
Minnesota State Agency Digital Signature Implementation and Use

IRM Standard 18, Version 1
Effective date: November 19, 1999

Supersedes: N/A

Applicability

This standard applies to Minnesota state agencies and offices that choose to implement digital signature technology. Agency heads, security officers, information resource management executives, managers and staff are responsible for compliance with the standard. This standard does not apply to the implementation and use of encryption generally, although encryption may also use key pair technology.

Definitions

Asymmetric cryptosystem: an algorithm or series of algorithms that provide a secure key pair.

Certificate: a computer-based record that: (1) identifies the certification authority using it; (2) names or identifies its subscriber; (3) contains the subscriber's public key; and (4) is digitally signed by the certification authority issuing it.

Certification authority: a person who issues a certificate. (Note: "person" means both a human being and an organization capable of signing a document.)

Digital signature: a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine: (1) whether the transformation was created using the private key that corresponds to the signer's public key; and (2) whether the initial message has been altered since the transformation was made.

Digital signature key pair: a private key and its corresponding public key in an asymmetric cryptosystem, keys which have the property that the public key can verify a digital signature that the private key creates.

Digital signature private key: the key of a key pair used to create a digital signature.

Digital signature public key: the key of a key pair used to verify a digital signature.

Escrow: a third party holds an item of value until specified conditions are met.

Ex officio signature: a digital signature where a public official has delegated the ability to digitally sign documents in his or her name.

Verify a digital signature: in relation to a given digital signature, message and public key, the ability to determine accurately that: (1) the digital signature was created by the private key corresponding to the public key; and (2) the message has not been altered since its digital signature was created.

Background

The Minnesota Electronic Authentication Act

The Minnesota Legislature created the Minnesota Electronic Authentication Act, Minnesota Statutes, chapter 325K, to:

(1) facilitate commerce by means of reliable electronic messages;

(2) minimize the incidence of forged digital signatures and fraud in electronic commerce;

(3) implement legally the general import of relevant standards, such as X.509 of the International Telecommunications Union, formerly known as the International Telegraph and Telephone Consultative Committee; and

(4) establish, in coordination with multiple states, uniform rules regarding the authentication and reliability of electronic messages.

Technology authorized under the Act

Under the terms of the Act, the specific technology that is authorized to authenticate electronic messages is the digital signature. A digital signature is created with an asymmetric cryptosystem, which is an algorithm or series of algorithms that provide a secure key pair. The key pair is used to authenticate the message.

Example of use

For example, if a state employee wishes to digitally sign an email message, the employee uses the private key of the key pair to sign the message. The email, with the digital signature attached, is sent to the recipient, who uses the public key found in the certificate issued by the certification authority to authenticate the message by running the verification algorithm. The software displays a message to the recipient, who then determines whether to accept the authenticated message.

Although Minnesota Statutes, chapter 325K does not limit the use of a digital signature, an example of its use is to sign a purchase order. Agencies will need to determine when it is necessary to authenticate an electronic document. Current practices for signing paper documents may be appropriate; however, agencies may wish to use this opportunity to re-examine business practices to determine what level of authentication is needed, whether the document is produced on paper or electronically. Once the need to authenticate electronic documents has been established, agencies will then need to determine the criteria that a certification authority will need to meet for their digital signatures to be accepted by the agency. For the requirements of Minnesota law and what makes a digital signature the legal equivalent of a pen-and-ink signature, see Minnesota Statutes, chapter 325K and Minnesota Rules, chapter 8275 (www.revisor.leg.state.mn.us).

Purpose of this standard

The purpose of this digital signature implementation and use standard is to provide consistent guidance as to what is expected of agencies and offices that wish to implement digital signature technology.

Standards requirements

1. Delegation of authority

The commissioner or agency head must designate for the agency who can authorize the issuance, suspension or revocation of key pairs for agency employees. This designation must be documented in a delegation of authority filed with the secretary of state.

