TITLE 14: COMMERCE
SUBTITLE A: REGULATION OF BUSINESS
CHAPTER I: DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
PART 105 ELECTRONIC COMMERCE SECURITY ACT
SECTION 105.210 QUALIFIED SECURITY PROCEDURES

Section 105.210  Qualified Security Procedures

a)         A qualified security procedure is a security procedure for identifying a person that is capable of creating, in a trustworthy manner, an electronic signature that:

1)         is unique to the signer within the context in which it is used;

2)         can be used to objectively identify the person signing the electronic record;

3)         was reliably created by the identified person and that cannot be readily duplicated or compromised;

4)         is created and is linked to the electronic record to which it relates in a manner that, if the record or the signature is intentionally or unintentionally changed after being signed, the electronic signature is invalidated; and

5)         complies with this Part.

b)         The Department will accept as adequate a security procedure that meets the requirements of the Federal Information Processing Standards promulgated by NIST's Information Technology Laboratory, as incorporated by Section 105.20(a)(3).

c)         Public Key Cryptography

1)         The security structure known as public key cryptography is a qualified security procedure for purposes of this Section, provided that the digital signature is created consistently with this Part.  Public key cryptography with a digital signature created consistently with this Part is a commercially reasonable standard and procedure that has been generally accepted in the security and scientific communities.

2)         The Act requires that a digital signature be unique to the signer within the context in which it is used.  A public key-based digital signature may be considered unique to the signer using it if:

A)        the digital signature is created using an asymmetric algorithm;

B)        the private key used to create the signature on the document is known only to the signer;

C)        the digital signature can be verified by reference to the public key listed in the certificate;

D)        the digital signature is created during the operational period of a valid certificate;

E)        it is computationally infeasible to derive the private key from knowledge of the public key; and

F)         the digital signature is created within the scope of any other restrictions specified or incorporated by reference in the certificate.

3)         The Act requires that a digital signature can be used to objectively identify the person signing the electronic record.  A public key-based digital signature is capable of objectively identifying the person signing the electronic record if:

A)        the acceptor of the digitally signed document can verify that the document was digitally signed by the signer, by applying the message digest function to the document and checking the result against the signature with the signer's public key; and

B)        CMS (the Department), or a designated RA (registration authority), through a process defined in the CP (certificate policy) or CPS (certification practice statement), authenticates the subscriber and the subscriber's public key and identifies the forms of identification required of the signer prior to issuing the certificate.

4)         The Act requires that the digital signature be reliably created by an identified person and cannot be readily duplicated or compromised.  The signer and all other persons who rightfully have access to signature devices assume a duty to exercise reasonable care to retain control and maintain secrecy of the signature device and to protect it from any unauthorized access, disclosure, or use during the period when reliance on a signature created by the signature device is reasonable.

5)         The Act requires that the digital signature be created, and be linked to the electronic record to which it relates, in a manner that, if the record or the signature is intentionally or unintentionally changed after being signed, the electronic signature is invalidated.
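The following is an added worked example, not text of the regulation and not code from CMS or any certification authority. It shows an acceptor-side check that implements the technical conditions in subsection (c): an asymmetric algorithm (2)(A), verification against the public key listed in the certificate (2)(C), creation during the certificate's operational period (2)(D), a restriction carried in the certificate (2)(F), the digest-and-public-key verification in (3)(A), and the linkage requirement in (5), under which any change to the record or the signature after signing invalidates the signature. Its assumptions: ECDSA over P-256 with SHA-256 is used as the asymmetric algorithm and message digest function (the regulation names neither); the subscriber certificate is self-signed, standing in for issuance by CMS or an RA under a CP or CPS, so no chain building or revocation checking is modelled; and the signing time is supplied by the signer rather than by a trusted timestamp. All names, the sample record and the clock are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signature is what the acceptor receives with the record: the DER certificate
// listing the signer's public key, the ECDSA signature over the record's SHA-256
// digest, and the time the signer claims to have signed. The claimed time is an
// assumption of this example; a deployed system would use a trusted timestamp.
type Signature struct {
	CertDER  []byte
	Sig      []byte
	SignedAt time.Time
}

// newSubscriberCert generates an asymmetric (ECDSA P-256) key pair and a
// self-signed certificate whose operational period is [notBefore, notAfter].
// Self-signing stands in for issuance by CMS or an RA, which is not modelled here.
func newSubscriberCert(name string, notBefore, notAfter time.Time) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, // a restriction carried in the certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

// signRecord applies the message digest function to the record and signs the
// digest with the private key, which only the signer holds.
func signRecord(record []byte, priv *ecdsa.PrivateKey, certDER []byte, at time.Time) (*Signature, error) {
	digest := sha256.Sum256(record)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Signature{CertDER: certDER, Sig: sig, SignedAt: at}, nil
}

// verifyRecord is the acceptor's side; it returns nil only if every check passes.
func verifyRecord(record []byte, s *Signature) error {
	cert, err := x509.ParseCertificate(s.CertDER)
	if err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	// The signature must have been created during the certificate's operational period.
	if s.SignedAt.Before(cert.NotBefore) || s.SignedAt.After(cert.NotAfter) {
		return errors.New("signing time is outside the certificate's operational period")
	}
	// The certificate must permit this use of the key.
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate does not permit digital signatures")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	// Recompute the digest of the record as received and check it against the
	// signature with the public key listed in the certificate; any change to the
	// record or to the signature after signing makes this fail.
	digest := sha256.Sum256(record)
	if !ecdsa.VerifyASN1(pub, digest[:], s.Sig) {
		return errors.New("signature does not verify against the record")
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed clock for the demo
	priv, certDER, err := newSubscriberCert("example subscriber", now.Add(-24*time.Hour), now.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	record := []byte("Purchase order 1234: 40 units at 12.50 each") // constructed sample record
	sig, err := signRecord(record, priv, certDER, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("unchanged record:", verifyRecord(record, sig))
	fmt.Println("altered record:  ", verifyRecord([]byte("Purchase order 1234: 40 units at 12.00 each"), sig))
	late := *sig
	late.SignedAt = now.AddDate(2, 0, 0)
	fmt.Println("after expiry:    ", verifyRecord(record, &late))
}
```

The first check prints a nil error; the altered record and the signature presented after the certificate's operational period each produce an error. Because the check hashes the record as received and the acceptor never trusts the signer's own claim about the time beyond comparing it to the certificate, the example also makes visible what it leaves to the CP or CPS: binding the subscriber's identity to the certificate, revocation, and a trustworthy source of signing time.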