1 ---
2 lang: en
3 title: 'Digital Signatures | California Secretary of State'
4 viewport: 'width=device-width'
5 ---
6
7 Digital Signatures
8 ==================
9
10 Title 2. Administration
11 -----------------------
12
13 ### Division 7. Secretary of State Chapter 10. Digital Signatures
14
15 These permanent regulations are temporarily
16 superseded by emergency regulations effective from
17 4/22/2020 through 10/20/2020, or until that date is
18 extended or the emergency regulations are made
19 permanent by regulatory action. See
20 [emergency regulations]
21 (https://www.sos.ca.gov/administration/regulations/current-regulations/technology/emergency-digital-signatures/).
22
23 + [22000](#22000) Definitions.
24 + [22001](#22001) Digital Signatures Must Be Created By An Acceptable
25 Technology.
26 + [22002](#22002) Criteria For Determining If A Digital Signature
27 Technology Is Acceptable.
28 + [22003](#20203) List of Acceptable Technologies.
29 + [22004](#22004) Provisions For Adding New Technologies to the List
30 of Acceptable Technologies.
31 + [22005](#22005) Issues to Be Addressed By Public Entities When Using
32 Digital Signatures.
33
34 ------------------------------------------------------------------------
35
36 22000. Definitions. {#22000}
37 -------------------
38
39 1. For purposes of this chapter, and unless the context expressly
40 indicates otherwise:
41
42 1. "Digitally-signed communication" is a message that has been
43 processed by a computer in such a manner that ties the message
44 to the individual that signed the message.
45
46 2. "Message" means a digital representation of information intended
47 to serve as a written communication with a public entity.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
48
49 3. "Person" means a human being or any organization capable of
50 signing a document, either legally or as a matter of fact.
51
52 4. "Public entity" means the public entity as defined by California
53 Government Code Section 811.2.
54 0 [2 lines]--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
56 communication with the use of an acceptable technology to
57 uniquely link the message with the person sending it.
58
59 6. "Technology" means the computer hardware and/or software-based
60 method or process used to create digital signatures.
61
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
62
63 22001. Digital Signatures Must Be Created by an Acceptable Technology. {#22001}
64 ----------------------------------------------------------------------
65
66 1. For a digital signature to be valid for use by a public entity, it
67 must be created by a technology that is acceptable for use by the
68 State of California.
69
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
70
71 22002. Criteria for State to Determine if a Digital Signature Technology Is Acceptable for Use by Public Entities. {#22002}
72 ------------------------------------------------------------------------------------------------------------------
73
74 An acceptable technology must be capable of creating signatures that
75 conform to requirements set forth in California Government Code Section
76 16.5, specifically:
77
78 1. It is unique to the person using it;
79 2. It is capable of verification;
80 3. It is under the sole control of the person using it;
81 4. It is linked to data in such a manner that if the data are changed,
82 the digital signature is invalidated;
83 5. It conforms to Title 2, Division 7, Chapter 10 of the California
84 Code of Regulations.
85
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
86
87 22003. List of Acceptable Technologies. {#20203}
88 -------------------------------
89
90 1. The technology known as Public Key Cryptography is an acceptable
91 technology for use by public entities in California, provided that
92 the digital signature is created consistent with the provisions in
93 Section 22003(a)1-5.
94
95 1. Definitions - For purposes of Section 22003(a), and unless the
96 context expressly indicates otherwise:
97
98 1. "Acceptable Certification Authorities" means a certification
99 authority that meets the requirements of either Section
100 22003(a)6(C) or Section 22003(a)6(D).
101
102
103 2. "Approved List of Certification Authorities" means the list
104 of Certification Authorities approved by the Secretary of
105 State to issue certification for digital signature
106 transactions involving public entities in California.
107
108 3. "Asymmetric cryptosystem" means a computer algorithm or
109 series of algorithms which utilize two different keys with
110 the following characteristics:
111 1. One key signs a given message;
112 2. One key verifies a given message; and
113 3. The keys have the property that, knowing one key, it is
114 computationally infeasible to discover the other key.
