SECTION .0100 - GENERAL ADMINISTRATION 1 .0101 HOW TO

1
2
SECTION .0100 - GENERAL ADMINISTRATION
.0101
HOW TO CONTACT THE ELECTRONIC COMMERCE SECTION
The North Carolina Department of the Secretary of State administers the Electronic
3
4
Commerce Act. The Secretary of State has designated the Electronic Commerce Section to
5
administer the Act. The Electronic Commerce Section may be contacted by the following means:
(1)
6
Electronic mail messages (email) are welcome, and are an efficient means of
7
communicating with the Electronic Commerce Section. Email may be sent to
8
ecomm@mail.secstate.state.nc.us.
9
(2)
Regular mail may be sent to the Electronic Commerce Section at the
10
following address: Electronic Commerce Section, Department of the
11
Secretary of State, Post Office Box 29622, 2 South Salisbury Street,
12
Raleigh, NC 27626-0626.
13
(3)
Up-to-date contact information regarding the Electronic Commerce Section
14
is contained on the Department of the Secretary of State's Internet site at
15
http://www.state.nc.us/secstate.
(4)
16
Suggestions regarding program administration are welcome. Suggestions
17
for improving electronic commerce in North Carolina, these Rules, the
18
Electronic Commerce Section, and the Electronic Commerce Act are always
19
welcome. Suggestions may be sent to the Electronic Commerce Section at
20
the addresses given above.
21
22
History Note: Authority G.S. 66-58.10
23
24
25
26
27
SECTION .0200 - DEFINITIONS
.0201
APPLICABLE DEFINITIONS
In addition to the definitions in the Electronic Commerce Act, Article 11A of Chapter 66 (G.S. 66-
58.1 et seq.), the following apply in these Rules:
(1)
Affiliated Individual.
An affiliated individual is the subject of a certificate that is
28
associated with a sponsor approved by the Certification Authority (such as an employee
29
affiliated with an employer). Certificates issued to affiliated individuals are intended to
30
be associated with the sponsor and the responsibility for authentication lies with the
31
sponsor.
32
(2)
Asymmetric Cryptosystem.
A computer-based system that employs two different
33
but mathematically related keys. They keys are computer-generated codes having the
34
following characteristics:
35
(a)
either key can be used to electronically sign and/or encrypt data, such that only
36
the other key in that key pair is capable of verifying the electronic signature
37
and/or decrypting the signed data; and
1
(b)
infeasible to discover the other key.
2
3
the keys have the property that, knowing one key, it is computationally
(3)
Authorized Certification Authority. A Certification Authority that has been issued a
4
Certification Authority license by the North Carolina Department of the Secretary of
5
State to issue certificates that reference these Rules.
6
(4)
Certification Authority Revocation List.
A time-stamped list of revoked certification
7
Authorities digitally signed by a Certification Authority or the Electronic Commerce
8
Section.
9
(5)
Certificate.
A record which:
10
(a)
identifies the certification authority issuing it;
11
(b)
names or identifies its subscriber;
12
(c)
contains a public key that corresponds to a private key under the control of the
13
subscriber;
14
(d)
identifies its operational period or period of validity;
15
(e)
contains a certificate serial number and is digitally signed by the Certification
Authority issuing it; and
16
17
(f)
conforms to the ITU/ISO X.509 Version 3 standards or other standards accepted
18
under these Rules. As used in these Rules the term "Certificate" refers to
19
certificates that expressly reference these Rules in the "Certificates Policy" filed
20
for an X.509 v.3 certificate.
21
(6)
Certificate Manufacturing Authority.
An entity that is responsible for the
22
manufacturing and delivery of certificates signed by a Certification Authority, but is not
23
responsible for identification and authentication of certificate subjects (i.e., a Certificate
24
Manufacturing Authority is delegated the certificate manufacturing task by a Certification
25
Authority).
26
(7)
27
28
Certificate Revocation List.
A Certification Authority digitally signed, time-
stamped list of revoked certificates.
(8)
Certification Authority.
A Certification Authority is an entity authorized by the
29
Secretary of State to facilitate electronic commerce. A Certification Authority is
30
responsible for authorizing and causing certificate issuance. A Certification Authority
31
can perform the functions of a Registration Authority and a Certificate Manufacturing
32
Authority, or it can delegate or outsource either of these functions. A Certification
33
Authority vouches for the connection between an entity and that entity’s electronic
34
signature. A Certification Authority performs two essential functions:
35
(a)
First, it is responsible for identifying and authenticating the intended subscriber
36
named in a certificate, and verifying the subscriber possesses the private key
37
corresponding to the public key listed in the certificate; and
1
(b)
Second, the Certification Authority actually creates (or manufactures) and
2
digitally signs the certificate. The certificate issued by the Certification
3
Authority represents the Certification Authority's statement as to the identity of
4
the person named in the certificate and the binding of that person to a particular
5
public-private key pair.
6
(9)
Certification Practice Statement.
A "Certification Practice Statement" is
7
documentation of the practices, procedures, and controls employed by a Certification
8
Authority issuing, suspending, or revoking certificates and providing access to same. A
9
Certification Practice Statement shall contain, at a minimum, detailed discussions of the
10
following topics:
11
(a)
12
technical security controls, including cryptographic modules
and management;
13
(b)
physical security controls;
14
(c)
procedural security controls;
15
(d)
personnel security controls;
16
(e)
repository obligations, including registration management,
17
subscriber information protection, and certificate revocation
18
management; and
(f)
19
20
(10)
financial responsibility.
Electronic Commerce Act.
The North Carolina Electronic Commerce Act,
21
N.C.G.S. Chapter 66, Article 11A. An Act to facilitate electronic commerce with and by
22
North Carolina public agencies by recognizing the validity of electronic signatures and
23
authorizing the Secretary of State to regulate electronic signatures and certification
24
authorities.
25
(11)
Electronic Commerce Section.
Component of the North Carolina Department of the
26
Secretary of State responsible for reviewing Certification Authority license applications
27
and administering the Electronic Commerce Act in North Carolina.
28
(12)
Electronic signature.
Any identifier or authentication technique attached to or
29
logically associated with an electronic record intended by the party using it to have the
30
same force and effect as the party's manual signature.
31
(13)
Federal Information Processing Standards. Federal Standards prescribing specific
32
performance requirements, practices, formats, communications protocols, etc. for
33
hardware, software, data, telecommunications operation, etc. Federal agencies are
34
expected to apply these standards unless a waiver has been granted.
35
36
(14)
Internet Engineering Task Force.
The Internet Engineering Task Force is a large, open
international community of network designers, operators, vendors, and researchers
1
concerned with the evolution of the Internet architecture and the smooth operation of the
2
Internet.
3
(15)
4
5
ITS Security Director.
The ITS Security Director of North Carolina State government
as designated by the Chief Information Officer for North Carolina State Government.
(16)
ITU/ISO X.509 Version 3 standards.
Version three of the X.509 standards
6
promulgated by the International Telecommunications Union and the International
7
Organization for Standardization.
8
(17)
9
used to encrypt a message that can only be decrypted using the other key, and even
knowing one key, it is computationally infeasible to discover the other key.
10
11
(18)
12
13
Key pair. Two mathematically related keys, having the properties that one key can be
Object Identifier. An object identifier is a specially formatted number that is registered
with an internationally recognized standards organization.
(19)
Operational Period of a Certificate. The operational period of a certificate is the period of
14
its validity. It would typically begin on the date the certificate is issued (or such later
15
date as specified in the certificate), and end on the date and time it expires as noted in the
16
certificate or as earlier revoked or suspended.
17
(20)
PKIX. An Internet Engineering Task Force Working Group developing technical
18
specifications for a public key infrastructure components based on X.509 Version 3
19
certificates.
20
(21)
21
22
Private Key. The key of a key pair used to create a digital signature. This key must be
kept a secret. It is also known as the confidential key or secret key.
(22)
Public Key. The key of a key pair used to verify a digital signature. The public key is
23
made available to anyone who will receive digitally signed messages from the holder of
24
the key pair. The public key is usually provided in a Certification Authority issued
25
certificate and is often obtained by accessing a repository. A public key is used to verify
26
the digital signature of a message purportedly sent by the holder of the corresponding
27
private key. It is also known as the published key.
28
(23)
29
30
Public Key Cryptography. A type of cryptographic technology employing an
asymmetric cryptosystem.
(24)
Registration Authority.
An entity responsible for identification and authentication of
31
certificate subjects, but that does not sign or issue certificates (i.e., a Registration
32
Authority is delegated certain tasks on behalf of a Certification Authority).
33
(25)
34
35
36
Relying Party.
A recipient of a digitally signed message who relies on a certificate to
verify the digital signature on the message.
(26)
Repository.
A trustworthy system for storing and retrieving certificates and other
information relating to those certificates.
1
(27)
Repository Services Provider.
An entity that maintains a repository accessible to the
2
public, or at least to relying parties, for purposes of obtaining copies of certificates and/or
3
verifying the status of such certificates.
4
(28)
5
6
Responsible Individual.
A person designated by a sponsor to authenticate individual
applicants seeking certificates on the basis of their affiliation with the sponsor.
(29)
7
Revoke A Certificate.
To prematurely end the operational period of a certificate from
a specified time forward.
8
(30)
Secretary.
The North Carolina Secretary of State.
9
(31)
Sponsor.
An organization with which a subscriber is affiliated (e.g., as an
employee, user of a service, business partner, customer, etc.).
10
11
(32)
12
13
Subject. A person whose public key is certified in a certificate. Also referred to as a
"subscriber".
