IMT Standards. Standard number A GoA IMT Standards. Effective Date: Scheduled Review: Last Reviewed: Type: Technical

Transcription

1 IMT Standards IMT Standards Oversight Cmmittee Gvernment f Alberta Effective Date: Scheduled Review: Last Reviewed: Type: Technical Standard number A Electrnic Signature Metadata Categry: Data/Infrmatin Keywrds: Recrds Management, Electrnic Signature, Secured Electrnic Signature, Electrnic Signature Specificatins, Digital Signature Certificate Requirements, Certificatin Authrity Requirements, Requirements Descriptin f Standard This standard describes the electrnic signature prcess requirements, the specificatins and the metadata requirements that ministries must implement t supprt the creatin f authentic, reliable and trustwrthy electrnic recrds that have an electrnic signature attachment r assciatin. Standard Specificatin Terms Asymmetric Cryptgraphy 1 means a cryptgraphic system that relies n key pairs. Certificatin Authrity 1 means a persn r entity that issues digital signature certificates and has been apprved by the CISO. Digital Signature Certificate 1 in respect f a persn, means an electrnic dcument that (a) identifies the certificatin authrity that issued it and is digitally signed by that certificatin authrity; 1 Adpted frm Secure Electrnic Signature Regulatins P.C February 1, 2005, Sectin 1. Page 1 f 16

2 (b) identifies, r can be used t identify, the persn; and, (c) cntains the persn s public key. Electrnic Signature 2 is an electrnic sund, symbl, r prcess, attached t r lgically assciated with a cntract r ther recrd and executed r adpted by a persn with the intent t sign the recrd. Hash Functin 1 means an electrnic ne-way mathematical prcess that cnverts data cntained in an electrnic dcument int a message digest that is unique t the data in a way that, were that data changed, it wuld, n cnversin, result in a change message digest. Key Pair 1 means a pair f keys held by r fr a persn that includes a private key and a public key that are mathematically related t, but different frm, each ther. Private Key 1 means a string f data that (a) is used in asymmetric cryptgraphy t encrypt data cntained in an electrnic dcument; and (b) is unique t the persn wh is identified in, r can be identified thrugh, a digital signature certificate and crrespnds nly t the public key in that certificate. Public Key 1 means a string f data cntained in a digital signature certificate that (a) is used in asymmetric cryptgraphy t decrypt data cntained in an electrnic dcument that was encrypted thrugh the applicatin f the private key in the key pair; and (b) crrespnds nly t the private key in the key pair. Secure Electrnic Signature 3 must meet the requirements defined in this standard. The standard is technlgy neutral but uses encryptin technlgy t sign data, which requires a public and private key and based n a qualified digital signature certificate. 2 Adpted frm US ESIGN Act f 2000, Sectin 106(5) 3 Reprt Frm the Cmmissin T The Eurpean Parliament and the Cuncil, Reprt n the peratin f Directive 1999/93/EC n a Cmmunity framewrk fr electrnic signatures, Sectin Page 2 f 16

3 Signature Requirements Type Requirements Specificatins 1 Electrnic Signature Serves as a methd t identify and authenticate data. 4 The persn that sent the text has practical use (key hlder) f the electrnic signature; hwever, may nt be the entity (key wner) that has explicit right t use the electrnic signature. (a) Must validate the data. (b) Nt a methd r technlgy fr entity (key wner) verificatin. Type Requirements 5 Specificatins 6 The electrnic signature resulting frm the use by a persn f the technlgy r prcess is unique t the persn; 2 Secured Electrnic Signature The use f the technlgy r prcess by a persn t incrprate, attach r assciate the persn s electrnic signature t an electrnic dcument is under the sle cntrl f the persn; The technlgy r prcess can be used t identify the persn using the technlgy r prcess; and, The electrnic signature can be linked with an electrnic dcument in such a way that it can be used t determine whether (a) Applicatin f the hash functin t the data t generate a message digest; (b) Applicatin f a private key t encrypt the message digest; (c) Incrpratin in, attachment t, r assciatin with the electrnic dcument f the encrypted message digest; (d) Transmissin f the electrnic dcument and encrypted message digest tgether with either (i) a digital signature certificate, r (ii) a means f access t a digital certificate; and Page 3 f 16