115
116 4. "Certificate" means a computer-based record which:
117 1. Identifies the certification authority issuing it;
118 2. Names or identifies its subscriber;
119 3. Contains the subscriber's public key; and
120 4. Is digitally signed by the certification authority issuing or
121 amending it, and
122 5. Conforms to widely-used industry standards, including,
123 but not limited to ISO x.509 and PGP certificate
124 standards.
125
126 5. "Certification Authority" means a person or entity that issues a
127 certificate, or in the case of certain certification processes,
128 certifies amendments to an existing certificate.
129
130 6. "Key pair" means a private key and its corresponding public key in
131 an asymmetric cryptosystem. The keys have the property that the
132 public key can verify a digital signature that the private key
133 creates.
134
135 7. "Practice statement" means documentation of the practices,
136 procedures and controls employed by a Certification Authority.
137
138 8. "Private key" means the key of a key pair used to create a digital
139 signature.
140
141 9. "Proof of Identification" means the document or documents presented
142 to a Certification Authority to establish the identity of a
143 subscriber.
144
145 10. "Public key" means the key of a key pair used to verify a digital
146 signature.
147
148 11. "Subscriber" means a person who:
149 1. Is the subject listed in a certificate;
150 2. Accepts the certificate; and
151 3. Holds a private key which corresponds to a public key listed in
152 that certificate.
153
154 2. California Government Code § 16.5 requires that a digital
155 signature be 'unique to the person using it'. A public key-based digital
156 signature may be considered unique to the person using it, if:
157
158 1. The private key used to create the signature on the document is
159 known only to the signer, and
160
161 2. The digital signature is created when a person runs a message
162 through a one-way function, creating a message digest, then
163 encrypting the resulting message digest using an asymmetrical
164 cryptosystem and the signer\'s private key, and,
165
166 3. Although not all digitally signed communications will require the
167 signer to obtain a certificate, the signer is capable of being
168 issued a certificate to certify that he or she controls the key pair
169 used to create the signature, and
170
171 4. It is computationally infeasible to derive the private key from
172 knowledge of the public key.
173
174 3. California Government Code § 16.5 requires that a digital
175 signature be 'capable of verification'. A public-key based digital
176 signature is capable of verification if:
177
178 1. The acceptor of the digitally signed document can verify the
179 document was digitally signed by using the signer's public
180 key to decrypt the message; and
181 0 [2 lines]--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
183 public agency, the issuing Certification Authority, either through a
184 certification practice statement or through the content of the
185 certificate itself, must identify which, if any, form(s) of
186 identification it required of the signer prior to issuing the
187 certificate.
188
189 4. California Government Code § 16.5 requires that the digital
190 signature remain 'under the sole control of the person using it'.
191 Whether a signature is accompanied by a certificate or not, the person
192 who holds the key pair, or the subscriber identified in the certificate,
193 assumes a duty to exercise reasonable care to retain control of the
194 private key and prevent its disclosure to any person not authorized to
195 create the subscriber's digital signature pursuant to
196 Evidence Code Section 669.
197
198 5. The digital signature must be linked to the message of the document in
199 such a way that if the data are changed, the digital signature is
200 invalidated.
201
202 6. Acceptable Certification Authorities
203 1. The California Secretary of State shall maintain an
204 "Approved List of Certificate Authorities" authorized to
205 issue certificates for digitally signed communication with
206 public entities in California.
207 2. Public entities shall only accept certificates from
208 Certification Authorities that appear on the "Approved List
209 of Certification Authorities" authorized to issue
210 certificates by the California Secretary of State.
211 3. The Secretary of State shall place Certification Authorities
212 on the "Approved List of Certification Authorities" after
213 the Certification Authority provides the Secretary of State
214 with a copy of an unqualified performance audit performed in
215 accordance with standards set in the American Institute of
216 Certified Public Accountants (AICPA) Statement on Auditing
217 Standards No. 70 (S.A.S. 70) "Reports on the Processing of
218 Service Transactions by Service Organizations" (1992) to
219 ensure that the Certification Authorities\' practices and
220 policies are consistent with the Certifications Authority\'s
221 stated control objectives. The AICPA Statement on Auditing
222 Standards No. 70 (1992) is hereby incorporated by reference.
223 1. Certification Authorities that have been in operation
224 for one year or less shall undergo a SAS 70 Type One
225 audit - A Report of Policies and Procedures Placed in
226 Operation, receiving an unqualified opinion.
227 2. Certification Authorities that have been in operation
228 for longer than one year shall undergo a SAS 70 Type Two
229 audit - A Report Of Policies And Procedures Placed In
230 Operation And Test Of Operating Effectiveness, receiving
231 an unqualified opinion.