(33)
Subscriber.
(a)
14
15
(b)
17
holds a private key that corresponds to a public key listed in
that certificate; and
18
(c)
to whom digitally signed messages verified by reference to
such certificate are to be attributed. See "subject”.
19
(34)
21
22
is the subject named or identified in a certificate issued to
such person; and
16
20
The person to whom a certificate is issued. A person who:
Suspend a certificate.
To temporarily suspend the operational period of a certificate
for a specified time period or from a specified time forward.
(35)
Transaction. An electronic transmission of data between an entity and a public agency,
23
or between two public agencies, including, but not limited to contracts, filings, and other
24
legally operative documents not specifically prohibited in the Electronic Commerce Act.
25
(36)
Trustworthy System. Computer hardware, software, and procedures that:
26
(a)
are reasonably secure from intrusion and misuse;
27
(b)
provide a reasonable level of availability, reliability, and correct operation;
28
(c)
are reasonably suited to performing their intended functions; and
29
(d)
adhere to generally accepted security procedures.
30
(37)
Valid Certificate. A Valid certificate is one that:
31
(a)
a Certification Authority has issued;
32
(b)
the subscriber listed in it has accepted;
33
(c)
has not expired; and
34
(d)
has not been suspended or revoked.
35
A certificate is not valid until it is both issued by a Certification
36
Authority and accepted by the subscriber.
1
(38)
X.500. A directory standard / protocol for connecting local directory services to form
2
one distributed global directory. X.500 is an OSI (Open System Interconnection)
3
protocol, named after the number of the ITU (International Telecommunications Union -
4
a United Nations Specialized Agency) CCITT (International Telegraph and Telephone
5
Consultative Committee) Recommendation document containing its specification.
(39)
6
X.509. A standard / protocol adopted by the International Telecommunication Union
7
(formerly known as the International Telegraphy and Telephone Consultation
8
Committee). For purposes of these rules, all references to X.509 shall be construed as
9
referring to version 3. Compliance with X.509 versions 1 or 2 shall not be construed as
compliance with X.509.
10
11
12
History Note: Authority G.S. 66-58.10(a)(1)
13
SECTION .0300 PUBLIC KEY TECHNOLOGY
14
15
16
0301
PUBLIC KEY TECHNOLOGY LICENSING, FEES, RENEWAL
(1)
17
18
To be considered for licensure under this subsection, a Certification Authority
shall utilize certificate-based public key cryptography.
(2)
Any applicant seeking licensure must demonstrate compliance with the North
19
Carolina Electronic Commerce Act, N.C.G.S. Chapter 66, Article 11A, and these
20
Rules.
21
(3)
To request licensure, a Certification Authority shall provide the Electronic
22
Commerce Section with a copy of its current Certification Practice Statement and
23
most recent reports of compliance audit(s) as required by 18 NCAC 10.0303 (13).
24
(4)
A Certification Authority shall adhere to its Certification Practice Statement. If a
25
Certification Authority modifies its Certification Practice Statement, it shall
26
provide an updated copy of the Certification Practice Statement to the Electronic
27
Commerce Section as soon as is practicable, and no later than the date the updated
28
Certification Practice Statement is put into operation. As a condition of continued
29
licensure, the Electronic Commerce Section may require the Certification
30
Authority to undergo an audit to document compliance with its updated
31
Certification Practice Statement and these Rules.
32
(5)
33
34
initial application.
(6)
35
36
37
An initial licensing fee of two thousand dollars ($2,000 US) shall accompany an
A renewal fee of two thousand dollars ($2,000 US) shall accompany an
application for renewal by a licensed Certification Authority.
(7)
A license issued by the Electronic Commerce Section pursuant to this section shall
expire one year after its effective date, unless timely renewed.
1
(8)
Financial Responsibility.
(a)
2
As precondition of licensure a Certification Authority shall obtain a bond issued
3
by a surety company authorized to do business in North Carolina. A copy of the
4
bond shall be filed with the Electronic Commerce Section prior to licensure.
5
The amount of the bond shall not be less than twenty-five thousand dollars
6
($25,000 US). The bond shall be in favor of the State of North Carolina. The
7
bond shall be payable for any penalties assessed by the Electronic Commerce
8
Section pursuant to these rules and for any losses the State encounters resulting
9
from a Certification Authority's conduct of activities subject to the Electronic
10
Commerce Act or arising out of a violation of the Electronic Commerce Act or
11
any Rule promulgated thereunder;
12
(b)
As precondition of licensure a Certification Authority shall obtain indemnity
13
insurance coverage (e.g. “errors and omissions” and / or “cyber coverage” and /
14
or similar coverage) to protect subscribers, relying parties and the State for any
15
losses resulting from the Certification Authority's conduct of activities subject to
16
the Electronic Commerce Act or arising out of a violation of the Electronic
17
Commerce Act or any Rule promulgated thereunder. Indemnity coverage shall
18
be obtained and maintained in the amount of not less than one hundred thousand
19
dollars ($100,000 US) per occurrence and not less than one million dollars
20
($1,000,000 US) for all occurrences;
21
(c)
The failure of a Certification Authority to continuously maintain this surety
22
bond and indemnity insurance coverage may be the basis for revocation or
23
suspension of its license.
24
25
Authority G.S. 66-58.3; 66-58.10(a)(2).
26
27
.0302
28
ISSUANCE AND MANAGEMENT - OVERVIEW.
29
PUBLIC KEY TECHNOLOGY. CERTIFICATION AUTHORITY: CERTIFICATE
(1)
Overview.
These Rules specify minimum requirements for issuance and
30
management of certificates that may be used in verifying digital signatures. The
31
digital signatures may be used on categories of electronic communications
32
specified as suitable applications in 18 NCAC 10.0302(2)(e). Each item in these
33
Rules must be specifically addressed by the Certification Authority in the
34
Certification Authority's Certification Practice Statement filed with the North
35
Carolina Department of the Secretary of State at the time the Certification
36
Authority submits an application for licensure or renewal.
37
(2)
Community and Applicability.
1
(a)
Certification Authorities. These Rules are binding on each licensed
2
Certification Authority issuing certificates identifying them, and govern
3
Certification Authority performance with respect to all certificates it
4
issues referencing the Rules. Specific Certification Authority Practice
5
Statements and procedures implementing the requirements of these Rules
6
shall be set forth in the Certification Authority Certification Practice
7
Statement;
8
(b)
Certification Authorities Authorized to Issue Certificates Under
9
These Rules: Any Certification Authority may issue certificates
10
identifying these Rules if licensed in the State of North Carolina
11
and the Certification Authority agrees to be bound by and comply
12
with the undertakings and representations of these Rules with
13
respect to such certificates. Issuance of a certificate referencing
14
this Policy shall constitute issuing the agreement of the
15
Certification Authority to be bound by terms of the Rules for all
16
certificates referencing them;
17
(c)
Subscribers. A Certification Authority may issue certificates that
18
reference these Rules to the following classes of subscribers:
19
(i) individuals (unaffiliated);
20
(ii) individuals associated with a sponsor recognized by the Certification Authority
21
("affiliated individuals"), provided the sponsor is the subscriber of a valid certificate
22
issued by the Certification Authority in accordance with these Rules;
23
(iii) public agencies, as defined in N.C.G.S. В§ 66-58.2; and
24
(iv) organizations and businesses qualified as legal entities.
25
(d)
Relying Parties. These Rules benefit the following persons, who may rely on
26
certificates issued to others referencing them ("Qualified Relying Parties"):
27
(i) individuals intending to engage in a transaction with a public agency;
28
(ii) public agencies, as defined in N.C.G.S. 66-58.2;
29
(iii) organizations and businesses, qualified as legal entities, engaged in a transaction
30
with a public agency; and
31
(iv) other parties to a transaction with the entity and a public agency.
32
(e)
Suitable Applications.
Certificates referencing this policy are intended to provide
33
a level of identity binding assurance and the protection of document encryption, and
34
are typically suitable for:
35
(i) System Access / Systems Security
36
(1) Verifying the identity of electronic mail correspondents for non-critical
37
communications;
1
(2) Obtaining access to databases, applications and systems;
2
(3) Message / document encryption for protection of contents / identities
3
where appropriate;
4
(ii) Digital Signature Activity
5
(1) Commerce involving various goods or services with various values;
6
(2) Obtaining personal data relating to the subscriber.
7
(iii) Message / Document Encryption: Documents encrypted to protect contents (e.g.
8
privacy of subject);
9
(iv) Some sample applications of these Rules:
10
(1) Computing applications providing access to the certificate holder’s own
11
personal information;
12
(2) Request and distribution of text information or other types of
13
copyrighted content for which fees are charged or subscriptions are
14
required;
15
(3) Verifying the identity of communicating parties;
16
(4) Verifying signatures on contracts, government benefits statements, and
17
other documentation;
18
(5) Signing of electronic messages; e.g. official reports, employee leave and
19
travel reporting, tax withholding, etc.; and
20
(6) Secure transport of individual, patient specific medical / other privileged
21
information over public networks.
(g)
22
Prohibited Applications. (Reserved)
23
24
History Note: Authority G.S. 66-58.10
25
26
.0303
27
PROVISIONS
28
PUBLIC KEY TECHNOLOGY: CERTIFICATE POLICY GENERAL
(1)
Certification Authority Obligations. The Certification Authority is responsible for
29
all aspects of certificate issuance and management, including control over:
30
(a)
the application / enrollment process;
31
(b)
the identification and authentication process;
32
(c)
the actual certificate manufacturing process;
33
(d)
certificate publication;
34
(e)
certificate suspension and revocation, publication of the
35
Certificate Revocation List and Certification Authority Revocation
36
Lists, as pertinent;
37
(f)
certificate renewal;
1
(g)
2
services and Certification Authority operations and infrastructure
3
related to certificates issued under these Rules are performed in
4
accordance with the requirements, representations, and warranties of
5
these Rules; and
6
(h)
7
the NC ITS directory, where pertinent.
