Section .0100 - General Administration


Published: 2015

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$20 per month, or Get a Day Pass for only USD$4.99.
CHAPTER 10 - ELECTRONIC COMMERCE SECTION

 

SECTION .0100 - GENERAL ADMINISTRATION

 

18 NCAC 10 .0101             HOW TO CONTACT THE ELECTRONIC

COMMERCE SECTION

(a)  The Electronic Commerce Section may be contacted by the

following means:  Regular mail may be sent to the Electronic Commerce Section

at the following address: Electronic Commerce Section, Department of the

Secretary of State, PO Box 29622, 2 South Salisbury Street, Raleigh, NC

27626-0622.

(b)  Up-to-date contact information regarding the Electronic

Commerce Section is contained on the Department of the Secretary of State's

Internet site at http://www.state.nc.us/secstate.

 

History Note:        Authority G.S. 66-58.10;

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

SECTION .0200 - DEFINITIONS

 

18 NCAC 10 .0201             APPLICABLE DEFINITIONS

In addition to the definitions in the Electronic Commerce

Act, Article 11A of Chapter 66 (G.S. 66-58.1 et seq.), the following apply to

the rules in this Chapter:

(1)           Affiliated Individual.  An "affiliated

individual" means the subject of a certificate that is associated with a

sponsor approved by the Certification Authority (such as an employee affiliated

with an employer).  Certificates issued to affiliated individuals are intended

to be associated with the sponsor and the responsibility for authentication

lies with the sponsor. 

(2)           Asymmetric Cryptosystem.  "Asymmetric

cryptosystem" means a computer-based system that employs two different but

mathematically related keys.  The keys are computer-generated codes having the

following characteristics:

(a)           either key can be used to electronically

sign or encrypt data, such that only the other key in that key pair is capable

of verifying the electronic signature or decrypting the signed data; and

(b)           the keys have the property that, knowing one

key, it is computationally infeasible to discover the other key.

(3)           Authorized Certification Authority. 

"Authorized Certification Authority" means a Certification Authority

that has been issued a Certification Authority license by the North Carolina

Department of the Secretary of State to issue certificates that reference the

rules in this Chapter.

(4)           Certification Authority Revocation List. 

"Certification Authority Revocation List" means a time-stamped list

of revoked Certification Authorities digitally signed by a Certification

Authority or the Electronic Commerce Section.

(5)           Certificate.  "Certificate" means a

record which:

(a)           identifies the certification authority

issuing it;

(b)           names or identifies its subscriber;

(c)           contains a public key that corresponds to a

private key under the control of the subscriber;

(d)           identifies its operational period or period

of validity;

(e)           contains a certificate serial number and is

digitally signed by the Certification Authority issuing it; and

(f)            conforms to the ITU/ISO X.509 Version 3

standards or other standards accepted under the Rules in this Chapter. As used

in the rules in this Chapter the term "Certificate" refers to

certificates that expressly reference the rules in this Chapter in the

"Certificates Policy" filed for an X.509 v.3 certificate.

(6)           Certificate Manufacturing Authority. 

"Certificate Manufacturing Authority" means an entity that is

responsible for the manufacturing and delivery of certificates signed by a

Certification Authority, but is not responsible for identification and

authentication of certificate subjects (i.e., a Certificate Manufacturing

Authority is delegated the certificate manufacturing task by a Certification

Authority).

(7)           Certificate Revocation List.  "Certificate

Revocation List" means a Certification Authority digitally signed,

time-stamped list of revoked certificates.

(8)           Certification Authority.  "Certification

Authority" means an entity authorized by the Secretary of State to

facilitate electronic commerce. A Certification Authority is responsible for

authorizing and causing certificate issuance.  A Certification Authority may

perform the functions of a Registration Authority and a Certificate Manufacturing

Authority, or it may delegate or outsource either of these functions.  A

Certification Authority vouches for the connection between an entity and that

entity’s electronic signature.  A Certification Authority performs two

essential functions:

(a)           First, it is responsible for identifying and

authenticating the intended subscriber named in a certificate, and verifying

the subscriber possesses the private key corresponding to the public key listed

in the certificate; and

(b)           Second, the Certification Authority actually

creates (or manufactures) and digitally signs the certificate. The certificate

issued by the Certification Authority represents the Certification Authority's

statement as to the identity of the person named in the certificate and the binding

of that person to a particular public-private key pair.

(9)           Certification Practice Statement. 

"Certification Practice Statement" means documentation of the

practices, procedures, and controls employed by a Certification Authority

issuing, suspending, or revoking certificates and providing access to same. A

Certification Practice Statement shall contain, at a minimum, detailed

discussions of the following topics:

(a)           technical security controls, including

cryptographic modules and management;

(b)           physical security controls;

(c)           procedural security controls;

(d)           personnel security controls;

(e)           repository obligations, including

registration management, subscriber information protection, and certificate

revocation management; and

(f)            financial responsibility.

(10)         Electronic Commerce Act.  The term "Electronic

Commerce Act" means The North Carolina Electronic Commerce Act, G.S. 66,

Article 11A.

(11)         Electronic Commerce Section.  "Electronic

Commerce Section" means the component of the North Carolina Department of

the Secretary of State responsible for reviewing Certification Authority

license applications and administering the Electronic Commerce Act in North

Carolina.

(12)         Electronic signature.  "Electronic

signature" means any identifier or authentication technique attached to or

logically associated with an electronic record intended by the party using it

to have the same force and effect as the party's manual signature.

(13)         Federal Information Processing Standards.  The term

"Federal Information Processing Standards" means Federal standards

prescribing specific performance requirements, practices, formats,

communications protocols for hardware, software, data, and telecommunications

operation.

(14)         Internet Engineering Task Force.  "Internet

Engineering Task Force" means a large, open international community of

network designers, operators, vendors, and researchers concerned with the

evolution of the Internet architecture and the smooth operation of the

Internet.

(15)         ITS Security Director.  "ITS Security

Director" means the ITS Security Director of North Carolina State

government as designated by the Chief Information Officer for North Carolina

State Government.

(16)         ITU/ISO X.509 Version 3 standards.  "ITU/ISO

X.509 Version 3 standards" means Version three of the X.509 standards

promulgated by the International Telecommunications Union and the International

Organization for Standardization.

(17)         Key pair.  The term "key pair" means two

mathematically related keys, having the properties that one key can be used to

encrypt a message that can only be decrypted using the other key, and even

knowing one key, it is computationally infeasible to discover the other key.

(18)         Object Identifier.  An "object identifier"

means an unambiguous identifying specially formatted number assigned in the

United States by the American National Standards Institute (ANSI).

(19)         Operational Period of a Certificate.  The

"operational period of a certificate" means the period of its

validity.  It begins on the date the certificate is issued (or such later date

as specified in the certificate), and ends on the date and time it expires as

noted in the certificate or as earlier revoked or suspended.

(20)         PKIX.  The term "PKIX" means an Internet

Engineering Task Force Working Group developing technical specifications for a

public key infrastructure components based on X.509 Version 3 certificates.

(21)         Private Key.  "Private key" means the key

of a key pair used to create a digital signature.  This key must be kept a

secret.  It is also known as the confidential key or secret key.

(22)         Public Key.  "Public key" means the key of

a key pair used to verify a digital signature.  The public key is made

available to anyone who will receive digitally signed messages from the holder

of the key pair.  The public key is usually provided in a Certification

Authority issued certificate and is often obtained by accessing a repository. 

A public key is used to verify the digital signature of a message purportedly

sent by the holder of the corresponding private key.  It is also known as the

published key.

(23)         Public Key Cryptography.  "Public Key

Cryptography" means a type of cryptographic technology employing an

asymmetric cryptosystem.

(24)         Registration Authority.  The term "Registration

Authority" means an entity responsible for identification and

authentication of certificate subjects, but that does not sign or issue

certificates (i.e., a Registration Authority is delegated certain tasks on

behalf of a Certification Authority).

(25)         Relying Party.  "Relying party" means a

recipient of a digitally signed message who relies on a certificate to verify

the digital signature on the message.

(26)         Repository.  "Repository" means a

trustworthy system for storing and retrieving certificates and other

information relating to those certificates.

(27)         Repository Services Provider.  "Repository

Services Provider" means an entity that maintains a repository accessible

to the public, or at least to relying parties, for purposes of obtaining copies

of certificates or verifying the status of such certificates.

(28)         Responsible Individual.  "Responsible

Individual" means a person designated by a sponsor to authenticate

individual applicants seeking certificates on the basis of their affiliation

with the sponsor.

(29)         Revoke A Certificate.  "Revoke a

certificate" means to prematurely end the operational period of a

certificate from a specified time forward.

(30)         Secretary.  "Secretary" means the North

Carolina Secretary of State.

(31)         Sponsor.                  "Sponsor" means

an organization with which a subscriber is affiliated (e.g., as an employee,

user of a service, business partner, or customer).

