California Code of Regulations
Title 2 - Administration
Division 7 - Secretary of State
Chapter 10 - Digital Signatures
Section 22003 - Acceptable Technologies

Universal Citation: 2 CA Code of Regs 22003

Current through Register 2024 Notice Reg. No. 38, September 20, 2024

(a) The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the following provisions:

(1) Definitions. For purposes of section 22003(a), and unless the context expressly indicates otherwise:
(A) "Asymmetric cryptosystem" means a computer algorithm or series of algorithms which utilize two different keys with the following characteristics:
(i) One key signs a given message;

(ii) One key verifies a given message; and

(iii) The keys have the property that, knowing one key, it is computationally infeasible to discover the other key.

(B) "Certificate" means a computer-based record which:
(i) Identifies the certification authority issuing it;

(ii) Names or identifies its subscriber;

(iii) Contains the subscriber's public key;

(iv) Is digitally signed by the certification authority issuing or amending it; and

(v) Conforms to widely used industry standards, including, but not limited to, ISO x.509 and PGP certificate standards.

(C) "Certification Authority" means a person or entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.

(D) "Key pair" means a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates.

(E) "Practice statement" means documentation of the practices, procedures and controls employed by a Certification Authority.

(F) "Private key" means the key of a key pair used to create a digital signature.

(G) "Proof of Identification" means the document or documents presented to a Certification Authority to establish the identity of a subscriber.

(H) "Public key" means the key of a key pair used to verify a digital signature.

(I) "Subscriber" means a person who:
(i) Is the subject listed in a certificate;

(ii) Accepts the certificate; and

(iii) Holds a private key which corresponds to a public key listed in that certificate.

(2) California Government Code Section 16.5 requires that a digital signature be 'unique to the person using it.' A public key-based digital signature may be considered unique to the person using it if:
(A) The private key used to create the signature on the document is known only to the signer;

(B) The digital signature is created when a person runs a message through a one-way function, creating a message digest, then encrypting the resulting message digest using an asymmetrical cryptosystem and the signer's private key;

(C) Although not all digitally signed communications will require the signer to obtain a certificate, the signer is capable of being issued a certificate to certify that he or she controls the key pair used to create the signature; and

(D) It is computationally infeasible to derive the private key from knowledge of the public key.

(3) California Government Code Section 16.5 requires that a digital signature be 'capable of verification.' A public key-based digital signature is capable of verification if:
(A) The acceptor of the digitally signed document can verify the document was digitally signed by using the signer's public key to decrypt the message; and

(B) If a certificate is a required component of a transaction with a public agency, the issuing Certification Authority, either through a certification practice statement or through the content of the certificate itself, must identify which, if any, form(s) of identification it required of the signer prior to issuing the certificate.

(4) California Government Code Section 16.5 requires that the digital signature remain 'under the sole control of the person using it.' Whether a signature is accompanied by a certificate or not, the person who holds the key pair, or the subscriber identified in the certificate, assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature pursuant to California Evidence Code Section 669.

(5) The digital signature must be linked to the message of the document in such a way that if the data are changed, the digital signature is invalidated.

(6) If the signature is accompanied by a certificate, the certificate is from a Certification Authority that, at the time of signing, is included in at least one of the following third-party certificate program lists:
(A) Apple Root Certificate Program

(B) Microsoft Trusted Root Program

(C) Mozilla Root Program

(b) The technology known as "Signature Dynamics" is an acceptable technology for use by public entities in California, provided that the signature is created consistent with the following provisions:

(1) Definitions. For the purposes of Section 22003(b), and unless the context expressly indicates otherwise:
(A) "Handwriting Measurements" means the metrics of the shapes, speeds and/or other distinguishing features of a signature as the person writes it by hand with a pen or stylus on a flat surface.

(B) "Signature Digest" is the resulting bit-string produced when a signature is tied to a document using Signature Dynamics.

(C) "Expert" means a person with demonstrable skill and knowledge based on training and experience who would qualify as an expert pursuant to California Evidence Code Section 720.

(D) "Signature Dynamics" means measuring the way a person writes his or her signature by hand on a flat surface and binding the measurements to a message through the use of cryptographic techniques.

(2) California Government Code Section 16.5 requires that a digital signatures be 'unique to the person using it.' A signature digest produced by Signature Dynamics technology may be considered unique to the person using it if:
(A) The signature digest records the handwriting measurements of the person signing the document using signature dynamics technology;

(B) The signature digest is cryptographically bound to the handwriting measurements; and

(C) After the signature digest has been bound to the handwriting measurements, it is computationally infeasible to separate the handwriting measurements and bind them to a different signature digest.

(3) California Government Code Section 16.5 requires that a digital signature be 'capable of verification.' A signature digest produced by signature dynamics technology is capable of verification if:
(A) The acceptor of the digitally signed message obtains the handwriting measurements for purposes of comparison; and

(B) If signature verification is a required component of a transaction with a public entity, the handwriting measurements can allow an expert handwriting and document examiner to assess the authenticity of a signature.

(4) California Government Code Section 16.5 requires that a digital signature remain 'under the sole control of the person using it.' A signature digest is under the sole control of the person using it if:
(A) The signature digest captures the handwriting measurements and cryptographically binds them to the message directed by the signer and to no other message; and

(B) The signature digest makes it computationally infeasible for the handwriting measurements to be bound to any other message.

(5) The signature digest produced by signature dynamics technology must be linked to the message in such a way that if the data in the message are changed, the signature digest is invalidated.

1. New section filed 6-12-98; operative 6-12-98 pursuant to Government Code section 11343.4(d) (Register 98, No. 24).
2. Amendment of section heading and section filed 4-22-2020 as an emergency; operative 4-22-2020 (Register 2020, No. 17). A Certificate of Compliance must be transmitted to OAL by 10-19-2020 or emergency language will be repealed by operation of law on the following day.
3. Emergency filed 4-22-2020 extended 60 days pursuant to Executive Order N-40-20 and an additional 60 days pursuant to Executive Order N-71-20. A Certificate of Compliance must be transmitted to OAL by 2-16-2021 or emergency language will be repealed by operation of law on the following day.
4. Certificate of Compliance as to 4-22-2020 order transmitted to OAL 1-5-2021 and filed 2-17-2021 (Register 2021, No. 8).

Note: Authority cited: Section 16.5, Government Code. Reference: Section 16.5, Government Code.

Disclaimer: These regulations may not be the most recent version. California may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.