8
(2)
9
ensuring that all aspects of the certification Authority
Delivering certificate updates and revocation transactions to
Representations by Certification Authority. By issuing a certificate
referencing these Rules, a Certification Authority certifies to subscriber and
10
all Qualified Relying Parties (who reasonably and in good faith rely on a
11
certificate’s information during its operational period in accordance with
12
these Rules) that the Certification Authority has taken reasonable steps to
13
verify certificate information unless otherwise noted in its Certification
14
Practice Statement that:
15
(a)
16
certificate in accordance with these Rules;
17
(b)
18
these Rules and its applicable Certification Practice Statement when
19
authenticating the subscriber and issuing the certificate;
20
(c)
21
the Certification Authority, and the Certification Authority has taken
22
reasonable steps to verify additional information in the certificate unless
23
otherwise noted in its Certification Practice Statement;
24
(d)
25
been accurately transcribed to the certificate; and
26
(e)
27
the Certification Authority's certification practice statement.
28
(3)
the certification authority has issued, and will manage, the
the Certification Authority has complied with the requirements of
there are no misrepresentations of fact in the certificate known to
subscriber-provided information in the certificate application has
the certificate meets all material requirements of these Rules and
Registration Authority and Certificate Manufacturing Authority Obligations: The
29
Certification Authority shall be responsible for performing all identification and
30
authentication functions and all certificate manufacturing and issuing functions.
31
However, the Certification Authority may delegate performance of these
32
obligations to an identified Registration Authority and/or Certificate
33
Manufacturing Authority, provided the Certification Authority remains primarily
34
responsible for performance of those services by such third parties in a manner
35
consistent with requirements of these Rules.
36
37
(4)
Repository Obligations: The Certification Authority shall be responsible for
providing a repository, performing / providing certificate updates as required and
1
performing all associated functions. However, the Certification Authority may
2
delegate performance of this obligation to an identified Repository Services
3
Provider, provided the Certification Authority remains primarily responsible for
4
performance of those services by such third party in a manner consistent with
5
requirements of these Rules.
6
(5)
Subscriber Obligations. In all cases, the Certification Authority shall require the
7
subscriber to enter an enforceable contractual commitment for the benefit of
8
Qualified Relying Parties obligating the subscriber to:
9
(a)
take reasonable precautions to prevent any loss, disclosure,
10
or unauthorized use of the private key;
11
(b)
12
is warranting all information and representations made by the
13
subscriber included in the certificate are true;
14
(c)
15
purposes, consistent with these Rules;
16
(d)
17
the Certification Authority to revoke the certificate promptly upon
18
any actual or suspected loss, disclosure, or other subscriber private
19
key compromise.
20
(6)
acknowledge that by accepting the certificate the subscriber
use the certificate exclusively for authorized and legal
immediately contact the Certification Authority and instruct
Relying Party Obligations. A Qualified Relying Party has a right to
21
rely on a certificate referencing this Policy only if the certificate was
22
used and relied upon for lawful purposes and under circumstances
23
where:
24
(a)
25
of all circumstances known to the relying party at the time of
26
reliance;
27
(b)
28
appropriate under these Rules; and
29
(c)
30
certificate prior to reliance, or a check of the certificate’s
31
status would have indicated the certificate was valid.
the reliance was reasonable and in good faith in light
the purpose for which the certificate was used was
the relying party checked the certificate status
32
(7)
Liability. (Reserved)
33
(8)
Financial Responsibility. See 18 NCAC 10.0301(8).
1
(9)
Interpretation & Enforcement.
2
(a)
Governing Law. The laws of the State of North Carolina shall govern the
3
enforceability, construction, interpretation, and validity of these Rules;
4
(b)
5
any business by public agencies in North Carolina. All other state laws, policies, and
6
procedures required to engage in business with public agencies in North Carolina must be
7
complied with by the Certification Authority and public agencies.
8
(c)
9
parties or relying parties shall be reduced to writing and delivered to each party. Parties shall
The holders of North Carolina Certification Authority licenses are not guaranteed
Dispute Resolution Procedures. Disputes between or among subscribers, trusted third
10
negotiate in good faith and use reasonable efforts to resolve such disputes. Parties shall not
11
resort to any formal proceedings to resolve such disputes until they have reasonably
12
determined that a negotiated resolution is not possible.
13
(10)
Fees. A Certification Authority shall not impose any fees for reading these Rules or its
14
Certification Practice Statement. A Certification Authority may charge access fees on
15
certificates, certificate status information, or certificate revocation lists, subject to agreement
16
between the Certification Authority and subscriber, and in accordance with a fee schedule
17
published by the Certification Authority in its Certification Practice Statement or otherwise.
18
19
(11)
Publication & Repositories:
(a)
Publication of Certification Authority Information. Each authorized Certification
20
Authority shall operate a secure online repository available to Qualified Relying
21
Parties. The repository shall contain:
22
(i) issued certificates that reference these Rules;
23
(ii) a Certificate Revocation List or on-line certificate status database;
24
(iii) the Certification Authority's certificate for its signing key;
25
(iv) past and current versions of the Certification Authority's Certification Practice
26
Statement;
27
(v) a copy of these Rules; and
28
(vi) other relevant information relating to certificates referencing these Rules.
29
(b)
Frequency of Publication. All information to be published in the repository shall be
30
published promptly after such information is available to the Certification Authority.
31
In no case shall more than 24 hours pass between certification authority awareness of
32
a change and the Certification Authority publishing of the change. Certificates issued
33
by the Certification Authority referencing these Rules will be published promptly
34
upon acceptance of such certificate by the subscriber. Certificate revocations and
35
suspensions will be published contemporaneously with the act of revocation or
36
suspension. Information relating to revocation or suspension of a certificate and will
37
be published in accordance with 18 NCAC 10.0305(6)(b) and 10.0305(10).
1
(12)
Access Controls. The repository will be available to Qualified Relying Parties and subscribers
2
24 hours per day, 7 days per week, subject to reasonable, published, scheduled maintenance
3
and the Certification Authority's then-current terms of access. A Certification Authority shall
4
not impose any access controls on these Rules, the Certification Authority's certificate for its
5
signing key, and past and current versions of the Certification Authority's Certification
6
Practice Statement. A Certification Authority may impose access controls on certificates,
7
certificate status information, or Certificate Revocation Lists at its discretion, subject to
8
agreement between the Certification Authority and subscriber, in accordance with provisions
9
published in its Certification Practice Statement or otherwise.
10
11
(13)
Required Compliance Audits:
(a)
The Certification Authority must submit to audit to determine its stability, prospects
12
for longevity and adequacy of its security practices and conditions. The audits must
13
result in unqualified compliance reports. When a Certification Authority is licensed
14
in North Carolina based on a reciprocity agreement between North Carolina and
15
another state, the Certification Authority may submit certified copies of audit reports
16
required by the other jurisdiction. After review by the Electronic Commerce
17
Section, audit reports may be determined to meet North Carolina Certification
18
Authority audit requirements.
19
(b)
A Certification Authority shall adhere to its Certification Practice Statement. If a
20
Certification Authority modifies its Certification Practice Statement, it shall provide
21
an updated copy of the Certification Practice Statement to the Electronic Commerce
22
Section as soon as practicable and no later than the date the updated Certification
23
Practice Statement is put into operation. At the discretion of the Electronic
24
Commerce Section, the Certification Authority may be required to undergo
25
additional / other audits for license renewal.
26
(c) Stability and Longevity Prospects Audit:
27
(i) Before initial approval as a licensed Certification
28
Authority, the Certification Authority (and each
29
Registration Authority, Certificate Manufacturing
30
Authority, and Repository Services Provider, as
31
applicable) shall submit to audit by an independent
32
Certified Public Accounting firm. The audit must
33
address the American Institute of Certified Public
34
Accountants (AICPA) Section 341, “The Auditor’s
35
Consideration of an Entity’s Ability to Continue as a
36
Going Concern”.
1
(ii) The audit must produce an unqualified report
2
from the CPA firm to the Certification Authority. A
3
certified copy of the audit report must be attached by
4
the Certification Authority to the application for a
5
new Certification Authority license or renewal
6
license, and submitted to the Electronic Commerce
7
Section.
8
(iii) As a condition of continued licensure, the
9
Electronic Commerce Section may require the
10
Certification Authority to undergo audit to document
11
compliance with expectations for secure operations,
12
an updated Certification Practice Statement, or to
13
document continuing compliance with the ITU/ISO
14
X.509 Version 3 standards and these Rules.
15
(iv) A Certification Authority operated by an Agency
16
of the State of North Carolina is exempt from this
17
requirement.
18
(d)
Security Audit. The purpose of a security audit is to
19
verify:
20
(i) The Certification Authority has in place a secure
21
system assuring quality of Certification Authority
22
Services provided and;
23
(ii) the Certification Authority's system complies
24
with all security requirements of these Rules, the
25
Certification Authority's Certification Practice
26
Statement and ITU/ISO X.509 Version 3 standards.
