Connecticut DSS Requirements for Electronic Signatures
James Platt
james.platt at yale.edu
Tue Jan 2 23:09:59 CET 2007
I'm writing some documentation for a particular application I support that uses GPG as a back end for signing documents. This particular implementation is subject to regulation from the Connecticut Department of Social Services (link to the regulations below). While I am confident that my application meets the requirements (especially given the variety of other systems where the vendors have signed off on compliance with this regulation), I want to be sure that my documentation is technically correct for my own satisfaction, if nothing else. I wonder if readers of this list could comment on how they would interpret the application of these rules to the use of GPG.

In particular, what would you say is the "unique code"? Is it just the user's private key, or is it the private key plus other information stored with it? As I understand it, the main input in generating a key pair is the output of a random number generator. Does information about the user such as their name and email address actually get incorporated into the key in any way, or is that information just stored along with it? I would rather not say that the GPG password is part of the unique code, because the regulations speak of the unique code as being something which is assigned to the user by the provider (me). That could then be interpreted as meaning that I would have to assign every user a new password every 60 days (requirement 7b). It makes a lot more sense to me to have the users pick their own passwords, but maybe I'm taking that part too literally.
http://www.ctmedicalprogram.com/bulletin/pb05_50.pdf
James Platt
C&IS Support Specialist
Dermatology, Yale Cancer Center
Yale University School of Medicine, New Haven, CT
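The question above about whether a user's name and e-mail become part of the key can be checked against the OpenPGP packet format itself. The following is an added example, not code from the original post or from GnuPG: it builds a transferable public key out of a v4 public-key packet (tag 6) and a User ID packet (tag 13), parses the packet stream back, and computes the v4 fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-byte length, and the public-key packet body). Because only the key packet is hashed, two key blocks that carry the same key material but different User IDs get the same fingerprint, while a different modulus gives a different fingerprint. The modulus, exponent, creation time and names are constructed toy values, not a real key; the self-signature that binds a User ID to the key, and the passphrase protection of the secret key, are out of scope here.

```python
"""Added example (not from the original post or from GnuPG).

Demonstrates that in OpenPGP the User ID (name and e-mail) is a separate
packet stored beside the key material, not an input to it: the v4
fingerprint (RFC 4880 s.12.2) covers the public-key packet only.
All key material below is constructed toy data, not a usable RSA key.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Wrap a body in an old-format header (RFC 4880 s.4.2.1) with a 2-byte length.

    For tag 6 the header octet comes out as 0x99, which is exactly the
    constant the fingerprint calculation hashes in front of the body.
    """
    if len(body) >= 0x10000:
        raise ValueError("body too long for a 2-byte length field")
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def public_key_packet(n: int, e: int, created: int) -> bytes:
    """Build a v4 RSA public-key packet: version, creation time, algorithm 1, MPIs n and e."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return old_format_packet(6, body)


def user_id_packet(uid: str) -> bytes:
    """Build a User ID packet (tag 13); the body is just the UTF-8 string."""
    return old_format_packet(13, uid.encode("utf-8"))


def parse_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packets with definite lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if ctb & 0x40:  # new-format header: 6-bit tag, variable-length length field
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported in this example")
        else:  # old-format header: 4-bit tag, 2-bit length-type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported in this example")
            size = 1 << ltype
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte body length || public-key packet body (RFC 4880 s.12.2)."""
    h = hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(key_body)) + key_body)
    return h.hexdigest().upper()


def fingerprint_of_keyblock(block: bytes) -> str:
    """Fingerprint of the primary key in a transferable public key; User IDs are ignored."""
    for tag, body in parse_packets(block):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def user_ids(block: bytes):
    """Return the User ID strings carried alongside the key."""
    return [body.decode("utf-8") for tag, body in parse_packets(block) if tag == 13]


# Constructed toy values (a real RSA modulus is 2048 bits or more).
TOY_N = 0x9F5D4C3B2A190807
TOY_E = 65537
TOY_CREATED = 1167782999  # constructed creation timestamp

KEY_PACKET = public_key_packet(TOY_N, TOY_E, TOY_CREATED)
BLOCK_A = KEY_PACKET + user_id_packet("Alice Example <alice@example.org>")
BLOCK_B = KEY_PACKET + user_id_packet("A. Example <alice@example.net>")
BLOCK_OTHER_KEY = (public_key_packet(TOY_N + 2, TOY_E, TOY_CREATED)
                   + user_id_packet("Alice Example <alice@example.org>"))

if __name__ == "__main__":
    for name, block in (("A", BLOCK_A), ("B", BLOCK_B), ("other", BLOCK_OTHER_KEY)):
        print(name, fingerprint_of_keyblock(block), user_ids(block))
```

Running the block prints identical fingerprints for blocks A and B despite their different User IDs, and a different fingerprint for the block whose modulus changed. The same property is what `gpg --list-packets` exposes on a real key: the `public key packet` and `user ID packet` are listed as separate packets, with a `signature packet` (the self-signature) binding the two.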