Title 2. Administration
Division 7. Secretary of State
Chapter 10. Digital Signatures
These permanent regulations are temporarily superseded by emergency regulations effective from 4/22/2020 through 10/20/2020, or until that date is extended or the emergency regulations are made permanent by regulatory action. See emergency regulations.
- 22000 Definitions.
- 22001 Digital Signatures Must Be Created By An Acceptable Technology.
- 22002 Criteria For Determining If A Digital Signature Technology Is Acceptable.
- 22003 List of Acceptable Technologies.
- 22004 Provisions For Adding New Technologies to the List of Acceptable Technologies.
- 22005 Issues to Be Addressed By Public Entities When Using Digital Signatures.
- For purposes of this chapter, and unless the context expressly indicates otherwise:
- “Digitally-signed communication” is a message that has been processed by a computer in such a manner that ties the message to the individual that signed the message.
- “Message” means a digital representation of information intended to serve as a written communication with a public entity.
- “Person” means a human being or any organization capable of signing a document, either legally or as a matter of fact.
- “Public entity” means the public entity as defined by California Government Code Section 811.2.
- “Signer” means the person who signs a digitally signed communication with the use of an acceptable technology to uniquely link the message with the person sending it.
- “Technology” means the computer hardware and/or software-based method or process used to create digital signatures.
22001. Digital Signatures Must Be Created by an Acceptable Technology.
- For a digital signature to be valid for use by a public entity, it must be created by a technology that is acceptable for use by the State of California.
22002. Criteria for State to Determine if a Digital Signature Technology Is Acceptable for Use by Public Entities.
- An acceptable technology must be capable of creating signatures that conform to requirements set forth in California Government Code Section 16.5, specifically,
- It is unique to the person using it;
- It is capable of verification;
- It is under the sole control of the person using it;
- It is linked to data in such a manner that if the data are changed, the digital signature is invalidated;
- It conforms to Title 2, Division 7, Chapter 10 of the California Code of Regulations.
22003. List of Acceptable Technologies.
- The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the provisions in Section 22003(a)1-5.
- Definitions - For purposes of Section 22003(a), and unless the context expressly indicates otherwise:
- “Acceptable Certification Authorities” means a certification authority that meets the requirements of either Section 22003(a)6(C) or Section 22003(a)6(D).
- “Approved List of Certification Authorities” means the list of Certification Authorities approved by the Secretary of State to issue certification for digital signature transactions involving public entities in California.
- “Asymmetric cryptosystem” means a computer algorithm or series of algorithms which utilize two different keys with the following characteristics:
- one key signs a given message;
- one key verifies a given message; and,
- the keys have the property that, knowing one key, it is computationally infeasible to discover the other key.
- “Certificate” means a computer-based record which:
- identifies the certification authority issuing it;
- names or identifies its subscriber;
- contains the subscriber's public key; and
- is digitally signed by the certification authority issuing or amending it, and
- conforms to widely-used industry standards, including, but not limited to ISO x.509 and PGP certificate standards.
- “Certification Authority” means a person or entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.
- “Key pair” means a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates.
- “Practice statement” means documentation of the practices, procedures and controls employed by a Certification Authority.
- “Private key” means the key of a key pair used to create a digital signature.
- “Proof of Identification” means the document or documents presented to a Certification Authority to establish the identity of a subscriber.
- “Public key” means the key of a key pair used to verify a digital signature.
- “Subscriber” means a person who:
- is the subject listed in a certificate;
- accepts the certificate; and
- holds a private key which corresponds to a public key listed in tha t certificate.
- California Government Code § 16.5 requires that a digital signature be ‘unique to the person using it’. A public key-based digital signature may be considered unique to the person using it, if:
- The private key used to create the signature on the document is known only to the signer, and
- the digital signature is created when a person runs a message through a one-way function, creating a message digest, then encrypting the resulting message digest using an asymmetrical cryptosystem and the signer's private key, and,
- although not all digitally signed communications will require the signer to obtain a certificate, the signer is capable of being issued a certificate to certify that he or she controls the key pair used to create the signature, and
- it is computationally infeasible to derive the private key from knowledge of the public key.
- California Government Code § 16.5 requires that a digital signature be ‘capable of verification’. A public-key based digital signature is capable of verification if:
- the acceptor of the digitally signed document can verify the document was digitally signed by using the signer's public key to decrypt the message; and
- if a certificate is a required component of a transaction with a public agency, the issuing Certification Authority, either through a certification practice statement or through the content of the certificate itself, must identify which, if any, form(s) of identification it required of the signer prior to issuing the certificate.
- California Government Code § 16.5 requires that the digital signature remain ‘under the sole control of the person using it’. Whether a signature is accompanied by a certificate or not, the person who holds the key pair, or the subscriber identified in the certificate, assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature pursuant to Evidence Code Section 669.
- The digital signature must be linked to the message of the document in such a way that if the data are changed, the digital signature is invalidated.
- Acceptable Certification Authorities
- The California Secretary of State shall maintain an “Approved List of Certificate Authorities” authorized to issue certificates for digitally signed communication with public entities in California.
- Public entities shall only accept certificates from Certification Authorities that appear on the “Approved List of Certification Authorities” authorized to issue certificates by the California Secretary of State.