27
Before initial approval as a licensed Certification Authority,
28
and thereafter at least once every year, the Certification
29
Authority shall submit to a security compliance audit by an
30
independent nationally recognized security audit firm
31
approved by the Electronic Commerce Section. The audit
32
must evidence compliance with Federal Information
33
Processing Standards 140-1 “Security: Cryptographic
34
Modules” Level 2 and TSEC (The Orange Book) C2 criteria
35
or comply with contemporary Certification Authority security
36
criteria as expressed in terms of the “Common Criteria” – ISO
37
15408-1:1999. The security audit firm must be qualified to
1
perform a security audit on a Certification Authority and it
2
must have significant knowledge and / or experience in Public
3
Key Infrastructure application and cryptographic technologies.
4
A certified copy of the current unqualified security audit
5
report must be attached to an application for a new
6
certification authority license or renewal license, and
7
submitted to the NC Department of Secretary of State,
8
Electronic Commerce Section.
9
(14)
Confidentiality Policy. Subscriber consent must be obtained
10
for each incident of disclosure and for each item of
11
information unless required otherwise by law. The
12
Certification Authority may not sell or exchange information
13
in any circumstance that is not specifically allowed by these
14
Rules or otherwise required by law.
15
(a)
A Certification Authority may not use data gathered
16
in fulfilling its Certification Authority role for any
17
other purpose. A Certification Authority shall not
18
gather information beyond that necessary to
19
authenticate a subscriber nor shall it use information
20
gathered in its Certification Authority role to
21
assemble further information about subscribers;
(b)
22
Under no circumstance shall a Certification Authority
23
(or any Registration Authority, Repository Services
24
Provider, Certificate Manufacturing Authority) have
25
access to the signing private key(s) (versus
26
encryption key(s)) of any subscriber to whom it
27
issues a certificate referencing these Rules; except for
28
initial creation of the signing/secret key where the
29
key is not accessed and no enduring record is made
30
of the key;
31
32
(15)
Information Not Considered Confidential.
(a)
33
34
Information appearing on certificates is not
confidential.
(b)
Disclosure of Certificate Revocation / Suspension
35
Information. Information regarding the revocation or
36
suspension status of a certificate is not confidential
1
and is disclosed in the normal course of public key
2
infrastructure activity.
3
(c)
Release to law enforcement officials. (Reserved)
4
(d)
Release as part of civil discovery. (Reserved)
5
(e)
Any information may be disclosed upon owner’s
request.
6
7
(f)
Other information release circumstances. (Reserved)
8
9
History Note: Authority G.S. 66-58.10
10
11
12
.0304
PUBLIC KEY TECHNOLOGY; IDENTIFICATION AND AUTHENTICATION
(1) Initial Registration:
13
(a)
Subject to requirements of this rule certificate applications may be communicated
14
from the applicant to Certification Authority or Registration Authority, and
15
authorizations to issue certificates may be communicated from a Registration
16
Authority to the Certification Authority, electronically via E-mail or a web site,
17
provided all communication is secured by SSL or a similar security protocol, by first
18
class U.S. Mail or similar service;
(b)
19
North Carolina deploys two levels / classes of authentication certificate:
20
(i) A North Carolina Strong Authentication Certificate application requires the
21
subscriber to appear before the Certification Authority or Registration Authority in
22
person or for all identification documents to be notarized and delivered by a
23
trustworthy method (for example, US Mail, courier, etc.); or
24
(ii) A North Carolina Basic Authentication Certificate application may be
25
accomplished without subscriber personal appearance and without notarized
26
documents.
27
(2)
Types of Names. The subject name used for certificate applicants shall be the X.509
28
Distinguished Name. The name shall be unique for each entity certified by a Certification
29
Authority. A Certification Authority may issue more than one certificate with the same
30
subject name for the same subject entity;
31
(3)
Name Meanings. The subject name listed in a certificate must have a reasonable association
32
with the authenticated name of the subscriber. In the case of an individual, this should be a
33
combination of first name and/or initials and surname. In the case of an organization, the
34
name should reflect the legal name of the organization and/or unit;
35
(4)
Rules for Interpreting Various Name Forms. (Reserved)
36
(5)
Name Uniqueness. The subject name listed in a certificate shall be unambiguous and unique
37
for all certificates issued by the Certification Authority and shall conform to X.500 standards
1
for name uniqueness. If necessary, additional numbers or letters may be appended to the real
2
name to ensure the name's uniqueness within the domain of certificates issued by the
3
Certification Authority and detailed in the Certification Practice Statement;
4
(6)
Verification of Key Pair. The Certification Authority shall establish that the applicant is in
5
possession of the private key corresponding to the public key submitted with the application
6
in accordance with an appropriate secure protocol, such as that described in the Internet
7
Engineering Task Force Public Key Infrastructure Certificate Management Protocol or
8
through other means;
9
(7)
Authentication of an Organization. An organization can be issued a North
10
Carolina Strong Authentication Certificate. An organization cannot be
11
issued a North Carolina Basic Authentication Certificate.
12
(a)
Identification. A Certification Authority shall be
13
presumed to have confirmed that the prospective
14
subscriber organization is the organization to be
15
listed in a certificate where the Certification
16
Authority has assured by investigation:
17
(i) The organization exists and conducts business at
18
the address listed in the certificate application;
19
(ii) A duly authorized representative of the applicant
20
organization signed the certificate application;
21
(iii) The information contained in the certificate
22
application is correct;
23
(iv) If required by State law, the organization is
24
authorized to transact business and is in “good
25
standing” with the Corporations Division of the
26
North Carolina Department of the Secretary of State.
27
(b)
When authenticating an organizational applicant, the
28
Certificate Authority or Registration Authority shall
29
require the following elements of information from
30
the applicant on a notarized affidavit:
31
(i) Organization Name;
32
(ii) Street address and mailing address, if different
33
(iii) City;
34
(iv) State;
35
(v) Zip;
36
(vi) Tax Payer Identification Number / Employer Identification Number (EIN);
37
(vii) Corporate Identification Number (Issued by Secretary of State);
1
(viii) Date of incorporation or creation;
2
(ix) State or country of incorporation or creation;
3
(x) Telephone number (optional);
4
(xi) E-mail address (optional);
5
(xii) Post data element (e.g. password, etc.) to be a secret shared with the
6
Certification Authority / Registration Authority and used later for authentication in
7
the absence of the digital signature. This element could be used along with
8
additional information to authenticate a request for certificate revocations;
9
(xiii) Name of officially authorized agent, if applicable.
(c)
10
Authentication and Confirmation Procedure. In conducting its review and
11
investigation, the Certification Authority shall review official government records
12
and/or engage the services of a reputable third party vendor of business information
13
to do so. The Certification Authority or third party review will provide validation
14
information concerning each organization applying for a certificate, including legal
15
company name, type of entity, year of formation, names of directors and officers,
16
address, telephone number, and good standing in the jurisdiction where the applicant
17
was incorporated or otherwise organized.
18
19
(d) Personal Presence. (Reserved)
(8)
Authentication of Individual -- No Affiliation: An unaffiliated individual
20
may be issued a North Carolina Strong Authentication Certificate, North
21
Carolina Basic Authentication Certificate, or both. In determining the type
22
of certificate required, agencies should evaluate the application's sensitivity
23
and nature of business with which the certificate holder will be associated.
24
Based on the evaluation, a NC Basic Authentication Certificate may be
25
appropriate. In other cases, it may be appropriate to require a North
26
Carolina Strong Authentication Certificate.
27
(a)
Identification:
28
(i) North Carolina Strong Authentication Certificate.
29
A Certification Authority shall be presumed to have
30
confirmed that the prospective subscriber is the
31
person to be listed in a certificate where the
32
Certification Authority has been presented with
33
documents consisting at least of: two pieces of
34
identification when authenticating an unaffiliated
35
individual applicant for a North Carolina Strong
36
Authentication Certificate. At least one piece of
37
identification shall be a current federal or state
1
government-issued picture-type identification such as
2
a military or government identification card, driver’s
3
license, or similar identification document issued
4
under authority of another country, or passport. The
5
Certification Authority or Registration Authority
6
shall initial, date and archive copies of identification
7
used to establish the subscriber's identity.
8
9
(b)
Authentication for a North Carolina Strong
Authentication Certificate. Authenticating an
10
unaffiliated individual applicant, the Certification
11
Authority or Registration Authority shall require the
12
following elements of information from the applicant
13
on a notarized affidavit:
14
(i) Last name (family name);
15
(ii) First name (given name);
16
(iii) Middle Name(s);
17
(iv) Street address and mailing address, if different;
18
(v) City;
19
(vi) State;
20
(vii) Zip;
21
(viii) Social Security Number (SSN), national
22
identification number or passport number;
23
(ix) Driver's license number, or state
24
identification card number;
25
(x) Date of birth;
26
(xi) Place of birth;
27
(xiii) Telephone number (optional);
28
(xiv) E-mail address (optional);
29
(xv) Post data element (e.g. mother's maiden
30
name, password, etc.) to be used later for
31
authenticating an individual in the absence of
32
their digital signature. This element could be
33
used along with additional information to
34
authenticate a request for certificate
35
revocations;
36
(xvi) Name of officially authorized agent, if
37
applicable;
1
(c)
Authentication for a North Carolina Basic
2
Authentication Certificate. Certification Authorities
3
or Registration Authorities shall require a notarized
4
affidavit from the applicant’s personnel officer,
5
signed by the applicant including:
6
(i) Last name (family name);
7
(ii) First name (given name);
8
(iii) Middle name(s);
9
(iv) Street address and mailing address, if
10
different;
11
(v) City;
12
(vi) State;
13
(vii) Zip;
14
(viii) Social Security Number (SSN), national
15
identification number or passport number;
16
(ix) Driver's license number, or state
17
identification card number;
18
(x) Date of birth;
19
(xi) Place of birth;
20
(xii) Business Telephone number (optional);
21
(xiii) Business E-mail address (optional) as
22
assigned by agency;
23
(xiv) Post data element (e.g. mother's maiden
24
name, password, etc.) to be used later for
25
authenticating an individual in the absence of
26
their digital signature. This element could be
27
used along with additional information to
28
authenticate a request for certificate
29
revocations;
30
(xv) Name of officially authorized agent, if
31
applicable;
32
(xvi) Beginning date of employment;
33
(xvii) Ending date of employment (if known).