(32)         Subscriber.  A "subscriber" means the

person to whom a certificate is issued.  A subscriber means a person who:

(a)           is the subject named or identified in a

certificate issued to such person;

(b)           holds a private key that corresponds to a

public key listed in that certificate; and

(c)           to whom digitally signed messages verified

by reference to such certificate are to be attributed.

(33)         Suspend a certificate.  "Suspend a

certificate" means to temporarily suspend the operational period of a

certificate for a specified time period or from a specified time forward.

(34)         Transaction.  "Transaction" means an

electronic transmission of data between an entity and a public agency, or

between two public agencies, including, but not limited to contracts, filings,

and other legally operative documents not specifically prohibited in the

Electronic Commerce Act.

(35)         Trustworthy System.  "Trustworthy system"

means computer hardware, software, and procedures that:

(a)           are secure from intrusion and misuse;

(b)           provide a level of availability,

reliability, and correct operation;

(c)           are suited to performing their intended

functions; and

(d)           adhere to Federal Information Processing

Standards.

(36)         Valid Certificate.  A "valid certificate"

means one that:

(a)           a Certification Authority has issued;

(b)           the subscriber listed in it has accepted;

(c)           has not expired; and

(d)           has not been suspended or revoked.

A certificate is

not valid until it is both issued by a Certification Authority and accepted by

the subscriber.

(37)         X.500.  "X.500" means a directory standard

/ protocol for connecting local directory services to form one distributed

global directory.  X.500 is an OSI (Open System Interconnection) protocol,

named after the number of the ITU (International Telecommunications Union - a

United Nations Specialized Agency) CCITT (International Telegraph and Telephone

Consultative Committee) Recommendation document containing its specification. 

This document is known as "Recommendation X.500 (03/00) - Information

technology - Open systems interconnection - The Directory: public-key and

attribute frameworks," and is available from International

Telecommunication Union on the World Wide Web, www.itu.int, 183 Swiss Francs,

price subject to change.

(38)         X.509.  "X.509" means a standard /

protocol adopted by the International Telecommunication Union (formerly known

as the International Telegraphy and Telephone Consultation Committee).  For

purposes of the Rules in this Chapter, all references to X.509 shall be

construed as referring to version 3.  Compliance with X.509 versions 1 or 2

shall not be construed as compliance with X.509. This document is known as

"Recommendation X.509 (03/00) - Information technology - Open systems

interconnection - The Directory: public-key and attribute frameworks," and

is available from International Telecommunication Union on the World Wide Web, www.itu.int, 183 Swiss Francs, price subject to

change.

 

History Note:        Authority G.S. 66-58.10(a)(1);

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

SECTION .0300 - PUBLIC KEY TECHNOLOGY

 

18 NCAC 10 .0301             PUBLIC KEY TECHNOLOGY

LICENSING, FEES, RENEWAL

(a)  To be considered for licensure under this subsection, a

Certification Authority shall utilize certificate-based public key

cryptography.

(b)  Any applicant seeking licensure must demonstrate

compliance with the North Carolina Electronic Commerce Act, G.S. 66, Article

11A, and the rules in this Chapter.

(c)  To request licensure, a Certification Authority shall

provide the Electronic Commerce Section with a copy of its current

Certification Practice Statement and most recent reports of compliance audit(s)

as required by 18 NCAC 10 .0303 (k).

(d)  A Certification Authority shall adhere to its

Certification Practice Statement.  If a Certification Authority modifies its

Certification Practice Statement, it shall provide an updated copy of the

Certification Practice Statement to the Electronic Commerce Section as soon as

is practicable, and no later than the date the updated Certification Practice

Statement is put into operation.  As a condition of continued licensure, the

Electronic Commerce Section may require the Certification Authority to undergo

an audit to document compliance with its updated Certification Practice

Statement and the rules in this Chapter.

(e)  An initial licensing fee of two thousand dollars

($2,000 US) shall accompany an initial application. 

(f)  A renewal fee of two thousand dollars ($2,000 US) shall

accompany an application for renewal by a licensed Certification Authority.

(g)  A license issued by the Electronic Commerce Section

pursuant to this Section shall expire one year after its effective date, unless

timely renewed.

(h)  Financial Responsibility.

(1)           As precondition of licensure a

Certification Authority shall obtain a bond issued by a surety company

authorized to do business in North Carolina.  A copy of the bond shall be filed

with the Electronic Commerce Section prior to licensure.  The amount of the

bond shall not be less than twenty-five thousand dollars ($25,000 US).  The

bond shall be in favor of the State of North Carolina.  The bond shall be

payable for any penalties assessed by the Electronic Commerce Section pursuant

to the Rules in this Chapter and for any losses the State encounters

resulting from a Certification Authority's conduct of activities subject to the

Electronic Commerce Act or arising out of a violation of the Electronic

Commerce Act or any Rule promulgated thereunder;

(2)           As precondition of licensure a

Certification Authority shall obtain indemnity insurance coverage (e.g.

"errors and omissions" or "cyber coverage" or similar

coverage) to protect subscribers, relying parties and the State for any losses

resulting from the Certification Authority's conduct of activities subject to

the Electronic Commerce Act or arising out of a violation of the Electronic

Commerce Act or any Rule promulgated thereunder.  Indemnity coverage shall be

obtained and maintained in the amount of not less than one hundred thousand

dollars ($100,000 US) per occurrence and not less than one million dollars

($1,000,000 US) for all occurrences;

(3)           The failure of a Certification

Authority to continuously maintain this surety bond and indemnity insurance

coverage may be the basis for revocation or suspension of its license.

 

History Note:        Authority G.S. 66-58.3; 66-58.10(a)(2);

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 NCAC 10 .0302             PUBLIC

KEY TECHNOLOGY. CERTIFICATION AUTHORITY:  CERTIFICATE

ISSUANCE AND MANAGEMENT - OVERVIEW.

(a)  Overview.  The Rules in this Section specify minimum

requirements for issuance and management of certificates that may be used in verifying

digital signatures.  The digital signatures may be used on categories of

electronic communications specified as suitable applications in 18 NCAC 10

.0302(b)(5).  Each item in the Rules in this Section must be

specifically addressed by the Certification Authority in the Certification

Authority's Certification Practice Statement filed with the North Carolina

Department of the Secretary of State at the time the Certification Authority

submits an application for licensure or renewal.

(b)  Community and Applicability.

(1)           Certification Authorities.  The Rules in

this Chapter are binding on each licensed Certification Authority issuing

certificates identifying them, and govern Certification Authority performance

with respect to all certificates it issues referencing the Rules.  Specific

Certification Authority Practice Statements and procedures implementing the

requirements of the Rules in this Chapter shall be set forth in the

Certification Authority Certification Practice Statement;

(2)           Certification Authorities Authorized to

Issue Certificates Under the Rules in this Chapter.  Any Certification

Authority may issue certificates identifying the Rules in this Chapter if

licensed in the State of North Carolina and the Certification Authority agrees to

be bound by and comply with the undertakings and representations of the Rules

in this Chapter with respect to such certificates.  Issuance of a certificate

referencing this Item shall constitute issuing the agreement of the

Certification Authority to be bound by terms of the Rules for all certificates

referencing them;

(3)           Subscribers. A Certification Authority may

issue certificates that reference the Rules in this Chapter to the following

classes of subscribers:

(A)          individuals (unaffiliated);

(B)          individuals associated with a sponsor recognized by

the Certification Authority ("affiliated individuals"), provided the

sponsor is the subscriber of a valid certificate issued by the Certification

Authority in accordance with the Rules in this Chapter;

(C)          public agencies, as defined in .G.S. 66-58.2; and

(D)          organizations and businesses

qualified as legal entities;

(4)           Relying Parties. The Rules in this Chapter

benefit the following persons, who may rely on certificates issued to others

referencing them ("Qualified Relying Parties"):

(A)          individuals intending to engage in a transaction

with a public agency;

(B)          public agencies, as defined in G.S. 66-58.2;

(C)          organizations and businesses, qualified as legal

entities, engaged in a transaction with a public agency; and

(D)          other parties to a transaction with the entity and a public agency;

(5)           Suitable Applications.  Certificates

referencing this Item are intended to provide a level of identity binding

assurance and the protection of document encryption, and are typically suitable

for:

(A)          System Access / Systems Security

(i)            Verifying the identity of electronic mail

correspondents for non-critical communications;

(ii)           Obtaining access to databases, applications and

systems;

(iii)          Message / document encryption for protection of

contents/identities.

(B)          Digital Signature Activity

(i)            Commerce involving various goods or services

with various values;

(ii)           Obtaining personal data relating to the

subscriber.

(C)          Message / Document Encryption: Documents encrypted

to protect contents (e.g. privacy of subscriber);

(6)           Some sample applications of the Rules in

this Chapter are:

(A)          Computing applications providing access to the

certificate holder's own personal information;

(B)          Request and distribution of text information or

other types of copyrighted content for which fees are charged or subscriptions

are required;

(C)          Verifying the identity of communicating parties;

(D)          Verifying signatures on contracts, government

benefits statements, and other documentation;

(E)           Signing of electronic messages; e.g. official

reports, employee leave and travel reporting, tax withholding; and

(F)           Secure transport of individual, patient specific

medical / other privileged information over public networks.