232 3. To remain on the "Approved List of Certification
233 Authorities" a Certification Authority must provide
234 proof of compliance with Section 20003(a)(6)(C)(ii) to
235 the Secretary of State every two years after initially
236 being placed on the list.
237 4. In lieu of completing the auditing requirement in Section
238 22003(a)(6)(C), Certification Authorities may be placed on
239 the "Approved List of Certification Authorities" upon
240 providing the Secretary of State with proof of accreditation
241 that has been conferred by a national or international
242 accreditation body that the Secretary of State has
243 determined utilizes accreditation criteria that are
244 consistent with the requirements of Section 22003(a)(1)-(5).
245 1. Certification Authorities shall be removed from the
246 "Approved List of Acceptable Certifications Authorities"
247 unless they provide current proof of accreditation to
248 the Secretary of State at least once per year.
249 2. If the Secretary of State is informed that a
250 Certification Authority has had its accreditation
251 revoked, the Certification Authority shall be removed
252 from the "Approved List of Certification Authorities"
253 immediately.
254
255 2. The technology known as "Signature Dynamics" is an acceptable technology
256 for use by public entities in California, provided that the signature is
257 created consistent with the provisions in Section
258
259 22003(b)(1)-(5).
260 1. Definitions. For the purposes of Section 22003(b), and unless the
261 context expressly indicates otherwise:
262
263 1. "Handwriting Measurements" means the metrics of the shapes, speeds
264 and/or other distinguishing features of a signature as the person
265 writes it by hand with a pen or stylus on a flat surface.
266
267 2. "Signature Digest" is the resulting bit-string produced when a
268 signature is tied to a document using Signature Dynamics.
269
270 3. "Expert" means a person with demonstrable skill and knowledge based
271 on training and experience who would qualify as an expert pursuant
272 to California Evidence Code s720.
273
274 4. "Signature Dynamics" means measuring the way a person writes his or
275 her signature by hand on a flat surface and binding the measurements
276 to a message through the use of cryptographic techniques.
277
278 2. California Government Code § 16.5 requires that a digital
279 signatures be 'unique to the person using it.' A signature digest
280 produced by Signature Dynamics technology may be considered unique to
281 the person using it, if:
282
283 1. The signature digest records the handwriting measurements of the
284 person signing the document using signature dynamics technology, and
285
286 2. The signature digest is cryptographically bound to the handwriting
287 measurements, and
288
289 3. After the signature digest has been bound to the handwriting
290 measurements, it is computationally infeasible to separate the
291 handwriting measurements and bind them to a different signature
292 digest.
293
294 3. California Government Code § 16.5 requires that a digital
295 signature be capable of verification. A signature digest produced by
296 signature dynamics technology is capable of verification if:
297
298 1. The acceptor of the digitally signed message obtains the handwriting
299 measurements for purposes of comparison, and
300
301 2. If signature verification is a required component of a transaction
302 with a public entity, the handwriting measurements can allow an
303 expert handwriting and document examiner to assess the authenticity
304 of a signature.
305
306 4. California Government Code § 16.5 requires that a digital
307 signature remain 'under the sole control of the person using it'. A
308 signature digest is under the sole control of the person using it if:
309
310 1. The signature digest captures the handwriting measurements and
311 cryptographically binds them to the message directed by the signer
312 and to no other message, and
313
314 2. The signature digest makes it computationally infeasible for the
315 handwriting measurements to be bound to any other message.
316
317 5. The signature digest produced by signature dynamics technology must be
318 linked to the message in such a way that if the data in the message are
319 changed, the signature digest is invalidated.