4 Type Requirements 5 Specificatins 6 the electrnic dcument (e) After receipt f the has been changed since electrnic dcument, the the electrnic signature encrypted message was incrprated in, digest and the digital attached t r assciated signature certificate r the with the electrnic means f access t the dcument. digital signature certificate, (i) applicatin f the public key cntained in the digital signature certificate t decrypt the encrypted message digest and prduce the message digest referred t in paragraph (a), (ii) applicatin f the hash functin t the data cntained in the electrnic dcument t generate a new message digest, (iii) verificatin that, n cmparisn, the message digests referred t in paragraph (a) and subparagraph (ii) are identical, and (iv) verificatin that the digital signature certificate is valid in accrdance with the Digital Signature Certificate Requirements. 4 Reprt Frm the Cmmissin T The Eurpean Parliament and the Cuncil, Reprt n the peratin f Directive 1999/93/EC n a Cmmunity framewrk fr electrnic signatures, Sectin Adpted frm the Persnal Infrmatin Prtectin and Electrnic Dcuments Act (2000, c.5) in paragraphs 48(2)(a) t (d). 6 Adpted frm Secure Electrnic Signature Regulatins P.C February 1, 2005, Sectin 2. Page 4 f 16

5 Digital Signature Certificate Requirements 7 The digital signature certificate is valid if, at the time when the data cntained in an electrnic dcument is digitally signed in accrdance with the Secured Electrnic Signature specificatin and the certificate is: (a) readable r perceivable by any persn r entity wh is entitled t have access t the digital signature certificate; (b) has nt expired r been revked; and (c) when the digital signature certificate is supprted by ther digital signature certificates, in rder fr the digital signature certificate t be valid, the supprting certificates must als be valid. Certificatin Authrity Requirements T recgnize a persn r entity as a certificatin authrity, the CISO must verify that the persn r entity has the capacity t issue digital signature certificate in a secure and reliable manner within the cntext f Requirements fr s. 7 Adpted frm Secure Electrnic Signature Regulatins, P.C February 1, Sectin 3(1) (a) t (b) and 3(2) Page 5 f 16

6 Metadata Requirements Metadata describes business bjects r resurces and are stred within the trusted digital repsitry fr as least as lng as the recrds t which they relate are retained. Signature Type 1 Electrnic Signature Metadata Elements signature signer date signed 2 Secured Electrnic Signature signature signer date signed algrithm identifier algrithm parameters date signature verified validated by validated tken certificate issuer certificatin service prvider cunter signature electrnic certificate electrnic certificate serial number encryptin algrithm encryptin level Where t Apply This Standard This applies t all Gvernment f Alberta Ministries, bards, agencies and cmmissins. Authrity and Exceptins Verify individual Ministry Acts t determine any specific exclusin. Page 6 f 16

7 This standard des nt apply t 8 : recrds that are prescribed, r that belng t a class that is prescribed, as recrds r a class f recrds t which this standard des nt apply; wills, cdicils and trusts created by wills r cdicils; enduring pwer f attrney under the Pwers f Attrney Act; persnal directives under the Persnal Directives Act; recrds that create r transfer interest in land, including interest in mines and minerals; dcuments f title; guarantees under the Guarantees Acknwledgment Act; and, negtiable instruments. Supprting Dcumentatin Directive 1999/93/EC f the Eurpean Parliament and f the Cuncil f 13 December 1999 n a Cmmunity Framewrk fr Electrnic Signatures Electrnic Transactins Act, S.A. 2001, c. E-5.5 MReq2 Mdel Requirements Fr The Management f Electrnic Recrds, Update and Extensin, 2008, Appendix 9 T The MReq2 Specificatin: Metadata Mdel Persnal Infrmatin Prtectin and Electrnic Dcuments Act S.C., 2000, c.5 Reprt Frm the Cmmissin T The Eurpean Parliament and The Cuncil, Reprt n the peratin f Directive 1999/93/EC n a Cmmunity framewrk fr electrnic signatures. Secure Electrnic Signature Regulatins P.C February 1, 2005 Owner Service Alberta Cntact at imt.standards@gv.ab.ca 8 Adpted frm Electrnic Transactins Act, S.A. 2001, c. E-5.5, Sectin 7(1) and (2). Page 7 f 16