 

History Note:        Authority G.S. 66-58.10;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 ncac 10

.0303             PUBLIC KEY TECHNOLOGY:  CERTIFICATE POLICY GENERAL PROVISIONS

(a)  Certification Authority

Obligations.  The Certification Authority is responsible for all aspects of

certificate issuance and management, including control over:

(1)           the application / enrollment process;

(2)           the identification and authentication

process;

(3)           the actual certificate manufacturing

process;

(4)           certificate publication;

(5)           certificate suspension and revocation,

publication of the Certificate Revocation List and Certification Authority

Revocation Lists, as pertinent;

(6)           certificate renewal;

(7)           ensuring that all aspects of the

Certification Authority services and Certification Authority operations and

infrastructure related to certificates issued under the Rules in this Chapter

are performed in accordance with the requirements, representations, and

warranties of the Rules in this Chapter; and

(8)           Delivering certificate updates and

revocation transactions to the NC ITS directory, where pertinent.

(b)  Representations by Certification Authority.  By issuing

a certificate referencing the Rules in this Chapter, a Certification

Authority certifies to subscriber and all Qualified Relying Parties (who

reasonably and in good faith rely on a certificate's information during its

operational period in accordance with the Rules in this Chapter) that:

(1)           the Certification Authority has verified

certificate information unless otherwise noted in its Certification Practice

Statement;

(2)           the Certification Authority has issued, and

will manage, the certificate in accordance with the Rules in this Chapter;

(3)           the Certification Authority has complied

with the requirements of the rules in this Chapter and its applicable

Certification Practice Statement when authenticating the subscriber and issuing

the certificate;

(4)           there are no misrepresentations of  fact in

the certificate known to the Certification Authority, and the Certification

Authority has verified additional information in the certificate unless

otherwise noted in its Certification Practice Statement;

(5)           subscriber-provided information in the

certificate application has been accurately transcribed to the certificate; and

(6)           the certificate meets all material

requirements of the rules in this Chapter and the Certification Authority's

certification practice statement.

(c)  Registration Authority and Certificate Manufacturing

Authority Obligations:  The Certification Authority shall be responsible for

performing all identification and authentication functions and all certificate

manufacturing and issuing functions.  However, the Certification Authority may

delegate performance of these obligations to an identified Registration

Authority or Certificate Manufacturing Authority, provided the Certification

Authority remains primarily responsible for performance of those services by

such third parties in a manner consistent with requirements of the rules in

this Chapter.

(d)  Repository Obligations:  The Certification Authority

shall be responsible for providing a repository, performing / providing

certificate updates as required and performing all associated functions. 

However, the Certification Authority may delegate performance of this

obligation to an identified Repository Services Provider, provided the

Certification Authority remains primarily responsible for performance of those

services by such third party in a manner consistent with the requirements of

the rules in this Chapter.

(e)  Subscriber Obligations.  In

all cases, the Certification Authority shall require the subscriber to enter an

enforceable contractual commitment for the benefit of Qualified Relying Parties

obligating the subscriber to:

(1)           take precautions to prevent any loss,

disclosure, or unauthorized use of the private key;

(2)           acknowledge that by accepting the

certificate the subscriber is warranting all information and representations

made by the subscriber included in the certificate are true;

(3)           use the certificate exclusively for

authorized and legal purposes, consistent with the rules in this Chapter; and

(4)           immediately contact the Certification

Authority and instruct the Certification Authority to revoke the certificate

promptly upon any actual or suspected loss, disclosure, or other subscriber

private key compromise.

(f)  Relying Party Obligations. 

A Qualified Relying Party may rely on a certificate referencing this Item only

if the certificate was used and relied upon for lawful purposes and under

circumstances where:

(1)           the reliance was reasonable and in good

faith in light of all circumstances known to the relying party at the time of

reliance;

(2)           the purpose for which the certificate was

used was appropriate under the rules in this Chapter; and

(3)           the relying party checked the certificate

status certificate prior to reliance, or a check of the certificate's status

would have indicated the certificate was valid.

(g)  Interpretation &

Enforcement.

(1)           Governing Law.  The laws of the State of

North Carolina shall govern the enforceability, construction, interpretation,

and validity of the rules in this Chapter.

(2)           The holders of North Carolina Certification

Authority licenses are not guaranteed any business by public agencies in North

Carolina.  All other state laws required to engage in business with public

agencies in North Carolina must be complied with by the Certification Authority

and public agencies.

(h)  Fees.  A Certification

Authority shall not impose any fees for reading the rules in this Chapter or

its Certification Practice Statement.  A Certification Authority may charge

access fees on certificates, certificate status information, or certificate

revocation lists, subject to agreement between the Certification Authority and

subscriber, and in accordance with a fee schedule published by the

Certification Authority in its Certification Practice Statement or otherwise.

(i)  Publication and Repositories:

(1)           Publication of Certification Authority

Information. Each authorized Certification Authority shall operate a secure

online repository available to Qualified Relying Parties.  The repository shall

contain:

(A)          issued certificates

that reference the rules in this Chapter;

(B)          a Certificate

Revocation List or on-line certificate status database;

(C)          the Certification

Authority's certificate for its signing key;

(D)          past and current

versions of the Certification Authority's Certification Practice Statement; and

(E)           a copy of the rules

in this Chapter.

(2)           Frequency of

Publication. All information to be published in the repository shall be

published promptly after such information is available to the Certification

Authority.  In no case shall more than 24 hours pass between certification

authority awareness of a change and the Certification Authority publishing of

the change.  Certificates issued by the Certification Authority referencing the

rules in this Chapter shall be published promptly upon acceptance of such

certificate by the subscriber.  Certificate revocations and suspensions shall

be published contemporaneously with the act of revocation or suspension. 

Information relating to revocation or suspension of a certificate shall be

published in accordance with 18 NCAC 10 .0305(f)(2) and 18 NCAC 10 .0305(h).

(j)  Access Controls.  The

repository shall be available to Qualified Relying Parties and subscribers 24

hours per day, 7 days per week, subject to published, scheduled maintenance and

the Certification Authority's then-current terms of access.  A Certification

Authority shall not impose any access controls on the rules in this Chapter,

the Certification Authority's certificate for its signing key, and past and

current versions of the Certification Authority's Certification Practice

Statement.  A Certification Authority may impose access controls on

certificates, certificate status information, or Certificate Revocation Lists

at its discretion, subject to agreement between the Certification Authority and

subscriber, in accordance with provisions published in its Certification

Practice Statement or otherwise.

(k)  Required Compliance Audits:

(1)           The Certification Authority must submit to

audit to determine its stability, prospects for longevity and adequacy of its

security practices and conditions.  The audits must result in unqualified

compliance reports.  When a Certification Authority is licensed in North

Carolina based on a reciprocity agreement between North Carolina and another

state, the Certification Authority may submit certified copies of audit reports

required by the other jurisdiction.  After review by the Electronic Commerce

Section, audit reports may be determined to meet North Carolina Certification

Authority audit requirements.

(2)           A Certification Authority shall adhere to

its Certification Practice Statement.  If a Certification Authority modifies

its Certification Practice Statement, it shall provide an updated copy of the

Certification Practice Statement to the Electronic Commerce Section as soon as

practicable and no later than the date the updated Certification Practice

Statement is put into operation.  At the discretion of the Electronic Commerce

Section, the Certification Authority may be required to undergo additional /

other audits for license renewal.

(3)           Stability and Longevity Prospects Audit:

(A)          Before initial approval as a licensed Certification

Authority, the Certification Authority (and each Registration Authority,

Certificate Manufacturing Authority, and Repository Services Provider, as

applicable) shall submit to audit by an independent Certified Public Accounting

firm.  The audit must address the American Institute of Certified Public

Accountants (AICPA) Section 341, "The Auditor's Consideration of an

Entity's Ability to Continue as a Going Concern".

(B)          The audit must produce an unqualified report from

the CPA firm to the Certification Authority.  A certified copy of the audit

report must be attached by the Certification Authority to the application for a

new Certification Authority license or renewal license, and submitted to the

Electronic Commerce Section.

(C)          As a condition of continued licensure, the

Electronic Commerce Section may require the Certification Authority to undergo

audit to document compliance with expectations for secure operations, an

updated Certification Practice Statement, or to document continuing compliance

with the ITU/ISO X.509 Version 3 standards and the

rules in this Chapter.

(D)          A Certification Authority operated by an Agency of

the State of North Carolina is exempt from this requirement.

(4)           Security Audit.  The purpose of a security

audit is to verify:

(A)          The Certification

Authority has in place a secure system assuring quality of Certification

Authority Services provided; and

(B)          the Certification

Authority's system complies with all security requirements of the rules in this

Chapter, the Certification Authority's Certification Practice Statement and

ITU/ISO X.509 Version 3 standards.

