Title 2. Administration
Division 7. Secretary of State
Chapter 10. Digital Signatures
These emergency regulations are effective from 4/22/2020 through 10/20/2020, or until that date is extended or the regulations are made permanent by regulatory action.
- 22000 Definitions.
- 22001 Digital Signatures Must Be Created By An Acceptable Technology.
- 22002 Criteria For Determining If A Digital Signature Technology Is Acceptable for Use by Public Entities.
- 22003 Acceptable Technologies.
- 22004 Repealed
- 22005 Criteria for Public Entities to Use in Accepting Digital Signatures.
22000. Definitions.
- For purposes of this chapter, and unless the context expressly indicates otherwise
- “Digitally signed communication” is a message that has been processed by an acceptable technology, pursuant to section 23003, in such a manner that ties the message to the signer.
- “Message” means a digital representation of information intended to serve as a written communication provided to a public entity by a public entity or a private entity.
- “Person” means a human being or any organization capable of signing a document, either legally or as a matter of fact.
- “Public entity” means the public entity as defined by California Government Code Section 811.2.
- “Signer” means the person who signs a digitally signed communication with the use of an acceptable technology to uniquely link the message with the person sending it.
- “Technology” means the computer hardware and/or software-based method or process used to create digital signatures.
Note: Authority cited: Section 16.5, Government Code. Reference: Section 16.5, Government Code.
22001. Digital Signatures Must Be Created by an Acceptable Technology.
- For a digital signature to be valid for use by a public entity, it must be created by a technology that is acceptable for use by the State of California.
Note: Authority cited: Section 16.5, Government Code. Reference: Section 16.5, Government Code.
22002. Criteria for State to Determine if a Digital Signature Technology Is Acceptable for Use by Public Entities.
- An acceptable technology must be capable of creating signatures that conform to requirements set forth in California Government Code Section 16.5, specifically:
- It is unique to the person using it;
- It is capable of verification;
- It is under the sole control of the person using it;
- It is linked to data in such a manner that if the data are changed, the digital signature is invalidated; and
- It conforms to Title 2, Division 7, Chapter 10 of the California Code of Regulations.
Note: Authority cited: Section 16.5, Government Code. Reference: Section 16.5, Government Code.
22003. Acceptable Technologies.
- The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the following provisions:
- Definitions. For purposes of section 22003(a), and unless the context expressly indicates otherwise:
- “Asymmetric cryptosystem” means a computer algorithm or series of algorithms which utilize two different keys with the following characteristics:
- One key signs a given message;
- One key verifies a given message; and
- The keys have the property that, knowing one key, it is computationally infeasible to discover the other key.
- “Certificate” means a computer-based record which:
- Identifies the certification authority issuing it;
- Names or identifies its subscriber;
- Contains the subscriber's public key;
- Is digitally signed by the certification authority issuing or amending it; and
- Conforms to widely-used industry standards, including, but not limited to, ISO x.509 and PGP certificate standards.
- “Certification Authority” means a person or entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.
- “Key pair” means a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates.
- “Practice statement” means documentation of the practices, procedures and controls employed by a Certification Authority.
- “Private key” means the key of a key pair used to create a digital signature.
- “Proof of Identification” means the document or documents presented to a Certification Authority to establish the identity of a subscriber.
- “Public key” means the key of a key pair used to verify a digital signature.
- “Subscriber” means a person who:
- Is the subject listed in a certificate;
- Accepts the certificate; and
- Holds a private key which corresponds to a public key listed in that certificate.
- “Asymmetric cryptosystem” means a computer algorithm or series of algorithms which utilize two different keys with the following characteristics:
- California Government Code Section 16.5 requires that a digital signature be ‘unique to the person using it’. A public key-based digital signature may be considered unique to the person using it if:
- The private key used to create the signature on the document is known only to the signer;
- The digital signature is created when a person runs a message through a one-way function, creating a message digest, then encrypting the resulting message digest using an asymmetrical cryptosystem and the signer's private key;
- Although not all digitally signed communications will require the signer to obtain a certificate, the signer is capable of being issued a certificate to certify that he or she controls the key pair used to create the signature; and
- It is computationally infeasible to derive the private key from knowledge of the public key.