34
(d)
Investigation and Confirmation. Verification of the name
35
and SSN and the Name and Driver's License (or ID
36
Number) data elements may be accomplished via checks
37
with the Social Security Administration and the appropriate
1
state motor vehicle administration. Verification of the name
2
and address data elements may be accomplished through
3
access to either a trusted commercial or governmental data
4
source. The address confirmation data sources may consist
5
of either online databases or local business records (e.g., a
6
bank's customer records, the U.S. Postal Service, state
7
motor vehicle department records, state personnel office,
8
etc.);
9
(e)
Personal Presence. Authentication of an unaffiliated
10
individual requires the applicant must either:
11
(i) personally present himself or herself to a
12
Registration Authority to be authenticated prior to
13
certificate issuance; or
14
(ii) securely deliver signed and notarized copies of
15
the requisite identification to the Certification
16
Authority [in which case, once notarized copies are
17
delivered parties may communicate electronically].
18
Where the applicant delivers notarized copies of
19
identification to the Certification Authority,
20
authentication of such identification will be
21
confirmed through the use of a shared secret [such as
22
a personal identification number]. The shared secret
23
is separately communicated in a trustworthy manner
24
to the applicant and included with the documents
25
delivered as part of the certificate application
26
process.
27
(iii)
An individual may meet expectations for
28
personal presence by an attorney-in-fact,
29
trustee or other court appointed fiduciary.
30
31
(9)
Authentication of Individual – Affiliated Certificate.
(a) Identification.
32
(i) The Certification Authority may establish a
33
trustworthy procedure whereby a sponsoring
34
organization that has been authenticated by the
35
Certification Authority and issued a certificate may
36
designate one or more Responsible Individuals, and
37
authorize them to represent the sponsoring
1
organization concerning the issuance and revocation
2
of certificates for affiliated individuals. The
3
Certification Authority may rely on a designated
4
Responsible Individual appointed by the sponsor to
5
properly authenticate the individual applicant, if the
6
Certification Authority has previously authenticated
7
the sponsor as an organization and the Responsible
8
Individual as an unaffiliated individual, in accordance
9
with these Rules. A Certification Authority shall be
10
presumed to have confirmed a prospective subscriber
11
is the person to be listed in a certificate where the
12
Certification Authority relies on a designated
13
Responsible Individual appointed by the sponsor to
14
properly authenticate the individual applicant, if the
15
Certification Authority has previously authenticated
16
the sponsor as an organization and the Responsible
17
Individual as an unaffiliated individual, in accordance
18
with these Rules.
19
(ii) In the absence of a trustworthy procedure,
20
affiliated individuals shall be authenticated in the
21
same manner as unaffiliated individuals.
22
(b)
Authentication Confirmation Procedure. Authentication of
23
the individual will be confirmed through the use of a shared
24
secret [such as a Personal Identification Number]. The
25
shared secret is distributed via a trustworthy out of band
26
communication to the applicant (either directly or via the
27
sponsor) and included in the application process as part of
28
the certificate enrollment process;
29
(c)
Personal Presence.
30
(i) Applicants affiliated with an approved sponsor
31
can be authenticated through an electronically
32
submitted application, based on an appropriate
33
agreement with the sponsor, the approval of a
34
designated Responsible Individual, and the
35
distribution of Personal Identification Numbers or a
36
similar security device;
1
(ii) If a Certification Authority elected to use an
2
online commercial database, the application may be
3
filled out and submitted via the Internet from a home
4
or business computer. In the case where a
5
Certification Authority elects to use a local record
6
check, the application process may take place over
7
the Internet, or alternatively, the Certification
8
Authority may require the applicant visit an
9
appropriate business site in order to enter required
information at a local terminal.
10
11
(d)
Duties of Responsible Individual. The Responsible
12
Individual represents the sponsoring organization with
13
respect to the issuance and management of certificates. In
14
that capacity he or she is responsible for properly indicating
15
which subscribers are to receive certificates.
16
(10)
Renewal Applications (Routine Re-key). A subscriber may request issuance of a
17
new certificate for a new key pair from the Certification Authority issuing the
18
original certificate. The request may be made electronically by a digitally signed
19
message based on the old key pair in the original certificate under these
20
conditions:
21
(a)
normal scheduled certificate expiration;
22
23
(b)
The subscriber must be authenticated following the principles of
these Rules; and
24
25
26
The request must occur during the period two months prior to
(c)
(11)
The original certificate has not been suspended or revoked.
Re-key after Revocation. Revoked or expired certificates shall not be renewed
27
under any conditions. Applicants without a valid certificate from the Certification
28
Authority that references these Rules shall be re-authenticated by the Certification
29
or Registration Authority on certificate application, just as with a first-time
30
application.
31
32
(12)
Revocation Request.
(a)
Electronic Revocation Request.
33
(i) A revocation request submitted electronically may be
34
authenticated by digital signature using the “old” key pair;
35
(ii)Electronic revocation requests authenticated on the basis
36
of the old (compromised) key pair shall always be accepted
37
as valid. Other revocation request authentication
1
mechanisms are acceptable. These authentication
2
mechanisms balance the need to prevent unauthorized
3
revocation requests against the need to quickly revoke
4
certificates.
5
(b)
Non-Electronic Revocation Request.
6
(i) Organization initiated revocation of affiliated
7
certificate(s) shall be authenticated by communication from
8
a known person and / or official authorized to initiate
9
revocations on behalf of an organization.
10
(ii) Subscriber initiated requests for revocation of certificate(s) shall be authenticated
11
by presentation of a signed and notarized request for revocation.
12
(iii) Subscriber initiated requests for revocation of
13
certificates via an attorney-in-fact shall be authenticated by
14
presentation of 1) a notarized request for revocation by the
15
attorney-in-fact; and 2) a certified copy of the power of
16
attorney.
17
(iv) Revocation by a court of competent jurisdiction may be
18
made by presentation of a certified court order.
19
20
History Note: Authority G.S. 66-58.10
21
22
23
.0305
PUBLIC KEY TECHNOLOGY: OPERATIONAL REQUIREMENTS
(1)
Certificate Application. A certificate applicant shall complete a certificate
24
application in a form prescribed by the Certification Authority Certificate
25
Policy and enter into a subscriber agreement with the Certification
26
Authority. All applications are subject to Certification Authority review,
27
approval, and acceptance. A Certificate Policy shall define the minimum
28
content to be used for a certificate application. The Certificate Policy shall
29
also specify that all applications are subject to review, approval, and
30
acceptance by the Policy Authority in addition to the Issuer.
31
(2)
Certificate Issuance. Upon successful completion of the subscriber
32
identification and authentication process in accordance with these Rules,
33
and complete and final approval of the certificate application, the
34
Certification Authority shall:
35
(a)
issue the requested certificate;
36
(b)
notify the applicant thereof; and
1
(c)
make the certificate available to the applicant using a
2
procedure that:
3
(i) assures the certificate is only delivered to or
4
available for subscriber pickup; and
5
(ii) provides adequate proof of subscriber
6
identification in accordance with these Rules.
7
A Certification Authority will not issue a certificate without the consent of
8
the applicant and, if applicable, the applicant's sponsor.
9
(3)
Certificate Acceptance. Following certificate issuance, the Certification Authority
10
shall continually require the subscriber to expressly indicate certificate acceptance
11
or rejection to the Certification Authority, in accordance with established
12
Certification Authority Certification Practice Statement procedures.
13
14
(4)
Circumstances for Revocation of Certificate.
(a)
Permissive Revocation. A subscriber may request
15
revocation of his, her, or its certificate at any time for any
16
reason. A sponsoring organization, where applicable, may
17
request certificate revocation of any affiliated individual at
18
any time for any reason. The issuing Certification
19
Authority may also revoke a certificate upon failure of the
20
subscriber, or where applicable, sponsoring organization
21
failure to meet its obligations under these Rules, the
22
applicable Certification Practice Statement, or any other
23
agreement, regulation, or law applicable to the certificate
24
that may be in force.
25
(b)
Required Revocation. A subscriber or sponsoring
26
organization, where applicable, shall promptly request
27
revocation of a certificate when:
28
(i) any information on the certificate changes
29
or becomes obsolete;
30
(ii) the private key, or the media holding the
31
private key associated with the certificate is, or
32
is suspected of having been compromised; or
33
(iii) an affiliated individual is no longer
34
affiliated with the sponsor;
35
36
(c)
The issuing Certificate Authority shall revoke a
certificate:
1
(i) upon request of the subscriber or
2
sponsoring organization;
3
(ii) upon failure of the subscriber (or the
4
sponsoring organization, where applicable) to
5
meet its material obligations under these
6
Rules, any applicable Certification Practice
7
Statement, or any other agreement, regulation,
8
or law applicable to the certificate that may be
9
in force;
10
(iii) if knowledge or reasonable suspicion of
11
compromise is obtained; or
12
(iv) if the Certification Authority determines
13
that the certificate was not properly issued in
14
accordance with these rules and/or any
15
applicable Certification Practice Statement.
