Connecticut DSS Requirements for Electronic Signatures

James Platt james.platt at yale.edu
Tue Jan 2 23:09:59 CET 2007


I'm writing some documentation for a particular application I support  
that uses GPG as a back end for signing documents.  This particular  
implementation is subject to regulation from the Connecticut  
Department of Social Services (link to the regulations below).  While  
I am confident that my application meets the requirements (especially  
given the variety of other systems where the vendors have signed off  
on compliance with this regulation) I want to be sure that my  
documentation is technically correct for my own satisfaction, if  
nothing else.  I wonder if readers of this list could comment on how  
they would interpret the application of these rules to the use of GPG.

In particular, what would you say is the "unique code"?  Is it just  
the user's private key or is it the private key plus other  
information stored with it?  As I understand it, the main input in  
generating a key pair is the output of a random number generator.   
Does information about the user such as their name and email address  
actually get incorporated into the key in any way or is that  
information just stored along with it?  I would rather not say that  
the GPG password is part of the unique code because the regulations  
speak of the unique code as being something which is assigned to the  
user by the provider (me).  That could then be interpreted as meaning  
that I would have to assign every user a new password every 60 days  
(requirement 7b).  It makes a lot more sense to me to have the users  
pick their own passwords but maybe I'm taking that part too literally.

http://www.ctmedicalprogram.com/bulletin/pb05_50.pdf


James Platt
C&IS Support Specialist
Dermatology, Yale Cancer Center
Yale University School of Medicine, New Haven, CT
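The question in the post about whether a user's name and e-mail address become part of the key can be checked against the OpenPGP packet format itself. The following is an added illustration written for this page; it is not code from the original post, from the application described, or from GnuPG. It assembles a minimal version 4 RSA public-key packet from constructed sample values (SAMPLE_N is not a real modulus, and the timestamp is made up), computes the key fingerprint exactly as RFC 4880 section 12.2 specifies, and then shows that swapping the User ID packet leaves the fingerprint unchanged while a different creation time does not. Everything the RFC puts in the key packet is key material plus a creation timestamp; the name and e-mail live in a separate User ID packet that is only bound to the key by a self-signature (not modelled here), and a passphrase never enters the computation at all, since the RFC defines a secret key's fingerprint to be that of its public key and the passphrase only encrypts the stored secret material.

```python
"""Added example (not from the original post or GnuPG): what an OpenPGP v4
fingerprint actually covers.  Packet encodings follow RFC 4880; the key
values below are constructed and are not a real key."""
import hashlib
import struct

# Constructed sample key material.  NOT a real RSA key: the fingerprint
# algorithm does not care whether n is a genuine product of two primes.
SAMPLE_N = (1 << 511) | 0x123456789ABCDEF1
SAMPLE_E = 65537
SAMPLE_CREATED = 1167775799  # constructed Unix timestamp (2 Jan 2007, UTC)


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer (RFC 4880 3.2): a two-octet bit count
    followed by the big-endian magnitude with no leading zero octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 5.5.2): version,
    creation time, algorithm id (1 = RSA), then n and e as MPIs.
    Note what is absent: no name, no e-mail address, no passphrase."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def public_key_packet(body: bytes) -> bytes:
    """Old-format packet header for tag 6 with a two-octet length (0x99)."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def user_id_packet(uid: str) -> bytes:
    """User ID packet (tag 13, old-format header 0xB4, one-octet length).
    The name and e-mail are carried here, in a packet separate from the key
    material; a self-signature (not modelled here) ties it to the key."""
    data = uid.encode("utf-8")
    if len(data) > 255:
        raise ValueError("user id too long for a one-octet length header")
    return b"\xb4" + bytes([len(data)]) + data


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order eight octets of the v4 fingerprint."""
    return fingerprint[-16:]


def build_key_block(n: int, e: int, created: int, uid: str) -> bytes:
    """Minimal transferable public key: key packet followed by a User ID packet."""
    return public_key_packet(public_key_body(n, e, created)) + user_id_packet(uid)


def fingerprint_from_block(block: bytes) -> str:
    """Parse the leading public-key packet out of a key block and fingerprint
    it.  Everything after that packet (user IDs, signatures) is ignored."""
    if not block or block[0] != 0x99:
        raise ValueError("expected an old-format tag-6 packet with two-octet length")
    (length,) = struct.unpack(">H", block[1:3])
    return v4_fingerprint(block[3:3 + length])


def demo() -> dict:
    """Same key material under two different user IDs gives one fingerprint;
    the same material with a different creation time gives another."""
    alice = build_key_block(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED,
                            "Alice Example <alice@example.org>")
    other = build_key_block(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED,
                            "A. N. Other <other@example.net>")
    later = build_key_block(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED + 1,
                            "Alice Example <alice@example.org>")
    fp_alice = fingerprint_from_block(alice)
    fp_other = fingerprint_from_block(other)
    fp_later = fingerprint_from_block(later)
    return {
        "fp_alice": fp_alice,
        "key_id": key_id(fp_alice),
        "uid_independent": fp_alice == fp_other,
        "creation_time_matters": fp_alice != fp_later,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints one fingerprint for both user IDs and reports that only the creation time changed it. The practical reading for documentation is that the fingerprint (and the key ID derived from it) identifies the key material and nothing else; whatever the regulation's "unique code" is taken to be, the name, e-mail and passphrase are not inputs to it.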