- California Government Code Section 16.5 requires that a digital signature be ‘capable of verification.’ A public key-based digital signature is capable of verification if:
- The acceptor of the digitally signed document can verify the document was digitally signed by using the signer's public key to decrypt the message; and
- If a certificate is a required component of a transaction with a public agency, the issuing Certification Authority, either through a certification practice statement or through the content of the certificate itself, must identify which, if any, form(s) of identification it required of the signer prior to issuing the certificate.
- California Government Code Section 16.5 requires that the digital signature remain ‘under the sole control of the person using it.’ Whether a signature is accompanied by a certificate or not, the person who holds the key pair, or the subscriber identified in the certificate, assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature pursuant to California Evidence Code Section 669.
- The digital signature must be linked to the message of the document in such a way that if the data are changed, the digital signature is invalidated.
- If the signature is accompanied by a certificate, the certificate is from a Certification Authority that, at the time of signing, is included in at least one of the following third-party certificate program lists:
- Apple Root Certificate Program
- Microsoft Trusted Root Program
- Mozilla Root Program
- Definitions. For purposes of section 22003(a), and unless the context expressly indicates otherwise:
- The technology known as “Signature Dynamics” is an acceptable technology for use by public entities in California, provided that the signature is created consistent with the following provisions:
-
- Definitions. For the purposes of Section 22003(b), and unless the context expressly indicates otherwise:
- “Handwriting Measurements” means the metrics of the shapes, speeds and/or other distinguishing features of a signature as the person writes it by hand with a pen or stylus on a flat surface
- “Signature Digest” is the resulting bit-string produced when a signature is tied to a document using Signature Dynamics.
- “Expert” means a person with demonstrable skill and knowledge based on training and experience who would qualify as an expert pursuant to California Evidence Code Section 720.
- “Signature Dynamics” means measuring the way a person writes his or her signature by hand on a flat surface and binding the measurements to a message through the use of cryptographic techniques.
- California Government Code Section 16.5 requires that a digital signatures be ‘unique to the person using it.’ A signature digest produced by Signature Dynamics technology may be considered unique to the person using it if:
- The signature digest records the handwriting measurements of the person signing the document using signature dynamics technology;
- The signature digest is cryptographically bound to the handwriting measurements; and
- After the signature digest has been bound to the handwriting measurements, it is computationally infeasible to separate the handwriting measurements and bind them to a different signature digest.
- California Government Code Section 16.5 requires that a digital signature be ‘capable of verification.’ A signature digest produced by signature dynamics technology is capable of verification if:
- The acceptor of the digitally signed message obtains the handwriting measurements for purposes of comparison; and
- If signature verification is a required component of a transaction with a public entity, the handwriting measurements can allow an expert handwriting and document examiner to assess the authenticity of a signature.
- California Government Code Section 16.5 requires that a digital signature remain ‘under the sole control of the person using it.’ A signature digest is under the sole control of the person using it if:
- The signature digest captures the handwriting measurements and cryptographically binds them to the message directed by the signer and to no other message; and
- The signature digest makes it computationally infeasible for the handwriting measurements to be bound to any other message.
- The signature digest produced by signature dynamics technology must be linked to the message in such a way that if the data in the message are changed, the signature digest is invalidated.
- Definitions. For the purposes of Section 22003(b), and unless the context expressly indicates otherwise:
Note: Authority cited: Section 16.5, Government Code. Reference: Section 16.5, Government Code.
22004. REPEALED.
22005. Criteria for Public Entities To Use in Accepting Digital Signatures.
- Prior to accepting a digital signature, public entities shall ensure that the level of security used to identify the signer of a document is sufficient for the transaction being conducted.
- Prior to accepting a digital signature, public entities shall ensure that the level of security used to transmit the signature is sufficient for the transaction being conducted.
- If a certificate is a required component of a digital signature transaction, public entities shall ensure that the certificate format used by the signer is sufficient for the security and interoperability needs of the public entity.
- Prior to accepting a digital signature, public entities shall ensure that it is created by an acceptable technology pursuant to section 22003.