2. Agency policy

Each agency that chooses to use digital signature technology must establish a digital signature implementation and use policy. The agency policy must:

  • describe how the agency will determine which employees will have a digital signature key pair, the scope of an employee's authority to use the digital signature and for what purposes. (It is strongly recommended that business criteria be used in making the determination);
  • identify the roles and responsibilities for issuing digital signature key pairs, letters authorizing the issuance of certificates, procedures to protect digital signature key pairs, and procedures and requirements for suspension and/or revocation of digital signature certificates;
  • identify the roles and responsibilities for training concerning digital signature issues;
  • direct employees to protect their digital signature private keys in a manner similar to the policy to protect security access cards and passwords;
  • require the reporting of lost or compromised digital signature key pairs to the Certification Authority and to any office or position designated by the agency;
  • describe if and when an ex officio digital signature may be used to conduct agency business. The policy must describe which positions or individuals are authorized to use an ex officio digital signature, when an ex officio digital signature can be used, when it cannot be used and how an ex officio digital signature key pair will be protected. Each authorized user must receive a separate ex officio digital signature key pair. As set forth in the Computerized Information Resources Security Standards for State Agencies (IRM Standard 16; www.ot.state.mn.us/ot_files/handbook/standard/std16-1.html), it is not appropriate to disclose a means of authentication; therefore, disciplinary action, including termination from employment, could result from an intentional, voluntary or negligent disclosure of a digital signature key pair.

3. Employee responsibility

An individual must protect and not disclose or make available his or her digital signature private key or password to other persons, including fellow state employees, managers and supervisors. As set forth in the Computerized Information Resources Security Standards for State Agencies (IRM Standard 16), it is not appropriate to disclose a means of authentication. Therefore, disciplinary action, including termination from employment, could result from an intentional, voluntary or negligent disclosure of a digital signature key pair.

4. Use of unauthorized digital signatures prohibited

When conducting State business, an employee must only use a digital signature key pair and certificate purchased with State funds. Employees must not use a State digital signature key pair for personal business. A violation of this standard will result in disciplinary action, which could include termination from employment.

5. No escrow of individual private keys

An agency must not have or escrow a copy of an individual's digital signature private key.

6. Revocation of ex officio digital signature key pair

The agency must revoke the ex officio digital signature key pair whenever there is a change in the person occupying the office.

7. Evaluation of services of certification authority

The security of the storage location of the digital signature key pair (token or hard drive) must be considered in evaluating the services of a certification authority whether for the provision of digital signature certificates or for the verification of a digital signature.

Implementation Best Practices

These 9 implementation best practices provide additional guidance to agencies in how to make use of digital signature technology. In contrast to the standards requirements listed above, the following best practices are not mandatory, but do represent the "best" information available to assist agencies in the successful use of digital signature technology. Their adoption by agencies is strongly encouraged.

1. Agency heads may delegate the responsibility for making the decisions on who will need a digital signature key pair. A formal delegation of authority may be used or the position(s) should be designated in the agency's policy.

2. An agency's determination to use an ex officio digital signature does not preclude the office holder from having a separate, individual digital signature key pair.

3. An employee should keep a digital signature certification and digital signature key pair for the life of the certificate unless it is necessary to suspend or revoke it. A change in the agency head or the person who delegated to the employee the ability to have a digital signature key pair should not automatically cause a certificate suspension or revocation.

4. Training concerning digital signature private key security should be incorporated with other security training. Possible training avenues are handouts from a Help Desk or regular messages on security issues.

5. In advertising for and retaining digital signature services, an agency needs to consider the implications of the Minnesota Government Data Practices Act, Minnesota Statutes, chapter 13. In evaluating certification authority services, an agency cannot require an employee to provide non-public data to meet identification requirements for receipt of a certificate.

6. In verifying and determining whether to accept a digital signature, an agency should use the provisions of Minnesota Statutes, chapter 325K and Minnesota Rules, chapter 8275. Agencies should establish a policy that outlines for employees the expectations the agency has concerning decisions to accept or reject a digital signature.

7. An agency should establish a policy that states the agency's requirements for creating an auditable trail to document the verification and acceptance of a digital signature.

8. Each agency should use a licensed certification authority to get the protections found in Minnesota Statutes, chapter 325K. Information about licensed certification authorities can be found at www.sos.state.mn.us/

9. Each agency should designate two or more persons or positions with authority to issue digital signature key pairs and/or letters of authorization. Human resources offices that have access to SEMA4 and security administrators will most likely be involved.