States, like other levels of government, have an interest in the promotion
of electronic commerce. The government at all levels has a duty to seek
efficiencies in the delivery of government services by reducing costs and
enhancing service quality. Modern economic development policies should
specifically promote electronic commerce in the private sector. Digital
signatures are an important tool to enable secure electronic commerce and
the technology underlying such signatures requires special attention.
State governments have an appropriate role in the development of legal
structures governing digital signatures. The use of digital signatures
will touch many areas of law at the state, national and international levels.
Laws and policies for digital signatures should balance the need for consistency
across state and national boundaries, the need to allow for experimentation
and innovation, and the need to respect traditional state jurisdictions, e.g.,
commerce, contracts, and state rules of evidence.
The market for digital signature products and services is young and
dynamic. Digital signatures are not yet widely used. The software applications
are in an early stage of development. There remain important legal uncertainties.
Consumer acceptance does not yet exist. In this environment, it is premature
to adopt a uniform national structure governing this developing technology.
The best technologies, business practices and policy formulations have
not yet been devised. Many legal and policy issues are not yet ripe for
determination because the market has not matured, and therefore the uses
and implications of this technology remain uncertain.
Premature national treatment of this area runs the risk of stunting
the natural evolution of market forces which will produce the most cost-efficient,
user friendly, interoperable and effective implementations of digital signatures.
While early adopters of digital signature technology desire greater national
uniformity in the immediate future, the overall interests of evolving the
best public key infrastructures require a period of experimentation.
State governments have taken a leadership position in the use and promotion
of digital signature technologies. There are several state statutes and
regulations governing the use of digital signatures; many more states are
developing legislation. Some state laws govern the use of digital signatures
only as regards state government applications; others also apply to private
electronic commerce. State policy makers are mindful of the need to adopt
uniform guiding principles(1). Current and proposed state digital signature
laws do not directly conflict and, in fact, allow for recognition of the
licensing or accreditation of certification authorities by other governmental
entities(2).
Even the most comprehensive state laws recognize the need to be permissive
in scope (e.g., Utah and Washington's laws provide statutory responsibilities
and benefits which may be entered into by private parties on a voluntary
basis, at the sole option of the citizen or business). Most current state
laws do no more than recognize the validity of electronic signatures generally,
including digital signatures. That is, they must not foreclose innovation
in secure electronic transactions, nor favor particular services or products.
State government activities are being coordinated and harmonized within
various forums. States recognize the need to communicate with each other,
with the private sector, the federal government and with international
bodies in developing their laws and policies. They currently participate
in national and international forums to compare approaches and address
common areas of concern, including the development of widely recognized
accreditation standards for certification authorities. In this regard,
the American Bar Association, the National Association of State Information
Resource Executives (NASIRE), the Congressional Internet Caucus, the U.S.
Innovation Partnership (USIP), a partnership of the National Governors
Association and the White House, and the U.S. Department of Commerce provide
valuable forums for these efforts.
This year, NASIRE, representing the states' chief information officers,
in collaboration with two other 50-state organizations and the USIP, formally
began the process of creating a digital signature standards and accreditation
project. Seven states are currently taking the lead in developing these
standards. This project will result in the accreditation of certificate
authorities and participating partners in the project will conduct transactions
verified by certificates issued by accredited certificate authorities.
It is anticipated that the project will grow to include additional public
and private sector partners. The project is designed to fully leverage
private sector standards, practices and emerging technologies. This effort
will facilitate reciprocity between states and facilitate interstate and
international commerce.
In areas of traditional state jurisdiction, federal preemption should
be limited to those specific matters where dissimilarities in state law
result in specifically identified inefficiencies or impediments to the
widespread use and promotion of secure electronic commerce.
---------
End notes:
(1) State laws come in two basic types, "electronic
signature" laws and "secure signature laws." Electronic
signature laws (such as those in Florida, Virginia, and Texas) merely recognize
the common law of signatures to clarify how current law should apply to
electronic authentication. The common law of signatures is usually recognized
in this type of legislation with the following provisions: "a signature
is any symbol or method executed or adopted by a party with a present intent
to be bound by or to authenticate a record, including electronic means."
These laws would explicitly recognize the commonly held view that many
different technologies are capable of creating valid signatures, including
digital images of signatures, PIN numbers, and biometric devices.
By contrast, secure signature laws typically give special
statutory benefits (such as evidentiary presumptions and liability limits
or other special recognition) for electronic signatures that have an established
degree of reliability. For example, Utah, Washington and Minnesota recognize
digital signature technology as being sufficiently reliable to warrant
special statutory treatment. The state of California, rather than recognizing
digital signature technology in the statute itself, provides certain security
criteria that must be met and provides for the promulgation of regulations
to specify what technologies shall qualify. The current draft proposed
California regulations specifically recognize digital signatures as an approved
technology.
