards/UETA_Guideline.htm.
Background Information
In recent years, Texas state agencies have implemented systems
that include the electronic interchange of information between
agencies and the public. These systems have saved time and
money and improved the overall efficiency of government operations.
The legal bases of these transactions were generally established
by means of traditional contract law or by administrative
rules to establish the procedures and legal consequences for
the transactions. New Texas laws allow state agencies to take
advantage of additional electronic exchanges over the Internet
and other networks where authentication is required.
Digital Signatures and Certificate Authority - Resources
Before deciding whether to accept digitally signed documents, state agencies should become familiar with the rules (T.A.C. §203) and with the policy, procedural, security, and technology issues related to digital signatures and PKI service providers.
One of the most often cited publications is the American
Bar Association (ABA) "Digital Signature Guidelines." The guidelines were developed
by the Information Security Committee of the ABA's Science
and Technology Section and were published in August 1996.
The guidelines contain a tutorial describing the legal and
technological elements of digital signatures based on a public
key encryption system. Key issues covered in the guidelines
are:
- Ensuring the identity of the holder of a private key
- Appropriate responsibility of those engaged in electronic
commerce
- The concept of a Trusted Third-Party (or "certificate
authority")
- The link between the public key and the holder of the
private key
- Authentication of dates and times of transactions
- Publication of reports for private keys that are no longer
valid/reliable (or "certificate revocation lists")
The electronic version of the guidelines is available for
free at http://www.abanet.org/scitech/ec/isc/dsgfree.html.
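How these elements fit together in practice, as an added example that is not part of this SRRPUB or of the ABA guidelines: the Go program below (standard library only; the "Demo Root CA", the signer "Jane Signer", the sample permit document and all function names are constructed for the example) has a CA certify a signer's public key, has the signer sign a document, has the CA publish a certificate revocation list, and then applies the relying party's checks in order: chain to a trusted root, a CRL that is itself signed by that CA and not stale, the revocation lookup by serial number, and finally the signature over the document. It goes a little beyond the list above by also showing what the relying party does with a tampered document and with a certificate issued by a CA it never trusted. It assumes a two-tier hierarchy (a root CA signs end-entity certificates and its own CRL) and does not cover trusted time-stamping of the transaction.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps results while building the constructed fixtures; verifyDocument returns errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildDemoPKI plays the trusted third party: a root CA (constructed here, not a real
// one) binds the signer's public key to a name by issuing a certificate over it.
func buildDemoPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) {
	now := time.Now()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // may sign certificates and CRLs
	signerTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Jane Signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	// Passing caTmpl as its own parent makes the root self-signed; the signer's certificate is signed with the CA key.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	signer = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, signerTmpl, ca, &signerKey.PublicKey, caKey))))
	return ca, caKey, signer, signerKey
}

// signDocument: the private-key holder signs the SHA-256 hash of the document (ECDSA, ASN.1-encoded signature).
func signDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// issueCRL: the CA publishes, under its own signature, the certificates it no longer vouches for.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// verifyDocument is the relying party's decision: chain the certificate to a trusted root, consult
// the CA's revocation list (which must itself be signed by that CA and fresh), then check the signature.
func verifyDocument(roots *x509.CertPool, signer *x509.Certificate, crl *x509.RevocationList, doc, sig []byte) error {
	chains, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("certificate does not chain to a trusted CA: %w", err)
	}
	issuer := chains[0][len(chains[0])-1] // chains[0] runs signer -> root; in this two-tier hierarchy the root issues the CRL
	if err := crl.CheckSignatureFrom(issuer); err != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is unusable (not signed by the issuing CA, or stale): %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return fmt.Errorf("signer certificate with serial %v has been revoked", signer.SerialNumber)
		}
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature does not verify over this document: %w", err)
	}
	return nil
}

type outcome struct{ Accepted, TamperedRejected, UntrustedRejected, RevokedRejected bool }

// runScenarios applies the relying-party check to a constructed sample document in four situations.
func runScenarios() outcome {
	ca, caKey, signer, signerKey := buildDemoPKI()
	_, _, stranger, strangerKey := buildDemoPKI() // certified by an unrelated CA the relying party never trusted
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	doc := []byte("Permit application 2005-001, fee $50 (constructed sample document)")
	sig := must(signDocument(signerKey, doc))
	cleanCRL := issueCRL(ca, caKey, nil)
	revokingCRL := issueCRL(ca, caKey, []pkix.RevokedCertificate{{SerialNumber: signer.SerialNumber, RevocationTime: time.Now()}})
	tampered := bytes.Replace(doc, []byte("$50"), []byte("$5"), 1) // one character changed after signing
	return outcome{
		Accepted:          verifyDocument(roots, signer, cleanCRL, doc, sig) == nil,
		TamperedRejected:  verifyDocument(roots, signer, cleanCRL, tampered, sig) != nil,
		UntrustedRejected: verifyDocument(roots, stranger, cleanCRL, doc, must(signDocument(strangerKey, doc))) != nil,
		RevokedRejected:   verifyDocument(roots, signer, revokingCRL, doc, sig) != nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios())
}
```

Run it with `go run`; it prints which decision the relying party reached in each of the four situations. The CRL signature and freshness checks are the ones most often skipped in practice: a relying party that accepts an unsigned or expired CRL is relying on revocation data that nobody vouches for, which defeats the purpose of the list.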
Approved List of Certification Authorities
DIR is required to establish and maintain a list of acceptable
Certification Authorities. There are two ways for a CA to
be placed on the list:
- §203. Digital Signatures,
identifies the performance audit requirements for Certification
Authorities (CA), based on the standards set in the American
Institute of Certified Public Accountants (AICPA)
Statement on Auditing Standards No. 70 (S.A.S. 70), prior
to being placed on the "Approved List of Certification Authorities."
- In lieu of the audit requirements, a CA may be placed
on the "Approved List of Certification Authorities" upon
providing the Department with proof of accreditation by
an accreditation body acceptable to the department whose
requirements for accreditation are consistent with the requirements
in §203.
The current list of approved PKI service providers is located
at: Approved list of PKI service providers.
Reliability
The DIR rules focus on the reliability of acceptable technologies,
and identify two acceptable technologies: public key cryptography
using asymmetric cryptosystems, and Signature Dynamics, provided
that the signature is created consistent with the provisions
of T.A.C. §203. While both of these
technologies are acceptable, they are fundamentally
different, and one or the other may not be appropriate for
an agency depending on its particular security needs.
Other technologies for digital signatures are available and
may meet an agency's reliability requirements where only minimal
security is required, the parties to the transactions are known
(e.g., a limited group of organizations or members), and those
parties have agreed on a specific technology (e.g., Signature Dynamics).
Technical Interoperability
The National Institute of Standards and Technology (NIST)
has published "Minimum Interoperability Specifications for
PKI Components" (MISPC). The URL for the current draft is
http://csrc.nist.gov/pki.
Security
The Internet Council of NACHA has published "The Management
of Risks Created by Internet-Initiated Value Transfers." It
identifies the types of Internet transactions likely to be
viable over the next 5-10 years, and addresses the issues
of payment security and authenticity over open networks such
as the Internet. A copy can be reviewed at the DIR Technology Information Center (TIC).
The National Information Assurance Partnership (NIAP) is
a joint initiative of the National Institute of Standards
and Technology (NIST) and the National Security Agency (NSA).
The program is intended to foster the availability of objective
measures and test methods for evaluating the quality of Information
Technology (IT) security products via the Common Criteria
(CC). The CC replaces the Rainbow Series for unclassified
but sensitive information and provides a comprehensive method
for specifying security functionality and assurance requirements
for products (or classes of products), usually in the form
of protection profiles (PPs). The CC provides an internationally
recognized basis for specifying and testing a wide range of
security technology, from components to products and systems.
CC version 2.1 has been adopted as ISO/IEC 15408.
The United States, Canada, France, Germany, Australia, New
Zealand, and the United Kingdom have signed a mutual recognition
arrangement for Common Criteria-based evaluations.
Cryptographic modules are covered by a separate NIST standard,
not by the CC: Federal Information Processing Standard (FIPS) 140
(FIPS 140-2, which superseded FIPS 140-1 in 2001) specifies the
security requirements that are to be satisfied by a cryptographic
module utilized within a security system protecting unclassified
information within computer and telecommunication systems
(including voice systems). The standard provides four increasing,
qualitative levels of security: Security Level 1 through Security
Level 4. These levels are intended to cover the wide range of
potential applications and environments in which cryptographic
modules may be employed. The security requirements cover areas
related to the secure design and implementation of a cryptographic
module. These areas include basic design and documentation,
module interfaces, authorized roles and services, physical security,
software security, operating system security, key management,
cryptographic algorithms, electromagnetic interference/electromagnetic
compatibility (EMI/EMC), and self-testing. Modules are validated
against FIPS 140 under the Cryptographic Module Validation Program
(CMVP), which NIST operates jointly with Canada's Communications
Security Establishment; a CC evaluation of a product does not by
itself establish that the product's cryptographic module meets FIPS 140.
The NIST has established new Cooperative Research and Development
Agreements (CRADAs) for the enhancement of the Minimum Interoperability
Specifications for Public Key Infrastructure (PKI) Components
(MISPC), NIST Special Publication 800-15. The following vendors/
organizations are represented: AT&T; CertCo; Certicom;
Cylink; Digital Signature Trust; Dyncorp; Entrust; Frontier
Technologies; GTE; ID Certify; MasterCard; Microsoft; Motorola;
Spyrus; VeriSign; and Visa.
The NIST is developing "Security Requirements for PKI Components,"
to address the fact that commercial vendors are offering certificate
issuing and management system (CIMS) hardware and software,
mainly in the form of Certificate Authority (CA) and Registration
Authority (RA) products. The goal of this initiative is to
develop a validation program for the components of a CIMS.
The NIST has established a Secure/Multipurpose Internet Mail
Extensions (S/MIME) laboratory to test the interoperability
and overall functionality attained using current S/MIME products.
The testing is designed to test the interoperability between
peer S/MIME applications and Certification Authority products,
and between S/MIME applications and Directories. The NSA has
provided funding for the development of reference implementations
of S/MIME V3.
Frequently Asked Questions (FAQ)
To facilitate communications and address questions relating to the use of Digital Signatures, the Department has established an FAQ page.
Recommendations
- State agencies are encouraged to implement programs that improve electronic access to government information and services by other government entities and the public. Where the identity of the sender or the contents of the message must be authenticated, the use of Digital Signatures is also encouraged.
- State agencies may refuse to accept documents containing digital signatures created by means of a particular technology if the cost of accepting such documents is excessive and unreasonable. Before accepting a digitally-signed document that is intended to be forwarded to another agency, a state agency should consult with the ultimate recipient and ensure that the digital signature will be acceptable to that agency as well.
Address questions about the Texas Information Technology
Standards Web pages to:
DIR Standards and Architecture