8 Additinal Infrmatin Audience GOA Surce Service Alberta, Infrmatin Management and Lgistics Sensitivity Unrestricted Prpsed Date Prpsed By Service Alberta, Infrmatin Management and Lgistics Barbara Seeley, Manager ECM Prgram Develpment and Innvatin Page 8 f 16

9 Appendix A Metadata Legend a name fr the metadata prperty. Definitin: a shrt descriptin f the metadata prperty. the reasn fr which smething exists r is dne. Applies T: t which series, flder, flder part, r recrd the prperty applies t. whether value fr prperty is mandatry r ptinal fr cmpliance. whether mre than ne value is allwed fr the prperty. hw the values fr this element are prduced. cnditins and rules that gvern the use and value(s) f the prperty. signature Definitin: Applies T: signature The electrnic signature itself Cntains the electrnic signature used t determine authenticity. Recrd Mandatry N Electrnic Signature Can nt be mdified Page 9 f 16

10 signer Definitin: Applies T: signer This is a textual descriptin identifying the entity that signed the bject. T describe the signer fr display purpses when shwing the recrd. Recrd Optinal N Electrnic Signature Element is nt prtected frm mdificatin by an electrnic signature and its value cannt be trusted t remain unchanged. date signed Definitin: Applies T: date signed Date and time the signature was applied. T prvide indicatin f when the recrd was signed. Recrd Optinal N Electrnic Signature The time shuld be specified at least t the minute. This value is nt prtected frm mdificatin by the Page 10 f 16

11 electrnic signature and its value cnsequently can nt be trusted t remain unchanged. algrithm identifier Definitin: Applies T: algrithm identifier Identifies the cryptgraphic algrithm used t generate the signature. Necessary t verify the electrnic signature Recrd Mandatry N The value f this element indicates the cmbinatin f electrnic signature algrithm and hashing algrithm used t generate the electrnic signature. algrithm parameters algrithm parameters Definitin: This element cntains any parameters required by the electrnic signature algrithm. Additinal infrmatin t verify the electrnic signature. Applies T: Recrd Optinal N Page 11 f 16

12 date signature verified date signature verified Definitin: The date and time the electrnic signature was verified. T determine when the electrnic signature was verified. Applies T: Recrd Mandatry Yes Can nt be mdified validated by Definitin: Applies T: validated by System identifier f an agent wh has initiated the validatin f an electrnic signature r certificate. T determine which agent validated the electrnic signature r certificate. Recrd Mandatry N r manual entry Mandatry if checking a certificate Nt mandatry if checking an electrnic signature. Null if the check is initiated autmatically by the system. Can nt be mdified. Page 12 f 16

13 validated tken Definitin: Applies T: validated tken A validatin ticket r tken issued by a certificatin service prvider. T identify the electrnic signature Recrd Optinal N r manual entry Can nt be mdified certificate issuer Definitin: Applies T: certificate issuer The issuer f an electrnic certificate T determine the issuer f an electrnic certificate Recrd Mandatry N Can nt be mdified certificatin service prvider certificatin service prvider Definitin: The certificatin service prvider issuing the electrnic certificate. T identify wh issued the electrnic certificate. Page 13 f 16

14 Applies T: Recrd Mandatry N Can nt be mdified cunter signature Definitin: Applies T: Use Cnditin: cunter signature A certificatin service prvider s cunter-signature. A cunter-signature is required by sme electrnic signature applicatins. Recrd Optinal Yes Can nt be mdified electrnic certificate Definitin: Applies T: electrnic certificate The electrnic certificate f a recrd. T capture the electrnic certificate. Recrd Mandatry Yes Page 14 f 16

15 Use Cnditin: Can nt be mdified electrnic certificate serial number electrnic certificate serial number Definitin: The serial number f the electrnic certificate. T capture the serial number f the electrnic certificate. Applies T: Recrd Mandatry N Can nt be mdified encryptin algrithm encryptin algrithm Definitin: The encryptin algrithm used t encrypt the recrd. Used t encrypt the recrd. Applies T: Recrd Mandatry N r manual entry Can nt be mdified Updated autmatically when a different algrithm is used. Page 15 f 16

16 encryptin level Definitin: Applies T: Use Cnditin: encryptin level The encryptin level f the encryptin cde used n the recrd. T determine the encryptin level. Recrd Mandatry N Updated autmatically by the system when a different level is used. Page 16 f 16