PART 100 ELECTRONIC COMMERCE SECURITY ACT : Sections Listing

TITLE 14: COMMERCE
SUBTITLE A: REGULATION OF BUSINESS
CHAPTER I: SECRETARY OF STATE
PART 100 ELECTRONIC COMMERCE SECURITY ACT


AUTHORITY: Implementing and authorized by the Electronic Commerce Security Act [5 ILCS 175].

SOURCE: Adopted at 25 Ill. Reg. 7935, effective June 14, 2001; amended at 31 Ill. Reg. 7284, effective May 7, 2007.

 

Section 100.10  Scope and Definitions

 

a)         The purpose of this Part is to provide maximum flexibility to the implementation of digital signature technology for the private sector under the Illinois Electronic Commerce Security Act [5 ILCS 175].  The Act sets forth procedures by which the Secretary of State may certify security procedures for digital signature technology.  However, the Act does not require any person to create, store, transmit, accept, or otherwise use or communicate information, records, or signatures by electronic means or in electronic form; or prohibit any person engaging in an electronic transaction from establishing reasonable requirements regarding the medium on which it will accept records or the method and type of symbol or security procedure it will accept as a signature.

 

b)         For the purposes of this Part, and unless the context expressly indicates otherwise, definitions are as follows:

 

            "Act" means the Illinois Electronic Commerce Security Act [5 ILCS 175].

 

            "Applicant" means a person or entity other than a State agency seeking certification by the Secretary as a certification authority in the State of Illinois.

 

            "Asymmetric cryptosystem" means a computer-based system capable of generating and using a key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.

 

            "Certificate" means a record that at a minimum:

 

            identifies the certification authority issuing it;

 

            names or otherwise identifies its subscriber or a device or electronic agent under the control of the subscriber;

 

            contains a public key that corresponds to a private key under the control of the subscriber;

 

            specifies its operational period; and

 

            is digitally signed by the certification authority issuing it.

 

            "Certification authority" or "CA" means a person or entity who authorizes and causes the issuance of a certificate.

 

            "Certification practice statement" or "CPS" is a statement published by a certification authority that specifies the policies or practices that the certification authority employs in issuing, managing, suspending, and revoking certificates and providing access to them.

 

            "Certificate policy" or "CP" is a statement published by a certification authority that specifies the policies of the certification authority.

 

            "Digital signature" means a type of electronic signature created by transforming an electronic record using a message digest function and encrypting the resulting transformation with an asymmetric cryptosystem using the signer's private key such that any person having the initial untransformed electronic record, the encrypted transformation, and the signer's corresponding public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key and whether the initial electronic record has been altered since the transformation was made.  A digital signature is a security procedure.

 

            "Electronic" includes electrical, digital, magnetic, optical, electromagnetic, or any other form of technology that entails capabilities similar to these technologies.

 

            "Electronic record" means a record generated, communicated, received, or stored by electronic means for use in an information system or for transmission from one information system to another.

 

            "Electronic signature" means a signature in electronic form attached to or logically associated with an electronic record.

 

            "Key pair" means, in an asymmetric cryptosystem, 2 mathematically related keys, referred to as a private key and a public key, having the properties that:

 

            one key (the private key) can encrypt a message that only the other key (the public key) can decrypt; and

 

            even knowing one key (the public key), it is computationally unfeasible to discover the other key (the private key).

 

            "Message digest function" means an algorithm that maps or translates the sequence of bits comprising an electronic record into another, generally smaller, set of bits (the message digest) without requiring the use of any secret information, such as a key, so that an electronic record yields the same message digest every time the algorithm is executed using such record as input and it is computationally unfeasible that any 2 electronic records can be found or deliberately generated that would produce the same message digest using the algorithm unless the 2 records are precisely identical.

 

            "Operational period of a certificate" begins on the date and time the certificate is issued by a certification authority (or on a later date and time certain if stated in the certificate) and ends on the date and time it expires as noted in the certificate or is earlier revoked, but does not include any period during which a certificate is suspended.

 

            "Person" means an individual, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal or commercial entity.

 

            "Private key" means the key of a key pair used to create a digital signature.

 

            "Public key" means the key of a key pair used to verify a digital signature.

 

            "Record" means information that is inscribed, stored, or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.

 

            "Repository" means a system for storing and retrieving certificates or other information relevant to certificates, including information relating to the status of a certificate.

 

            "Revoke a certificate" means to permanently end the operational period of a certificate from a specified time forward.

 

            "Secretary" means the Secretary of State of Illinois.

 

            "Security procedure" means a methodology or procedure used for the purpose of:

 

            verifying that an electronic record is that of a specific person; or

 

            detecting error or alteration in the communication, content, or storage of an electronic record since a specific point in time.

 

            A security procedure may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgment procedures, or similar security devices.

 

            "Signature device" means unique information, such as codes, algorithms, letters, numbers, private keys, or personal identification numbers (PINs), or a uniquely configured physical device that is required, alone or in conjunction with other information or devices, in order to create an electronic signature attributable to a specific person.

 

            "Signed" or "signature" includes any symbol executed or adopted, or any security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with intent to authenticate a record.

 

            "State agency" means and includes all officers, boards, commissions, courts, and agencies created by the Illinois Constitution, whether in the executive, legislative or judicial branch; all officers, departments, boards, commissions, agencies, institutions, authorities, universities, bodies politic and corporate of the State; and administrative units or corporate outgrowths of the State government that are created by or pursuant to statute, other than units of local government and their officers, school districts and boards of election commissioners; all administrative units and corporate outgrowths of the above and as may be created by executive order of the Governor.

 

            "Subscriber" means a person who is the subject named or otherwise identified in a certificate, who controls a private key that corresponds to the public key listed in that certificate, and who is the person to whom digitally signed messages verified by reference to such certificate are to be attributed.

 

            "Suspend a certificate" means to temporarily suspend the operational period of a certificate for a specified time period or from a specified time forward.

 

            "Trustworthy manner" means through the use of computer hardware, software, and procedures that, in the context in which they are used:

 

            can be shown to be reasonably resistant to penetration, compromise, and misuse;

 

            provide a reasonable level of reliability and correct operation;

 

            are reasonably suited to performing their intended functions or serving their intended purposes;

 

            comply with applicable agreements between the parties, if any; and

 

            adhere to generally accepted security procedures.

 

            "Valid certificate" means a certificate that a certification authority has issued and that the subscriber listed in the certificate has accepted.

 

            "Verify a digital signature" means to use the public key listed in a valid certificate, along with the appropriate message digest function and asymmetric cryptosystem, to evaluate a digitally signed electronic record, such that the result of the process concludes that the digital signature was created using the private key corresponding to the public key listed in the certificate and the electronic record has not been altered since its digital signature was created.

 

(Source:  Amended at 31 Ill. Reg. 7284, effective May 7, 2007)

 

Section 100.20  Certification of a Qualified Security Procedure for Electronic Records and Signature

 

a)         In order to obtain the Secretary's certification of a qualified security procedure, an applicant must file an application form, designated by the Secretary, at the following location:

 

            Certification Authority Application Section

            Room 461

            Howlett Building

            Springfield, Illinois 62756

 

b)         The applicant must document security procedures, policies and practices that delineate full and complete identification of security procedures. The documentation shall be submitted for review, in the form of a Certification Practice Statement (CPS) and Certificate Policy (CP), to the Secretary's Electronic Signature Steering Committee.

 

c)         Applicants certified by the Secretary shall:

 

1)         have adopted secure policies and procedures as designated by a recognized industry organization;

 

2)         meet the criteria for acceptance of electronic signatures and records and the criteria for recognition of qualified security procedures as delineated in Sections 100.30 and 100.40 of this Part;

 

3)         maintain an office in this State or maintain a registered agent for service of process in this State;

 

4)         submit a suitable guaranty described in Section 100.50 of this Part;

 

5)         submit an annual audit that complies with Section 100.60 of this Part;

 

6)         pay an annual application fee of $2,000.  The fee shall be paid by certified check upon the annual submittal of the application and be made payable to the Illinois Secretary of State.  Such fee shall not be applicable to agencies of State government applying for the Secretary's certification pursuant to this Part; and

 

7)         maintain records in accordance with Section 100.100 of this Part.

 

Section 100.30  Criteria for Acceptance of Electronic Signatures

 

A qualified security procedure is a security procedure for identifying a person that is capable of creating, in a trustworthy manner, an electronic signature that:

 

a)         is unique to the signer within the context in which it is used;

 

b)         can be used to objectively identify the person signing the electronic record;

 

c)         was reliably created by such identified person and that cannot be readily duplicated or compromised;

 

d)         is created and is linked to the electronic record to which it relates in a manner that, if the record or the signature is intentionally or unintentionally changed after signing, the electronic signature is invalidated; and

 

e)         complies with this Part.

 

Section 100.40  Recognition of Qualified Security Procedures

 

a)         The security structure of technology known as public key cryptography is certified by a CA as a qualified security procedure for use by private entities in Illinois, provided that the digital signature is created consistent with this Section.  Cryptography is a commercially reasonable standard and procedure for use by private industries in Illinois, provided that the digital signature is created consistent with this Section.

 

b)         The Electronic Commerce Security Act requires that a digital signature be unique to the signer within the context in which it is used. A public key-based digital signature may be considered unique to the signer using it if:

 

1)         the digital signature is created using an asymmetric algorithm;

 

2)         the private key used to create the signature on the document is known only to the signer;

 

3)         the digital signature can be verified by reference to the public key listed in a CA certificate;

 

4)         the digital signature is created during the operational period of a valid CA certificate;

 

5)         it is computationally infeasible to derive the private key from knowledge of the public key; and

 

6)         the digital signature is created within the scope of any other restrictions specified or incorporated by reference in the CA certificate.

 

c)         The Act requires that a digital signature can be used to objectively identify the person signing the electronic record.  A public-key based digital signature is capable of objectively identifying the person signing the electronic record if:

 

1)         the acceptor of the digitally signed document can verify the document was digitally signed by using the signer's public key and message digest function to decrypt the message; and

 

2)         the issuing certification authority, through a process defined in the CP or CPS, authenticates the subscriber and the subscriber's public key and identifies the forms of identification required of the signer prior to issuing the CA certificate.

 

d)         The Act requires that the digital signature be reliably created by an identified person and cannot be readily duplicated or compromised.  The signer and all other persons that rightfully have access to signature devices assume a duty to exercise reasonable care to retain control and maintain secrecy of the signature device and to protect it from any unauthorized access, disclosure, or use during the period when reliance on a signature created by such device is reasonable.

 

e)         The Act requires that the digital signature be created, and be linked to the electronic record to which it relates, in a manner that, if the record or the signature is intentionally or unintentionally changed after signing, the electronic signature is invalidated.

 

(Source:  Amended at 31 Ill. Reg. 7284, effective May 7, 2007)
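The hash-then-sign mechanism that the definitions of "Digital signature", "Message digest function", "Operational period of a certificate" and "Verify a digital signature" in Section 100.10 describe, and whose properties Section 100.40(b) through (e) enumerate, as an added example that is not part of this Part or of any certified certification authority's procedures. It uses only the Python standard library: SHA-256 as the message digest function and textbook RSA as the asymmetric cryptosystem. The fixed Mersenne primes, the example certificate fields and dates, the constructed record, and all function names are assumptions made for illustration; the certification authority's own signature over the certificate is omitted.

```python
"""Hash-then-sign digital signature with a certificate operational-period check.

Added example, not part of 14 Ill. Adm. Code 100 or of any CA's product.
Stdlib only: textbook RSA over a SHA-256 message digest. The primes are the
Mersenne primes 2**521 - 1 and 2**607 - 1 (assumption: fixed so the example is
deterministic and needs no key generation); they make the modulus trivially
factorable, so this key pair illustrates the mechanics only. Production code
uses a padded scheme such as RSA-PSS from a vetted library.
"""
import hashlib
from datetime import datetime

# --- constructed key pair (assumption) -------------------------------------
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # ~1128-bit modulus; a SHA-256 digest is below it
E = 65537                            # public exponent; coprime to (P-1)(Q-1) for these primes
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (modular inverse, Python 3.8+)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def message_digest(record: bytes) -> int:
    """Message digest function (100.10): keyless, deterministic, collision-resistant."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def create_digital_signature(record: bytes, private_key=PRIVATE_KEY) -> int:
    """Transform the record with the digest function, then apply the private key
    to the digest (the 'encrypted transformation' of 100.10 'Digital signature')."""
    d, n = private_key
    return pow(message_digest(record), d, n)


def verify_digital_signature(record: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the digest with the public key and compare it with a fresh digest of the
    record. A mismatch means the wrong private key was used or the record was altered
    after signing, which is the invalidation 100.40(e) requires."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(record)


# --- minimal certificate carrying the fields 100.10 'Certificate' requires ----
CERTIFICATE = {
    "issuer": "Example CA (constructed)",
    "subscriber": "Example Subscriber (constructed)",
    "public_key": PUBLIC_KEY,
    "not_before": "2007-05-07T00:00:00+00:00",   # issuance, start of operational period (constructed)
    "not_after": "2008-05-07T00:00:00+00:00",    # expiry (constructed)
    "revoked": False,     # revocation ends the operational period permanently
    "suspended": False,   # suspension excludes the current time from the operational period
}


def certificate_is_operational(cert: dict, at: str) -> bool:
    """Operational period (100.10): issuance through expiry, ended early by revocation and
    excluding any period of suspension. `at` is an ISO 8601 timestamp with a UTC offset."""
    if cert["revoked"] or cert["suspended"]:
        return False
    t = datetime.fromisoformat(at)
    return datetime.fromisoformat(cert["not_before"]) <= t <= datetime.fromisoformat(cert["not_after"])


def verify_with_certificate(record: bytes, signature: int, cert: dict, at: str) -> bool:
    """'Verify a digital signature' (100.10): use the public key listed in the certificate,
    and accept the signature only if it was created during the operational period."""
    return certificate_is_operational(cert, at) and verify_digital_signature(
        record, signature, cert["public_key"]
    )


if __name__ == "__main__":
    record = b"Purchase order 1234: 10 units at $50 each"   # constructed electronic record
    sig = create_digital_signature(record)
    when = "2007-06-01T00:00:00+00:00"
    print("original record verifies:", verify_with_certificate(record, sig, CERTIFICATE, when))
    print("altered record verifies:", verify_with_certificate(record + b" (amended)", sig, CERTIFICATE, when))
    print("after expiry verifies:", verify_with_certificate(record, sig, CERTIFICATE, "2009-01-01T00:00:00+00:00"))
```

Run as a script, the first line prints True and the other two print False: altering a single byte of the record changes its digest, so the recovered digest no longer matches, and a signature checked against a certificate outside its operational period is not accepted even though the mathematics still holds. In a real deployment the acceptor would also check the CA's signature over the certificate and consult the CA's repository for current revocation or suspension status rather than trusting flags carried in the certificate itself.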

 

Section 100.50  Suitable Guaranty

 

In order to receive the Secretary's certification of a qualified security procedure, an applicant is required to:

 

a)         Provide suitable guaranty in the form of a surety bond executed by an insurer lawfully operating in this State or an irrevocable letter of credit issued by a financial institution lawfully operating in this State in the amount of $100,000.

 

b)         The form of the suitable guaranty or letter of credit must:

 

1)         identify the insurer;

 

2)         identify the applicant;

 

3)         be made payable to the Secretary for the purpose of persons holding qualified rights of payment against the applicant named as principal of the bond or customer of the letter of credit;

 

4)         state that the bond or letter of credit is issued under the Act; and

 

5)         specify a term of effectiveness of at least five years.

 

Section 100.60  Audit Requirements

 

a)         Upon application for the Secretary's certification of a qualified security procedure, the applicant shall submit annually to the Secretary an independent third party audit with an unqualified opinion.  If the applying certification authority has been in operation for one year or less, the applicant shall submit an American Institute of Certified Public Accountants Statement of Standards (S.A.S. 70) Type One Audit.  If the applying certification authority has been in operation for longer than one year, the applicant shall submit a Type Two Audit.  (The American Institute of Certified Public Accountants Statement of Standards (S.A.S. 70) (December 15, 1999; no subsequent dates or editions) is hereby incorporated and is available from the Institute at 1211 Avenue of the Americas, New York NY 10036.)

 

b)         The auditor shall be a certified public accountant licensed in the State of Illinois, and shall have a current and valid certificate as either a certified information systems auditor by the Information Systems Audit and Control Foundation or as a certified information systems security professional by the International Information Systems Security Certification Consortium.

 

c)         The auditors shall attest that they have demonstrated significant experience in the application of public key cryptographic technologies and computer security.

 

d)         The audit shall include the auditor's opinion or attestation that the applicant has implemented and designed CA certification practices and policies to achieve the requirements of the applicant authority's policy and stated control objectives.  The audit shall also establish that the applicant authority has the use of a trustworthy system.

 

Section 100.70  Certification Authorities

 

Certification authorities certified by the Secretary shall:

 

a)         inform each subscriber of its agreement to be bound by the CPS and CP before obtaining a CA certificate;

 

b)         provide each subscriber with a copy of the CPS and CP, or the Universal Resource Locator where the CPS and CP can be obtained;

 

c)         include warranty disclaimers, liability limitations and indemnification provisions in their CPS or CP;

 

d)         inform each subscriber as to changes made to the CPS or CP on a timely basis;

 

e)         inform each subscriber as to its responsibility to maintain the confidentiality of its private key; and

 

f)         inform each subscriber as to the applicant's responsibility to maintain a private key and utilize a trustworthy system.

 

(Source:  Amended at 31 Ill. Reg. 7284, effective May 7, 2007)

 

Section 100.80  Decertification of Certification Authorities

 

a)         The Secretary may decertify a security procedure employed by a certification authority that was certified by the Secretary, in accordance with 5 ILCS 175/10-135d, for failure to comply with any requirement of this Part, for failure to remain qualified for the Secretary's certification, for failure to revoke a CA certificate pursuant to 5 ILCS 175/15-320, or for failure to comply with a lawful order of the Secretary.

 

b)         Certification authorities in the State of Illinois that have been certified by the Secretary shall notify the Secretary in writing, within 10 days, if the certification authority has had its accreditation, licensing, Secretary's certification or approval revoked, lapsed or terminated by any other means by another state or authority.

 

c)         The Secretary may order the summary suspension of the Secretary's certification of a certification authority following an appropriate investigation or review.

 

d)         Any applicant or certification authority adversely affected by a decision of the Secretary of State pursuant to this Part may seek administrative review of that decision pursuant to the administrative hearings procedure set forth at 92 Ill. Adm. Code 1001.10-1001.130.

 

(Source:  Amended at 31 Ill. Reg. 7284, effective May 7, 2007)

 

Section 100.90  Performance of Services

 

The certification authority is solely responsible for all duties and responsibilities of contracted services and functions.

 

Section 100.100  Records Retention

 

State records shall be retained in accordance with Section 5-13 of the Act and the State Records Act [5 ILCS 160], when applicable.

 

Section 100.110  Provisions for Promoting Uniformity

 

a)         The Secretary or the Department of Central Management Services may act as a certification authority under the Act.

 

b)         The Secretary or the Department of Central Management Services may contract with an outside vendor to acquire the certification authority services required by this Part.

 

c)         The Secretary's Electronic Signature Steering Committee, after review, may recognize proposed technologies as a qualified security procedure for the purpose of the Secretary's certification.

 

(Source:  Amended at 31 Ill. Reg. 7284, effective May 7, 2007)

 

Section 100.120  Foreign and Other Jurisdictional Certificates

 

a)         The Secretary of State may recognize foreign private sector certification authorities, provided that the foreign private sector certification authority:

 

1)         is certified:

 

A)        as a certification authority by the Secretary; or

 

B)        licensed by another state of the United States; or

 

C)        licensed by the federal government or a federal government agency; and

 

2)         the foreign private sector certification authority agrees to be bound to the terms of the Secretary's CP and CPS.

 

b)         A foreign private sector certification authority shall provide to the Secretary a certified copy of a license or certification issued by a government entity.  A license or certification recognized under this subsection (b) shall be valid in Illinois only during the time it is valid in the issuing jurisdiction.

 

c)         A foreign private sector certification authority recognized in the State of Illinois shall provide notification, within 10 days, to the Secretary in writing if the certification authority has had its accreditation, licensing, certification or approval revoked, lapsed or terminated by any other means by another state or authority.

 

d)         Certification authorities certified by the Secretary shall not be required to accept certificates issued by international entities.

 

e)         A foreign private sector certification authority doing business in the State of Illinois shall be subject to the laws of Illinois.

 

f)         The CPS of a certification authority certified by the Secretary shall indicate whether the CA accepts foreign certificates.

 

(Source:  Amended at 31 Ill. Reg. 7284, effective May 7, 2007)