Secretary of State regulations regarding the use of digital signatures by public entities.

This initial statement of reasons explains the purpose and necessity of the permanent digital signature regulations. Note that these permanent regulations are temporarily superseded by emergency regulations effective from 4/22/2020 through 10/20/2020, or until that date is extended or the emergency regulations are made permanent by regulatory action. See emergency regulations.

  • Section 22000  Definitions
  • Section 22001  Digital Signatures Must Be Created By an Acceptable Technology
  • Section 22002  Criteria for State to Determine If a Digital Signature Technology is Acceptable for Use by Public Entities
  • Section 22003  List of Acceptable Technologies
  • Section 22004  Provisions for Adding New Technologies to the List of Acceptable Technologies
  • Section 22005  Issues to be Addressed by Public Entities When Using Digital Signatures

Section 22000 - Definitions

Public Problem, Administrative Requirement, or Other Condition or Circumstance that the Regulation is Intended to Address.

Government Code Section 16.5 requires that the Secretary of State adopt regulations regarding the use of digital signatures by public entities.

Although the statute defines a Digital Signature, it does not define the other terms necessary to implement the required regulations that will enable the use of digital signatures.

Specific Purpose of the Regulation.

The proposed regulation will clarify the specific meaning of several terms that are a prerequisite for interpreting the other proposed regulations that comprise this chapter.

Necessity.

The legislature adopted Government Code Section 16.5 and required the promulgation of regulations because it identified a need for digital signatures to be available for the expansion of electronic commerce and communication with public entities.

The definitions in this regulation are necessary to achieve the goals of the legislature in facilitating electronic communication with the adoption of regulations to govern digital signatures.

Technical, Theoretical, and/or Empirical Study, Report, or Documents.

The Secretary of State relied on experts from both the public and private sector, including a consultant hired to facilitate the drafting of these proposed regulations, and numerous other states' legislation and draft rules and regulations to develop the definitions used in Section 22000.

Alternatives to the Proposed Regulatory Action that would be as Effective and Less Burdensome to Private Persons.

The Secretary of State finds that no alternatives it has considered would be more effective in carrying out the purpose of the proposed regulation or would be as effective and less burdensome to affected private persons than the proposed regulation.

Alternatives to the Proposed Regulatory Action that would Lessen any Adverse Economic Impact on Small Business.

The Secretary of State determines that the proposed regulation does not affect small businesses.


Section 22001 - Digital Signatures Must Be Created by an Acceptable Technology

Public Problem, Administrative Requirement, or Other Condition or Circumstance that the Regulation is Intended to Address.

Government Code Section 16.5 requires that the Secretary of State adopt regulations regarding the use of digital signatures by public entities.

Because the industry that is evolving to provide software and services to implement the use of digital signatures has not yet fully developed, the public need exists to differentiate between legitimate technologies that can meet the requirements established in Government Code Section 16.5 and less capable technologies that are not able to provide the requisite products and services associated with digital signature transactions with public entities.

The requirement that digital signatures be created by an acceptable technology, as stated in Section 22001, protects public entities from accepting digital signatures that do not conform to the regulations and legislation governing the technology.

Specific Purpose of the Regulation.

This proposed regulation states that digital signatures either received or sent by public entities shall be created using a technology that is accepted by the state. The criteria for determining whether a technology is acceptable for use by the state are identified in Section 22002.

Necessity.

The legislature adopted Government Code Section 16.5 and required the promulgation of regulations because it identified a need for digital signatures to be available for the expansion of electronic commerce and communication with public entities.

The requirement that the technology used to create a digital signature must be acceptable for use by the state is necessary to facilitate the construction of a list of acceptable technologies to protect public entities from purchasing or using technologies which are non-compliant with Government Code Section 16.5.

Technical, Theoretical, and/or Empirical Study, Report, or Documents.

The Secretary of State relied on experts from both the public and private sector, including a consultant hired to facilitate the drafting of these proposed regulations, and numerous other states' legislation and draft rules and regulations to develop the requirement in Section 22001.

Alternatives to the Proposed Regulatory Action that would be as Effective and Less Burdensome to Private Persons.

The Secretary of State finds that no alternatives it has considered would be more effective in carrying out the purpose of the proposed regulation or would be as effective and less burdensome to affected private persons than the proposed regulation.

Alternatives to the Proposed Regulatory Action that would Lessen any Adverse Economic Impact on Small Business.

The Secretary of State determines that the proposed regulation does not affect small businesses.


Section 22002 - Criteria for State to Determine if a Digital Signature Technology is Acceptable for use by Public Entities

Public Problem, Administrative Requirement, or Other Condition or Circumstance that the Regulation is Intended to Address.

Government Code Section 16.5 requires that the Secretary of State adopt regulations regarding the use of digital signatures by public entities.

Section 22002 is designed to provide the Department of Information Technology with the tools it needs to determine if a specific technology is sufficiently developed to create digital signatures for use by public entities.

Specific Purpose of the Regulation.

This regulation states that digital signatures either received or sent by public entities shall be created using a technology that meets the requirements of Government Code Section 16.5 and that the signatures created by the technology can satisfy California's requirements for introducing writings into evidence.

Necessity.

The legislature adopted Government Code Section 16.5 and required the promulgation of regulations because it identified a need for digital signatures to be available for the expansion of electronic commerce and communication with public entities.

The criteria established by Section 22002 are necessary to provide a foundation for the development of a potentially dynamic list of acceptable technologies that can be referenced by public entities that seek to develop applications which would utilize digital signatures as a part of transactions or communications conducted electronically.

Technical, Theoretical, and/or Empirical Study, Report, or Documents.

The Secretary of State relied on experts from both the public and private sector, including a consultant hired to facilitate the drafting of these proposed regulations, and numerous other states' legislation and draft rules and regulations to develop the requirement in Section 22002.

Alternatives to the Proposed Regulatory Action that would be as Effective and Less Burdensome to Private Persons.

The Secretary of State finds that no alternatives it has considered would be more effective in carrying out the purpose of the proposed regulation or would be as effective and less burdensome to affected private persons than the proposed regulation.

Alternatives to the Proposed Regulatory Action that would Lessen any Adverse Economic Impact on Small Business.

The Secretary of State determines that the proposed regulation does not affect small businesses.


Section 22003 - List of Acceptable Technologies

Public Problem, Administrative Requirement, or Other Condition or Circumstance that the Regulation is Intended to Address.

Government Code Section 16.5 requires that the Secretary of State adopt regulations regarding the use of digital signatures by public entities.

The field of digital signature technology, including the creation, transmittal and validation of signatures is a rapidly emerging industry. Although internationally recognized technological standards exist for some aspects of digital signature technology, there does not appear to be an exclusive dominant technology that has emerged as the one and only method of conducting digital signature transactions.

Historically, computer software and hardware have evolved and improved at an exponential rate. Understanding that a technology which may appear to be dominant in the marketplace one day may be obsolete in a matter of years, the Secretary of State has determined that there exists a need to develop a dynamic list of technologies which create digital signatures that are acceptable for use by public entities in California.

The absence of such a list could result in public entities accepting as reliable, digital signatures created by technologies that do not meet the standards established by the legislature in Government Code Section 16.5.

Specific Purpose of the Regulation.

The List of Acceptable Technologies (not to be confused with a list of acceptable vendors or vendor-specific applications) is established to provide guidance to public entities that wish to utilize digital signatures in written communications.

The list, which could be amended by future regulation, identifies two acceptable technologies that are capable of satisfying the requirements of Government Code Section 16.5.

Subsection 22003(a) identifies "Public Key Cryptography" as a technology that is acceptable for use by public entities in California.

Subsection 22003(a)(1) provides a set of definitions relevant to this technology.

Subsection 22003(a)(2) re-states the requirement of Government Code Section 16.5(a)(1) and establishes the criteria a public-key-based digital signature must meet to satisfy the requirement that it is "unique to the person using it".

Subsection 22003(a)(3) re-states the requirement of Government Code Section 16.5(a)(2) and establishes the criteria a public-key based digital signature must meet to satisfy the requirement that it is "capable of verification".

Subsection 22003(a)(4) re-states the requirement of Government Code Section 16.5(a)(3) and establishes the criteria a public-key based digital signature must meet to satisfy the requirement that it is "under the sole control of the person using it".

Subsection 22003(a)(5) re-states the requirement of Government Code Section 16.5(a)(4) that a public-key based digital signature must be "linked to data in such a manner that if the data are changed, the digital signature is invalidated".
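The four criteria that subsections 22003(a)(2) through (a)(5) restate from Government Code Section 16.5(a) are properties that any public-key signature scheme can be checked against directly. The following is an added illustration, not text or code from the regulation or the Secretary of State: it uses the Go standard library's Ed25519 implementation (one public-key signature scheme chosen here for brevity; the regulation names no particular algorithm), signs a constructed sample document, and then shows that altering a single byte of the data or substituting another signer's public key causes verification to fail. The function and type names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument bundles the document bytes, the signer's public key and the
// signature over the bytes, which is everything a relying party needs to verify.
type SignedDocument struct {
	Data      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Sign creates the signature with the signer's private key. The private key
// never leaves the signer, which is what keeps the signature under the
// signer's sole control (Government Code 16.5(a)(3)).
func Sign(priv ed25519.PrivateKey, data []byte) SignedDocument {
	return SignedDocument{
		Data:      append([]byte(nil), data...),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, data),
	}
}

// Verify checks the signature over the document bytes using only the public
// key, so anyone can verify without access to the private key (16.5(a)(2)).
func Verify(doc SignedDocument) bool {
	return ed25519.Verify(doc.PublicKey, doc.Data, doc.Signature)
}

// Flip returns a copy of the signed document with one byte of the data
// changed, standing in for any modification made after signing.
func Flip(doc SignedDocument, index int) SignedDocument {
	out := doc
	out.Data = append([]byte(nil), doc.Data...)
	out.Data[index] ^= 0x01
	return out
}

// DemonstrateCriteria runs the checks and reports the outcomes:
//   validOriginal - the untouched document verifies (expected true)
//   validTampered - the same signature over altered data verifies (expected false)
//   validWrongKey - another signer's public key is substituted (expected false)
func DemonstrateCriteria() (validOriginal, validTampered, validWrongKey bool, err error) {
	// Constructed sample document standing in for a filing sent to a public entity.
	document := []byte("Application to hold a public meeting in the town park on 2020-06-01")

	_, signer, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	signed := Sign(signer, document)
	validOriginal = Verify(signed)

	// Change one byte of the data: the signature must no longer verify,
	// which is the "linked to data" requirement of 16.5(a)(4).
	validTampered = Verify(Flip(signed, len(document)-1))

	// Present the same signature with someone else's public key: it must not
	// verify, because the signature is unique to the key pair that produced it
	// (16.5(a)(1)).
	impostor := signed
	impostor.PublicKey = otherPub
	validWrongKey = Verify(impostor)

	return validOriginal, validTampered, validWrongKey, nil
}

func main() {
	original, tampered, wrongKey, err := DemonstrateCriteria()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\n", original)
	fmt.Printf("altered data verifies: %v\n", tampered)
	fmt.Printf("wrong public key verifies: %v\n", wrongKey)
}
```

What the code cannot show is the binding between the public key and a particular person; the mathematics only ties the signature to a key pair. That binding is the role of the certification authorities and the approved-CA list that subsection 22003(a)(6) addresses, and a public entity relying on a signature still has to check that the certificate presenting the key comes from a listed authority.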

Subsection 22003(a)(6) identifies requirements regarding "Certification Authorities" that are parties to most public-key based digital signature transactions. Under this subsection, the Department of Information Technology is charged with maintaining a list of acceptable certification authorities. The subsection also requires public entities that accept digital signatures with certificates to accept only certificates from certification authorities that appear on the approved list maintained by the Department of Information Technology.

Subsections 22003(a)(6)(C) and 22003(a)(6)(D) establish the criteria a certification authority must meet to be placed on the list of approved certification authorities by the Department of Information Technology. In the absence of an internationally-recognized accreditation body (referenced in subsection 22003(a)(6)(D)), subsection 22003(a)(6)(C) requires certification authorities to file an unqualified performance audit with the Department of Information Technology to ensure that the policies and practices of the certification authority are consistent with the requirements of Government Code Section 16.5 and these proposed regulations.

Subsection 22003(b) identifies "Signature Dynamics" as an acceptable technology for use by public entities in California.

Subsection 22003(b)(1) provides a set of definitions relevant to the proposed regulations for this technology.

Subsection 22003(b)(2) re-states the requirement of Government Code Section 16.5(a)(1) and establishes the criteria a signature-dynamics-based digital signature must meet to satisfy the requirement that it is "unique to the person using it".

Subsection 22003(b)(3) re-states the requirement of Government Code Section 16.5(a)(2) and establishes the criteria a signature-dynamics-based digital signature must meet to satisfy the requirement that it is "capable of verification".

Subsection 22003(b)(4) re-states the requirement of Government Code Section 16.5(a)(3) and establishes the criteria a signature-dynamics-based digital signature must meet to satisfy the requirement that it is "under the sole control of the person using it".

Subsection 22003(b)(5) re-states the requirement of Government Code Section 16.5(a)(4) that a signature-dynamics-based digital signature must be "linked to data in such a manner that if the data are changed, the digital signature is invalidated".

Necessity.

The legislature adopted Government Code Section 16.5 and required the promulgation of regulations because it identified a need for digital signatures to be available for the expansion of electronic commerce and communication with public entities.

The list of acceptable technologies and the requirements that define the technologies that appear on the list are necessary to further the intent of the legislature in facilitating the use of electronic communication.

"Public Key Cryptography" is the technology upon which most other states and nations have focused their energy when preparing digital signature legislation and regulations. The technology also meets the criteria established by Government Code Section 16.5. Consequently, the Secretary of State has determined that it is necessary to adopt regulations that authorize its use and define the parameters under which signatures created using this technology are valid.

"Signature Dynamics" is a derivative of digitized signature technology that has been in use in the private sector for some time. With recent enhancements to the technology, it is also capable of meeting the criteria established by Government Code Section 16.5. Consequently, the Secretary of State has determined that it is necessary to adopt regulations that authorize its use and define the parameters under which signatures created using this technology are valid.

Technical, Theoretical, and/or Empirical Study, Report, or Documents.

The Secretary of State relied on experts from both the public and private sector, including a consultant hired to facilitate the drafting of these proposed regulations, and numerous other states' legislation and draft rules and regulations to develop Section 22003.

Section 22003(a)(6)(C) references performance audit standards established by the American Institute of Certified Public Accountants (AICPA) in their Statement on Auditing Standards Number 70. This performance audit standard is used by auditors to report on the processing of transactions by service organizations. The requirement that a Certification Authority undergo a performance audit can be bypassed once the Certification Authority provides proof of accreditation by an internationally recognized accreditation body. Numerous states and state agencies have recently coalesced to develop such an accreditation body.

Alternatives to the Proposed Regulatory Action that would be as Effective and Less Burdensome to Private Persons.

The Secretary of State finds that no alternatives it has considered would be more effective in carrying out the purpose of the proposed regulation or would be as effective and less burdensome to affected private persons than the proposed regulation.

Alternatives to the Proposed Regulatory Action that would Lessen any Adverse Economic Impact on Small Business.

The Secretary of State determines that the proposed regulation does not affect small businesses. The proposed regulation allows public entities to accept signatures with digital certificates that are issued by private vendors who would be subject to filing a performance audit or filing proof of accreditation with the Department of Information Technology. However, the Secretary of State has determined that the companies that would be subject to this proposed regulation do not meet the definition of small business as defined in the California Government Code.


Section 22004 - Provisions for Adding New Technologies to the List of Acceptable Technologies

Public Problem, Administrative Requirement, or Other Condition or Circumstance that the Regulation is Intended to Address.

Government Code Section 16.5 requires that the Secretary of State adopt regulations regarding the use of digital signatures by public entities.

Section 22003 lists the technologies that are acceptable for use by public entities in California. However, as has often been the case in the rapidly changing world of computer software and hardware, newer, better and more innovative technologies seem to emerge all the time. To guard against the static acceptance of what could eventually become obsolete technology, the Secretary of State finds it necessary to include provisions for the addition of new technologies to the List of Acceptable Technologies.

Specific Purpose of the Regulation.

Section 22004 states that individuals or companies who would like to request additions to the list of acceptable technologies may do so by petitioning the Department of Information Technology to review their technology. If the Department of Information Technology concurs with the petitioner that Section 22003 needs to be amended to add a new technology, the Department of Information Technology shall then work with the Secretary of State to amend the list.

Necessity.

The legislature adopted Government Code Section 16.5 and required the promulgation of regulations because it identified a need for digital signatures to be available for the expansion of electronic commerce and communication with public entities.

Section 22004 is necessary to ensure that the technological expertise of the Department of Information Technology is fully utilized in assessing the capability of new technologies to meet the requirements of these proposed regulations and Government Code Section 16.5.

Provisions for approving new technologies are essential to ensure that the state retains the flexibility to accommodate marketplace utilization and development of digital signature technologies.

Technical, Theoretical, and/or Empirical Study, Report, or Documents.

The Secretary of State relied on experts from both the public and private sector, including a consultant hired to facilitate the drafting of these proposed regulations, and numerous other states' legislation and draft rules and regulations to develop the requirement in Section 22004.

Alternatives to the Proposed Regulatory Action that would be as Effective and Less Burdensome to Private Persons.

The Secretary of State finds that no alternatives it has considered would be more effective in carrying out the purpose of the proposed regulation or would be as effective and less burdensome to affected private persons than the proposed regulation.

Alternatives to the Proposed Regulatory Action that would Lessen any Adverse Economic Impact on Small Business.

The Secretary of State determines that the proposed regulation does not affect small businesses.


Section 22005 - Issues to be Addressed by Public Entities when Using Digital Signatures

Public Problem, Administrative Requirement, or Other Condition or Circumstance that the Regulation is Intended to Address.

Government Code Section 16.5 requires that the Secretary of State adopt regulations regarding the use of digital signatures by public entities.

The industry that has developed to fill the market demand for digital signatures is still emerging and consequently, the understanding of the technology and its various applications is limited.

To assist public entities in understanding the varying levels of security offered by the different digital signature technologies and vendors, Section 22005 is proposed to ensure that the security level of the digital signature is sufficient for the transaction the public entity plans to conduct.

Specific Purpose of the Regulation.

This proposed regulation states that prior to accepting a digital signature, the public entity shall determine that the signature is being transmitted securely and that the level of security used to positively identify the signer of the documents is sufficient for the transaction being conducted.

Necessity.

Public entities will undoubtedly be approached by a number of digital signature vendors offering their services and suggesting that their products will meet the guidelines established in Government Code Section 16.5 and in these proposed regulations. However, it is important for public entities to recognize that a technology, although approved for use in many transactions, may not suit the specific needs of every transaction being conducted.

Digital signatures may be affixed to documents that deal with multi-million dollar government contract awards or to applications to hold a public meeting in the town park. Obviously, the level of security needed for each of these transactions is substantially different. While the public entity may be willing to accept a signature dynamics signature, with no prior third party verification, for the public meeting request, it may need additional levels of security, like a digital certificate, to ensure that the signature on the document was in fact affixed by the individual it purports to represent.

Technical, Theoretical, and/or Empirical Study, Report, or Documents.

The Secretary of State relied on experts from both the public and private sector, including a consultant hired to facilitate the drafting of these proposed regulations, and numerous other states' legislation and draft rules and regulations to develop the requirement in Section 22005.

Alternatives to the Proposed Regulatory Action that would be as Effective and Less Burdensome to Private Persons.

The Secretary of State finds that no alternatives it has considered would be more effective in carrying out the purpose of the proposed regulation or would be as effective and less burdensome to affected private persons than the proposed regulation.

Alternatives to the Proposed Regulatory Action that would Lessen any Adverse Economic Impact on Small Business.

The Secretary of State determines that the proposed regulation does not affect small businesses.