320
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
321
322 22004. Provisions for Adding New Technologies to the List of Acceptable Technologies. {#22004}
323 ---------------------------------------------------------------------------------------
324
325 1. Any individual or company can, by providing a written request that
326 includes a full explanation of a proposed technology which meets the
327 requirements of Section 22002, petition the California Secretary of
328 State to review the technology. If the Secretary of State determines
329 that the technology is acceptable for use with the state, the
330 Secretary of State shall adopt regulation(s), pursuant to the
331 Administrative Procedure Act, which would add the proposed
332 technology to the list of acceptable technologies in Section 22003.
333 2. The Secretary of State has 180 calendar days from the date the
334 request is received to review the petition and inform the
335 petitioner, in writing, whether the technology is accepted or
336 rejected. If the petition is rejected, the Secretary of State shall
337 provide the petitioner with the reasons for the rejection.
338 1. If the proposed technology is rejected, the petitioner can
339 appeal the decision through the Administrative Procedures Act
340 (Government Code Section 11500 et seq).
341
342 22005. Criteria for Public Entities To Use in Accepting Digital Signatures. {#22005}
343 ---------------------------------------------------------------------------
344
345 1. Prior to accepting a digital signature, public entities shall ensure
346 that the level of security used to identify the signer of a document
347 is sufficient for the transaction being conducted.
348
349 2. Prior to accepting a digital signature, public entities shall ensure
350 that the level of security used to transmit the signature is
351 sufficient for the transaction being conducted.
352
353 3. If a certificate is a required component of a digital signature
354 transaction, public entities shall ensure that the certificate
355 format used by the signer is sufficient for the security and
356 interoperability needs of the public entity.
|
1 ---
2 lang: en
3 title: 'Digital Signatures (Emergency Regulations) | California Secretary of State'
4 viewport: 'width=device-width'
5 ---
6
7 Digital Signatures (Emergency Regulations)
8 ==========================================
9
10 Title 2. Administration
11 -----------------------
12
13 ### Division 7. Secretary of State Chapter 10. Digital Signatures
14
15 These emergency regulations are effective from
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
16 4/22/2020 through 10/20/2020, or until that date is
17 extended or the regulations are made permanent by
18 regulatory action.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
19
20 + [22000](#22000) Definitions.
21 + [22001](#22001) Digital Signatures Must Be Created By An Acceptable
22 Technology.
23 + [22002](#22002) Criteria For Determining If A Digital Signature
24 + Technology Is Acceptable for Use by Public Entities.
25 + [22003](#20203) Acceptable Technologies.
26 + [22004](#22004) Repealed
27
28 + [22005](#22005) Criteria for Public Entities to Use in Accepting
29 Digital Signatures.
30
31 ------------------------------------------------------------------------
32
33 22000. Definitions. {#22000}
34 -------------------
35
36 1. For purposes of this chapter, and unless the context expressly
37 indicates otherwise:
38
39 1. "Digitally-signed communication" is a message that has been
40 processed by an acceptable technology, pursuant to section
41 23003, in such a manner that ties the message to the signer.
42
43 2. "Message" means a digital representation of information intended
44 to serve as a written communication provided to a public entity
45 by a public entity or a private entity.
46
47 3. "Person" means a human being or any organization capable of
48 signing a document, either legally or as a matter of fact.
49
50 4. "Public entity" means the public entity as defined by California
51 Government Code Section 811.2.
52 0 [2 lines]--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
54 communication with the use of an acceptable technology to
55 uniquely link the message with the person sending it.
56
57 6. "Technology" means the computer hardware and/or software-based
58 method or process used to create digital signatures.
