La. Admin. Code tit. 4 § I-711

Current through Register Vol. 50, No. 11, November 20, 2024
Section I-711 - Acceptable Technology
A. The technology known as Public Key Cryptography is an acceptable technology for use by state agencies, provided that the digital signature is created consistent with the following.
1. A public key-based digital signature must be unique to the person using it. Such a signature may be considered unique to the person using it if:
a. the private key used to create the signature on the message is known only to the signer or, in the case of a role-based key, known only to the signer and an escrow agent acceptable to the signer and the state agency; and
b. the digital signature is created when a person runs a message through a one-way function, creating a message digest, then encrypting the resulting message digest using an asymmetric cryptosystem and the signer's private key; and
c. although not all digitally signed communications will require the signer to obtain a certificate, the signer is capable of being issued a certificate to certify that he or she controls the key pair used to create the signature; and
d. it is computationally infeasible to derive the private key from knowledge of the public key.
2. A public key based digital signature must be capable of independent verification. Such a signature may be considered capable of independent verification if:
a. the relying party can verify the message was digitally signed by using the signer's public key to decrypt the message; and
b. if a certificate is a required component of a transaction with a state agency, the issuing PKI service provider, either through a certification practice statement, certificate policy, or through the content of the certificate itself, has identified what, if any, proof of identification it required of the signer prior to issuing the certificate.
3. The private key of public key based digital signature must remain under the sole control of the person using it, or in the case of a role-based key, that person and an escrow agent acceptable to that person and the state agency. Whether a signature is accompanied by a certificate or not, the person who holds the key pair, or the subscriber identified in the certificate, must exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature.
4. The digital signature must be linked to the message of the document in such a way that it would be computationally infeasible to change the data in the message or the digital signature without invalidating the digital signature.
5. Acceptable PKI Service Providers
a. The Division of Administration shall maintain an "Approved List of PKI Service Providers" authorized to issue certificates for digitally signed communications sent to state agencies or otherwise provide services in connection with the issuance of certificates. The list may include, but shall not necessarily be limited to, certification authorities, certificate manufacturers, registrars, and/or other PKI service providers accepted and approved for use in connection with electronic messages transmitted to other state or federal governmental entities. A copy of such list may be obtained directly from the Division of Administration, or may be obtained electronically via the World Wide Web.
b. State agencies shall only accept certificates from PKI service providers that appear on the "Approved List of PKI Service Providers."
c. The Division of Administration shall place a PKI service provider on the "Approved List of PKI Service Providers" after the PKI service provider provides the Division of Administration with a copy of its current certification practice statement, if any, and a copy of an unqualified performance audit performed in accordance with standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (S.A.S. 70) to ensure that the PKI service provider's practices and policies are consistent with the requirements of the PKI service provider's certification practice statement, if any, and the requirements of this Section.
d. In order to be placed on the "Approved List of PKI Service Providers" a PKI service provider that has been in operation for one year or less shall undergo a SAS 70 Type One audit-A Report of Policies and Procedures Placed in Operation, receiving an unqualified opinion.
e. In order to be placed on the "Approved List of PKI Service Providers" a PKI service provider that has been in operation for longer than one year shall undergo a SAS 70 Type Two audit-A Report of Policies and Procedures Placed in Operation and Test of Operating Effectiveness, receiving an unqualified opinion.
f. In lieu of the audit requirements of Subparagraphs d and e above, a PKI service provider may be placed on the "Approved List of PKI Service Providers" upon providing the Division of Administration with documentation issued by a person independent of the PKI service provider that is indicative of the security policies and procedures actually employed by the PKI service provider and that is acceptable to the Division of Administration in its sole discretion. The Division of Administration may request additional documentation relating to policies and practices employed by the PKI service provider indicating the trustworthiness of the technology employed and compliance with applicable guidelines published by the Division of Administration.
g. To remain on the "Approved List of PKI Service Providers" a certification authority must provide proof of compliance with the audit requirements or other acceptable documentation to the Division of Administration every two years after initially being placed on the list. In addition, a certification authority must provide a copy of any changes to its certification practice statement to the Division of Administration promptly following the adoption by the certification authority of such changes.
h. If the Division of Administration is informed that a PKI service provider has received a qualified or otherwise unacceptable opinion following a required audit or if the Division of Administration obtains credible information that the technology employed by the PKI service provider can no longer reasonably be relied upon, or if the PKI service provider's certification practice statement is substantially amended in a manner that causes the PKI service provider to become no longer in compliance with the audit requirements of this Section, the PKI service provider may be removed from the "Approved List of PKI Service Providers" by the Division of Administration. The effect of the removal of a PKI service provider from the "Approved List of PKI Service Providers" shall be to prohibit state agencies from thereafter accepting digital signatures for which the PKI service provider issued a certificate or provided services in connection with such issuance for so long as the PKI service provider is removed from the list. The removal of a PKI service provider from the "Approved List of PKI Service Providers" shall not, in and of itself, invalidate a digital signature for which a PKI service provider issued the certificate prior to its removal from the list.
B. The state may elect to enact or adopt the Federal Uniform Electronic Transactions Act.

La. Admin. Code tit. 4, § I-711

Promulgated by the Office of the Governor, Division of Administration, LR 27:527 (April 2001).
AUTHORITY NOTE: Promulgated in accordance with R.S. 39:4(c).