Before initial approval as a

licensed Certification Authority, and thereafter at least once every year, the

Certification Authority shall submit to a security compliance audit by a

security firm. The audit must evidence compliance with Federal Information

Processing Standards 140-1 "Security: Cryptographic Modules" Level 2

and TSEC (The Orange Book) C2 criteria or comply with contemporary

Certification Authority security criteria as expressed in terms of the

"Common Criteria" – ISO 15408-1:1999.  In order for an audit firm to

be approved by the Electronic Commerce Section, it must engage or employ at

least one Certified Information Systems Auditor (CISA) certified by the

Information Systems Audit and Control Association (CISACA), 3701 Algonquin

Road, Rolling Meadows, Illinois, 60008, www.ISACA.org.  A certified copy of the

current unqualified security audit report must be attached to an application

for a new certification authority license or renewal license, and submitted to

the NC Department of Secretary of State, Electronic

Commerce Section.

(l)  Confidentiality Policy.  Subscriber consent must be

obtained for each incident of disclosure and for each item of information

unless required otherwise by law.  The Certification Authority may not sell or

exchange information in any circumstance that is not specifically allowed by

the Rules in this Chapter or otherwise required by law.

(1)           A Certification Authority may not use data

gathered in fulfilling its Certification Authority role for any other purpose. 

A Certification Authority shall not gather information beyond that necessary to

authenticate a subscriber nor shall it use information gathered in its

Certification Authority role to assemble further information about subscribers;

and

(2)           Under no circumstance shall a Certification

Authority (or any Registration Authority, Repository Services Provider, or

Certificate Manufacturing Authority) have access to the signing private key(s)

(versus encryption key(s)) of any subscriber to whom it issues a certificate

referencing the Rules in this Chapter, except for initial creation of the

signing/secret key where the key is not accessed and no enduring record is made

of the key.

(m)  Information Not Considered Confidential.

(1)           Information appearing on certificates is

not confidential.

(2)           Disclosure of Certificate Revocation /

Suspension Information. Information regarding the revocation or suspension

status of a certificate is not confidential and is disclosed in the normal

course of public key infrastructure activity.

(3)           Any information

may be disclosed upon owner's request.

 

History Note:        Authority G.S. 66-58.10;

Codifier determined on November 23, 1999, agency findings

did not meet criteria fo temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 ncac 10 .0304             PUBLIC KEY

TECHNOLOGY; IDENTIFICATION AND AUTHENTICATION

(a)  Initial Registration:

(1)           Subject to the requirements of this Rule,

certificate applications may be communicated from the applicant to

Certification Authority or Registration Authority, and authorizations to issue

certificates may be communicated from a Registration Authority to the

Certification Authority, electronically, via E-mail or a web site, provided all

communication is secured by SSL or a similar security protocol, by first class

U.S. Mail or similar service.

(2)           North Carolina deploys two levels / classes

of authentication certificate:

(A)          North Carolina Basic

Authentication Certificate:  A North Carolina Basic Authentication Certificate

is a digital certificate manufactured by a licensed Certificate Authority

intended to be used to sign routine internal North Carolina government business

documents (e.g. personnel leave documents, travel reimbursement requests and

similar documents) and to gain access to State systems when deemed appropriate

by information technology security policy.

(B)          North Carolina Strong Authentication Certificate:  A

North Carolina Strong Authentication Certificate is a digital certificate

manufactured by a North Carolina licensed Certificate Authority intended to be

used with a high degree of confidence to sign any document.

(b)  Types of Names.  The subject name used for certificate

applicants shall be the X.509 Distinguished Name.  The name shall be unique for

each entity certified by a Certification Authority.  A Certification Authority

may issue more than one certificate with the same subject name for the same

subject entity.

(c)  Name Meanings.  The subject

name listed in a certificate must have a reasonable association with the

authenticated name of the subscriber.  In the case of an individual, this shall

be a combination of first name or initials and surname.  In the case of an

organization, the name shall reflect the legal name of the organization or

unit.

(d)  Name Uniqueness.  The

subject name listed in a certificate shall be unambiguous and unique for all

certificates issued by the Certification Authority and shall conform to X.500

standards for name uniqueness.  If necessary, additional numbers or letters may

be appended to the real name to ensure the name's uniqueness within the domain

of certificates issued by the Certification Authority and detailed in the

Certification Practice Statement.

(e)  Verification of Key Pair.  The Certification Authority

shall establish that the applicant is in possession of the private key

corresponding to the public key submitted with the application.

(f)  Authentication of an

Organization.  An organization may be issued a North Carolina Strong

Authentication Certificate.  An organization shall not be issued a North

Carolina Basic Authentication Certificate.

(1)           Identification.  A Certification Authority

shall be presumed to have confirmed that the prospective subscriber

organization is the organization to be listed in a certificate where the

Certification Authority has assured by investigation:

(A)          The organization exists and conducts business at the

address listed in the certificate application;

(B)          A duly authorized representative of the applicant

organization signed the certificate application;

(C)          The information contained in the certificate

application is correct; and

(D)          If required by State law, the organization is

authorized to transact business by the Corporations Division of the North

Carolina Department of the Secretary of State.

(2)           A Certificate Authority or Registration

Authority, when authenticating an applicant who is an organization, shall

require the following information on a notarized affidavit:

(A)          Organization Name;

(B)          Street address and mailing address, if different;

(C)          City;

(D)          State;

(E)           Zip;

(F)           Tax Payer Identification Number / Employer

Identification Number (EIN);

(G)          Corporate

Identification Number (Issued by Secretary of State);

(H)          Date of incorporation or creation;

(I)            State or country of incorporation or creation;

(J)            Telephone number (optional);

(K)          E-mail address (optional);

(L)           Post data element (e.g. password) to be a secret

shared with the Certification Authority / Registration Authority and used later

for authentication in the absence of the digital signature.  This element may

be used along with additional information to authenticate a request for

certificate revocations; and

(M)         Name of officially authorized agent, if applicable.

(3)           Authentication and Confirmation Procedure. 

In conducting its review and investigation, the Certification Authority shall

review official government records or engage the services of a third party

vendor of business information to do so.  The Certification Authority or third

party review shall provide validation information concerning each organization

applying for a certificate, including legal company name, type of entity, year

of formation, names of directors and officers, address, telephone number, and

good standing in the jurisdiction where the applicant was incorporated or otherwise

organized.

(g)  Authentication of Individual --

No Affiliation:  An unaffiliated individual may be issued a North Carolina

Strong Authentication Certificate, North Carolina Basic Authentication

Certificate, or both.  In determining the type of certificate required,

agencies shall evaluate the application's risk of loss involved and nature of

business with which the certificate holder shall be associated. Based on the

evaluation, a NC Basic Authentication Certificate may be appropriate. In other

cases, it may be appropriate to require a North Carolina Strong Authentication

Certificate may be appropriate.  In other cases, it may be appropriate to

require a North Carolina Strong Authentication Certificate.

(1)                

Identification:

(A)          North Carolina Strong Authentication Certificate.  A

Certification Authority shall be presumed to have confirmed that the

prospective subscriber is the person to be listed in a certificate where the

Certification Authority has been presented with at least two identification

documents.  At least one piece of identification shall be a current federal or

state government-issued picture-type identification such as a military or

government identification card, driver's license, or similar identification

document issued under authority of another country, or passport.  The

Certification Authority or Registration Authority shall initial, date and

archive copies of identification used to establish the subscriber's identity.

(2)           Authentication for a North Carolina Strong

Authentication Certificate.  Authenticating an unaffiliated individual

applicant, the Certification Authority or Registration Authority shall require

the following elements of information from the applicant on a notarized

affidavit:

(A)          Last name (family name);

(B)          First name (given name);

(C)          Middle Name(s);

(D)          Street address and mailing address, if different;

(E)           City;

(F)           State;

(G)          Zip;

(H)          Social Security Number (SSN), national

identification number or passport number;

(I)            Driver's license number, or state identification

card number;

(J)            Date of birth;

(K)          Place of birth;

(L)           Telephone number (optional);

(M)         E-mail address (optional);

(N)          Post data element (e.g. mother's maiden name,

password) to be used later for authenticating an individual in the absence of

their digital signature.  This element may be used along with additional

information to authenticate a request for certificate revocations; and

(O)          Name of officially authorized agent, if applicable.

(3)           Authentication for a North Carolina Basic

Authentication Certificate.  Certification Authorities or Registration

Authorities shall require a notarized affidavit from the applicant's personnel

officer, signed by the applicant including:

(A)          Last name (family name);

(B)          First name (given name);

(C)          Middle name(s);

(D)          Street address and mailing address, if different;

(E)           City;

(F)           State;

(G)          Zip;

(H)          Social Security Number (SSN), national

identification number or passport number;

(I)            Driver's license number, or state identification

card number;

(J)            Date of birth;

(K)          Place of birth;

(L)           Business Telephone number (optional);

(M)         Business E-mail address (optional) as assigned by

agency;

(N)          Post data element (e.g. mother's maiden name,

password) to be used later for authenticating an individual in the absence of

their digital signature.  This element may be used along with additional

information to authenticate a request for certificate revocations;

(O)          Name of officially authorized agent, if applicable;

(P)           Beginning date of employment; and

(Q)          Ending date of employment (if known).