- The Secretary of State shall place Certification Authorities on the “Approved List of Certification Authorities” after the Certification Authority provides the Secretary of State with a copy of an unqualified performance audit performed in accordance with standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (S.A.S. 70) “Reports on the Processing of Service Transactions by Service Organizations” (1992) to ensure that the Certification Authorities' practices and policies are consistent with the Certifications Authority's stated control objectives. The AICPA Statement on Auditing Standards No. 70 (1992) is hereby incorporated by reference.
- Certification Authorities that have been in operation for one year or less shall undergo a SAS 70 Type One audit - A Report of Policies and Procedures Placed in Operation, receiving an unqualified opinion.
- Certification Authorities that have been in operation for longer than one year shall undergo a SAS 70 Type Two audit - A Report Of Policies And Procedures Placed In Operation And Test Of Operating Effectiveness, receiving an unqualified opinion.
- To remain on the “Approved List of Certification Authorities” a Certification Authority must provide proof of compliance with Section 20003(a)(6)(C)(ii) to the Secretary of State every two years after initially being placed on the list.
- In lieu of completing the auditing requirement in Section 22003(a)(6)(C), Certification Authorities may be placed on the “Approved List of Certification Authorities” upon providing the Secretary of State with proof of accreditation that has been conferred by a national or international accreditation body that the Secretary of State has determined utilizes accreditation criteria that are consistent with the requirements of Section 22003(a)(1)-(5).
- Certification Authorities shall be removed from the “Approved List of Acceptable Certifications Authorities” unless they provide current proof of accreditation to the Secretary of State at least once per year.
- If the Secretary of State is informed that a Certification Authority has had its accreditation revoked, the Certification Authority shall be removed from the “Approved List of Certification Authorities” immediately.
- The technology known as “Signature Dynamics” is an acceptable technology for use by public entities in California, provided that the signature is created consistent with the provisions in Section 22003(b)(1)-(5).
- Definitions - For the purposes of Section 22003(b), and unless the context expressly indicates otherwise:
- “Handwriting Measurements” means the metrics of the shapes, speeds and/or other distinguishing features of a signature as the person writes it by hand with a pen or stylus on a flat surface.
- “Signature Digest” is the resulting bit-string produced when a signature is tied to a document using Signature Dynamics.
- “Expert” means a person with demonstrable skill and knowledge based on training and experience who would qualify as an expert pursuant to California Evidence Code s720.
- “Signature Dynamics” means measuring the way a person writes his or her signature by hand on a flat surface and binding the measurements to a message through the use of cryptographic techniques.
- California Government Code § 16.5 requires that a digital signatures be ‘unique to the person using it.’ A signature digest produced by Signature Dynamics technology may be considered unique to the person using it, if:
- the signature digest records the handwriting measurements of the person signing the document using signature dynamics technology, and
- the signature digest is cryptographically bound to the handwriting measurements, and
- after the signature digest has been bound to the handwriting measurements, it is computationally infeasible to separate the handwriting measurements and bind them to a different signature digest.
- California Government Code § 16.5 requires that a digital signature be capable of verification. A signature digest produced by signature dynamics technology is capable of verification if:
- the acceptor of the digitally signed message obtains the handwriting measurements for purposes of comparison, and
- if signature verification is a required component of a transaction with a public entity, the handwriting measurements can allow an expert handwriting and document examiner to assess the authenticity of a signature.
- California Government Code § 16.5 requires that a digital signature remain ‘under the sole control of the person using it’. A signature digest is under the sole control of the person using it if:
- the signature digest captures the handwriting measurements and cryptographically binds them to the message directed by the signer and to no other message, and
- the signature digest makes it computationally infeasible for the handwriting measurements to be bound to any other message.
- The signature digest produced by signature dynamics technology must be linked to the message in such a way that if the data in the message are changed, the signature digest is invalidated.
22004. Provisions for Adding New Technologies to the List of Acceptable Technologies.
- Any individual or company can, by providing a written request that includes a full explanation of a proposed technology which meets the requirements of Section 22002, petition the California Secretary of State to review the technology. If the Secretary of State determines that the technology is acceptable for use with the state, the Secretary of State shall adopt regulation(s), pursuant to the Administrative Procedure Act, which would add the proposed technology to the list of acceptable technologies in Section 22003.
- The Secretary of State has 180 calendar days from the date the request is received to review the petition and inform the petitioner, in writing, whether the technology is accepted or rejected. If the petition is rejected, the Secretary of State shall provide the petitioner with the reasons for the rejection.
- If the proposed technology is rejected, the petitioner can appeal the decision through the Administrative Procedures Act (Government Code Section 11500 et seq).
22005. Criteria for Public Entities To Use in Accepting Digital Signatures.
- Prior to accepting a digital signature, public entities shall ensure that the level of security used to identify the signer of a document is sufficient for the transaction being conducted.
- Prior to accepting a digital signature, public entities shall ensure that the level of security used to transmit the signature is sufficient for the transaction being conducted.
- If a certificate is a required component of a digital signature transaction, public entities shall ensure that the certificate format used by the signer is sufficient for the security and interoperability needs of the public entity.