59
60 *Note: Authority cited: Section 16.5, Government Code. Reference:
61 Section 16.5, Government Code.*
62
63 22001. Digital Signatures Must Be Created by an Acceptable Technology. {#22001}
64 ----------------------------------------------------------------------
65
66 1. For a digital signature to be valid for use by a public entity, it
67 must be created by a technology that is acceptable for use by the
68 State of California.
69
70 *Note: Authority cited: Section 16.5, Government Code. Reference:
71 Section 16.5, Government Code.*
72
73 22002. Criteria for State to Determine if a Digital Signature Technology Is Acceptable for Use by Public Entities. {#22002}
74 ------------------------------------------------------------------------------------------------------------------
75
76 An acceptable technology must be capable of creating signatures that
77 conform to requirements set forth in California Government Code Section
78 16.5, specifically:
79
80 1. It is unique to the person using it;
81 2. It is capable of verification;
82 3. It is under the sole control of the person using it;
83 4. It is linked to data in such a manner that if the data are changed,
84 the digital signature is invalidated; and
85 5. It conforms to Title 2, Division 7, Chapter 10 of the California
86 Code of Regulations.
87
88 *Note: Authority cited: Section 16.5, Government Code. Reference:
89 Section 16.5, Government Code.*
90
91 22003. Acceptable Technologies. {#20203}
92 -------------------------------
93
94 1. The technology known as Public Key Cryptography is an acceptable
95 technology for use by public entities in California, provided that
96 the digital signature is created consistent with the following provisions:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
97
98 1. Definitions. For purposes of section 22003(a), and unless the context
99 expressly indicates otherwise:
100
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
101
102
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
103
104 1. "Asymmetric cryptosystem" means a computer algorithm or
105 series of algorithms which utilize two different keys with
106 the following characteristics:
107 1. One key signs a given message;
108 2. One key verifies a given message; and
109 3. The keys have the property that, knowing one key, it is
110 computationally infeasible to discover the other key.
111
112 2. "Certificate" means a computer-based record which:
113 1. Identifies the certification authority issuing it;
114 2. Names or identifies its subscriber;
115 3. Contains the subscriber's public key;
116 4. Is digitally signed by the certification authority issuing or
117 amending it; and
118 5. Conforms to widely-used industry standards, including,
119 but not limited to, ISO x.509 and PGP certificate
120 standards.
121
122 3. "Certification Authority" means a person or entity that issues a
123 certificate, or in the case of certain certification processes,
124 certifies amendments to an existing certificate.
125
126 4. "Key pair" means a private key and its corresponding public key in
127 an asymmetric cryptosystem. The keys have the property that the
128 public key can verify a digital signature that the private key
129 creates.
130
131 5. "Practice statement" means documentation of the practices,
132 procedures and controls employed by a Certification Authority.
133
134 6. "Private key" means the key of a key pair used to create a digital
135 signature.
136
137 7. "Proof of Identification" means the document or documents presented
138 to a Certification Authority to establish the identity of a
139 subscriber.
140
141 8. "Public key" means the key of a key pair used to verify a digital
142 signature.
143
144 9. "Subscriber" means a person who:
145 1. Is the subject listed in a certificate;
146 2. Accepts the certificate; and
147 3. Holds a private key which corresponds to a public key listed in
148 that certificate.
149
150 2. California Government Code Section 16.5 requires that a digital
151 signature be 'unique to the person using it'. A public key-based digital
152 signature may be considered unique to the person using it if:
153
154 1. The private key used to create the signature on the document is
155 known only to the signer;
156
157 2. The digital signature is created when a person runs a message
158 through a one-way function, creating a message digest, then
159 encrypting the resulting message digest using an asymmetrical
160 cryptosystem and the signer\'s private key;
161
162 3. Although not all digitally signed communications will require the
163 signer to obtain a certificate, the signer is capable of being
164 issued a certificate to certify that he or she controls the key pair
165 used to create the signature; and
166
167 4. It is computationally infeasible to derive the private key from
168 knowledge of the public key.
169
170 3. California Government Code Section 16.5 requires that a digital
171 signature be 'capable of verification'. A public-key based digital
172 signature is capable of verification if:
173
174 1. The acceptor of the digitally signed document can verify the
175 document was digitally signed by using the signer's public
176 key to decrypt the message; and
177 0 [2 lines]--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
179 public agency, the issuing Certification Authority, either through a
180 certification practice statement or through the content of the
181 certificate itself, must identify which, if any, form(s) of
182 identification it required of the signer prior to issuing the
183 certificate.
184
185 4. California Government Code Section 16.5 requires that the digital
186 signature remain 'under the sole control of the person using it'.