(4)           Investigation and Confirmation. 

Verification of the name and SSN and the Name and Driver's License (or ID

Number) data elements may be accomplished via checks with the Social Security

Administration and the appropriate state motor vehicle administration. 

Verification of the name and address data elements may be accomplished through

access to either a commercial or governmental data source (e.g. Department of

Motor Vehicles, personnel office, etc.).  The address confirmation data sources

may consist of either online databases or local business records (e.g., a

bank's customer records, the U.S. Postal Service, state motor vehicle

department records, state personnel office).

(5)           Personal Presence.  Authentication of an

unaffiliated individual requires the applicant must either:

(A)          personally present himself or herself to a

Registration Authority to be authenticated prior to certificate issuance.  An

individual may meet expectations for personal presence by an attorney-in-fact,

trustee or other court appointed fiduciary; or

(B)          securely deliver signed and notarized copies of the

requisite identification to the Certification Authority [in which case, once

notarized copies are delivered parties may communicate electronically]. Where

the applicant delivers notarized copies of identification to the Certification

Authority, authentication of such identification shall be confirmed through the

use of a shared secret [such as a personal identification number].  The shared

secret is separately communicated to the applicant in a manner that assures its

confidentiality and included with the documents delivered as part of the

certificate application process.

(h)  Authentication of Individual – Affiliated Certificate.

(1)           Identification.

(A)          The Certification Authority may establish a

trustworthy procedure whereby a sponsoring organization that has been

authenticated by the Certification Authority and issued a certificate may

designate one or more Responsible Individuals, and authorize them to represent

the sponsoring organization concerning the issuance and revocation of

certificates for affiliated individuals.  The Certification Authority may rely

on a designated Responsible Individual appointed by the sponsor to properly

authenticate the individual applicant, if the Certification Authority has

previously authenticated the sponsor as an organization and the Responsible

Individual as an unaffiliated individual, in accordance with the rules in this

Chapter.  A Certification Authority shall be presumed to have confirmed a

prospective subscriber is the person to be listed in a certificate where the

Certification Authority relies on a designated Responsible Individual appointed

by the sponsor to properly authenticate the individual applicant, if the

Certification Authority has previously authenticated the sponsor as an

organization and the Responsible Individual as an unaffiliated individual, in

accordance with the rules in this Chapter.

(B)          In the absence of a trustworthy procedure, If the

requirements of 18 NCAC 10 .0304(h)(1)(A)

cannot be met, then affiliated individuals shall be authenticated in the same

manner as unaffiliated individuals.

(2)           Authentication Confirmation Procedure. 

Authentication of the individual shall be confirmed through the use of a shared

secret [such as a Personal Identification Number].  The shared secret is

distributed by an out of band communication to the applicant (either directly

or via the sponsor) and included in the application process as part of the

certificate enrollment process.

(3)           Personal Presence.

(A)          Applicants affiliated with an approved sponsor may

be authenticated through an electronically submitted application, based on an

agreement with the sponsor, the approval of a designated Responsible

Individual, and the distribution of Personal Identification Numbers or a

similar security device.

(B)          If a Certification Authority elected to use an

online commercial database, the application may be filled out and submitted via

the Internet from a home or business computer.  In the case where a

Certification Authority elects to use a local record check, the application

process may take place over the Internet, or alternatively, the Certification

Authority may require the applicant personally appear at a designated business

site in order to enter required information at a local terminal.

(4)           Duties of Responsible Individual.  The

Responsible Individual represents the sponsoring organization with respect to

the issuance and management of certificates.  In that capacity he or she is

responsible for properly indicating which subscribers are to receive

certificates.

(i)  Renewal Applications (Routine

Re-key).  A subscriber may request issuance of a new certificate for a new

key pair from the Certification Authority issuing the original certificate.  The

request may be made electronically by a digitally signed message based on the

old key pair in the original certificate under these conditions:

(1)           The request must occur during the period

two months prior to normal scheduled certificate expiration;

(2)           The subscriber must be authenticated

following the principles of the rules in this Chapter; and

(3)           The original certificate has not been

suspended or revoked.

(j)  Re-key after Revocation. 

Revoked or expired certificates shall not be renewed under any conditions. 

Applicants without a valid certificate from the Certification Authority that

references the rules in this Chapter shall be re-authenticated by the

Certification or Registration Authority on certificate application, just as

with a first-time application.

(k)  Revocation Request.

(1)           Electronic Revocation Request.

(A)          A revocation request submitted electronically may be

authenticated by digital signature using the "old" key pair.

(B)          Electronic revocation requests authenticated on the

basis of the old (compromised) key pair shall always be accepted as valid. 

Other revocation request authentication mechanisms are acceptable. These

authentication mechanisms balance the need to prevent unauthorized revocation

requests against the need to quickly revoke certificates.

(2)           Non-Electronic Revocation Request.

(A)          Organization initiated revocation of affiliated

certificate(s) shall be authenticated by communication from a known person or

official authorized to initiate revocations on behalf of an organization.

(B)          Subscriber initiated requests for revocation of

certificate(s) shall be authenticated by presentation of a signed and notarized

request for revocation.

(C)          Subscriber initiated requests for revocation of

certificates via an attorney-in-fact shall be authenticated by presentation of

(i)            a notarized request for revocation by the

attorney-in-fact; and

(ii)           a certified copy of the power of attorney.

(D)          Revocation by a court of competent jurisdiction may

be made by presentation of a certified court order.

 

History Note:        Authority G.S. 66-58.10;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 ncac 10 .0305             PUBLIC KEY

TECHNOLOGY: OPERATIONAL REQUIREMENTS

(a)  Certificate Application.  A

certificate applicant shall complete a certificate application in a form

prescribed by the Certification Authority Certificate Policy and enter into a subscriber

agreement with the Certification Authority.  All applications are subject to

Certification Authority review, approval, and acceptance.  A Certificate Policy

shall define the minimum content to be used for a certificate application.  The

Certificate Policy shall also specify that all applications are subject to

review, approval, and acceptance by the Policy Authority

in addition to the Issuer.

(b)  Certificate Issuance.  Upon successful completion of

the subscriber identification and authentication process in accordance with the

rules in this Chapter and complete and final approval of the certificate

application, the Certification Authority shall:

(1)           issue the requested certificate;

(2)           notify the applicant thereof; and

(3)           make the certificate available to the

applicant using a procedure that:

(A)          assures the certificate is only delivered to or

available for subscriber pickup; and

(B)          provides adequate proof of subscriber identification

in accordance with the Rules in this Chapter.

A Certification Authority shall not issue a certificate

without the consent of the applicant and, if applicable, the

applicant's sponsor.

(c)  Certificate Acceptance.  Following certificate

issuance, the Certification Authority shall continually require the subscriber

to expressly indicate certificate acceptance or rejection to the Certification

Authority, in accordance with established Certification Authority Certification

Practice Statement procedures.

(d)  Circumstances for

Revocation of Certificate.

(1)           Permissive Revocation.  A subscriber may

request revocation of his, her, or its certificate at any time for any reason. 

A sponsoring organization, where applicable, may request certificate revocation

of any affiliated individual at any time for any reason.  The issuing

Certification Authority may also revoke a certificate upon failure of the

subscriber, or where applicable, sponsoring organization failure to meet its

obligations under the rules in this Chapter, the applicable Certification

Practice Statement, or any other agreement, regulation, or law applicable to

the certificate that may be in force.

(2)           Required Revocation.  A subscriber or

sponsoring organization, where applicable, shall promptly request revocation of

a certificate when:

(A)          any information on the certificate changes or

becomes obsolete;

(B)          the private key, or the media holding the private

key associated with the certificate is, or is suspected of having been

compromised; or

(C)          an affiliated individual is no longer affiliated

with the sponsor.

(3)           The issuing Certificate Authority shall

revoke a certificate:

(A)          upon request of the subscriber or sponsoring

organization;

(B)          upon failure of the subscriber (or the sponsoring

organization, where applicable) to meet its material obligations under the Rules

in this Chapter, any applicable Certification Practice Statement, or any other

agreement, regulation, or law applicable to the certificate that may be in

force;

(C)          if knowledge or reasonable suspicion of compromise

is obtained; or

(D)          if the Certification Authority determines that the

certificate was not properly issued in accordance with the rules in this

Chapter and any applicable Certification Practice Statement.

(4)           Notice of the Certification Authority

ceasing operation shall be posted to the Certification Authority Revocation

List maintained by the Electronic Commerce Section of the Department of the

Secretary of State.

(e)  Who Can Request Revocation. 

