What are they? What do I need to do?
What is Arizona doing?
And why is the Secretary of State in the middle of it?
The Short Answer:
Arizona passed legislation enabling the use of digital signatures by and with state agencies (A.R.S. 41-132). That legislation gave the Secretary of State a statutory duty to "Accept, and approve for use, electronic and digital signatures that comply with section 41-132, for documents filed with and by all state agencies, boards and commissions." And it defined an electronic signature: "An electronic signature shall be unique to the person using it, shall be capable of reliable verification and shall be linked to a record in a manner so that if the record is changed the electronic signature is invalidated."
Which leads to
The Long Answer:
It can be confusing to wade into the range of documents that describe Arizona's Digital Signature policy and practices. This introduction is intended to provide a "mental picture" of how the policy of electronic signature use fits with a range of business needs for signatures and how a range of technologies have been organized within that policy framework to flexibly satisfy that range of business needs.
The Secretary of State has a statutory duty to "Accept, and approve for use, electronic and digital signatures that comply with section 41-132, for documents filed with and by all state agencies, boards and commissions." The Policy Authority is how the Secretary of State establishes "policies and procedures for the use of electronic and digital signatures by all state agencies, boards and commissions for documents filed with and by all state agencies, boards and commissions." (A.R.S. 41-121, Duties of the Secretary of State). The Policy Authority is designed to provide a "technology neutral" policy framework for electronic signing processes and then to build within that framework more specific specifications for using particular technologies.
Arizona was one of several states that passed electronic signature statutes in the late 1990s. Arizona was unusual in that we limited the statute to signing documents filed with and by state agencies. Many states then passed the Uniform Electronic Transactions Act (UETA); most states enacted a version in 2000 and 2001. Arizona passed UETA in 2000. UETA establishes a more common recognition of electronic signatures. The U.S. Federal government also passed an electronic signatures act known as E-SIGN. E-SIGN had some implications for how states interpreted and implemented state electronic signature statutes (UETA or otherwise), and several states collaborated to review those implications and other state issues with electronic signatures. Russ Savage of Arizona's Office of Secretary of State chaired a multi-state workgroup in 2001 that developed a general framework for electronic signing processes, and the Arizona Policy Authority's framework now includes many elements that came out of that multi-state effort.
The core multi-state documents are a good introduction to the process of establishing what is a good electronic signing practice and how to determine which technology to implement for particular uses. They are located here among several unrelated papers published that year by NECCC. They are in PDF format and are linked to below along with an Introduction document that inadvertently was not published.
Multi-state Electronic Signature/Record Reciprocity papers:
Now, for what Arizona's Electronic Signature framework looks like. As mentioned, there is a specific statute for state agencies that places responsibility on the Secretary of State to establish policy and procedures and to approve signing processes used by agencies. The Administrative Rules for that legislation establish a Policy Authority (PA) within the Secretary of State, which handles this responsibility according to defined PA practices.
Many of the documents on this website define the rules for using particular technologies for signing processes, for example:
Public Key Cryptography (PKC) technologies:
PKI Certificate Policy
PGP Certificate Policy
PKI & PGP technical standards are established by GITA (with the Policy Authority collaborating)
Signature Dynamics technologies
Signature Dynamics Electronic Signing Policy
(conceptually similar to a Certificate Policy - except there is no certificate)
Note that other technologies, such as the use of a PIN or password, are unique applications, and a generalized policy defining the security and audit requirements cannot be developed for them. The state does permit (and has in use) electronic signing processes that do not conform to established technical standards or have an established audit evaluation process. These signing processes require specific review and specific policies for them to be approved by the Secretary of State.
There are also agency, project and vendor related documents, for example:
Application Form for Certification Authority Approval
Certificate Authorities Approved to issue Certificates
Definitions and Acronyms
There are also links to various statutes, administrative rules and projects related to electronic signing processes
AZ Electronic Transaction Act
AZ Electronic Notary
The Federal electronic signature and e-authentication efforts can be explored online as well.
Hopefully this introduction gives you a good sense of why the Policy Authority exists and how its policies facilitate the state's use of electronic signatures. Electronic signatures allow agencies to move, as appropriate, from paper-based records to more efficient and timely electronic records. Some current electronic signing processes are described here.