SECTION 203.24. Acceptable Digital Signature Technology  


Latest version.
  • (a) Digital Signatures must be created by an Acceptable Technology. For a digital signature to be valid for use by a state agency, it must be created by a technology that is accepted for use by the department pursuant to this section.

    (b) Criteria for Determining if a Digital Signature Technology is Acceptable. An acceptable technology must be capable of creating signatures that conform to requirements set forth in §2054.060, Texas Government Code and the requirements of this section.

    (c) List of Acceptable Technologies. The technology known as Public Key Cryptography is an acceptable technology for use by state agencies, provided that the digital signature is created consistent with the following:

    (1) A public key-based digital signature must be unique to the person using it. Such a signature may be considered unique to the person using it if:

    (A) the private key used to create the signature on the message is known only to the signer or, in the case of a role-based key, known only to the signer and an escrow agent acceptable to the signer and the state agency; and

    (B) the digital signature is created when a person runs a message through a one-way function, creating a message digest, then encrypting the resulting message digest using an asymmetric cryptosystem and the signer's private key; and

    (C) although not all digitally signed communications will require the signer to obtain a certificate, the signer is capable of being issued a certificate to certify that he or she controls the key pair used to create the signature; and

    (D) it is computationally infeasible to derive the private key from knowledge of the public key.

    (2) A public-key based digital signature must be capable of independent verification. Such a signature may be considered capable of independent verification if:

    (A) the relying party can verify the message was digitally signed by using the signer's public key to decrypt the message; and

    (B) if a certificate is a required component of a transaction with a state agency, the issuing PKI Service Provider, either through a certification practice statement, certificate policy, or through the content of the certificate itself, has identified what, if any, proof of identification it required of the signer prior to issuing the certificate.

    (3) The private key of public-key based digital signature must remain under the sole control of the person using it, or in the case of a role-based key, that person and an escrow agent acceptable to that person and the state agency. Whether a signature is accompanied by a certificate or not, the person who holds the key pair, or the subscriber identified in the certificate, must exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature.

    (4) The digital signature must be linked to the message of the document in such a way that it would be computationally infeasible to change the data in the message or the digital signature without invalidating the digital signature.

    (5) An organization may use a PKI that is operated by the Department of Defense (DoD) PKI Program Management Office (PMO), and is certified and accredited in accordance with DoD Instruction 8510.01 "DoD Information Assurance Certification and Accreditation Process (DIACAP)".

Source Note: The provisions of this §203.24 adopted to be effective November 28, 2004, 29 TexReg 10710; amended to be effective November 23, 2015, 40 TexReg 8191