The only persons permitted to request revocation of a certificate issued

pursuant to the Rules in this Chapter are:

(1)           the subscriber;

(2)           the sponsoring organization (where

applicable); and

(3)           the issuing Certification Authority.

(f)  Procedure for Revocation

Request.

(1)           A certificate revocation request shall be

promptly communicated to the issuing Certification Authority, either directly

or through a Registration Authority.  A certificate revocation request may be

communicated electronically if it is digitally signed with the private key of

the subscriber, or where applicable, the sponsoring organization.  Requests

digitally signed by the subscriber, or by the sponsoring organization, are

considered authenticated when received by the Certification Authority or

Registration Authority.  Alternatively, the subscriber, or where applicable,

the sponsoring organization, may request revocation by contacting the

Certification Authority or an authorized Registration Authority in person and

providing adequate proof of identification to authenticate the request in

accordance with 18 NCAC 10 .0304(f)(1) or (g)(1).  Copies of the digitally

signed request must be archived by the Certification Authority or Registration

Authority.  Other identification used to establish the subscriber's identity

shall be photocopied and initialed by an authorized representative of the

Certification Authority or Registration Authority and archived.

(2)           Repository/Certificate Revocation List

Update. Promptly, within less than 2 hours of revocation, the Certificate

Revocation List, or certificate status database in the repository, as applicable,

shall be updated.  All revocation requests and the resulting actions taken by

the Certification Authority shall be archived.

(g)  Revocation Request Grace Period.

Certificate revocation requests shall be authenticated and processed within 2

hours of receipt by the Certification Authority.

(h)  Certificate Suspension. The procedures and requirements

stated for certificate revocation must also be followed for certificate

suspension, where implemented.

(i)  Certificate Revocation List Issuance Frequency. When

Certificate Revocation Lists are used, an up-to-date Certificate Revocation

List shall be issued to the repository at least every 2 hours.  If no change

has been made to the Certificate Revocation List, an update to the Certificate

Revocation List in the repository is not necessary.

(j)  Online Revocation / Status Checking Availability.

Whenever an online certificate status database is used as an alternative to a

Certificate Revocation List, such database shall be updated no later than 2

hours after certificate revocation.

(k)  Computer Security Audit Procedures.  All security

events, including but not limited to:

(1)           corruption of computing resources, software

or data;

(2)           revocation of the entity public key;

(3)           compromise of the entity key; or

(4)           the invocation of a disaster recovery plan,

on the Certification Authority system shall be automatically recorded in audit

trail files.  The audit log shall be processed and archived at least once a

week. 

Such files shall be retained for at least 6 months onsite,

and thereafter shall be securely archived.

(l)  Records, Archival.

(1)           Types of Records Archived.  The following

data and files must be archived by (or on behalf of) the Certification

Authority:

(A)          All computer security audit data;

(B)          All certificate application data;

(C)          All certificates, and all Certificate Revocation

Lists or certificate status records generated;

(D)          Key histories; and

(E)           All correspondence between the Certification

Authority and Registration Authority, Certificate Manufacturing Authority,

Repository Services Provider, and subscriber.

(2)           Retention Period for Archive.  Key and

certificate information and archives of audit trail files must be retained for

at least 30 years.

(3)           Protection of Archive.  The archive media must

be protected either by physical security alone, or a combination of physical

security and cryptographic protection.  The archive must be protected from

environmental threats such as temperature, humidity, and magnetism.  The

Certification Practice Statement must address the procedure for transferring

and preserving the archive media in the case of the Certification Authority ceasing operation in this State.

(4)           Archive Backup Procedures.  Adequate backup

procedures must be in place.  In event of loss or destruction of primary

archives, a complete set of backup copies shall be readily available within no

more than 24 hours.  Back up procedures must be tested

regularly.

(m)  Procedures to Obtain and Verify

Archive Information.  During the compliance audit required by the rules in

this Chapter, the auditor shall verify integrity of the archives.  Either copy

of the archive media determined corrupted or damaged in any way, shall be

replaced with the backup copy held in the separate location and noted in the compliance

audit report.

(n)  Compromise and Disaster

Recovery.

(1)           Disaster Recovery Plan:

(A)          The Certification Authority must have a disaster

recovery/business resumption plan in place.  The Certification Authority must

set up and render operational a facility located in a geographic area not

affected or disrupted by the disaster.  The facility must provide Certification

Authority Services in accordance with the Rules in this Chapter.  The alternate

facility must be operational within 24 hours of an unanticipated emergency.

Disaster recovery planning shall include a complete and periodic test of

facility readiness. Such plan shall be identified and referenced within the

Certification Practice Statement available to Qualified Relying Parties.

(B)          The disaster recovery plan shall have been reviewed

during Certification Authority initial and subsequent third party audits.

(2)           Key Compromise Plan. 

The Certification Authority must have a key compromise plan in place.  The plan

must address procedures to be followed in the event the Certification

Authority's private signing key used to issue certificates is compromised or in

the event the private signing key of any Certification Authority higher in the

chain of trust is compromised.  Such plan shall include procedures for revoking

all affected certificates and promptly notifying all subscribers and all

Qualified Relying Parties.

(o)  Certification Authority

Termination.  In the event that the Certification Authority ceases

operation, the North Carolina Department of the Secretary of State Electronic

Commerce Section, North Carolina Information Technology Services, all

subscribers, sponsoring organizations, Registration Authorities, Certificate

Manufacturing Authorities, Repository Service Providers, and Qualified Relying

Parties shall be promptly notified of the termination.  In addition, all

Certification Authorities with which cross-certification authority agreements

are current at the time of cessation must be promptly informed of the

termination.  All certificates issued by the Certification Authority

referencing the rules in this Chapter shall be revoked no later than the time

of termination.

 

History Note:        Authority G.S. 66-58.10;

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Recodified to Rule .0701 Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 ncac 10 .0306             PUBLIC KEY TECHNOLOGY: PHYSICAL,

PROCEDURAL, AND PERSONNEL SECURITY CONTROLS

(a)           Physical Security --

Access Controls.

(1)           The Certification Authorities, and all

Registration Authorities, Certificate Manufacturing Authorities and Repository

Services Providers, shall implement physical security controls to restrict

access to hardware and software (including the server, workstations, and any

external cryptographic hardware modules or tokens) used in connection with

providing Certification Authority Services.  Access to such hardware and

software shall be limited to personnel performing in a Trusted Role as

described in this Rule.  Access shall be controlled through the use of

electronic access controls, mechanical combination lock sets, or deadbolts. 

Such access controls must be manually or electronically monitored for

unauthorized intrusion at all times.

(2)           Breach of physical security or access

control expectations may result in revocation of the Certification Authority's

license.

(b)           Procedural Controls.

(1)           Trusted Roles. All employees, contractors,

and consultants of a Certification Authority (collectively

"personnel") having access to or control over cryptographic

operations that may materially affect the Certification Authority's issuance,

use, suspension, or revocation of certificates shall, for purposes of the rules

in this Chapter, be considered as serving in a trusted role. This includes

access to restricted operations of the Certificate Authority's repository. 

Such personnel include, but are not limited to, system administration

personnel, operators, engineering personnel, and executives who are designated

to oversee the Certification Authority's operations.

(2)           Multiple Roles (Number of Persons Required

Per Task). To ensure that one person acting alone cannot circumvent safeguards,

multiple roles and individuals shall share Certification Authority server

responsibilities.  Each account on the Certification Authority server shall

have limited capabilities commensurate with the role of the account holder.

(c)           Personnel Security Controls.

(1)           Background and

Qualifications.  Certification Authorities, Registration Authorities,

Certificate Manufacturing Authorities and Repository Service Providers shall

formulate and follow personnel and management policies sufficient to provide

assurance of the trustworthiness and competence of their employees and of the

satisfactory performance of their duties in manner consistent with the rules in this Chapter.

(2)           Background Investigation.

(A)          Certification Authorities shall conduct a background

investigation of all personnel who serve in trusted roles (prior to their

employment and at least every five years thereafter) to verify their

trustworthiness and competence in accordance with the requirements of the rules

in this Chapter and the Certification Authority's personnel Practice Statements

or their equivalent.  All personnel who fail an initial or periodic

investigation shall not serve or continue to serve in a trusted role.

(B)          Operative personnel shall not ever have been

convicted of a felony or a crime involving fraud, false statement or deception.

(C)          Any civil or administrative findings involving

fraud, false statement or deception involving operative personnel must be

disclosed.

(3)           Training

Requirements.  All Certification Authority, Registration Authority,

Certificate Manufacturing Authority and Repository Services Provider personnel

must receive training in order to perform their duties, and update briefings

thereafter as necessary to remain current.

(4)           Documentation Supplied to Personnel. All

Certification Authority, Registration Authority, Certificate Manufacturing

Authority, and Repository Services Provider personnel must receive

comprehensive user manuals detailing the procedures for certificate creation,

update, renewal, suspension, revocation, and software functionality.