(d)
16
Notice of the Certification Authority ceasing
17
operation shall be posted to the Certification
18
Authority Revocation List maintained by the
19
Electronic Commerce Section of the Department of
20
the Secretary of State.
21
(5)
Who Can Request Revocation. The only persons permitted to request
22
revocation of a certificate issued pursuant to these Rules are:
23
(a)
the subscriber;
24
(b)
the sponsoring organization (where applicable); and
25
(c)
the issuing Certification Authority.
26
27
(6)
Procedure for Revocation Request.
(a)
A certificate revocation request should be promptly
28
communicated to the issuing Certification Authority, either
29
directly or through a Registration Authority. A certificate
30
revocation request may be communicated electronically if it
31
is digitally signed with the private key of the subscriber, or
32
where applicable, the sponsoring organization. Requests
33
digitally signed by the subscriber, or by the sponsoring
34
organization, are considered authenticated when received by
35
the Certification Authority or Registration Authority.
36
Alternatively, the subscriber, or where applicable, the
37
sponsoring organization, may request revocation by
1
contacting the Certification Authority or an authorized
2
Registration Authority in person and providing adequate
3
proof of identification to authenticate the request in
4
accordance with these Rules. Copies of the digitally signed
5
request must be archived by the Certification Authority or
6
Registration Authority. Other identification used to
7
establish the subscriber's identity shall be photocopied and
8
initialed by an authorized representative of the Certification
9
Authority or Registration Authority and archived.
(b)
10
Repository/Certificate Revocation List Update. Promptly,
11
within less than 2 hours of revocation, the Certificate
12
Revocation List, or certificate status database in the
13
repository, as applicable, shall be updated. All revocation
14
requests and the resulting actions taken by the Certification
15
Authority shall be archived.
16
(6)
Revocation Request Grace Period. Certificate revocation requests shall be
17
authenticated and processed within 2 hours of receipt by the Certification
18
Authority.
19
(7)
Certificate Suspension. The procedures and requirements stated for
20
certificate revocation must also be followed for certificate suspension,
21
where implemented.
22
(8)
Certificate Revocation List Issuance Frequency. When Certificate
23
Revocation Lists are used, an up-to-date Certificate Revocation List shall be
24
issued to the repository at least every 2 hours. If no change has been made
25
to the Certificate Revocation List, an update to the Certificate Revocation
26
List in the repository is not necessary.
27
(9)
Online Revocation / Status Checking Availability. Whenever an online
28
certificate status database is used as an alternative to a Certificate
29
Revocation List, such database shall be updated no later than 2 hours after
30
certificate revocation.
31
(10)
Computer Security Audit Procedures. All significant security events on the
32
Certification Authority system should be automatically recorded in audit
33
trail files. The audit log shall be processed and archived at least once a
34
week. Such files shall be retained for at least 6 months onsite, and
35
thereafter shall be securely archived.
36
(11)
Records, Archival.
1
(a)
Types of Records Archived. The following data and files must be
2
archived by (or on behalf of) the Certification Authority:
3
(i) All computer security audit data;
4
(ii) All certificate application data;
5
(iii)All certificates, and all Certificate Revocation Lists or
6
certificate status records generated;
7
(iv) Key histories; and
8
(v) All correspondence between the Certification Authority
9
and Registration Authority, Certificate Manufacturing
Authority, Repository Services Provider, and/or subscriber.
10
11
(b)
12
Retention Period for Archive. Key and certificate information and
archives of audit trail files must be retained for at least 30 years.
13
(c)
Protection of Archive. The archive media must be protected either
14
by physical security alone, or a combination of physical security
15
and cryptographic protection. The archive must be protected from
16
environmental threats such as temperature, humidity, and
17
magnetism. The Certification Practice Statement must address the
18
procedure for transferring and preserving the archive media in the
19
case of the Certification Authority ceasing operation in this State.
20
(d)
Archive Backup Procedures. Adequate backup procedures must be
21
in place. In event of loss or destruction of primary archives, a
22
complete set of backup copies must will be readily available within
23
no more than 24 hours. Back up procedures must be tested
24
regularly.
25
(12)
Archive Collection System (Internal or External). (Reserved)
26
(13)
Procedures to Obtain and Verify Archive Information. During the compliance
27
audit required by these Rules, the auditor shall verify integrity of the archives.
28
Either copy of the archive media determined corrupted or damaged in any way,
29
shall be replaced with the backup copy held in the separate location and noted in
30
the compliance audit report.
31
(14)
Key Changeover. (Reserved)
32
(15)
Compromise and Disaster Recovery.
33
(a)
Disaster Recovery Plan:
34
(i) The Certification Authority must have in place an
35
appropriate disaster recovery/business resumption plan. The
36
Certification Authority must set up and render operational a
37
facility located in a geographic area not affected or
1
disrupted by the disaster. The facility must provide
2
Certification Authority Services in accordance with these
3
Rules. The alternate facility must be operational within 24
4
hours of an unanticipated emergency. Disaster recovery
5
planning shall include a complete and periodic test of
6
facility readiness. Such plan shall be identified and
7
referenced within the Certification Practice Statement or
8
other appropriate documentation available to Qualified
9
Relying Parties.
10
(ii) The disaster recovery plan will have been reviewed during
11
Certification Authority initial and subsequent third party audits.
12
(b)
Key Compromise Plan. The Certification Authority must have a
13
key compromise plan in place. The plan must address procedures
14
to be followed in the event the Certification Authority's private
15
signing key used to issue certificates is compromised or in the
16
event the private signing key of any Certification Authority higher
17
in the chain of trust is compromised. Such plan shall include
18
procedures for revoking all affected certificates and promptly
19
notifying all subscribers and all Qualified Relying Parties.
20
(16)
Certification Authority Termination. In the event that the Certification Authority
21
ceases operation, the North Carolina Department of the Secretary of State
22
Electronic Commerce Section, North Carolina Information Technology Services,
23
all subscribers, sponsoring organizations, Registration Authorities, Certificate
24
Manufacturing Authorities, Repository Service Providers, and Qualified Relying
25
Parties shall be promptly notified of the termination. In addition, all Certification
26
Authorities with which cross-certification authority agreements are current at the
27
time of cessation must be promptly informed of the termination. All certificates
28
issued by the Certification Authority referencing these Rules will be revoked no
29
later than the time of termination.
30
31
History Note: Authority G.S. 66-58.10
32
33
.0306
34
SECURITY CONTROLS
35
36
PUBLIC KEY TECHNOLOGY: PHYSICAL, PROCEDURAL, AND PERSONNEL
(1)
Physical Security -- Access Controls.
(a)
The Certification Authorities, and all Registration Authorities,
37
Certificate Manufacturing Authorities and Repository Services
38
Providers, shall implement appropriate physical security controls
1
to restrict access to hardware and software (including the server,
2
workstations, and any external cryptographic hardware modules or
3
tokens) used in connection with providing Certification Authority
4
Services. Access to such hardware and software shall be limited to
5
personnel performing in a Trusted Role as described in this Rule.
6
Access shall be controlled through the use of electronic access
7
controls, mechanical combination lock sets, or deadbolts. Such
8
access controls must be manually or electronically monitored for
9
unauthorized intrusion at all times.
(b)
10
11
12
Breach of physical security and / or access control expectations
may result in revocation of the Certification Authority's license.
(2)
13
Procedural Controls.
(a)
Trusted Roles. All employees, contractors, and consultants of a
14
Certification Authority (collectively "personnel") having access to
15
or control over cryptographic operations that may materially affect
16
the Certification Authority's issuance, use, suspension, or
17
revocation of certificates shall, for purposes of these Rules, be
18
considered as serving in a trusted role. This includes access to
19
restricted operations of the Certificate Authority's repository. Such
20
personnel include, but are not limited to, system administration
21
personnel, operators, engineering personnel, and executives who
22
are designated to oversee the Certification Authority's operations.
23
(b)
Multiple Roles (Number of Persons Required Per Task). To ensure
24
that one person acting alone cannot circumvent safeguards,
25
multiple roles and individuals should share Certification Authority
26
server responsibilities. Each account on the Certification
27
Authority server shall have limited capabilities commensurate with
28
the role of the account holder.
29
30
(3)
Personnel Security Controls.
(a)
Background and Qualifications. Certification Authorities,
31
Registration Authorities, Certificate Manufacturing Authorities and
32
Repository Service Providers shall formulate and follow personnel
33
and management policies sufficient to provide reasonable
34
assurance of the trustworthiness and competence of their
35
employees and of the satisfactory performance of their duties in
36
manner consistent with these Rules.
37
(b)
Background Investigation.
1
(i) Certification Authorities shall conduct an appropriate
2
background investigation of all personnel who serve in
3
trusted roles (prior to their employment and periodically
4
thereafter, as necessary), to verify their trustworthiness and
5
competence in accordance with the requirements of these
6
Rules and the Certification Authority's personnel Practice
7
Statements or their equivalent. All personnel who fail an
8
initial or periodic investigation shall not serve or continue to
9
serve in a trusted role.
10
(ii) Operative personnel shall not ever have been convicted
11
of a felony or a crime involving fraud, false statement or
12
deception.
13
(iii) The principle of full disclosure must be applied in
14
relation to background investigations and representations of
15
operative personnel.
(c)
16
Training Requirements. All Certification Authority,
17
Registration Authority, Certificate Manufacturing Authority
18
and Repository Services Provider personnel must receive
19
proper training in order to perform their duties, and update
20
briefings thereafter as necessary to remain current.