(2) The following provision of legislation shows how states
can recognize an accreditation regime for certification authorities under
current and proposed law. Even states which provide for the license of
a CA will allow for the recognition of an accreditation regime under certain
circumstances. The current proposed Illinois law provides for recognition
of accreditation rather than license of CAs in two sections of the legislation.
The current proposed draft regulations for California also specifically
recognize the possibility of private sector based accreditation as sufficient
for meeting the quality assurance requirements under that state's law.
In the case of Utah and Washington, the accreditation would have to be
recognized through another "government" entity (if the state
of California or Illinois or Massachusetts, for example, were to recognize
accreditation, then Utah and Washington would then recognize accreditation
as meeting the requirements of their statute). Representatives from the
governments of states with current legislation consistently recognize the
need to further refine provisions of enacted law to reflect accreditation
regimes which will evolve.
- Utah and Washington -
46-3-201: Division may recognize by rule the licensing
or authorization of CAs by other governmental entities, provided that those
licensing or authorization requirements are substantially similar to those
of this state.
(a) Part 4 of this chapter which relates to presumptions
and legal effects, applied to certificates issued by the CAs licensed or
authorized by that governmental entity in the same manner as it applied
to licensed CAs of this state; and
(b) The liability limits of section 46-3-309 apply to
the CAs licensed or authorized by that governmental entity in the same
manner as they apply to licensed CAs of this state.
(license or "authorization" by "governmental"
entity with substantially similar requirements)
- California -
22003 (6)(D)
In lieu of completing the auditing requirements in section
22003(A)(6)(C), CAs may be placed on the approved list of CAs upon providing
the DOIT with proof of accreditation by an international accreditation
body, acceptable to the DOIT whose requirements for accreditation are consistent
with the requirements of section 22003(A)(1-5).
(i) CAs shall be removed from the approved list of acceptable
CAs unless they provide current proof of accreditation to DOIT at least
once per year.
(ii) if DOIT is informed that a CA has had its accreditation
revoked, the CA shall be removed from the approved list of CAs immediately.
(proof of accreditation by an "international body"
with consistent requirements)
- Illinois -
Sec. 402. SECURE ELECTRONIC SIGNATURE. When all or any
portion of an electronic record is signed with a digital signature, the
digital signature shall be considered a secure electronic signature with
respect to such portion of the record, if:
(a) The digital signature was created during the operational
period of a valid certificate and is verified by reference to the public
key listed in such certificate, and
(b) The certificate is considered trustworthy (i.e., an
accurate binding of a public key to a person's identity) because:
(1) The certificate was issued by a certification authority
in accordance with standards issued [or approved] by the Secretary;
(2) The certificate was issued by a certification authority
licensed by the Secretary and operating in compliance with the regulations
adopted by the Secretary;
(3) The certificate was issued by a certification authority
accredited by an accreditation body approved by the Secretary;
(4) The certificate was issued by a certification authority
whose name appears on a list of [approved/authorized/certified] certification
authorities issued by the Secretary;
(5) The trier of fact finds that the certificate was issued
by a certification authority that properly authenticated the subscriber
and the subscriber's public key, or otherwise finds that the material information
set forth in the certificate is true; or
(6) The parties have agreed between themselves
(sender and recipient) to use digital signatures as a security procedure,
and the digital signature was properly verified by reference to the sender's
public key.
===
Sec. 801. SECRETARY AUTHORITY TO ADOPT REGULATIONS.
The Secretary may take one or more of the following steps for the purpose
of helping to ensure the quality of certificates issued by certification
authorities, to define when a digital signature or any other technology
qualifies as a secure electronic signature, or to ensure the quality of
repositories and the services they provide:
(1) specify or adopt standards that must be met
by certification authorities and certificates before a digital signature
verified by reference to a certificate will qualify as a secure electronic
signature;
(1) specify or adopt standards that must be met
by repositories;
(2) adopt appropriate regulations governing the conduct,
and providing for the voluntary licensing, of certification authorities
or repositories;
(3) adopt appropriate regulations specifying that certification
authorities must be accredited by one or more independent accrediting
entities before a digital signature verified by reference to a certificate
will qualify as a secure electronic signature; or
(3) adopt appropriate regulations specifying that repositories
must be accredited by one or more independent accrediting entities;
or
(4) adopt appropriate regulations specifying the manner
in which the Secretary will evaluate certification authorities in order
to develop a list of approved certification authorities or repositories
that are certified by the Secretary to meet applicable quality control
standards.
In developing any of the foregoing, the Secretary shall
endeavor to do so in a manner that will provide maximum flexibility to
the development of digital signature technology and the business models
necessary to support it, that will maximize the opportunities for uniformity
with the laws of other jurisdictions, and that will ___________.