 

History Note:        Authority G.S. 66-58.10;

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 ncac 10 .0307             PUBLIC KEY TECHNOLOGY: TECHNICAL SECURITY CONTROLS

(a)  Key Pair Generation and

Installation.

(1)           Key Pair Generation.  Key pairs for

Certification Authorities, Registration Authorities, Certificate Manufacturing

Authorities, Repository Services Providers, and subscribers must be generated

in such a way that the private key is not known by other than the authorized

user of the key pair.  Acceptable methods include:

(A)          Having all users (Certification Authorities,

Certificate Manufacturing Authorities, Registration Authorities, Repository

Services Providers and subscribers) generate their own keys on a trustworthy

system, and not reveal the private keys to anyone else; or

(B)          Having keys generated in hardware tokens from which

the private key cannot be extracted.

(2)           Certification Authority, Registration

Authority, and Certificate Manufacturing Authority keys must be generated in

hardware tokens.  Key pairs for Repository Services Providers, and end-entities

may be generated in either hardware or software as detailed in the Certification Practice Statement.

(b)  Private Key Delivery to Entity.  The private (secret)

key shall be delivered to the subscriber in an "out of band"

transaction.  The secret key may delivered to the subscriber in a tamper-proof

hardware or software container.  The secret key may be delivered to the

subscriber embedded in a hardware token protected by encryption and password

protected.

(c)  Subscriber Public Key Delivery

to Certification Authority.  The subscriber's public key must be

transferred to the Registration Authority or Certification Authority in a way

that ensures:

(1)           it has not been changed during transit;

(2)           the sender possesses the private key that

corresponds to the transferred public key; and

(3)           the sender of the public key is the

legitimate user claimed in the certificate application.

(d)  Certification Authority Public Key Delivery to Users. 

The public key of the Certification Authority signing key pair may be delivered

to subscribers in an on-line transaction in accordance with Internet

Engineering Task Force Public Key Infrastructure Part 3, or by another mechanism which assures the Certification Authority public

key is delivered in a manner that assures the key originates with the

Certification Authority and that assures the Certification Authority public key

has not been altered in transit.

(e)  Key Sizes – Asymmetric Cryptographic Applications.

(1)           Minimum key length for other than elliptic

curve based algorithms is 1024 bits;

(2)           Minimum key length for elliptic curve group

algorithms is 170 bits.

(f)  Acceptable algorithms for public key cryptography

applications include, but are not limited to:

(1)           RSA (Rivest, Shamir, Adelman) -- digital

signature and information security;

(2)           ElGamal -- digital signature and

information security;

(3)           Diffie – Hellman -- digital signature and

information security; and

(4)           DSA /DSS (Digital Signature Algorithm) --

digital signature applications.

(g)  Certification Authority Private Key Protection.  The

Certification Authority (and the Registration Authority, Certificate

Manufacturing Authority and Repository Services Provider) shall each protect

its private key(s) in accordance with the provisions of the

rules in this Chapter.

(1)           Standards for Cryptographic Module. 

Certification Authority signing key generation, storage and signing operations

shall be on a hardware crypto module rated at Federal Information Processing

Standards 140-1 Level 2 (or higher).  Subscribers shall use Federal Information

Processing Standards 140-1 Level 1 approved cryptographic modules (or higher)

and related pertinent cryptographic module security requirements of the Common

Criteria – ISO 15408-1 "Evaluation Criteria".

(2)           Private Key Escrow:

(A)          Certification Authority signing private keys shall

not be escrowed;

(B)          Keys used solely for encryption purposes within and

by employees of the State of North Carolina shall be escrowed, unless otherwise

provided by law.

(3)           Private Key Backup.

An entity may back up its own private key.

(4)           Private Key Archival. An entity may archive

its own private key.

(5)           Other Aspects of

Key Pair Management.  Key Replacement.

Certification Authority key pairs must be replaced at least every three years. 

Registration Authority and subscriber key pairs must be replaced not less than

every two years and a new certificate issued.

(6)           Restrictions on

Certification Authority's Private Key Use.

(A)          The Certification Authority's signing key used for

issuing certificates conforming to the Rules in this Chapter shall be used only

for signing certificates and, optionally, Certificate Revocation Lists.

(B)          A private key used by a Registration Authority or

Repository Services Provider for purposes associated with its Registration or

Repository Services Provider function shall not be used for any other purpose

without the express written permission of the Certification Authority.

(C)          A private key held by a Certificate Manufacturing

Authority and used for purposes of manufacturing certificates for the

Certification Authority:

(i)            is considered the Certification Authority's

signing key;

(ii)           is held by the Certificate Manufacturing

Authority as a fiduciary for the Certification Authority; and

(iii)          shall not be used for any reason without the

express written permission of the Certification Authority.

(D)          Any other private key used by a Certificate

Manufacturing Authority for purposes associated with its Certificate

Manufacturing Authority function shall not be used for any other purpose

without the express written permission of the Certification Authority.

(h)  Computer Security Controls.

All Certification Authority servers must include the functionality satisfying

Federal Information Processing Standards 140-1 Level 2 (or higher) and

pertinent cryptographic module security requirements of the Common Criteria –

ISO 15408-1 "Evaluation Criteria" for IT Security either through the

operating system, or combination of operating system, public key infrastructure

application, and physical safeguards.

(i)  Life Cycle Technical Controls - System Development Controls. System design and

development shall be conducted using an industrial standard methodology, e.g.

systems development life cycle approach (SDLC).

 

History Note:        Authority G.S. 66-58.10;

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 NCAC 10 .0308             PUBLIC KEY TECHNOLOGY: CERTIFICATE

AND CERTIFICATE REVOCATION LIST PROFILES

(a)  Certificate Profile:

(1)           Certificates referencing the Rules in this

Chapter shall contain public keys used for authenticating the sender of an

electronic message and verifying the integrity of such messages, i.e. public

keys used for digital signature verification;

(2)           All certificates referencing the Rules in

this Chapter shall be issued in the X.509 version 3 format and shall

include a reference to the Object Identifier for the rules in this Chapter, when

assigned, within the appropriate field.  The Certification Practice Statement

shall identify the certificate extensions supported, and the level of support

for those extensions.

(b)  Certificate Revocation List

Profile. If utilized, Certificate Revocation Lists shall be issued in the

X.509 version 2 format.  The Certificate Practice Statement shall identify the

Certificate Revocation List extensions supported and the level of support for

these extensions.

 

History Note:        Authority G.S. 66-58.10;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 NCAC 10 .0309             PUBLIC KEY TECHNOLOGY: RULE

ADMINISTRATION

(a)  List of Items. Notice of

all proposed changes to the Rules in this Chapter under consideration by

the Department of the Secretary of State, that may affect users of the Rules

(other than editorial or typographical corrections, or changes to the contact

details) shall be provided to licensed Certification Authorities. Notice

shall be posted on the World Wide Web site of the North Carolina Department of

the Secretary of State.  Authorized Certification Authorities shall post notice

of such proposed changes in their repositories and shall advise their

subscribers, in writing or by e-mail, of such proposed changes.

(b)  Publication and Notification

Procedures:

(1)           A copy of the rules in this Chapter is

available in electronic form on the Internet at

www.secretary.state.nc.us/ecomm/;

(2)           Authorized Certification Authorities shall

post copies of the rules in this Chapter in their repositories.

 

History Note:        Authority G.S. 66-58.10;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

SECTION .0400 - BIOMETRICS (RESERVED)

 

Editor's Note: Temporary Rules .0401 and .0402

effective February 23, 1999 were recodified as Rules .0801 and .0802.

 

 

 

 

SECTION .0500 - SIGNATURE DYNAMICS (RESERVED)

 

Editor's Note: Temporary Rule .0501 effective

February 13, 1999 was recodified as Rule .0901.

 

 

 

SECTION .0600 - RESERVED FOR FUTURE CODIFICATION

 

 

 

 

SECTION .0700 – ALTERNATE TECHNOLOGIES

 

18 ncac 10 .0701             ALTERNATE TECHNOLOGIES AND

PROVISIONAL LICENSING

Alternate Technologies: Any person may petition the

Electronic Commerce Section to initiate rulemaking to recognize a technology

not currently recognized under the rles in this Chapter.  The petition shall be

made pursuant to G.S. 150B-20.  G.S. 150B-20 and other statutes may be viewed

at the North Carolina General Assembly's Internet site at

http://www.ncga.state.nc.us/.  In addition to the requirements of G.S. 150B-20,

in order to enable the Electronic Commerce Section to best consider the

petition, the petitioner shall also provide a detailed explanation of the

proposed technology, and a discussion of how the technology complies with the

substantive intent of the Electronic Commerce Act.

