Arizona Administrative Code
Table of Contents
Arizona Secretary of State
http://www.azsos.gov


TITLE 2. ADMINISTRATION

CHAPTER 12. OFFICE OF THE SECRETARY OF STATE

ARTICLE 5. ELECTRONIC SIGNATURES

R2-12-501. Definitions

R2-12-502. Identification of Acceptable Technologies for Electronic Signatures

R2-12-503. Policy Authority

R2-12-504. Certification Authority Approval Application, Suspension, Revocation

ARTICLE 5. ELECTRONIC SIGNATURES

R2-12-501. Definitions

A. "Acceptable Certification Authorities" means authorities that meet the requirements of R2-12-504.

B. "Approved List of Certification Authorities" means the list of Certification Authorities approved by the Secretary of State to issue certificates for electronically signed transactions involving public entities in Arizona.

C. "Asymmetric crypto-system" means an electronically processed algorithm, or series of algorithms, which uses 2 different keys with the following characteristics:

1. One key encrypts a given message;

2. One key decrypts a given message; and

3. The keys have the property that it is infeasible to discover 1 key from merely knowing the other key.

D. "CARAT Guidelines" means the CARAT Guidelines - Guidelines for Constructing Policies Governing the Use of Identity-Based Public Key Certificates drafted by the Certification Authority Rating and Trust (CARAT) Task Force of the National Automated Clearing House Association (NACHA), Version 1 Draft, September 21, 1998, excluding later amendments or additions, incorporated by reference and on file with the Secretary of State.

E. "Certificate" means an electronic document attached to a public key by a trusted certification authority, which provides proof that the public key belongs to a legitimate subscriber and has not been compromised.

F. "Certification Authority" means a person or entity that issues a certificate.

G. "Electronically signed communication" means an electronic message that has been processed in such a manner that the message is tied to the individual who signed the message.

H. "GITA" means the Government Information Technology Agency, as established by A.R.S. § 41-3501.

I. "Key pair" means a private key and its corresponding public key in an asymmetric crypto-system. The key pair is unique in that the public key can verify a digital signature that the private key creates.

J. "Message" means an electronic representation of information intended to serve as a written communication with a public entity.

K. "Person" means a human being or any organization capable of signing a document, either legally or as a matter of fact.

L. "Policy Authority" means, as defined by CARAT Guidelines, some authoritative party that formulates the guidelines defining the process of electronic signature use.

M. "Private key" means the key of a key pair used to create a digital signature.

N. "Public key" means the key of a key pair used to verify a digital signature.

O. "Public entity" means any budget unit, as defined in A.R.S. § 41-3501.

P. "S.A.S. 70" means the standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70. Should current S.A.S. 70 standards (or any succeeding version) be superseded, the Secretary of State, in consultation with GITA and the State Treasurer, shall establish a deadline for all affected parties to comply with the replacing standard. This deadline shall be no later than 2 years from the date of issuance of the new S.A.S. standards. GITA will also provide a "roadmap" of how the revised standard fits the current Type 1 and Type 2 S.A.S. 70 designations used elsewhere in these rules.

Q. "Subscriber" means a person who:

1. Is the subject listed in a certificate,

2. Accepts the certificate, and

3. Holds a private key which corresponds to a public key listed in that certificate.

R2-12-502. Identification of Acceptable Technologies for Electronic Signatures

A. The Secretary of State shall accept, and approve for use, technologies for electronic signature, in consultation with the Policy Authority and GITA, provided the technologies meet the standards set forth in the GITA standards for Electronic Signatures, as specified in A.R.S. § 41-3504.

B. Provisions for Adding New Technologies

1. Any individual or company can petition the Secretary of State to review the technology, by providing a written request for review including a full explanation of a proposed technology that meets the requirements established under subsection (A) and meets the requirements of the Policy Authority as identified in R2-12-503.

2. The Secretary of State has 180 days from the date of the request to review the petition and either accept or reject it.

a. If the petitioner's proposed technology meets the requirements established under subsection (A) and meets the requirements of the Policy Authority, then GITA shall work with the Policy Authority to incorporate the new technology into electronic signature use by public agencies in Arizona.

b. If the proposed technology is rejected, the petitioner can appeal the decision through the Administrative Procedure Act, A.R.S. § 41-1092.08(H).

R2-12-503. Policy Authority

A. The office of the Secretary of State shall serve as the Policy Authority as defined within the CARAT Guidelines. These guidelines provide a prudent operational model that may be applied to new technologies as they are approved.

B. Decisions made by the Policy Authority under A.R.S. §§ R2-12-501, R2-12-502 and R2-12-504 may be appealed pursuant to the Administrative Procedure Act, A.R.S. § 41-1092.08(H).

R2-12-504. Certification Authority Approval Application, Suspension, Revocation

A. Acceptable Certification Authorities

1. The Secretary of State shall maintain an "Approved List of Certification Authorities" authorized to issue certificates for electronically signed communication with public entities in Arizona.

2. Public entities shall only accept certificates from Certification Authorities that appear on the "Approved List of Certification Authorities" and are authorized to issue certificates by the Secretary of State.

B. Registration of Certification Authorities

1. The Secretary of State shall place Certification Authorities on the "Approved List of Certification Authorities" after the Certification Authority provides the Secretary of State with a copy of an unqualified performance audit performed in accordance with standards set in S.A.S. 70 to ensure that the Certification Authority's practices and policies are consistent with the requirements in this Article and any requirements of the Policy Authority.

a. Certification Authorities that have been in operation for 1 year or less shall undergo a S.A.S. 70 type 1 audit - A report of Policies and Procedures placed in operation, receiving an unqualified opinion.

b. Certification Authorities that have been in operation for longer than 1 year shall undergo a S.A.S. 70 type 2 audit - A Report of Policies and Procedures placed in operation and test of operating effectiveness, receiving an unqualified opinion.

c. To remain on the "Approved List of Certification Authorities", a Certification Authority must provide proof of compliance every 2 years after initially being placed on the list and meet any requirements of the Policy Authority in effect at that time.

2. In lieu of completing the auditing requirement in subsection (B)(1), Certification Authorities may be placed on the "Approved List of Certification Authorities" upon providing the Secretary of State with proof acceptable to the Secretary of State that the Certification Authority meets the Policy Authority's criteria for acceptance of a Foreign License (non-Arizona license).

a. Certification Authorities shall be removed from the "Approved List of Acceptable Certification Authorities" unless they provide current proof of accreditation to the Secretary of State at least once per year no later than December 31st of each year.

b. If the Secretary of State is informed a Certification Authority has had its accreditation revoked, the Certification Authority shall be removed from the "Approved List of Certification Authorities" immediately.

 

