(a) Digital Signatures must be created by an Acceptable
Technology. For a digital signature to be valid for use by a state
agency, it must be created by a technology that is accepted for use
by the department pursuant to this section.
(b) Criteria for Determining if a Digital Signature
Technology is Acceptable. An acceptable technology must be capable
of creating signatures that conform to requirements set forth in §2054.060,
Texas Government Code and the requirements of this section.
(c) List of Acceptable Technologies. The technology
known as Public Key Cryptography is an acceptable technology for use
by state agencies, provided that the digital signature is created
consistent with the following:
(1) A public key-based digital signature must be unique
to the person using it. Such a signature may be considered unique
to the person using it if:
(A) the private key used to create the signature on
the message is known only to the signer or, in the case of a role-based
key, known only to the signer and an escrow agent acceptable to the
signer and the state agency; and
(B) the digital signature is created when a person
runs a message through a one-way function, creating a message digest,
then encrypting the resulting message digest using an asymmetric cryptosystem
and the signer's private key; and
(C) although not all digitally signed communications
will require the signer to obtain a certificate, the signer is capable
of being issued a certificate to certify that he or she controls the
key pair used to create the signature; and
(D) it is computationally infeasible to derive the
private key from knowledge of the public key.
(2) A public-key based digital signature must be capable
of independent verification. Such a signature may be considered capable
of independent verification if:
(A) the relying party can verify the message was digitally
signed by using the signer's public key to decrypt the message; and
(B) if a certificate is a required component of a transaction
with a state agency, the issuing PKI Service Provider, either through
a certification practice statement, certificate policy, or through
the content of the certificate itself, has identified what, if any,
proof of identification it required of the signer prior to issuing
the certificate.
(3) The private key of public-key based digital signature
must remain under the sole control of the person using it, or in the
case of a role-based key, that person and an escrow agent acceptable
to that person and the state agency. Whether a signature is accompanied
by a certificate or not, the person who holds the key pair, or the
subscriber identified in the certificate, must exercise reasonable
care to retain control of the private key and prevent its disclosure
to any person not authorized to create the subscriber's digital signature.
(4) The digital signature must be linked to the message
of the document in such a way that it would be computationally infeasible
to change the data in the message or the digital signature without
invalidating the digital signature.
(5) An organization may use a PKI that is operated
by the Department of Defense (DoD) PKI Program Management Office (PMO),
and is certified and accredited in accordance with DoD Instruction
8510.01 "DoD Information Assurance Certification and Accreditation
Process (DIACAP)".
|