21
(d)
Documentation Supplied to Personnel. All Certification
22
Authority, Registration Authority, Certificate
23
Manufacturing Authority, and Repository Services Provider
24
personnel must receive comprehensive user manuals
25
detailing the procedures for certificate creation, update,
26
renewal, suspension, revocation, and software functionality.
27
28
History Note: Authority G.S. 66-58.10
29
30
31
32
.0307
PUBLIC KEY TECHNOLOGY: TECHNICAL SECURITY CONTROLS
(1)
Key Pair Generation and Installation.
(a)
Key Pair Generation. Key pairs for Certification Authorities,
33
Registration Authorities, Certificate Manufacturing Authorities,
34
Repository Services Providers, and subscribers must be generated
35
in such a way that the private key is not known by other than the
36
authorized user of the key pair. Acceptable methods include:
1
(i) Having all users (Certification Authorities,
2
Certificate Manufacturing Authorities, Registration
3
Authorities, Repository Services Providers and
4
subscribers) generate their own keys on a trustworthy
5
system, and not reveal the private keys to anyone
6
else; or
7
(ii) Having keys generated in hardware tokens from
8
which the private key cannot be extracted.
9
(b)
Certification Authority, Registration Authority, and
10
Certificate Manufacturing Authority keys must be generated
11
in hardware tokens. Key pairs for Repository Services
12
Providers, and end-entities can be generated in either
13
hardware or software as detailed in the Certification
14
Practice Statement.
15
(2)
Private Key Delivery to Entity. The private (secret) key shall be delivered
16
to the subscriber in an “out of band” transaction. The secret key may
17
delivered to the subscriber in a tamper-proof hardware or software
18
container. The secret key may be delivered to the subscriber embedded in a
19
hardware token protected by encryption and password protected.
20
(3)
Subscriber Public Key Delivery to Certification Authority. The subscriber’s
21
public key must be transferred to the Registration Authority or Certification
22
Authority in a way that ensures:
23
(a)
it has not been changed during transit;
24
(b)
the sender possesses the private key that corresponds to the
25
transferred public key; and
26
(c)
27
28
the sender of the public key is the legitimate user claimed in
the certificate application.
(4)
Certification Authority Public Key Delivery to Users. The public key of the
29
Certification Authority signing key pair may be delivered to subscribers in
30
an on-line transaction in accordance with Internet Engineering Task Force
31
Public Key Infrastructure Part 3, or via another appropriate mechanism.
32
33
(5)
Key Sizes – Asymmetric Cryptographic Applications.
(a)
34
35
36
Minimum key length for other than elliptic curve based
algorithms is 1024 bits;
(b)
Minimum key length for elliptic curve group algorithms is
170 bits.
1
(6)
Acceptable algorithms for public key cryptography applications include, but
2
are not limited to:
3
(a)
4
RSA (Rivest, Shamir, Adelman) -- digital signature and
information security;
5
(b)
ElGamal -- digital signature and information security;
6
(c)
Diffie – Hellman -- digital signature and information
7
security;
(d)
8
9
10
DSA /DSS (Digital Signature Algorithm) -- digital signature
applications.
(7)
Certification Authority Private Key Protection. The Certification
11
Authority (and the Registration Authority, Certificate Manufacturing
12
Authority and Repository Services Provider) shall each protect its
13
private key(s) in accordance with the provisions of these Rules.
14
(a)
Standards for Cryptographic Module. Certification
15
Authority signing key generation, storage and signing
16
operations shall be on a hardware crypto module rated at
17
Federal Information Processing Standards 140-1 Level 2 (or
18
higher). Subscribers shall use Federal Information
19
Processing Standards 140-1 Level 1 approved cryptographic
20
modules (or higher) and related pertinent cryptographic
21
module security requirements of the Common Criteria –
22
ISO 15408-1 “Evaluation Criteria”.
23
(b)
Private Key (N-M) Multi-Person Control. (Reserved)
24
(c)
Private Key Escrow:
25
(i) Certification Authority signing private keys shall not be
26
escrowed;
27
(ii) Keys used solely for encryption purposes within and by
28
employees of the State of North Carolina shall be escrowed,
29
unless otherwise provided by law.
30
(d)
Private Key Backup. An entity may back up its own private key.
31
(e)
Private Key Archival. An entity may archive its own private key.
32
(f)
Private Key Entry into Cryptographic Module. (Reserved)
33
(g)
Method of Activating Private Key. (Reserved)
34
(h)
Method of Deactivating Private Key. (Reserved)
35
(i)
Method of Destroying Private Key. (Reserved)
1
(j)
Other Aspects of Key Pair Management.
2
(i) Public Key Archival. (Reserved)
3
(ii) Key Replacement. Certification Authority key pairs must be
4
replaced at least every three (3) years. Registration Authority and
5
subscriber key pairs must be replaced not less than every two (2)
6
years and a new certificate issued.
7
(k)
Restrictions on Certification Authority's Private Key Use.
8
(i) The Certification Authority's signing key used for
9
issuing certificates conforming to these Rules shall be used
10
only for signing certificates and, optionally, Certificate
11
Revocation Lists.
12
(ii) A private key used by a Registration Authority or
13
Repository Services Provider for purposes associated with
14
its Registration or Repository Services Provider function
15
shall not be used for any other purpose without the express
16
written permission of the Certification Authority.
17
(iii) A private key held by a Certificate Manufacturing
18
Authority and used for purposes of manufacturing
19
certificates for the Certification Authority:
20
(1) is considered the Certification
21
Authority's signing key;
22
(2) is held by the Certificate Manufacturing
23
Authority as a fiduciary for the Certification
24
Authority; and
25
(3) shall not be used for any reason without
26
the express written permission of the
27
Certification Authority;
28
(iv) Any other private key used by a Certificate
29
Manufacturing Authority for purposes associated with its
30
Certificate Manufacturing Authority function shall not be
31
used for any other purpose without the express written
32
permission of the Certification Authority.
33
(8)
Activation Data. No stipulation.
34
(9)
Computer Security Controls. All Certification Authority servers must include the
35
functionality satisfying Federal Information Processing Standards 140-1 Level 2
36
(or higher) and pertinent cryptographic module security requirements of the
37
Common Criteria – ISO 15408-1 “Evaluation Criteria” for IT Security either
1
through the operating system, or combination of operating system, public key
2
infrastructure application, and physical safeguards.
3
(10)
4
Life Cycle Technical Controls:
(a)
System Development Controls. System design and development
5
shall be conducted using an industrial standard methodology, e.g.
6
systems development life cycle approach (SDLC);
7
(b)
Security Management Controls. (Reserved)
8
(11)
Network Security Controls. (Reserved)
9
(12)
Cryptographic Module Engineering Controls. (Reserved)
10
11
History Note: Authority G.S. 66-58.10
12
13
.0308
14
LIST PROFILES
15
PUBLIC KEY TECHNOLOGY: CERTIFICATE AND CERTIFICATE REVOCATION
(1)
Certificate Profile:
(a)
16
Certificates referencing these Rules shall contain public keys used
17
for authenticating the sender of an electronic message and
18
verifying the integrity of such messages, i.e. public keys used for
19
digital signature verification;
20
(b)
All certificates referencing these Rules will be issued in the X.509
21
version 3 format and will include a reference to the Object
22
Identifier for these Rules, when assigned, within the appropriate
23
field. The Certification Practice Statement shall identify the
24
certificate extensions supported, and the level of support for those
25
extensions.
26
(2)
Certificate Revocation List Profile. If utilized, Certificate Revocation Lists will be
27
issued in the X.509 version 2 format. The Certificate Practice Statement shall
28
identify the Certificate Revocation List extensions supported and the level of
29
support for these extensions.
30
31
32
33
History Note: Authority G.S. 66-58.10
.0309
PUBLIC KEY TECHNOLOGY: RULE ADMINISTRATION
34
(1)
Rule Change Procedures. (Reserved)
35
(2)
List of Items. Notice of all proposed changes to these Rules, under
36
consideration by the Department of the Secretary of State, that may
37
materially affect users of the Rules (other than editorial or typographical
38
corrections, or changes to the contact details) will be provided to licensed
1
Certification Authorities. Notice will be posted on the World Wide Web site
2
of the North Carolina Department of the Secretary of State. Authorized
3
Certification Authorities shall post notice of such proposed changes in their
4
repositories and shall advise their subscribers, in writing or by e-mail, of
5
such proposed changes;
(4)
6
7
Publication and Notification Procedures:
(a)
A copy of these Rules is available in electronic form on the
Internet at www.secretary.state.nc.us/ecomm/;
8
9
(b)
Authorized Certification Authorities shall post copies of these
Rules in their repositories.
10
11
12
History Note: Authority G.S. 66-58.10
13
SECTION .0400 BIOMETRICS. (RESERVED)
14
15
16
SECTION .0500 SIGNATURE DYNAMICS. (RESERVED)
17
SECTION .0600 (RESERVED)
18
19
SECTION .0700 ALTERNATE TECHNOLOGIES
20
21
22
23
.0701
ALTERNATE TECHNOLOGIES AND PROVISIONAL LICENSING
(1)
Alternate Technologies: Any person may petition the Electronic Commerce
24
Section to initiate rulemaking to recognize a technology not currently recognized
25
under these Rules. The petition shall be made pursuant to G.S. 150B-20. General
26
Statute 150B-20 and other statutes can be viewed at the North Carolina General
27
Assembly's Internet site at http://www.ncga.state.nc.us/. In addition to the
28
requirements of G.S. 150B-20, in order to enable the Electronic Commerce
29
Section to best consider the petition, the petitioner should also provide a detailed
30
explanation of the proposed technology, and a discussion of how the technology
31
complies with the substantive intent of the Electronic Commerce Act.