 

History Note:        Authority G.S. 66-58.10;

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Recodified from 18 NCAC 10 .0305 Eff. December 3, 1999;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

SECTION .0800 – SANCTIONS AND ENFORCEMENT

 

18 ncac 10 .0801             CIVIL SANCTIONS

(a)  If, upon investigation, the Electronic Commerce Section

finds that a Certification Authority has violated any provision of the

Electronic Commerce Act or the rules in this Chapter, or finds that the

Certification Authority has had a license revoked or suspended in any other

jurisdiction, the Electronic Commerce Section may revoke or suspend any license

issued under the Electronic Commerce Act and the rules in this Chapter.  The

revocation or suspension may be in addition to any civil monetary penalty

issued against the Certification Authority.  As a condition of license

reinstatement following a period of suspension, the Electronic Commerce Section

may require that the Certification Authority submit updated or additional

documentation or assurances regarding its operations.

(b)  If, upon investigation, the Electronic Commerce Section

finds that a Certification Authority has violated any provision of the

Electronic Commerce Act or the rules in this Chapter, the Electronic Commerce

Section may assess a civil monetary penalty of not more than five thousand

dollars ($5,000 US) for each violation.  The civil monetary penalty may be in

addition to any revocation or suspension of the Certification Authority's

license.  As a condition of continued licensure following assessment of a civil

monetary penalty, the Electronic Commerce Section may require that the

Certification Authority submit updated or additional documentation or assurances

regarding its operations.

(c)  Adjustment factors.  In determining the length of any

suspension or amount of any civil monetary penalty, the Electronic Commerce

Section shall consider:

(1)           The organizational size of the

Certification Authority cited for violating the provisions of the Electronic

Commerce Act;

(2)           The good faith of the Certification

Authority cited, including but not limited to any procedures or processes

implemented by the violator to prevent the violation from recurring;

(3)           The gravity of the violation;

(4)           The prior record of the violator in

complying or failing to comply with the Electronic Commerce Act or the rules in

this Chapter; and

(5)           The risk of harm cause by the violation.

(d)  Continuing Violations. After the receipt of notice of a

violation, if any Certification Authority willfully continues to violate by

action or inaction the Electronic Commerce Act or the rules in this Chapter,

each day or transaction the violation continues or is repeated may be

considered a separate violation.

(e)  Civil Sanction Notification.  When the Electronic

Commerce Section determines that a civil sanction shall be assessed, the

Electronic Commerce Section shall notify the Certification Authority of the

following information by electronic mail, if possible, and by any means

permitted under Rule 4 of the North Carolina Rules of Civil Procedure:

(1)           The nature of the violation;

(2)           The proposed civil sanction;

(3)     That the

proposed civil sanction will become final unless within 60 days after receiving

notice of the proposed sanction the Certification Authority either:

(A)          takes exception to the proposed sanction by filing a

contested case petition with the Office of Administrative Hearings; or

(B)          submits a written request for the reduction of the

proposed sanction; and

(4)           The procedure for taking exception to the

violation or seeking the reduction of the proposed sanction.

(f)  Civil Sanction Finality. The Certification Authority

must file a contested case petition pursuant to G.S. 150B-23 or submit a written

request for the reduction of the proposed sanction within 60 days of receipt of

the notice of the proposed civil sanction or the proposed sanction shall become

the sanction imposed.  Notice shall be deemed received at the time of service

by any method permitted under Rule 4 of the North Carolina Rules of Civil

Procedure.

(g)  Request for Reduction of Proposed Civil Sanction. A

Certification Authority that admits a cited violation but wishes to seek

reduction of the length of a proposed suspension or the amount of a proposed

civil monetary penalty may request reduction of the proposed civil sanction.

(1)           Any request for reduction of a proposed

civil sanction shall be submitted to the Electronic Commerce Section in writing

and must include a written statement supporting the reduction request. Requests

for reduction of a proposed sanction are solely for the purpose of allowing the

Certification Authority to contest the reasonableness of the proposed civil

sanction arising under this Rule.  The Certification Authority shall not

attempt to contest the existence of a violation or raise questions of law in

the request for reduction of the proposed sanction.

(2)           The Electronic Commerce Section shall

determine if the proposed sanction is to be reduced pursuant to a reduction

request and shall notify the Certification Authority of its decision in

writing.

(3)           If the Electronic Commerce Section

determines that the reduction request raises issues of fact or questions of

law, the Electronic Commerce Section may decline to consider the reduction

request, and shall notify the Certification Authority by certified or

registered mail that it must file a contested case petition with the Office of

Administrative Hearings in order to preserve its claim and legal rights. The Certification

Authority must file a contested case petition with the Office of Administrative

Hearings within 60 days of receipt of notice or the sanction assessed shall be

final.

(4)           If the reduction request does not raise

issues of fact or questions of law, the Electronic Commerce Section shall

determine if the proposed sanction is to be reduced, and shall notify the

Certification Authority of its decision in writing by electronic mail, if

possible, and by any other means permitted under Rule 4 of the North Carolina

Rules of Civil Procedure. In the event the Electronic Commerce Section denies

the reduction request, or grants the reduction request in an amount

unacceptable to the Certification Authority, the Certification Authority must

file a contested case petition with the Office of Administrative Hearings

within 60 days of receipt of notice of the Electronic Commerce Section's

decision, or the decision shall become the final decision. Notice shall be

deemed received at the time of service by any method permitted under Rule 4 of

the North Carolina Rules of Civil Procedure.

(h)  Payment. Any civil monetary penalty shall be due within

60 days of the date of the initial assessment of the penalty, except that if

the Certification Authority files a contested case petition pursuant to G.S.

150B-23 or submits a written request for reduction of the penalty, the penalty

shall be due within 60 days of the date of the final decision. The penalty

shall be paid with cash or certified funds by personal delivery or certified

mail to the Electronic Commerce Section. In the event the Certification

Authority fails to pay the penalty assessed within the time periods set forth

in this Rule, the Electronic Commerce Section may collect the amount of the

penalty from the bond required by the rules in this Chapter.

 

History Note:        Authority G.S. 66-58.6; 66-58.10;

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Recodified from 18 NCAC 10 .0401 Eff December 3, 1999;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001.

 

18 NCAC 10 .0802             CRIMINAL PENALTIES AND INJUNCTIVE

RELIEF

 

History Note:        Authority G.S. 66-58.6; 66-58.8;

66-58.10;

Temporary Adoption Eff. February 23, 1999;

Recodified from Rule .0402;

Codifier determined on November 23, 1999 that agency

findings did not meet criteria for temporary rule;

Temporary Adoption Eff. December 3, 1999;

RRC Objection May 18, 2000 due to lack of necessity;

RRC returned rule to agency on July 20, 2000;

Temporary Adoption Expired on July 20, 2000.

 

section .0900 - reciprocity

 

18 ncac 10 .0901             RECIPROCAL AGREEMENTS AND LICENSURE

BY RECIPROCITY

(a)  Certification Authorities licensed by other

jurisdictions may request North Carolina licensure by the North Carolina

Electronic Commerce Section.  The applicant must be currently licensed in good

standing with another jurisdiction.

(b)  To seek reciprocal licensure in North Carolina,

Certification Authorities licensed by other jurisdictions shall do the

following:

(1)           Pay the licensing fee as described in the

Rules in this Chapter and comply with 18 NCAC 10 .0301(a), (c), (d), (e), (f),

(g) and (h);

(2)           Provide the Electronic Commerce Section

with evidence of licensure in good standing from the other licensing

jurisdiction;

(3)           Provide the Electronic Commerce Section

with a complete copy of the licensing application that led to the Certification

Authority becoming licensed in the other jurisdiction, including any amendments

thereto;

(4)           Provide full disclosure of any former,

current or proposed disciplinary action or criminal proceeding arising from or

related to the Certification Authority's license or activities as a

Certification Authority;

(5)           Provide a complete history of licensure in

all other jurisdictions, whether continuous or disrupted, and if disrupted the

length of the disruption and basis therefore; and

(6)           Provide any additional information

necessary to substantiate compliance with the audit requirements identified in

18 NCAC 10 .0303(k), as may be required by the Electronic Commerce Section.

(c)  The Electronic Commerce Section may impose civil

sanctions against a reciprocal licensee on the same basis that the Electronic

Commerce Section can impose civil sanction against a Certification Authority

license otherwise issued, or upon finding that the Certification Authority has

had a license revoked or suspended in another jurisdiction.

(d)  Any Certification Authority that obtains a reciprocal

license under the Rules in this Chapter shall inform the Electronic Commerce

Section in writing of any civil or criminal proceeding that arises from or

relates to the Certification Authority's license or any disciplinary action

commenced against the Certification Authority in any other jurisdiction within

ten days of notice of the proceeding or action.

 

History Note:        Authority G.S. 66-58.3; 66-58.6; 66-58.7;

66-58.8; 66-58.10; 66-58.11;

Temporary Adoption Eff. February 23, 1999;

Codifier determined on November 23, 1999, agency findings

did not meet criteria for temporary rule;

Recodified from 18 NCAC 10 .0501 Eff. December 3, 1999;

Temporary Adoption Eff. December 3, 1999;

Eff. March 26, 2001;

Amended Eff. April 1, 2001.

 

 

Related Laws