SECTION .0100 - GENERAL ADMINISTRATION

.0101 HOW TO CONTACT THE ELECTRONIC COMMERCE SECTION

The North Carolina Department of the Secretary of State administers the Electronic Commerce Act. The Secretary of State has designated the Electronic Commerce Section to administer the Act. The Electronic Commerce Section may be contacted by the following means:
(1) Electronic mail messages (email) are welcome, and are an efficient means of communicating with the Electronic Commerce Section. Email may be sent to ecomm@mail.secstate.state.nc.us.
(2) Regular mail may be sent to the Electronic Commerce Section at the following address: Electronic Commerce Section, Department of the Secretary of State, Post Office Box 29622, 2 South Salisbury Street, Raleigh, NC 27626-0626.
(3) Up-to-date contact information regarding the Electronic Commerce Section is contained on the Department of the Secretary of State's Internet site at http://www.state.nc.us/secstate.
(4) Suggestions regarding program administration are welcome. Suggestions for improving electronic commerce in North Carolina, these Rules, the Electronic Commerce Section, and the Electronic Commerce Act are always welcome. Suggestions may be sent to the Electronic Commerce Section at the addresses given above.

History Note: Authority G.S. 66-58.10

SECTION .0200 - DEFINITIONS

.0201 APPLICABLE DEFINITIONS

In addition to the definitions in the Electronic Commerce Act, Article 11A of Chapter 66 (G.S. 66-58.1 et seq.), the following apply in these Rules:
(1) Affiliated Individual. An affiliated individual is the subject of a certificate that is associated with a sponsor approved by the Certification Authority (such as an employee affiliated with an employer). Certificates issued to affiliated individuals are intended to be associated with the sponsor, and the responsibility for authentication lies with the sponsor.
(2) Asymmetric Cryptosystem. A computer-based system that employs two different but mathematically related keys. The keys are computer-generated codes having the following characteristics:
    (a) either key can be used to electronically sign and/or encrypt data, such that only the other key in that key pair is capable of verifying the electronic signature and/or decrypting the signed data; and
    (b) the keys have the property that, knowing one key, it is computationally infeasible to discover the other key.
(3) Authorized Certification Authority. A Certification Authority that has been issued a Certification Authority license by the North Carolina Department of the Secretary of State to issue certificates that reference these Rules.
(4) Certification Authority Revocation List. A time-stamped list of revoked Certification Authorities digitally signed by a Certification Authority or the Electronic Commerce Section.
(5) Certificate. A record which:
    (a) identifies the certification authority issuing it;
    (b) names or identifies its subscriber;
    (c) contains a public key that corresponds to a private key under the control of the subscriber;
    (d) identifies its operational period or period of validity;
    (e) contains a certificate serial number and is digitally signed by the Certification Authority issuing it; and
    (f) conforms to the ITU/ISO X.509 Version 3 standards or other standards accepted under these Rules. As used in these Rules the term "Certificate" refers to certificates that expressly reference these Rules in the "Certificates Policy" field of an X.509 v.3 certificate.
(6) Certificate Manufacturing Authority. An entity that is responsible for the manufacturing and delivery of certificates signed by a Certification Authority, but is not responsible for identification and authentication of certificate subjects (i.e., a Certificate Manufacturing Authority is delegated the certificate manufacturing task by a Certification Authority).
(7) Certificate Revocation List. A Certification Authority digitally signed, time-stamped list of revoked certificates.
(8) Certification Authority. A Certification Authority is an entity authorized by the Secretary of State to facilitate electronic commerce. A Certification Authority is responsible for authorizing and causing certificate issuance. A Certification Authority can perform the functions of a Registration Authority and a Certificate Manufacturing Authority, or it can delegate or outsource either of these functions. A Certification Authority vouches for the connection between an entity and that entity's electronic signature. A Certification Authority performs two essential functions:
    (a) First, it is responsible for identifying and authenticating the intended subscriber named in a certificate, and verifying that the subscriber possesses the private key corresponding to the public key listed in the certificate; and
    (b) Second, the Certification Authority actually creates (or manufactures) and digitally signs the certificate. The certificate issued by the Certification Authority represents the Certification Authority's statement as to the identity of the person named in the certificate and the binding of that person to a particular public-private key pair.
(9) Certification Practice Statement. A "Certification Practice Statement" is documentation of the practices, procedures, and controls employed by a Certification Authority in issuing, suspending, or revoking certificates and providing access to same. A Certification Practice Statement shall contain, at a minimum, detailed discussions of the following topics:
    (a) technical security controls, including cryptographic modules and management;
    (b) physical security controls;
    (c) procedural security controls;
    (d) personnel security controls;
    (e) repository obligations, including registration management, subscriber information protection, and certificate revocation management; and
    (f) financial responsibility.
(10) Electronic Commerce Act. The North Carolina Electronic Commerce Act, N.C.G.S. Chapter 66, Article 11A. An Act to facilitate electronic commerce with and by North Carolina public agencies by recognizing the validity of electronic signatures and authorizing the Secretary of State to regulate electronic signatures and certification authorities.
(11) Electronic Commerce Section. Component of the North Carolina Department of the Secretary of State responsible for reviewing Certification Authority license applications and administering the Electronic Commerce Act in North Carolina.
(12) Electronic signature. Any identifier or authentication technique attached to or logically associated with an electronic record intended by the party using it to have the same force and effect as the party's manual signature.
(13) Federal Information Processing Standards. Federal Standards prescribing specific performance requirements, practices, formats, communications protocols, etc. for hardware, software, data, telecommunications operation, etc. Federal agencies are expected to apply these standards unless a waiver has been granted.
(14) Internet Engineering Task Force. The Internet Engineering Task Force is a large, open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.
(15) ITS Security Director. The ITS Security Director of North Carolina State government as designated by the Chief Information Officer for North Carolina State Government.
(16) ITU/ISO X.509 Version 3 standards. Version three of the X.509 standards promulgated by the International Telecommunications Union and the International Organization for Standardization.
(17) Key pair. Two mathematically related keys, having the properties that one key can be used to encrypt a message that can only be decrypted using the other key, and that, even knowing one key, it is computationally infeasible to discover the other key.
(18) Object Identifier. An object identifier is a specially formatted number that is registered with an internationally recognized standards organization.
(19) Operational Period of a Certificate. The operational period of a certificate is the period of its validity. It would typically begin on the date the certificate is issued (or such later date as specified in the certificate), and end on the date and time it expires as noted in the certificate or as earlier revoked or suspended.
(20) PKIX. An Internet Engineering Task Force Working Group developing technical specifications for public key infrastructure components based on X.509 Version 3 certificates.
(21) Private Key. The key of a key pair used to create a digital signature. This key must be kept secret. It is also known as the confidential key or secret key.
(22) Public Key. The key of a key pair used to verify a digital signature. The public key is made available to anyone who will receive digitally signed messages from the holder of the key pair. The public key is usually provided in a Certification Authority issued certificate and is often obtained by accessing a repository. A public key is used to verify the digital signature of a message purportedly sent by the holder of the corresponding private key. It is also known as the published key.
(23) Public Key Cryptography. A type of cryptographic technology employing an asymmetric cryptosystem.
(24) Registration Authority. An entity responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., a Registration Authority is delegated certain tasks on behalf of a Certification Authority).
(25) Relying Party. A recipient of a digitally signed message who relies on a certificate to verify the digital signature on the message.
(26) Repository. A trustworthy system for storing and retrieving certificates and other information relating to those certificates.
(27) Repository Services Provider. An entity that maintains a repository accessible to the public, or at least to relying parties, for purposes of obtaining copies of certificates and/or verifying the status of such certificates.
(28) Responsible Individual. A person designated by a sponsor to authenticate individual applicants seeking certificates on the basis of their affiliation with the sponsor.
(29) Revoke a Certificate. To prematurely end the operational period of a certificate from a specified time forward.
(30) Secretary. The North Carolina Secretary of State.
(31) Sponsor. An organization with which a subscriber is affiliated (e.g., as an employee, user of a service, business partner, customer, etc.).
(32) Subject. A person whose public key is certified in a certificate. Also referred to as a "subscriber".
(33) Subscriber. The person to whom a certificate is issued. A person who:
    (a) is the subject named or identified in a certificate issued to such person; and
    (b) holds a private key that corresponds to a public key listed in that certificate; and
    (c) to whom digitally signed messages verified by reference to such certificate are to be attributed. See "subject".
(34) Suspend a Certificate. To temporarily suspend the operational period of a certificate for a specified time period or from a specified time forward.
(35) Transaction. An electronic transmission of data between an entity and a public agency, or between two public agencies, including, but not limited to, contracts, filings, and other legally operative documents not specifically prohibited in the Electronic Commerce Act.
(36) Trustworthy System. Computer hardware, software, and procedures that:
    (a) are reasonably secure from intrusion and misuse;
    (b) provide a reasonable level of availability, reliability, and correct operation;
    (c) are reasonably suited to performing their intended functions; and
    (d) adhere to generally accepted security procedures.
(37) Valid Certificate. A valid certificate is one that:
    (a) a Certification Authority has issued;
    (b) the subscriber listed in it has accepted;
    (c) has not expired; and
    (d) has not been suspended or revoked.
    A certificate is not valid until it is both issued by a Certification Authority and accepted by the subscriber.
(38) X.500. A directory standard / protocol for connecting local directory services to form one distributed global directory. X.500 is an OSI (Open System Interconnection) protocol, named after the number of the ITU (International Telecommunications Union - a United Nations Specialized Agency) CCITT (International Telegraph and Telephone Consultative Committee) Recommendation document containing its specification.
(39) X.509. A standard / protocol adopted by the International Telecommunication Union (formerly known as the International Telegraphy and Telephone Consultation Committee). For purposes of these rules, all references to X.509 shall be construed as referring to version 3. Compliance with X.509 versions 1 or 2 shall not be construed as compliance with X.509.

History Note: Authority G.S. 66-58.10(a)(1)

SECTION .0300 - PUBLIC KEY TECHNOLOGY

.0301 PUBLIC KEY TECHNOLOGY LICENSING, FEES, RENEWAL

(1) To be considered for licensure under this subsection, a Certification Authority shall utilize certificate-based public key cryptography.
(2) Any applicant seeking licensure must demonstrate compliance with the North Carolina Electronic Commerce Act, N.C.G.S. Chapter 66, Article 11A, and these Rules.
(3) To request licensure, a Certification Authority shall provide the Electronic Commerce Section with a copy of its current Certification Practice Statement and the most recent reports of compliance audit(s) as required by 18 NCAC 10.0303(13).
(4) A Certification Authority shall adhere to its Certification Practice Statement. If a Certification Authority modifies its Certification Practice Statement, it shall provide an updated copy of the Certification Practice Statement to the Electronic Commerce Section as soon as is practicable, and no later than the date the updated Certification Practice Statement is put into operation. As a condition of continued licensure, the Electronic Commerce Section may require the Certification Authority to undergo an audit to document compliance with its updated Certification Practice Statement and these Rules.
(5) An initial licensing fee of two thousand dollars ($2,000 US) shall accompany an initial application.
(6) A renewal fee of two thousand dollars ($2,000 US) shall accompany an application for renewal by a licensed Certification Authority.
(7) A license issued by the Electronic Commerce Section pursuant to this section shall expire one year after its effective date, unless timely renewed.
(8) Financial Responsibility.
    (a) As a precondition of licensure a Certification Authority shall obtain a bond issued by a surety company authorized to do business in North Carolina. A copy of the bond shall be filed with the Electronic Commerce Section prior to licensure. The amount of the bond shall not be less than twenty-five thousand dollars ($25,000 US). The bond shall be in favor of the State of North Carolina. The bond shall be payable for any penalties assessed by the Electronic Commerce Section pursuant to these rules and for any losses the State encounters resulting from a Certification Authority's conduct of activities subject to the Electronic Commerce Act or arising out of a violation of the Electronic Commerce Act or any Rule promulgated thereunder;
    (b) As a precondition of licensure a Certification Authority shall obtain indemnity insurance coverage (e.g. "errors and omissions" and / or "cyber coverage" and / or similar coverage) to protect subscribers, relying parties and the State for any losses resulting from the Certification Authority's conduct of activities subject to the Electronic Commerce Act or arising out of a violation of the Electronic Commerce Act or any Rule promulgated thereunder. Indemnity coverage shall be obtained and maintained in the amount of not less than one hundred thousand dollars ($100,000 US) per occurrence and not less than one million dollars ($1,000,000 US) for all occurrences;
    (c) The failure of a Certification Authority to continuously maintain this surety bond and indemnity insurance coverage may be the basis for revocation or suspension of its license.

History Note: Authority G.S. 66-58.3; 66-58.10(a)(2).

.0302 PUBLIC KEY TECHNOLOGY. CERTIFICATION AUTHORITY: CERTIFICATE ISSUANCE AND MANAGEMENT - OVERVIEW.

(1) Overview. These Rules specify minimum requirements for issuance and management of certificates that may be used in verifying digital signatures. The digital signatures may be used on categories of electronic communications specified as suitable applications in 18 NCAC 10.0302(2)(e). Each item in these Rules must be specifically addressed by the Certification Authority in the Certification Authority's Certification Practice Statement filed with the North Carolina Department of the Secretary of State at the time the Certification Authority submits an application for licensure or renewal.
(2) Community and Applicability.
    (a) Certification Authorities. These Rules are binding on each licensed Certification Authority issuing certificates identifying them, and govern Certification Authority performance with respect to all certificates it issues referencing the Rules. Specific Certification Authority practice statements and procedures implementing the requirements of these Rules shall be set forth in the Certification Authority's Certification Practice Statement;
    (b) Certification Authorities Authorized to Issue Certificates Under These Rules: Any Certification Authority may issue certificates identifying these Rules if licensed in the State of North Carolina and the Certification Authority agrees to be bound by and comply with the undertakings and representations of these Rules with respect to such certificates. Issuance of a certificate referencing this Policy shall constitute the agreement of the Certification Authority to be bound by the terms of the Rules for all certificates referencing them;
    (c) Subscribers. A Certification Authority may issue certificates that reference these Rules to the following classes of subscribers:
        (i) individuals (unaffiliated);
        (ii) individuals associated with a sponsor recognized by the Certification Authority ("affiliated individuals"), provided the sponsor is the subscriber of a valid certificate issued by the Certification Authority in accordance with these Rules;
        (iii) public agencies, as defined in N.C.G.S. § 66-58.2; and
        (iv) organizations and businesses qualified as legal entities.
    (d) Relying Parties. These Rules benefit the following persons, who may rely on certificates issued to others referencing them ("Qualified Relying Parties"):
        (i) individuals intending to engage in a transaction with a public agency;
        (ii) public agencies, as defined in N.C.G.S. 66-58.2;
        (iii) organizations and businesses, qualified as legal entities, engaged in a transaction with a public agency; and
        (iv) other parties to a transaction with the entity and a public agency.
    (e) Suitable Applications. Certificates referencing this policy are intended to provide a level of identity binding assurance and the protection of document encryption, and are typically suitable for:
        (i) System Access / Systems Security
            (1) Verifying the identity of electronic mail correspondents for non-critical communications;
            (2) Obtaining access to databases, applications and systems;
            (3) Message / document encryption for protection of contents / identities where appropriate;
        (ii) Digital Signature Activity
            (1) Commerce involving various goods or services with various values;
            (2) Obtaining personal data relating to the subscriber.
        (iii) Message / Document Encryption: Documents encrypted to protect contents (e.g. privacy of subject);
        (iv) Some sample applications of these Rules:
            (1) Computing applications providing access to the certificate holder's own personal information;
            (2) Request and distribution of text information or other types of copyrighted content for which fees are charged or subscriptions are required;
            (3) Verifying the identity of communicating parties;
            (4) Verifying signatures on contracts, government benefits statements, and other documentation;
            (5) Signing of electronic messages; e.g. official reports, employee leave and travel reporting, tax withholding, etc.; and
            (6) Secure transport of individual, patient specific medical / other privileged information over public networks.
    (g) Prohibited Applications. (Reserved)

History Note: Authority G.S. 66-58.10

.0303 PUBLIC KEY TECHNOLOGY: CERTIFICATE POLICY GENERAL PROVISIONS

(1) Certification Authority Obligations. The Certification Authority is responsible for all aspects of certificate issuance and management, including control over:
    (a) the application / enrollment process;
    (b) the identification and authentication process;
    (c) the actual certificate manufacturing process;
    (d) certificate publication;
    (e) certificate suspension and revocation, publication of the Certificate Revocation List and Certification Authority Revocation Lists, as pertinent;
    (f) certificate renewal;
    (g) ensuring that all aspects of the Certification Authority services and Certification Authority operations and infrastructure related to certificates issued under these Rules are performed in accordance with the requirements, representations, and warranties of these Rules; and
    (h) delivering certificate updates and revocation transactions to the NC ITS directory, where pertinent.
(2) Representations by Certification Authority. By issuing a certificate referencing these Rules, a Certification Authority certifies to the subscriber and all Qualified Relying Parties (who reasonably and in good faith rely on a certificate's information during its operational period in accordance with these Rules) that the Certification Authority has taken reasonable steps to verify certificate information unless otherwise noted in its Certification Practice Statement, and that:
    (a) the Certification Authority has issued, and will manage, the certificate in accordance with these Rules;
    (b) the Certification Authority has complied with the requirements of these Rules and its applicable Certification Practice Statement when authenticating the subscriber and issuing the certificate;
    (c) there are no misrepresentations of fact in the certificate known to the Certification Authority, and the Certification Authority has taken reasonable steps to verify additional information in the certificate unless otherwise noted in its Certification Practice Statement;
    (d) subscriber-provided information in the certificate application has been accurately transcribed to the certificate; and
    (e) the certificate meets all material requirements of these Rules and the Certification Authority's Certification Practice Statement.
(3) Registration Authority and Certificate Manufacturing Authority Obligations: The Certification Authority shall be responsible for performing all identification and authentication functions and all certificate manufacturing and issuing functions. However, the Certification Authority may delegate performance of these obligations to an identified Registration Authority and/or Certificate Manufacturing Authority, provided the Certification Authority remains primarily responsible for performance of those services by such third parties in a manner consistent with the requirements of these Rules.
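The status check that a Qualified Relying Party is expected to perform before reliance (18 NCAC 10.0303(6)(c)), applying the definitions of Certificate (.0201(5)), Certificate Revocation List (.0201(7)), Operational Period (.0201(19)), Revoke (.0201(29)), Suspend (.0201(34)) and Valid Certificate (.0201(37)) together with the 24-hour publication limit of .0303(11)(b), worked as an added Python example. This is illustrative code written for this page, not software of the Electronic Commerce Section or of any Certification Authority; the record layout, the line-oriented text format of the revocation list, the issuer name Example-CA and every serial number and date are constructed for the example, and verification of the Certification Authority's signature on the certificate and on the list is assumed to have happened before this check runs.

```python
"""Relying-party certificate status check modelled on 18 NCAC 10 .0201 and .0303.

Added illustration only. The record layout, the CRL text format and all
sample values (issuer, serials, dates) are constructed for this example.
Signature verification of certificate and CRL is assumed done upstream.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# .0303(11)(b): at most 24 hours may pass between the CA learning of a change
# and publishing it, so a list older than that cannot be trusted as current.
MAX_CRL_AGE = timedelta(hours=24)


@dataclass
class Certificate:
    """Fields required by .0201(5): issuer, subscriber, public key, operational
    period and serial number. Acceptance is tracked because .0201(37)(b) makes
    validity depend on the subscriber having accepted the certificate."""
    issuer: str
    subscriber: str
    public_key: str
    serial: int
    not_before: datetime
    not_after: datetime
    accepted_by_subscriber: bool = False


@dataclass
class StatusEntry:
    serial: int
    action: str                  # "revoked" (.0201(29)) or "suspended" (.0201(34))
    effective: datetime          # "from a specified time forward"
    until: Optional[datetime]    # a suspension may name the end of its period


@dataclass
class CRL:
    """.0201(7): a time-stamped list of revoked certificates signed by the CA."""
    issuer: str
    issued_at: datetime
    entries: List[StatusEntry] = field(default_factory=list)

    def entry_for(self, serial: int) -> Optional[StatusEntry]:
        return next((e for e in self.entries if e.serial == serial), None)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_crl(text: str) -> CRL:
    """Parse the constructed list format: a header line, then one entry per line
    as '<serial> <revoked|suspended> <effective> [<until>]'."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    if header[0] != "CRL":
        raise ValueError("not a CRL header")
    fields = dict(part.split("=", 1) for part in header[1:])
    crl = CRL(issuer=fields["issuer"], issued_at=parse_time(fields["issued"]))
    for ln in lines[1:]:
        parts = ln.split()
        if parts[1] not in ("revoked", "suspended"):
            raise ValueError(f"unknown status action {parts[1]!r}")
        until = parse_time(parts[3]) if len(parts) > 3 else None
        crl.entries.append(StatusEntry(int(parts[0]), parts[1], parse_time(parts[2]), until))
    return crl


def certificate_status(cert: Certificate, crl: CRL, now: datetime) -> str:
    """Return 'valid' or the reason the relying party may not rely on the certificate."""
    if not cert.accepted_by_subscriber:          # .0201(37)(b)
        return "not accepted"
    if now < cert.not_before:                    # .0201(19): period may start after issuance
        return "not yet operational"
    if now > cert.not_after:                     # .0201(37)(c)
        return "expired"
    # .0303(6)(c): the status source must be the issuer's own, current list.
    if crl.issuer != cert.issuer:
        return "status unknown: CRL from a different issuer"
    if crl.issued_at > now:
        return "status unknown: CRL time stamp in the future"
    if now - crl.issued_at > MAX_CRL_AGE:
        return "status unknown: CRL older than 24 hours"
    entry = crl.entry_for(cert.serial)
    if entry is None or now < entry.effective:   # not listed, or not yet effective
        return "valid"
    if entry.action == "revoked":                # .0201(29): permanent from that time
        return "revoked"
    if entry.until is None or now < entry.until: # .0201(34): temporary, possibly bounded
        return "suspended"
    return "valid"                               # suspension period has ended


# Constructed sample list: one revocation, one bounded suspension.
SAMPLE_CRL = """
CRL issuer=Example-CA issued=2024-06-01T12:00:00Z
1001 revoked 2024-05-30T09:00:00Z
1002 suspended 2024-05-31T00:00:00Z 2024-06-03T00:00:00Z
"""


def demo() -> dict:
    """Evaluate four constructed certificates against SAMPLE_CRL at one instant."""
    crl = parse_crl(SAMPLE_CRL)
    period = dict(not_before=parse_time("2024-01-01T00:00:00Z"),
                  not_after=parse_time("2025-01-01T00:00:00Z"))
    certs = {
        "good": Certificate("Example-CA", "Alice Example", "PUBKEY-A", 1000, **period, accepted_by_subscriber=True),
        "revoked": Certificate("Example-CA", "Bob Example", "PUBKEY-B", 1001, **period, accepted_by_subscriber=True),
        "suspended": Certificate("Example-CA", "Carol Example", "PUBKEY-C", 1002, **period, accepted_by_subscriber=True),
        "unaccepted": Certificate("Example-CA", "Dan Example", "PUBKEY-D", 1003, **period),
    }
    now = parse_time("2024-06-01T18:00:00Z")
    return {name: certificate_status(c, crl, now) for name, c in certs.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The ordering of the checks matters: acceptance and operational period are properties of the certificate itself and are decided first, so a stale or foreign revocation list never turns an expired certificate into an "unknown" result; the list is consulted only for a certificate that would otherwise be valid, and a list that cannot be trusted yields "status unknown" rather than "valid", which keeps the relying party on the right side of .0303(6)(c).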
36 37 (4) Repository Obligations: The Certification Authority shall be responsible for providing a repository, performing / providing certificate updates as required and 1 performing all associated functions. However, the Certification Authority may 2 delegate performance of this obligation to an identified Repository Services 3 Provider, provided the Certification Authority remains primarily responsible for 4 performance of those services by such third party in a manner consistent with 5 requirements of these Rules. 6 (5) Subscriber Obligations. In all cases, the Certification Authority shall require the 7 subscriber to enter an enforceable contractual commitment for the benefit of 8 Qualified Relying Parties obligating the subscriber to: 9 (a) take reasonable precautions to prevent any loss, disclosure, 10 or unauthorized use of the private key; 11 (b) 12 is warranting all information and representations made by the 13 subscriber included in the certificate are true; 14 (c) 15 purposes, consistent with these Rules; 16 (d) 17 the Certification Authority to revoke the certificate promptly upon 18 any actual or suspected loss, disclosure, or other subscriber private 19 key compromise. 20 (6) acknowledge that by accepting the certificate the subscriber use the certificate exclusively for authorized and legal immediately contact the Certification Authority and instruct Relying Party Obligations. A Qualified Relying Party has a right to 21 rely on a certificate referencing this Policy only if the certificate was 22 used and relied upon for lawful purposes and under circumstances 23 where: 24 (a) 25 of all circumstances known to the relying party at the time of 26 reliance; 27 (b) 28 appropriate under these Rules; and 29 (c) 30 certificate prior to reliance, or a check of the certificate’s 31 status would have indicated the certificate was valid. 
the reliance was reasonable and in good faith in light the purpose for which the certificate was used was the relying party checked the certificate status 32 (7) Liability. (Reserved) 33 (8) Financial Responsibility. See 18 NCAC 10.0301(8). 1 (9) Interpretation & Enforcement. 2 (a) Governing Law. The laws of the State of North Carolina shall govern the 3 enforceability, construction, interpretation, and validity of these Rules; 4 (b) 5 any business by public agencies in North Carolina. All other state laws, policies, and 6 procedures required to engage in business with public agencies in North Carolina must be 7 complied with by the Certification Authority and public agencies. 8 (c) 9 parties or relying parties shall be reduced to writing and delivered to each party. Parties shall The holders of North Carolina Certification Authority licenses are not guaranteed Dispute Resolution Procedures. Disputes between or among subscribers, trusted third 10 negotiate in good faith and use reasonable efforts to resolve such disputes. Parties shall not 11 resort to any formal proceedings to resolve such disputes until they have reasonably 12 determined that a negotiated resolution is not possible. 13 (10) Fees. A Certification Authority shall not impose any fees for reading these Rules or its 14 Certification Practice Statement. A Certification Authority may charge access fees on 15 certificates, certificate status information, or certificate revocation lists, subject to agreement 16 between the Certification Authority and subscriber, and in accordance with a fee schedule 17 published by the Certification Authority in its Certification Practice Statement or otherwise. 18 19 (11) Publication & Repositories: (a) Publication of Certification Authority Information. Each authorized Certification 20 Authority shall operate a secure online repository available to Qualified Relying 21 Parties. 
The repository shall contain: 22 (i) issued certificates that reference these Rules; 23 (ii) a Certificate Revocation List or on-line certificate status database; 24 (iii) the Certification Authority's certificate for its signing key; 25 (iv) past and current versions of the Certification Authority's Certification Practice 26 Statement; 27 (v) a copy of these Rules; and 28 (vi) other relevant information relating to certificates referencing these Rules. 29 (b) Frequency of Publication. All information to be published in the repository shall be 30 published promptly after such information is available to the Certification Authority. 31 In no case shall more than 24 hours pass between certification authority awareness of 32 a change and the Certification Authority publishing of the change. Certificates issued 33 by the Certification Authority referencing these Rules will be published promptly 34 upon acceptance of such certificate by the subscriber. Certificate revocations and 35 suspensions will be published contemporaneously with the act of revocation or 36 suspension. Information relating to revocation or suspension of a certificate and will 37 be published in accordance with 18 NCAC 10.0305(6)(b) and 10.0305(10). 1 (12) Access Controls. The repository will be available to Qualified Relying Parties and subscribers 2 24 hours per day, 7 days per week, subject to reasonable, published, scheduled maintenance 3 and the Certification Authority's then-current terms of access. A Certification Authority shall 4 not impose any access controls on these Rules, the Certification Authority's certificate for its 5 signing key, and past and current versions of the Certification Authority's Certification 6 Practice Statement. 
A Certification Authority may impose access controls on certificates, certificate status information, or Certificate Revocation Lists at its discretion, subject to agreement between the Certification Authority and subscriber, in accordance with provisions published in its Certification Practice Statement or otherwise.

(13) Required Compliance Audits:
    (a) The Certification Authority must submit to audit to determine its stability, prospects for longevity, and adequacy of its security practices and conditions. The audits must result in unqualified compliance reports. When a Certification Authority is licensed in North Carolina based on a reciprocity agreement between North Carolina and another state, the Certification Authority may submit certified copies of audit reports required by the other jurisdiction. After review by the Electronic Commerce Section, audit reports may be determined to meet North Carolina Certification Authority audit requirements.
    (b) A Certification Authority shall adhere to its Certification Practice Statement. If a Certification Authority modifies its Certification Practice Statement, it shall provide an updated copy of the Certification Practice Statement to the Electronic Commerce Section as soon as practicable and no later than the date the updated Certification Practice Statement is put into operation. At the discretion of the Electronic Commerce Section, the Certification Authority may be required to undergo additional or other audits for license renewal.
    (c) Stability and Longevity Prospects Audit:
        (i) Before initial approval as a licensed Certification Authority, the Certification Authority (and each Registration Authority, Certificate Manufacturing Authority, and Repository Services Provider, as applicable) shall submit to audit by an independent Certified Public Accounting firm. The audit must address the American Institute of Certified Public Accountants (AICPA) Section 341, “The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern”.
        (ii) The audit must produce an unqualified report from the CPA firm to the Certification Authority. A certified copy of the audit report must be attached by the Certification Authority to the application for a new Certification Authority license or renewal license, and submitted to the Electronic Commerce Section.
        (iii) As a condition of continued licensure, the Electronic Commerce Section may require the Certification Authority to undergo audit to document compliance with expectations for secure operations, an updated Certification Practice Statement, or to document continuing compliance with the ITU/ISO X.509 Version 3 standards and these Rules.
        (iv) A Certification Authority operated by an Agency of the State of North Carolina is exempt from this requirement.
    (d) Security Audit. The purpose of a security audit is to verify:
        (i) The Certification Authority has in place a secure system assuring the quality of Certification Authority Services provided; and
        (ii) the Certification Authority's system complies with all security requirements of these Rules, the Certification Authority's Certification Practice Statement, and ITU/ISO X.509 Version 3 standards.
    Before initial approval as a licensed Certification Authority, and thereafter at least once every year, the Certification Authority shall submit to a security compliance audit by an independent, nationally recognized security audit firm approved by the Electronic Commerce Section. The audit must evidence compliance with Federal Information Processing Standards 140-1 “Security: Cryptographic Modules” Level 2 and TCSEC (the Orange Book) C2 criteria, or comply with contemporary Certification Authority security criteria as expressed in terms of the “Common Criteria” (ISO 15408-1:1999). The security audit firm must be qualified to perform a security audit on a Certification Authority and must have significant knowledge and/or experience in Public Key Infrastructure application and cryptographic technologies. A certified copy of the current unqualified security audit report must be attached to an application for a new certification authority license or renewal license, and submitted to the NC Department of Secretary of State, Electronic Commerce Section.
(14) Confidentiality Policy. Subscriber consent must be obtained for each incident of disclosure and for each item of information unless required otherwise by law. The Certification Authority may not sell or exchange information in any circumstance that is not specifically allowed by these Rules or otherwise required by law.
    (a) A Certification Authority may not use data gathered in fulfilling its Certification Authority role for any other purpose.
    A Certification Authority shall not gather information beyond that necessary to authenticate a subscriber, nor shall it use information gathered in its Certification Authority role to assemble further information about subscribers;
    (b) Under no circumstance shall a Certification Authority (or any Registration Authority, Repository Services Provider, or Certificate Manufacturing Authority) have access to the signing private key(s) (as distinct from encryption key(s)) of any subscriber to whom it issues a certificate referencing these Rules, except for initial creation of the signing/secret key, where the key is not accessed and no enduring record is made of the key;

(15) Information Not Considered Confidential.
    (a) Information appearing on certificates is not confidential.
    (b) Disclosure of Certificate Revocation / Suspension Information. Information regarding the revocation or suspension status of a certificate is not confidential and is disclosed in the normal course of public key infrastructure activity.
    (c) Release to law enforcement officials. (Reserved)
    (d) Release as part of civil discovery. (Reserved)
    (e) Any information may be disclosed upon the owner’s request.
    (f) Other information release circumstances. (Reserved)

History Note: Authority G.S. 66-58.10

.0304 PUBLIC KEY TECHNOLOGY; IDENTIFICATION AND AUTHENTICATION
(1) Initial Registration:
    (a) Subject to the requirements of this rule, certificate applications may be communicated from the applicant to the Certification Authority or Registration Authority, and authorizations to issue certificates may be communicated from a Registration Authority to the Certification Authority, electronically via e-mail or a web site, provided all communication is secured by SSL or a similar security protocol, or by first class U.S. Mail or similar service;
    (b) North Carolina deploys two levels (classes) of authentication certificate:
        (i) A North Carolina Strong Authentication Certificate application requires the subscriber to appear before the Certification Authority or Registration Authority in person, or requires all identification documents to be notarized and delivered by a trustworthy method (for example, U.S. Mail or courier); or
        (ii) A North Carolina Basic Authentication Certificate application may be accomplished without subscriber personal appearance and without notarized documents.
(2) Types of Names. The subject name used for certificate applicants shall be the X.509 Distinguished Name. The name shall be unique for each entity certified by a Certification Authority. A Certification Authority may issue more than one certificate with the same subject name for the same subject entity;
(3) Name Meanings. The subject name listed in a certificate must have a reasonable association with the authenticated name of the subscriber. In the case of an individual, this should be a combination of first name and/or initials and surname. In the case of an organization, the name should reflect the legal name of the organization and/or unit;
(4) Rules for Interpreting Various Name Forms. (Reserved)
(5) Name Uniqueness. The subject name listed in a certificate shall be unambiguous and unique for all certificates issued by the Certification Authority and shall conform to X.500 standards for name uniqueness. If necessary, additional numbers or letters may be appended to the real name to ensure the name's uniqueness within the domain of certificates issued by the Certification Authority, as detailed in the Certification Practice Statement;
(6) Verification of Key Pair. The Certification Authority shall establish that the applicant is in possession of the private key corresponding to the public key submitted with the application, in accordance with an appropriate secure protocol such as that described in the Internet Engineering Task Force Public Key Infrastructure Certificate Management Protocol, or through other means;
(7) Authentication of an Organization. An organization can be issued a North Carolina Strong Authentication Certificate. An organization cannot be issued a North Carolina Basic Authentication Certificate.
    (a) Identification. A Certification Authority shall be presumed to have confirmed that the prospective subscriber organization is the organization to be listed in a certificate where the Certification Authority has assured by investigation:
        (i) The organization exists and conducts business at the address listed in the certificate application;
        (ii) A duly authorized representative of the applicant organization signed the certificate application;
        (iii) The information contained in the certificate application is correct;
        (iv) If required by State law, the organization is authorized to transact business and is in “good standing” with the Corporations Division of the North Carolina Department of the Secretary of State.
    (b) When authenticating an organizational applicant, the Certification Authority or Registration Authority shall require the following elements of information from the applicant on a notarized affidavit:
        (i) Organization name;
        (ii) Street address and mailing address, if different;
        (iii) City;
        (iv) State;
        (v) Zip;
        (vi) Taxpayer Identification Number / Employer Identification Number (EIN);
        (vii) Corporate Identification Number (issued by the Secretary of State);
        (viii) Date of incorporation or creation;
        (ix) State or country of incorporation or creation;
        (x) Telephone number (optional);
        (xi) E-mail address (optional);
        (xii) Post data element (e.g. a password) to be a secret shared with the Certification Authority / Registration Authority and used later for authentication in the absence of the digital signature. This element could be used along with additional information to authenticate a request for certificate revocation;
        (xiii) Name of officially authorized agent, if applicable.
    (c) Authentication and Confirmation Procedure. In conducting its review and investigation, the Certification Authority shall review official government records and/or engage the services of a reputable third party vendor of business information to do so. The Certification Authority or third party review will provide validation information concerning each organization applying for a certificate, including legal company name, type of entity, year of formation, names of directors and officers, address, telephone number, and good standing in the jurisdiction where the applicant was incorporated or otherwise organized.
    (d) Personal Presence. (Reserved)
(8) Authentication of Individual -- No Affiliation: An unaffiliated individual may be issued a North Carolina Strong Authentication Certificate, a North Carolina Basic Authentication Certificate, or both. In determining the type of certificate required, agencies should evaluate the application's sensitivity and the nature of the business with which the certificate holder will be associated. Based on the evaluation, a North Carolina Basic Authentication Certificate may be appropriate. In other cases, it may be appropriate to require a North Carolina Strong Authentication Certificate.
    (a) Identification:
        (i) North Carolina Strong Authentication Certificate. A Certification Authority shall be presumed to have confirmed that the prospective subscriber is the person to be listed in a certificate where the Certification Authority has been presented with at least two pieces of identification when authenticating an unaffiliated individual applicant for a North Carolina Strong Authentication Certificate. At least one piece of identification shall be a current federal or state government-issued picture-type identification, such as a military or government identification card, a driver’s license or similar identification document issued under authority of another country, or a passport. The Certification Authority or Registration Authority shall initial, date and archive copies of the identification used to establish the subscriber's identity.
    (b) Authentication for a North Carolina Strong Authentication Certificate. When authenticating an unaffiliated individual applicant, the Certification Authority or Registration Authority shall require the following elements of information from the applicant on a notarized affidavit:
        (i) Last name (family name);
        (ii) First name (given name);
        (iii) Middle name(s);
        (iv) Street address and mailing address, if different;
        (v) City;
        (vi) State;
        (vii) Zip;
        (viii) Social Security Number (SSN), national identification number or passport number;
        (ix) Driver's license number, or state identification card number;
        (x) Date of birth;
        (xi) Place of birth;
        (xiii) Telephone number (optional);
        (xiv) E-mail address (optional);
        (xv) Post data element (e.g. mother's maiden name or password) to be used later for authenticating an individual in the absence of their digital signature. This element could be used along with additional information to authenticate a request for certificate revocation;
        (xvi) Name of officially authorized agent, if applicable;
    (c) Authentication for a North Carolina Basic Authentication Certificate. Certification Authorities or Registration Authorities shall require a notarized affidavit from the applicant’s personnel officer, signed by the applicant, including:
        (i) Last name (family name);
        (ii) First name (given name);
        (iii) Middle name(s);
        (iv) Street address and mailing address, if different;
        (v) City;
        (vi) State;
        (vii) Zip;
        (viii) Social Security Number (SSN), national identification number or passport number;
        (ix) Driver's license number, or state identification card number;
        (x) Date of birth;
        (xi) Place of birth;
        (xii) Business telephone number (optional);
        (xiii) Business e-mail address (optional), as assigned by agency;
        (xiv) Post data element (e.g. mother's maiden name or password) to be used later for authenticating an individual in the absence of their digital signature. This element could be used along with additional information to authenticate a request for certificate revocation;
        (xv) Name of officially authorized agent, if applicable;
        (xvi) Beginning date of employment;
        (xvii) Ending date of employment (if known).
    (d) Investigation and Confirmation. Verification of the name and SSN, and of the name and driver's license (or ID number) data elements, may be accomplished via checks with the Social Security Administration and the appropriate state motor vehicle administration. Verification of the name and address data elements may be accomplished through access to either a trusted commercial or governmental data source. The address confirmation data sources may consist of either online databases or local business records (e.g., a bank's customer records, the U.S. Postal Service, state motor vehicle department records, or a state personnel office);
    (e) Personal Presence. Authentication of an unaffiliated individual requires that the applicant either:
        (i) personally present himself or herself to a Registration Authority to be authenticated prior to certificate issuance; or
        (ii) securely deliver signed and notarized copies of the requisite identification to the Certification Authority [in which case, once notarized copies are delivered, the parties may communicate electronically]. Where the applicant delivers notarized copies of identification to the Certification Authority, authentication of such identification will be confirmed through the use of a shared secret [such as a personal identification number]. The shared secret is separately communicated in a trustworthy manner to the applicant and included with the documents delivered as part of the certificate application process.
        (iii) An individual may meet expectations for personal presence by an attorney-in-fact, trustee or other court appointed fiduciary.
(9) Authentication of Individual – Affiliated Certificate.
    (a) Identification.
        (i) The Certification Authority may establish a trustworthy procedure whereby a sponsoring organization that has been authenticated by the Certification Authority and issued a certificate may designate one or more Responsible Individuals, and authorize them to represent the sponsoring organization concerning the issuance and revocation of certificates for affiliated individuals. The Certification Authority may rely on a designated Responsible Individual appointed by the sponsor to properly authenticate the individual applicant, if the Certification Authority has previously authenticated the sponsor as an organization and the Responsible Individual as an unaffiliated individual, in accordance with these Rules. A Certification Authority shall be presumed to have confirmed that a prospective subscriber is the person to be listed in a certificate where the Certification Authority relies on a designated Responsible Individual appointed by the sponsor to properly authenticate the individual applicant, if the Certification Authority has previously authenticated the sponsor as an organization and the Responsible Individual as an unaffiliated individual, in accordance with these Rules.
        (ii) In the absence of a trustworthy procedure, affiliated individuals shall be authenticated in the same manner as unaffiliated individuals.
    (b) Authentication Confirmation Procedure. Authentication of the individual will be confirmed through the use of a shared secret [such as a Personal Identification Number]. The shared secret is distributed via a trustworthy out-of-band communication to the applicant (either directly or via the sponsor) and included in the application process as part of the certificate enrollment process;
    (c) Personal Presence.
        (i) Applicants affiliated with an approved sponsor can be authenticated through an electronically submitted application, based on an appropriate agreement with the sponsor, the approval of a designated Responsible Individual, and the distribution of Personal Identification Numbers or a similar security device;
        (ii) If a Certification Authority elects to use an online commercial database, the application may be filled out and submitted via the Internet from a home or business computer. In the case where a Certification Authority elects to use a local record check, the application process may take place over the Internet, or alternatively, the Certification Authority may require the applicant to visit an appropriate business site in order to enter the required information at a local terminal.
    (d) Duties of Responsible Individual. The Responsible Individual represents the sponsoring organization with respect to the issuance and management of certificates. In that capacity he or she is responsible for properly indicating which subscribers are to receive certificates.
(10) Renewal Applications (Routine Re-key). A subscriber may request issuance of a new certificate for a new key pair from the Certification Authority issuing the original certificate. The request may be made electronically by a digitally signed message based on the old key pair in the original certificate under these conditions:
    (a) The request must occur during the period two months prior to normal scheduled certificate expiration;
    (b) The subscriber must be authenticated following the principles of these Rules; and
    (c) The original certificate has not been suspended or revoked.
(11) Re-key after Revocation. Revoked or expired certificates shall not be renewed under any conditions. Applicants without a valid certificate from the Certification Authority that references these Rules shall be re-authenticated by the Certification Authority or Registration Authority on certificate application, just as with a first-time application.
(12) Revocation Request.
    (a) Electronic Revocation Request.
        (i) A revocation request submitted electronically may be authenticated by digital signature using the “old” key pair;
        (ii) Electronic revocation requests authenticated on the basis of the old (compromised) key pair shall always be accepted as valid. Other revocation request authentication mechanisms are acceptable. These authentication mechanisms balance the need to prevent unauthorized revocation requests against the need to quickly revoke certificates.
    (b) Non-Electronic Revocation Request.
        (i) Organization initiated revocation of affiliated certificate(s) shall be authenticated by communication from a known person and/or official authorized to initiate revocations on behalf of an organization.
        (ii) Subscriber initiated requests for revocation of certificate(s) shall be authenticated by presentation of a signed and notarized request for revocation.
        (iii) Subscriber initiated requests for revocation of certificates via an attorney-in-fact shall be authenticated by presentation of 1) a notarized request for revocation by the attorney-in-fact; and 2) a certified copy of the power of attorney.
        (iv) Revocation by a court of competent jurisdiction may be made by presentation of a certified court order.

History Note: Authority G.S. 66-58.10

.0305 PUBLIC KEY TECHNOLOGY: OPERATIONAL REQUIREMENTS
(1) Certificate Application. A certificate applicant shall complete a certificate application in a form prescribed by the Certification Authority Certificate Policy and enter into a subscriber agreement with the Certification Authority. All applications are subject to Certification Authority review, approval, and acceptance. A Certificate Policy shall define the minimum content to be used for a certificate application. The Certificate Policy shall also specify that all applications are subject to review, approval, and acceptance by the Policy Authority in addition to the Issuer.
(2) Certificate Issuance. Upon successful completion of the subscriber identification and authentication process in accordance with these Rules, and complete and final approval of the certificate application, the Certification Authority shall:
    (a) issue the requested certificate;
    (b) notify the applicant thereof; and
    (c) make the certificate available to the applicant using a procedure that:
        (i) assures the certificate is only delivered to, or available for pickup by, the subscriber; and
        (ii) provides adequate proof of subscriber identification in accordance with these Rules.
    A Certification Authority will not issue a certificate without the consent of the applicant and, if applicable, the applicant's sponsor.
(3) Certificate Acceptance. Following certificate issuance, the Certification Authority shall continually require the subscriber to expressly indicate certificate acceptance or rejection to the Certification Authority, in accordance with established Certification Authority Certification Practice Statement procedures.
(4) Circumstances for Revocation of Certificate.
    (a) Permissive Revocation. A subscriber may request revocation of his, her, or its certificate at any time for any reason. A sponsoring organization, where applicable, may request certificate revocation of any affiliated individual at any time for any reason. The issuing Certification Authority may also revoke a certificate upon failure of the subscriber or, where applicable, the sponsoring organization to meet its obligations under these Rules, the applicable Certification Practice Statement, or any other agreement, regulation, or law applicable to the certificate that may be in force.
    (b) Required Revocation. A subscriber or sponsoring organization, where applicable, shall promptly request revocation of a certificate when:
        (i) any information on the certificate changes or becomes obsolete;
        (ii) the private key, or the media holding the private key associated with the certificate, is, or is suspected of having been, compromised; or
        (iii) an affiliated individual is no longer affiliated with the sponsor;
    (c) The issuing Certification Authority shall revoke a certificate:
        (i) upon request of the subscriber or sponsoring organization;
        (ii) upon failure of the subscriber (or the sponsoring organization, where applicable) to meet its material obligations under these Rules, any applicable Certification Practice Statement, or any other agreement, regulation, or law applicable to the certificate that may be in force;
        (iii) if knowledge or reasonable suspicion of compromise is obtained; or
        (iv) if the Certification Authority determines that the certificate was not properly issued in accordance with these Rules and/or any applicable Certification Practice Statement.
    (d) Notice of the Certification Authority ceasing operation shall be posted to the Certification Authority Revocation List maintained by the Electronic Commerce Section of the Department of the Secretary of State.
(5) Who Can Request Revocation. The only persons permitted to request revocation of a certificate issued pursuant to these Rules are:
    (a) the subscriber;
    (b) the sponsoring organization (where applicable); and
    (c) the issuing Certification Authority.
(6) Procedure for Revocation Request.
    (a) A certificate revocation request should be promptly communicated to the issuing Certification Authority, either directly or through a Registration Authority. A certificate revocation request may be communicated electronically if it is digitally signed with the private key of the subscriber or, where applicable, the sponsoring organization. Requests digitally signed by the subscriber, or by the sponsoring organization, are considered authenticated when received by the Certification Authority or Registration Authority. Alternatively, the subscriber or, where applicable, the sponsoring organization may request revocation by contacting the Certification Authority or an authorized Registration Authority in person and providing adequate proof of identification to authenticate the request in accordance with these Rules. Copies of the digitally signed request must be archived by the Certification Authority or Registration Authority. Other identification used to establish the subscriber's identity shall be photocopied and initialed by an authorized representative of the Certification Authority or Registration Authority and archived.
    (b) Repository/Certificate Revocation List Update. Promptly, and within less than 2 hours of revocation, the Certificate Revocation List, or certificate status database in the repository, as applicable, shall be updated. All revocation requests and the resulting actions taken by the Certification Authority shall be archived.
(6) Revocation Request Grace Period. Certificate revocation requests shall be authenticated and processed within 2 hours of receipt by the Certification Authority.
(7) Certificate Suspension. The procedures and requirements stated for certificate revocation must also be followed for certificate suspension, where implemented.
(8) Certificate Revocation List Issuance Frequency. When Certificate Revocation Lists are used, an up-to-date Certificate Revocation List shall be issued to the repository at least every 2 hours. If no change has been made to the Certificate Revocation List, an update to the Certificate Revocation List in the repository is not necessary.
(9) Online Revocation / Status Checking Availability. Whenever an online certificate status database is used as an alternative to a Certificate Revocation List, such database shall be updated no later than 2 hours after certificate revocation.
(10) Computer Security Audit Procedures. All significant security events on the Certification Authority system should be automatically recorded in audit trail files. The audit log shall be processed and archived at least once a week. Such files shall be retained for at least 6 months onsite, and thereafter shall be securely archived.
(11) Records, Archival.
    (a) Types of Records Archived. The following data and files must be archived by (or on behalf of) the Certification Authority:
        (i) All computer security audit data;
        (ii) All certificate application data;
        (iii) All certificates, and all Certificate Revocation Lists or certificate status records generated;
        (iv) Key histories; and
        (v) All correspondence between the Certification Authority and Registration Authority, Certificate Manufacturing Authority, Repository Services Provider, and/or subscriber.
    (b) Retention Period for Archive. Key and certificate information and archives of audit trail files must be retained for at least 30 years.
    (c) Protection of Archive. The archive media must be protected either by physical security alone, or by a combination of physical security and cryptographic protection. The archive must be protected from environmental threats such as temperature, humidity, and magnetism. The Certification Practice Statement must address the procedure for transferring and preserving the archive media in the case of the Certification Authority ceasing operation in this State.
    (d) Archive Backup Procedures. Adequate backup procedures must be in place. In the event of loss or destruction of primary archives, a complete set of backup copies must be readily available within no more than 24 hours. Backup procedures must be tested regularly.
(12) Archive Collection System (Internal or External). (Reserved)
(13) Procedures to Obtain and Verify Archive Information. During the compliance audit required by these Rules, the auditor shall verify the integrity of the archives. Any copy of the archive media determined to be corrupted or damaged in any way shall be replaced with the backup copy held in the separate location, and the replacement noted in the compliance audit report.
(14) Key Changeover. (Reserved)
(15) Compromise and Disaster Recovery.
    (a) Disaster Recovery Plan:
        (i) The Certification Authority must have in place an appropriate disaster recovery/business resumption plan. The Certification Authority must set up and render operational a facility located in a geographic area not affected or disrupted by the disaster. The facility must provide Certification Authority Services in accordance with these Rules. The alternate facility must be operational within 24 hours of an unanticipated emergency. Disaster recovery planning shall include a complete and periodic test of facility readiness. Such plan shall be identified and referenced within the Certification Practice Statement or other appropriate documentation available to Qualified Relying Parties.
        (ii) The disaster recovery plan will have been reviewed during Certification Authority initial and subsequent third party audits.
    (b) Key Compromise Plan. The Certification Authority must have a key compromise plan in place. The plan must address procedures to be followed in the event the Certification Authority's private signing key used to issue certificates is compromised, or in the event the private signing key of any Certification Authority higher in the chain of trust is compromised. Such plan shall include procedures for revoking all affected certificates and promptly notifying all subscribers and all Qualified Relying Parties.
(16) Certification Authority Termination. In the event that the Certification Authority ceases operation, the North Carolina Department of the Secretary of State Electronic Commerce Section, North Carolina Information Technology Services, all subscribers, sponsoring organizations, Registration Authorities, Certificate Manufacturing Authorities, Repository Service Providers, and Qualified Relying Parties shall be promptly notified of the termination. In addition, all Certification Authorities with which cross-certification authority agreements are current at the time of cessation must be promptly informed of the termination. All certificates issued by the Certification Authority referencing these Rules will be revoked no later than the time of termination.

History Note: Authority G.S. 66-58.10

.0306 PUBLIC KEY TECHNOLOGY: PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
(1) Physical Security -- Access Controls.
(a) The Certification Authorities, and all Registration Authorities, 37 Certificate Manufacturing Authorities and Repository Services 38 Providers, shall implement appropriate physical security controls 1 to restrict access to hardware and software (including the server, 2 workstations, and any external cryptographic hardware modules or 3 tokens) used in connection with providing Certification Authority 4 Services. Access to such hardware and software shall be limited to 5 personnel performing in a Trusted Role as described in this Rule. 6 Access shall be controlled through the use of electronic access 7 controls, mechanical combination lock sets, or deadbolts. Such 8 access controls must be manually or electronically monitored for 9 unauthorized intrusion at all times. (b) 10 11 12 Breach of physical security and / or access control expectations may result in revocation of the Certification Authority's license. (2) 13 Procedural Controls. (a) Trusted Roles. All employees, contractors, and consultants of a 14 Certification Authority (collectively "personnel") having access to 15 or control over cryptographic operations that may materially affect 16 the Certification Authority's issuance, use, suspension, or 17 revocation of certificates shall, for purposes of these Rules, be 18 considered as serving in a trusted role. This includes access to 19 restricted operations of the Certificate Authority's repository. Such 20 personnel include, but are not limited to, system administration 21 personnel, operators, engineering personnel, and executives who 22 are designated to oversee the Certification Authority's operations. 23 (b) Multiple Roles (Number of Persons Required Per Task). To ensure 24 that one person acting alone cannot circumvent safeguards, 25 multiple roles and individuals should share Certification Authority 26 server responsibilities. 
Each account on the Certification 27 Authority server shall have limited capabilities commensurate with 28 the role of the account holder. 29 30 (3) Personnel Security Controls. (a) Background and Qualifications. Certification Authorities, 31 Registration Authorities, Certificate Manufacturing Authorities and 32 Repository Service Providers shall formulate and follow personnel 33 and management policies sufficient to provide reasonable 34 assurance of the trustworthiness and competence of their 35 employees and of the satisfactory performance of their duties in 36 manner consistent with these Rules. 37 (b) Background Investigation. 1 (i) Certification Authorities shall conduct an appropriate 2 background investigation of all personnel who serve in 3 trusted roles (prior to their employment and periodically 4 thereafter, as necessary), to verify their trustworthiness and 5 competence in accordance with the requirements of these 6 Rules and the Certification Authority's personnel Practice 7 Statements or their equivalent. All personnel who fail an 8 initial or periodic investigation shall not serve or continue to 9 serve in a trusted role. 10 (ii) Operative personnel shall not ever have been convicted 11 of a felony or a crime involving fraud, false statement or 12 deception. 13 (iii) The principle of full disclosure must be applied in 14 relation to background investigations and representations of 15 operative personnel. (c) 16 Training Requirements. All Certification Authority, 17 Registration Authority, Certificate Manufacturing Authority 18 and Repository Services Provider personnel must receive 19 proper training in order to perform their duties, and update 20 briefings thereafter as necessary to remain current. 21 (d) Documentation Supplied to Personnel. 
All Certification Authority, Registration Authority, Certificate Manufacturing Authority, and Repository Services Provider personnel must receive comprehensive user manuals detailing the procedures for certificate creation, update, renewal, suspension, revocation, and software functionality.

History Note: Authority G.S. 66-58.10

.0307 PUBLIC KEY TECHNOLOGY: TECHNICAL SECURITY CONTROLS
(1) Key Pair Generation and Installation.
    (a) Key Pair Generation. Key pairs for Certification Authorities, Registration Authorities, Certificate Manufacturing Authorities, Repository Services Providers, and subscribers must be generated in such a way that the private key is not known by other than the authorized user of the key pair. Acceptable methods include:
        (i) Having all users (Certification Authorities, Certificate Manufacturing Authorities, Registration Authorities, Repository Services Providers and subscribers) generate their own keys on a trustworthy system, and not reveal the private keys to anyone else; or
        (ii) Having keys generated in hardware tokens from which the private key cannot be extracted.
    (b) Certification Authority, Registration Authority, and Certificate Manufacturing Authority keys must be generated in hardware tokens. Key pairs for Repository Services Providers, and end-entities can be generated in either hardware or software as detailed in the Certification Practice Statement.
(2) Private Key Delivery to Entity. The private (secret) key shall be delivered to the subscriber in an “out of band” transaction. The secret key may be delivered to the subscriber in a tamper-proof hardware or software container. The secret key may be delivered to the subscriber embedded in a hardware token protected by encryption and password protected.
(3) Subscriber Public Key Delivery to Certification Authority. The subscriber’s public key must be transferred to the Registration Authority or Certification Authority in a way that ensures:
    (a) it has not been changed during transit;
    (b) the sender possesses the private key that corresponds to the transferred public key; and
    (c) the sender of the public key is the legitimate user claimed in the certificate application.
(4) Certification Authority Public Key Delivery to Users. The public key of the Certification Authority signing key pair may be delivered to subscribers in an on-line transaction in accordance with Internet Engineering Task Force Public Key Infrastructure Part 3, or via another appropriate mechanism.
(5) Key Sizes – Asymmetric Cryptographic Applications.
    (a) Minimum key length for other than elliptic curve based algorithms is 1024 bits;
    (b) Minimum key length for elliptic curve group algorithms is 170 bits.
(6) Acceptable algorithms for public key cryptography applications include, but are not limited to:
    (a) RSA (Rivest, Shamir, Adleman) -- digital signature and information security;
    (b) ElGamal -- digital signature and information security;
    (c) Diffie-Hellman -- digital signature and information security;
    (d) DSA/DSS (Digital Signature Algorithm) -- digital signature applications.
(7) Certification Authority Private Key Protection. The Certification Authority (and the Registration Authority, Certificate Manufacturing Authority and Repository Services Provider) shall each protect its private key(s) in accordance with the provisions of these Rules.
    (a) Standards for Cryptographic Module. Certification Authority signing key generation, storage and signing operations shall be on a hardware crypto module rated at Federal Information Processing Standards 140-1 Level 2 (or higher). Subscribers shall use Federal Information Processing Standards 140-1 Level 1 approved cryptographic modules (or higher) and related pertinent cryptographic module security requirements of the Common Criteria – ISO 15408-1 “Evaluation Criteria”.
    (b) Private Key (N-M) Multi-Person Control. (Reserved)
    (c) Private Key Escrow:
        (i) Certification Authority signing private keys shall not be escrowed;
        (ii) Keys used solely for encryption purposes within and by employees of the State of North Carolina shall be escrowed, unless otherwise provided by law.
    (d) Private Key Backup. An entity may back up its own private key.
    (e) Private Key Archival. An entity may archive its own private key.
    (f) Private Key Entry into Cryptographic Module. (Reserved)
    (g) Method of Activating Private Key. (Reserved)
    (h) Method of Deactivating Private Key. (Reserved)
    (i) Method of Destroying Private Key. (Reserved)
    (j) Other Aspects of Key Pair Management.
        (i) Public Key Archival. (Reserved)
        (ii) Key Replacement. Certification Authority key pairs must be replaced at least every three (3) years. Registration Authority and subscriber key pairs must be replaced not less than every two (2) years and a new certificate issued.
    (k) Restrictions on Certification Authority's Private Key Use.
        (i) The Certification Authority's signing key used for issuing certificates conforming to these Rules shall be used only for signing certificates and, optionally, Certificate Revocation Lists.
        (ii) A private key used by a Registration Authority or Repository Services Provider for purposes associated with its Registration or Repository Services Provider function shall not be used for any other purpose without the express written permission of the Certification Authority.
        (iii) A private key held by a Certificate Manufacturing Authority and used for purposes of manufacturing certificates for the Certification Authority:
            (1) is considered the Certification Authority's signing key;
            (2) is held by the Certificate Manufacturing Authority as a fiduciary for the Certification Authority; and
            (3) shall not be used for any reason without the express written permission of the Certification Authority;
        (iv) Any other private key used by a Certificate Manufacturing Authority for purposes associated with its Certificate Manufacturing Authority function shall not be used for any other purpose without the express written permission of the Certification Authority.
(8) Activation Data. No stipulation.
(9) Computer Security Controls. All Certification Authority servers must include the functionality satisfying Federal Information Processing Standards 140-1 Level 2 (or higher) and pertinent cryptographic module security requirements of the Common Criteria – ISO 15408-1 “Evaluation Criteria” for IT Security either through the operating system, or combination of operating system, public key infrastructure application, and physical safeguards.
(10) Life Cycle Technical Controls:
    (a) System Development Controls. System design and development shall be conducted using an industrial standard methodology, e.g. systems development life cycle approach (SDLC);
    (b) Security Management Controls. (Reserved)
(11) Network Security Controls. (Reserved)
(12) Cryptographic Module Engineering Controls. (Reserved)

History Note: Authority G.S. 66-58.10

.0308 PUBLIC KEY TECHNOLOGY: CERTIFICATE AND CERTIFICATE REVOCATION LIST PROFILES
(1) Certificate Profile:
    (a) Certificates referencing these Rules shall contain public keys used for authenticating the sender of an electronic message and verifying the integrity of such messages, i.e. public keys used for digital signature verification;
    (b) All certificates referencing these Rules will be issued in the X.509 version 3 format and will include a reference to the Object Identifier for these Rules, when assigned, within the appropriate field. The Certification Practice Statement shall identify the certificate extensions supported, and the level of support for those extensions.
(2) Certificate Revocation List Profile. If utilized, Certificate Revocation Lists will be issued in the X.509 version 2 format. The Certificate Practice Statement shall identify the Certificate Revocation List extensions supported and the level of support for these extensions.

History Note: Authority G.S. 66-58.10

.0309 PUBLIC KEY TECHNOLOGY: RULE ADMINISTRATION
(1) Rule Change Procedures. (Reserved)
(2) List of Items. Notice of all proposed changes to these Rules, under consideration by the Department of the Secretary of State, that may materially affect users of the Rules (other than editorial or typographical corrections, or changes to the contact details) will be provided to licensed Certification Authorities. Notice will be posted on the World Wide Web site of the North Carolina Department of the Secretary of State. Authorized Certification Authorities shall post notice of such proposed changes in their repositories and shall advise their subscribers, in writing or by e-mail, of such proposed changes;
(4) Publication and Notification Procedures:
    (a) A copy of these Rules is available in electronic form on the Internet at www.secretary.state.nc.us/ecomm/;
    (b) Authorized Certification Authorities shall post copies of these Rules in their repositories.

History Note: Authority G.S. 66-58.10

SECTION .0400 BIOMETRICS. (RESERVED)

SECTION .0500 SIGNATURE DYNAMICS. (RESERVED)

SECTION .0600 (RESERVED)

SECTION .0700 ALTERNATE TECHNOLOGIES

.0701 ALTERNATE TECHNOLOGIES AND PROVISIONAL LICENSING
(1) Alternate Technologies: Any person may petition the Electronic Commerce Section to initiate rulemaking to recognize a technology not currently recognized under these Rules. The petition shall be made pursuant to G.S. 150B-20. General Statute 150B-20 and other statutes can be viewed at the North Carolina General Assembly's Internet site at http://www.ncga.state.nc.us/. In addition to the requirements of G.S. 150B-20, in order to enable the Electronic Commerce Section to best consider the petition, the petitioner should also provide a detailed explanation of the proposed technology, and a discussion of how the technology complies with the substantive intent of the Electronic Commerce Act.
(2) Provisional Licensing: If the Electronic Commerce Section accepts the proposed technology for rulemaking, it may, but is not required to, enter into provisional licensing agreements with persons utilizing the proposed technology and desiring licensure during the time before the new Rules are effective. The terms and conditions of any provisional licensing agreement shall be substantially consistent with these Rules.

History Note: Authority G.S. 66-58.10

SECTION .0800 - SANCTIONS AND ENFORCEMENT

.0801 CIVIL SANCTIONS
(1) If, upon investigation, the Electronic Commerce Section finds that a Certification Authority has violated any provision of the Electronic Commerce Act or these Rules, or finds that the Certification Authority has had a license revoked or suspended in any other jurisdiction, the Electronic Commerce Section may revoke or suspend any license issued under the Electronic Commerce Act and these Rules. The revocation or suspension may be in addition to any civil monetary penalty issued against the Certification Authority.
As a condition of license reinstatement following a period of suspension, the Electronic Commerce Section may require that the Certification Authority submit updated or additional documentation or assurances regarding its operations.
(2) If, upon investigation, the Electronic Commerce Section finds that a Certification Authority has violated any provision of the Electronic Commerce Act or these Rules, the Electronic Commerce Section may assess a civil monetary penalty of not more than five thousand dollars ($5,000 US) for each violation. The civil monetary penalty may be in addition to any revocation or suspension of the Certification Authority's license. As a condition of continued licensure following assessment of a civil monetary penalty, the Electronic Commerce Section may require that the Certification Authority submit updated or additional documentation or assurances regarding its operations.
(3) Adjustment factors. In determining the length of any suspension or amount of any civil monetary penalty, the Electronic Commerce Section shall consider:
    (a) The organizational size of the Certification Authority cited for violating the provisions of the Electronic Commerce Act;
    (b) The good faith of the Certification Authority cited, including but not limited to any procedures or processes implemented by the violator to prevent the violation from recurring;
    (c) The gravity of the violation;
    (d) The prior record of the violator in complying or failing to comply with the Electronic Commerce Act or these Rules; and
    (e) The risk of harm caused by the violation.
(4) Continuing Violations. After the receipt of notice of a violation, if any Certification Authority willfully continues to violate by action or inaction the Electronic Commerce Act or these Rules, each day or transaction the violation continues or is repeated may be considered a separate violation.
(5) Civil Sanction Notification. When the Electronic Commerce Section determines that a civil sanction shall be assessed, the Electronic Commerce Section shall notify the Certification Authority of the following information by electronic mail, if possible, and by any means permitted under Rule 4 of the North Carolina Rules of Civil Procedure:
    (a) The nature of the violation;
    (b) The civil sanction imposed;
    (c) That the civil sanction will become final unless within 15 days after receiving notice of the violation the Certification Authority either (i) takes exception to the civil sanction assessment by filing a contested case petition with the Office of Administrative Hearings; or (ii) submits a written request for the reduction of the sanction; and
    (d) The procedure for taking exception to the violation or seeking the reduction of the sanction.
(6) Civil Sanction Finality. The Certification Authority must file a contested case petition pursuant to G.S. 150B-23 or submit a written request for the reduction of the sanction within 15 days of receipt of the notice of the civil sanction assessment or the assessment shall become final. Notice shall be deemed received at the time of service by any method permitted under Rule 4 of the North Carolina Rules of Civil Procedure.
(7) Request for Reduction of Civil Sanction. A Certification Authority that admits a cited violation but wishes to seek reduction of the length of a suspension or amount of a civil monetary penalty may request reduction of the civil sanction.
    (a) Any request for reduction of a civil sanction shall be submitted to the Electronic Commerce Section in writing and must include a written statement supporting the reduction request. Requests for reduction of a sanction are solely for the purpose of allowing the Certification Authority to contest the reasonableness of the civil sanction arising under this Rule. The Certification Authority should not attempt to contest the existence of a violation or raise questions of law in the request for reduction of the sanction.
    (b) The Electronic Commerce Section shall determine if the assessed sanction is to be reduced pursuant to a reduction request and shall notify the Certification Authority of its decision in writing.
    (c) If the Electronic Commerce Section determines that the reduction request raises issues of fact or questions of law, the Electronic Commerce Section may decline to consider the reduction request, and shall notify the Certification Authority by certified or registered mail that it must file a contested case petition with the Office of Administrative Hearings in order to preserve its claim and legal rights. The Certification Authority must file a contested case petition with the Office of Administrative Hearings within 15 days of receipt of notice or the sanction assessed shall be final.
    (d) If the reduction request does not raise issues of fact or questions of law, the Electronic Commerce Section shall determine if the assessed sanction is to be reduced, and shall notify the Certification Authority of its decision in writing by electronic mail, if possible, and by any other means permitted under Rule 4 of the North Carolina Rules of Civil Procedure. In the event the Electronic Commerce Section denies the reduction request, or grants the reduction request in an amount unacceptable to the Certification Authority, the Certification Authority must file a contested case petition with the Office of Administrative Hearings within 15 days of receipt of notice of the Electronic Commerce Section's decision, or the decision shall become the final decision. Notice shall be deemed received at the time of service by any method permitted under Rule 4 of the North Carolina Rules of Civil Procedure.
(8) Payment. Any civil monetary penalty shall be due within 60 days of the date of the initial assessment of the penalty, except that if the Certification Authority files a contested case petition pursuant to G.S. 150B-23 or submits a written request for reduction of the penalty, the penalty shall be due within 60 days of the date of the final decision. The penalty shall be paid with cash or certified funds by personal delivery or certified mail to the Electronic Commerce Section. In the event the Certification Authority fails to pay the penalty assessed within the time periods set forth in this Rule, the Electronic Commerce Section may collect the amount of the penalty from the bond required by these Rules.

Authority G.S. 66-58.6; 66-58.10

.0802 CRIMINAL PENALTIES AND INJUNCTIVE RELIEF
The Department of the Secretary of State has the authority to investigate, prosecute and otherwise pursue criminal penalties for violations of the Electronic Commerce Act, pursuant to G.S. 66-58.8, or injunctive relief pursuant to G.S. 66-58.6.

Authority G.S. 66-58.6; 66-58.8; 66-58.10

SECTION .0900 - RECIPROCITY

.0901 RECIPROCAL AGREEMENTS AND LICENSURE BY RECIPROCITY
(1) The Electronic Commerce Section may enter into reciprocal licensing agreements with other jurisdictions that have adopted electronic commerce laws similar in nature and intent to the Electronic Commerce Act.
(2) Certification Authorities licensed by other jurisdictions may request North Carolina licensure by the North Carolina Electronic Commerce Section. The applicant must be currently licensed in good standing with another jurisdiction.
(3) To seek reciprocal licensure in North Carolina, Certification Authorities licensed by other jurisdictions shall do the following:
    (a) Pay the licensing fee as described in these Rules;
    (b) Provide the Electronic Commerce Section with evidence of licensure in good standing from the other licensing jurisdiction;
    (c) Provide the Electronic Commerce Section with a complete copy of the licensing application that led to the Certification Authority becoming licensed in the other jurisdiction, including any amendments thereto;
    (d) Provide full disclosure of any former, current or proposed disciplinary action or criminal proceeding arising from or related to the Certification Authority's license or activities as a Certification Authority;
    (e) Provide a complete history of licensure in all other jurisdictions, whether continuous or disrupted, and if disrupted the length of the disruption and basis therefor; and
    (f) Provide any additional information as required by the Electronic Commerce Section.
(4) The Electronic Commerce Section shall have the power to impose civil sanctions against a reciprocal licensee on the same basis that the Electronic Commerce Section can impose civil sanction against a Certification Authority license otherwise issued, or upon finding that the Certification Authority has had a license revoked or suspended in another jurisdiction.
(5) Any Certification Authority that obtains a reciprocal license under these Rules shall be obligated to inform the Electronic Commerce Section in writing of any civil or criminal proceeding that arises from or relates to the Certification Authority's license or any disciplinary action commenced against the Certification Authority in any other jurisdiction within ten days of notice of the proceeding or action.

Authority G.S. 66-58.3; 66-58.6; 66-58.7; 66-58.8; 66-58.10; 66-58.11
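A conformance check for the technical requirements of Rules .0307 and .0308 above, written here as an added example in Go; it is not part of the Rules or of any licensed Certification Authority's software. It sizes RSA and EC keys against .0307(5), applies the key replacement intervals of .0307(7)(j)(ii), limits the CA key usage to certificate and CRL signing per .0307(7)(k)(i), requires X.509 version 3 per .0308(1)(b), and verifies a PKCS#10 request's self-signature as the proof of possession that .0307(3)(b) calls for. Assumptions: the certificates it checks are constructed in memory, the 170-bit EC floor is read against the curve's group size, and only RSA and EC keys are sized (DSA, which the Rules also allow, is not handled).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds from Rule .0307 (5) key sizes and (7)(j)(ii) key replacement intervals.
const MinRSABits, MinECBits, MaxCAYears, MaxSubscriberYears = 1024, 170, 3, 2

// CheckCertificate lists the Rule .0307/.0308 requirements that cert fails; an empty
// result means every check implemented here passed (only RSA and EC keys are sized).
func CheckCertificate(cert *x509.Certificate) []string {
	var v []string
	if cert.Version != 3 {
		v = append(v, fmt.Sprintf(".0308(1)(b): X.509 v3 required, got v%d", cert.Version))
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < MinRSABits {
			v = append(v, fmt.Sprintf(".0307(5)(a): RSA modulus is %d bits, minimum %d", pub.N.BitLen(), MinRSABits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < MinECBits {
			v = append(v, fmt.Sprintf(".0307(5)(b): EC group is %d bits, minimum %d", bits, MinECBits))
		}
	}
	maxYears := MaxSubscriberYears
	if cert.IsCA { // .0307(7)(k)(i): the CA signing key signs certificates and, optionally, CRLs; nothing else.
		maxYears = MaxCAYears
		if allowed := x509.KeyUsageCertSign | x509.KeyUsageCRLSign; cert.KeyUsage == 0 || cert.KeyUsage&^allowed != 0 {
			v = append(v, ".0307(7)(k)(i): CA key usage must be limited to keyCertSign and cRLSign")
		}
	}
	if cert.NotAfter.After(cert.NotBefore.AddDate(maxYears, 0, 0)) {
		v = append(v, fmt.Sprintf(".0307(7)(j)(ii): key pair must be replaced at least every %d years", maxYears))
	}
	return v
}

// VerifyPublicKeyDelivery checks a PKCS#10 request as .0307(3)(a)-(b) require: the self-signature breaks
// if the key changed in transit and proves the sender holds the private key; (3)(c), identity, is the RA's job.
func VerifyPublicKeyDelivery(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// SelfSigned builds an in-memory certificate to exercise the checks (constructed sample, no real CA).
func SelfSigned(key *ecdsa.PrivateKey, isCA bool, years int, usage x509.KeyUsage) (*x509.Certificate, error) {
	now := time.Now().UTC()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample"},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0), IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca, _ := SelfSigned(key, true, 5, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature)
	fmt.Println("CA findings:", CheckCertificate(ca)) // key usage too broad, lifetime over 3 years
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "subscriber"}}, key)
	_, err := VerifyPublicKeyDelivery(csrDER)
	fmt.Println("proof of possession error:", err) // <nil> for an untampered request
}
```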