187 Whether a signature is accompanied by a certificate or not, the person
188 who holds the key pair, or the subscriber identified in the certificate,
189 assumes a duty to exercise reasonable care to retain control of the
190 private key and prevent its disclosure to any person not authorized to
191 create the subscriber's digital signature pursuant to California
192 Evidence Code Section 669.
193
194 5. The digital signature must be linked to the message of the document in
195 such a way that if the data are changed, the digital signature is
196 invalidated.
197
198 6. If the signature is accompanied by a certificate, the certificate is
199 from a Certification Authority that, at the time of signing, is included
200 in at least one of the following third-party certificate program lists:
201
202 1. Apple Root Certificate Program
203 2. Microsoft Trusted Root Program
204 3. Mozilla Root Program
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
205
206 2. The technology known as "Signature Dynamics" is an acceptable technology
207 for use by public entities in California, provided that the signature is
208 created consistent with the following provisions:
209
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
210 1. Definitions. For the purposes of Section 22003(b), and unless the
211 context expressly indicates otherwise:
212
213 1. "Handwriting Measurements" means the metrics of the shapes, speeds
214 and/or other distinguishing features of a signature as the person
215 writes it by hand with a pen or stylus on a flat surface.
216
217 2. "Signature Digest" is the resulting bit-string produced when a
218 signature is tied to a document using Signature Dynamics.
219
220 3. "Expert" means a person with demonstrable skill and knowledge based
221 on training and experience who would qualify as an expert pursuant
222 to California Evidence Code Section 720.
223
224 4. "Signature Dynamics" means measuring the way a person writes his or
225 her signature by hand on a flat surface and binding the measurements
226 to a message through the use of cryptographic techniques.
227
228 2. California Government Code Section 16.5 requires that a digital
229 signatures be 'unique to the person using it.' A signature digest
230 produced by Signature Dynamics technology may be considered unique to
231 the person using it if:
232
233 1. The signature digest records the handwriting measurements of the
234 person signing the document using signature dynamics technology;
235
236 2. The signature digest is cryptographically bound to the handwriting
237 measurements; and
238
239 3. After the signature digest has been bound to the handwriting
240 measurements, it is computationally infeasible to separate the
241 handwriting measurements and bind them to a different signature
242 digest.
243
244 3. California Government Code Section 16.5 requires that a digital
245 signature be 'capable of verification'. A signature digest produced by
246 signature dynamics technology is capable of verification if:
247
248 1. The acceptor of the digitally signed message obtains the handwriting
249 measurements for purposes of comparison; and
250
251 2. If signature verification is a required component of a transaction
252 with a public entity, the handwriting measurements can allow an
253 expert handwriting and document examiner to assess the authenticity
254 of a signature.
255
256 4. California Government Code Section 16.5 requires that a digital
257 signature remain 'under the sole control of the person using it'. A
258 signature digest is under the sole control of the person using it if:
259
260 1. The signature digest captures the handwriting measurements and
261 cryptographically binds them to the message directed by the signer
262 and to no other message; and
263
264 2. The signature digest makes it computationally infeasible for the
265 handwriting measurements to be bound to any other message.
266
267 5. The signature digest produced by signature dynamics technology must be
268 linked to the message in such a way that if the data in the message are
269 changed, the signature digest is invalidated.
270
271 *Note: Authority cited: Section 16.5, Government Code. Reference:
272 Section 16.5, Government Code.*
273
274 22004. REPEALED. {#22004}
275 ----------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
276
277 22005. Criteria for Public Entities To Use in Accepting Digital Signatures. {#22005}
278 ---------------------------------------------------------------------------
279
280 1. Prior to accepting a digital signature, public entities shall ensure
281 that the level of security used to identify the signer of a document
282 is sufficient for the transaction being conducted.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
283 2. Prior to accepting a digital signature, public entities shall ensure
284 that the level of security used to transmit the signature is
285 sufficient for the transaction being conducted.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
286 3. If a certificate is a required component of a digital signature
287 transaction, public entities shall ensure that the certificate
288 format used by the signer is sufficient for the security and
289 interoperability needs of the public entity.
|