32
(2)
Provisional Licensing: If the Electronic Commerce Section accepts the proposed
33
technology for rulemaking, it may, but is not required to, enter into provisional
34
licensing agreements with persons utilizing the proposed technology and desiring
35
licensure during the time before the new Rules are effective. The terms and
36
conditions of any provisional licensing agreement shall be substantially consistent
37
with these Rules.
1
2
History Note: Authority G.S. 66-58.10
3
4
SECTION .0800 - SANCTIONS AND ENFORCEMENT
5
6
7
.0801
CIVIL SANCTIONS
(1)
If, upon investigation, the Electronic Commerce Section finds that a Certification
8
Authority has violated any provision of the Electronic Commerce Act or these
9
Rules, or finds that the Certification Authority has had a license revoked or
10
suspended in any other jurisdiction, the Electronic Commerce Section may revoke
11
or suspend any license issued under the Electronic Commerce Act and these Rules.
12
The revocation or suspension may be in addition to any civil monetary penalty
13
issued against the Certification Authority. As a condition of license reinstatement
14
following a period of suspension, the Electronic Commerce Section may require
15
that the Certification Authority submit updated or additional documentation or
16
assurances regarding its operations.
17
(2)
If, upon investigation, the Electronic Commerce Section finds that a Certification
18
Authority has violated any provision of the Electronic Commerce Act or these
19
Rules, the Electronic Commerce Section may assess a civil monetary penalty of
20
not more than five thousand dollars ($5,000 US) for each violation. The civil
21
monetary penalty may be in addition to any revocation or suspension of the
22
Certification Authority's license. As a condition of continued licensure following
23
assessment of a civil monetary penalty, the Electronic Commerce Section may
24
require that the Certification Authority submit updated or additional
25
documentation or assurances regarding its operations.
26
(3)
Adjustment factors. In determining the length of any suspension or amount of any
27
civil monetary penalty, the Electronic Commerce Section shall consider:
28
(a)
29
30
The organizational size of the Certification Authority cited for
violating the provisions of the Electronic Commerce Act;
(b)
The good faith of the Certification Authority cited, including but
31
not limited to any procedures or processes implemented by the
32
violator to prevent the violation from recurring;
33
(c)
The gravity of the violation;
34
(d)
The prior record of the violator in complying or failing to comply
35
36
with the Electronic Commerce Act or these Rules; and
(e)
The risk of harm cause by the violation.
1
(4)
Continuing Violations. After the receipt of notice of a violation, if any
2
Certification Authority willfully continues to violate by action or inaction the
3
Electronic Commerce Act or these Rules, each day or transaction the violation
4
continues or is repeated may be considered a separate violation.
5
(5)
Civil Sanction Notification. When the Electronic Commerce Section determines
6
that a civil sanction shall be assessed, the Electronic Commerce Section shall
7
notify the Certification Authority of the following information by electronic mail,
8
if possible, and by any means permitted under Rule 4 of the North Carolina Rules
9
of Civil Procedure:
10
(a)
The nature of the violation;
11
(b)
The civil sanction imposed;
12
(c)
That the civil sanction will become final unless within 15 days
13
after receiving notice of the violation the Certification Authority
14
either (i) takes exception to the civil sanction assessment by filing
15
a contested case petition with the Office of Administrative
16
Hearings; or (ii) submits a written request for the reduction of the
17
sanction; and
18
(d)
reduction of the sanction.
19
20
The procedure for taking exception to the violation or seeking the
(6)
Civil Sanction Finality. The Certification Authority must file a contested case
21
petition pursuant to G.S. 150B-23 or submit a written request for the reduction of
22
the sanction within 15 days of receipt of the notice of the civil sanction assessment
23
or the assessment shall become final. Notice shall be deemed received at the time
24
of service by any method permitted under Rule 4 of the North Carolina Rules of
25
Civil Procedure.
26
(7)
Request for Reduction of Civil Sanction. A Certification Authority that admits a
27
cited violation but wishes to seek reduction of the length of a suspension or
28
amount of a civil monetary penalty may request reduction of the civil sanction.
29
(a)
Any request for reduction of a civil sanction shall be submitted to
30
the Electronic Commerce Section in writing and must include a
31
written statement supporting the reduction request. Requests for
32
reduction of a sanction are solely for the purpose of allowing the
33
Certification Authority to contest the reasonableness of the civil
34
sanction arising under this Rule. The Certification Authority
35
should not attempt to contest the existence of a violation or raise
36
questions of law in the request for reduction of the sanction.
1
(b)
The Electronic Commerce Section shall determine if the assessed
2
sanction is to be reduced pursuant to a reduction request and shall
3
notify the Certification Authority of its decision in writing.
4
(c)
If the Electronic Commerce Section determines that the reduction
5
request raises issues of fact or questions of law, the Electronic
6
Commerce Section may decline to consider the reduction request,
7
and shall notify the Certification Authority by certified or
8
registered mail that it must file a contested case petition with the
9
Office of Administrative Hearings in order to preserve its claim
10
and legal rights. The Certification Authority must file a contested
11
case petition with the Office of Administrative Hearings within 15
12
days of receipt of notice or the sanction assessed shall be final.
13
(d)
If the reduction request does not raise issues of fact or questions of
14
law, the Electronic Commerce Section shall determine if the
15
assessed sanction is to be reduced, and shall notify the
16
Certification Authority of its decision in writing by electronic mail,
17
if possible, and by any other means permitted under Rule 4 of the
18
North Carolina Rules of Civil Procedure. In the event the
19
Electronic Commerce Section denies the reduction request, or
20
grants the reduction request in an amount unacceptable to the
21
Certification Authority, the Certification Authority must file a
22
contested case petition with the Office of Administrative Hearings
23
within 15 days of receipt of notice of the Electronic Commerce
24
Section's decision, or the decision shall become the final decision.
25
Notice shall be deemed received at the time of service by any
26
method permitted under Rule 4 of the North Carolina Rules of
27
Civil Procedure.
28
(8)
Payment. Any civil monetary penalty shall be due within 60 days of the date of the
29
initial assessment of the penalty, except that if the Certification Authority files a
30
contested case petition pursuant to G.S. 150B-23 or submits a written request for
31
reduction of the penalty, the penalty shall be due within 60 days of the date of the
32
final decision. The penalty shall be paid with cash or certified funds by personal
33
delivery or certified mail to the Electronic Commerce Section. In the event the
34
Certification Authority fails to pay the penalty assessed within the time periods set
35
forth in this Rule, the Electronic Commerce Section may collect the amount of the
36
penalty from the bond required by these Rules.
37
1
Authority G.S. 66-58.6; 66-58.10
2
3
.0802 CRIMINAL PENALTIES AND INJUNCTIVE RELIEF
4
The Department of the Secretary of State has the authority to investigate, prosecute and otherwise
5
pursue criminal penalties for violations of the Electronic Commerce Act, pursuant to G.S. 66-58.8, or
6
injunctive relief pursuant to G.S. 66-58.6.
7
8
Authority G.S. 66-58.6; 66-58.8; 66-58.10
9
10
SECTION .0900 - RECIPROCITY
11
12
13
.0901
RECIPROCAL AGREEMENTS AND LICENSURE BY RECIPROCITY
(1)
The Electronic Commerce Section may enter into reciprocal licensing agreements
14
with other jurisdictions that have adopted electronic commerce laws similar in
15
nature and intent to the Electronic Commerce Act.
16
(2)
Certification Authorities licensed by other jurisdictions may request North
17
Carolina licensure by the North Carolina Electronic Commerce Section. The
18
applicant must be currently licensed in good standing with another jurisdiction.
19
(3)
To seek reciprocal licensure in North Carolina, Certification Authorities licensed
20
by other jurisdictions shall do the following:
21
(a)
Pay the licensing fee as described in these Rules;
22
(b)
Provide the Electronic Commerce Section with evidence of
23
24
licensure in good standing from the other licensing jurisdiction;
(c)
Provide the Electronic Commerce Section with a complete copy of
25
the licensing application that led to the Certification Authority
26
becoming licensed in the other jurisdiction, including any
27
amendments thereto;
28
(d)
Provide full disclosure of any former, current or proposed
29
disciplinary action or criminal proceeding arising from or related
30
to the Certification Authority's license or activities as a
31
Certification Authority;
32
(e)
Provide a complete history of licensure in all other jurisdictions,
33
whether continuous or disrupted, and if disrupted the length of the
34
disruption and basis therefore; and
35
36
(f)
Provide any additional information as required by the Electronic
Commerce Section.
1
(4)
The Electronic Commerce Section shall have the power to impose civil sanctions
2
against a reciprocal licensee on the same basis that the Electronic Commerce
3
Section can impose civil sanction against a Certification Authority license
4
otherwise issued, or upon finding that the Certification Authority has had a license
5
revoked or suspended in another jurisdiction.
6
(5)
Any Certification Authority that obtains a reciprocal license under these Rules
7
shall be obligated to inform the Electronic Commerce Section in writing of any
8
civil or criminal proceeding that arises from or relates to the Certification
9
Authority's license or any disciplinary action commenced against the Certification
10
Authority in any other jurisdiction within ten days of notice of the proceeding or
11
action.
12
13
Authority G.S. 66-58.3; 66-58.6; 66-58.7; 66-58.8; 66-58.10; 66.58.11