Connecticut DSS Requirements for Electronic Signatures

David Shaw dshaw at jabberwocky.com
Wed Jan 3 04:52:58 CET 2007 

On Tue, Jan 02, 2007 at 05:09:59PM -0500, James Platt wrote:
> I'm writing some documentation for a particular application I support  
> that uses GPG as a back end for signing documents.  This particular  
> implementation is subject to regulation from the Connecticut  
> Department of Social Services (link to the regulations below).  While  
> I am confident that my application meets the requirements (especially  
> given the variety of other systems where the vendors have signed off  
> on compliance with this regulation) I want to be sure that my  
> documentation is technically correct for my own satisfaction, if  
> nothing else.  I wonder if readers of this list could comment on how  
> they would interpret the application of these rules to the use of GPG.

I'll preface this by noting that while I have done work similar to
this in "fitting" GPG to set regulations, and could reasonably be
called an authority on OpenPGP/GPG, obviously I'm not an authority
from the Connecticut DSS, or even the Massachusetts one.

> In particular, what would you say is the "unique code?"  Is it just
> the user's private key or is it the private key plus other
> information stored with it?

The "unique code" is the user's private key, plus the passphrase.

> As I understand it, the main input in generating a key pair is the
> output of a random number generator.

Not exactly true, but true enough.  The exact details depend on which
signing algorithm you're using.

> Does information about the user such as their name and email address  
> actually get incorporated into the key in any way or is that  
> information just stored along with it?

The name and email address are just stored along with it.  They are
treated as part of the key for convenience, but are not a factor in
the actual crypto math.

> I would rather not say that the GPG password is part of the unique
> code because the regulations speak of the unique code as being
> something which is assigned to the user by the provider (me).  That
> could then be interpreted as meaning that I would have to assign
> every user a new password every 60 days (requirement 7b).  It makes
> a lot more sense to me to have the users pick their own passwords
> but maybe I'm taking that part too literally.

I'd say the "unique code" includes the passphrase.  It would be hard
to argue otherwise as even the example given in the document shows the
passphrase being included (requirement 1).  That said, I don't see 7b
as requiring you to issue each user a new passphrase every 60 days.
It is sufficient for you to "ensure passphrases are revised
periodically", which would allow for users to change them.

The catch here is that there is no facility in OpenPGP for forcing a
periodic passphrase change.  Since it can't be forced, you may have to
trust your users to do this properly.

David

More information about the Gnupg-users mailing list