437 Neb. Admin. Code, ch. 4, § 001

Current through September 17, 2024
Section 437-4-001

The technology known as Public Key Cryptography is an acceptable technology for use in Nebraska, provided that the digital signature is created consistent with the provisions in NAC, Title 437, Ch. 3.

001.01 Definitions

For purposes of Section 001, and unless the context expressly indicates otherwise:

001.01a "Acceptable Certification Authorities" means a certification authority that meets the requirements of subsections 001.06c - 001.06d of this section.
001.01b "Approved List of Certification Authorities" means the list of Certification Authorities approved by the Secretary of State to issue certificates for digital signature transactions in Nebraska.
001.01c "Asymmetric cryptosystem" means a computer algorithm or series of algorithms which utilize two different keys with the following characteristics:
i. one key signs a given message;
ii. one key verifies a given message; and,
iii. the keys have the property that, knowing one key, it is computationally infeasible to discover the other key.
001.01d "Certificate" means a computer-based record which:
i. identifies the certification authority issuing it;
ii. names or identifies its subscriber;
iii. contains the subscriber's public key; and
iv. is digitally signed by the certification authority issuing or amending it, and
v. conforms to widely-used standards.
001.01e "Certification Authority" means a person or entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.
001.01f "Key pair" means a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates.
001.01g "Practice statement" means documentation of the practices, procedures and controls employed by a Certification Authority.
001.01h "Private key" means the key of a key pair used to create a digital signature.
001.01i "Proof of Identification" means the document or documents presented to a Certification Authority to establish the identity of a subscriber.
001.01j "Public key" means the key of a key pair used to verify a digital signature.
001.01k "Subscriber" means a person who:
i. is the subject listed in a certificate;
ii. accepts the certificate; and
iii. holds a private key which corresponds to a public key listed in that certificate.
001.02 Nebraska Administrative Code Title 437, Ch. 3, sec. 001.01 requires that a digital signature be 'unique to the person using it'. A public key-based digital signature may be considered unique to the person using it, if:
001.02a The private key used to create the signature on the document is known only to the signer, and
001.02b The digital signature is created when a person runs a message through a one-way function, creating a message digest, then encrypting the resulting message digest using an asymmetrical cryptosystem and the signer's private key, and
001.02c although not all digitally signed communications will require the signer to obtain a certificate, the signer is capable of being issued a certificate to certify that he or she controls the key pair used to create the signature, and
001.02d it is computationally infeasible to derive the private key from knowledge of the public key.
001.03 Nebraska Administrative Code Title 437, Ch. 3, sec. 001.02 requires that a digital signature be 'capable of verification.' A public-key based digital signature is capable of verification if:
001.03a the acceptor of the digitally signed document can verify the document was digitally signed by using the signer's public key to decrypt the message; and
001.03b if a certificate is a required component of a transaction, the issuing Certification Authority, either through a certification practice statement or through the content of the certificate itself, if any, must identify which form(s) of identification it required of the signer prior to issuing the certificate.
001.04 Nebraska Administrative Code Title 437, Ch. 3, sec. 001.03 requires that the digital signature remain 'under the sole control of the person using it'. Whether a signature is accompanied by a certificate or not, the person who holds the key pair, or the subscriber identified in the certificate, assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature.
001.05 The digital signature must be linked to the message of the document in such a way that if the data are changed, the digital signature is invalidated.
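The signing and verification process that 001.02b, 001.03a and 001.05 describe (hash the message with a one-way function, apply the signer's private key to the digest, let the acceptor recover the digest with the public key, and have any change to the data invalidate the signature) can be shown end to end in code. The following is an added example, not part of the regulation and not the Secretary of State's or any Certification Authority's software; it assumes textbook RSA with SHA-256 as the one-way function, generates a key pair at run time, and uses a constructed sample message. Real deployments use a vetted library with a padded signature scheme (RSA-PSS, PKCS#1 v1.5 or ECDSA) and bind the public key to the subscriber through a certificate as in 001.01d; the code below only illustrates the mechanism the text defines.

```python
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (assumed helper for key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Return a random odd probable prime with exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_key_pair(bits: int = 1024):
    """Asymmetric key pair as in 001.01f: (private_key, public_key).

    private_key = (n, d) creates signatures; public_key = (n, e) verifies them.
    Recovering d from (n, e) requires factoring n, which is the
    'computationally infeasible' property 001.01c(iii) and 001.02d rely on.
    """
    e = 65537  # prime public exponent, so gcd(e, phi) == 1 iff phi % e != 0
    while True:
        p = _random_prime(bits // 2)
        q = _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, d), (n, e)


def message_digest(message: bytes) -> int:
    """001.02b: run the message through a one-way function to get a digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """001.02b: apply the signer's private key to the message digest."""
    n, d = private_key
    digest = message_digest(message)
    if digest >= n:
        raise ValueError("modulus too small for the digest")
    return pow(digest, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """001.03a: the acceptor uses the public key to recover the digest and
    compares it with a fresh digest of the received document. 001.05 follows:
    changing the data changes the digest, so the comparison fails."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def demo() -> dict:
    """Sign a constructed sample document and show what verification rejects."""
    private_key, public_key = generate_key_pair(1024)
    other_private, other_public = generate_key_pair(1024)
    document = b"Constructed sample: Application for permit, signed 2024-09-17"
    signature = sign(document, private_key)
    return {
        "genuine": verify(document, signature, public_key),
        "altered_document": verify(document + b".", signature, public_key),
        "altered_signature": verify(document, (signature + 1) % public_key[0], public_key),
        "wrong_signer_key": verify(document, signature, other_public),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the genuine case is accepted; the three rejected cases correspond to a modified document (001.05), a corrupted signature, and a signature checked against a key pair the signer does not control, which is the condition a certificate from an approved Certification Authority is meant to rule out under 001.02c and 001.06.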
001.06 Acceptable Certification Authorities
001.06a The Secretary of State shall maintain an "Approved List of Certificate Authorities" authorized to issue certificates for digitally signed communications in Nebraska.
001.06b If a certificate is required for a transaction, in order for the signature to qualify as a digital signature under Title 437, Ch.4, sec. 001, the certificate must be issued by a Certification Authority that appears on the "Approved List of Certification Authorities" authorized to issue certificates by the Secretary of State.
001.06c The Secretary of State shall place Certification Authorities on the "Approved List of Certification Authorities" after the Certification Authority provides the Secretary of State with a copy of an unqualified performance audit performed in accordance with standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (S.A.S. 70) "Service Organizations" to ensure that the Certification Authority's practices and policies are consistent with their stated control objectives and these regulations. The AICPA Statement on Auditing Standards No. 70 is adopted by reference in its entirety as it existed on the date these regulations became effective and is available for viewing at the Office of the Secretary of State, Room 1305, State Capitol, Lincoln, Nebraska.
i. Certification Authorities that have been in operation for one year or less shall undergo a SAS 70 Type One audit - A Report on Controls Placed in Operation, receiving an unqualified opinion.
ii. Certification Authorities that have been in operation for longer than one year shall undergo a SAS 70 Type Two audit - A Report on Controls Placed in Operation and Tests of Operating Effectiveness, receiving an unqualified opinion.
iii. To remain on the "Approved List of Certification Authorities" a Certification Authority must provide proof of compliance with Section 001.06c(ii) to the Secretary of State every two years after initially being placed on the list.
001.06d In lieu of completing the auditing requirement in Section 001.06c, Certification Authorities may be placed on the "Approved List of Certification Authorities" upon providing the Secretary of State with proof of accreditation by a national or international accreditation body or licensing or approval in another state, acceptable to the Secretary of State, whose requirements for accreditation, licensing or approval are consistent with the requirements of Title 437, Ch. 4, sec. 001.06c - 001.06d.
i. Certification Authorities placed on the approved list of certification authorities pursuant to Section 001.06d shall be removed from the "Approved List of Acceptable Certification Authorities" unless they provide current proof of accreditation, licensing or approval to the Secretary of State at least once per year.
ii. If the Secretary of State becomes aware that a Certification Authority, placed on the approved list of certification authorities pursuant to Section 001.06d, has had its accreditation, licensing or approval revoked in another jurisdiction, the Certification Authority shall be notified immediately by the Secretary of State, in writing, of the Secretary's intent to revoke approval in Nebraska. If the Certification Authority contests the intent to revoke within 30 days, the Secretary of State shall set the matter for public hearing to determine whether approval of the Certification Authority should be revoked. If the intent to revoke is not contested within 30 days, the Certification Authority shall be removed from the "Approved List of Certification Authorities". Certification authorities approved in Nebraska shall be required to notify the Secretary of State if they have had their accreditation, licensing, or approval revoked, lapsed or terminated by any other means.
001.07 The Secretary of State may seek the advice and counsel of the Department of Administrative Services when approving certification authorities pursuant to chapter 4 of this Title.