1.0 TITLE: Certificate Policy for Kansas Public Key Infrastructure
1.1 EFFECTIVE DATE: July 19, 2001 REVISED: July 26, 2007
1.2 TYPE OF ACTION: Update
1.3 KEY WORDS: PKI, Certificate Policy, Certification Authority, Registration Authority, electronic signature, digital signature, identity management.
2.0 PURPOSE: To establish policy for the implementation and use of public key infrastructure within Kansas state government, to provide secure electronic transactions and the ability to sign electronic documents with digital signatures in a secure environment.
3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government, hereafter referred to as entities.
4.1 K.S.A. 2005 Supp. 75-7201-7212
4.2 K.S.A. 2005 Supp. 75-7203 Provides that the Information Technology Executive Council shall...designate the ownership of information resource processes and the lead agency for implementation of new technologies and networks shared by multiple entities in different branches of state government.
4.3 K.S.A. 2000 Supp. 16-1601 et seq, Uniform Electronic Transactions Act.
4.4 KAR 7-41-1 through 7-41-33, and 7-43-1 through 7-43-6.
5.1 Certificate Policy - is defined as the cornerstone document that details operational and administrative requirements for a public key infrastructure, intended to provide the highest level of integrity that can be achieved so that users of the infrastructure can rely upon the digital signatures made possible by it
5.2 Certification Authority - is any person or entity providing certification of a digital signature that is, or is certified by, a member of the group of certification authorities approved by and registered with the Kansas Secretary of State.
5.3 Registration Authority - is any person or entity that has been authenticated by a Certification Authority, issued a registration authority certificate, and approved by ITEC to process subscriber applications for certificates and to conduct identification and authentication of subscribers in accordance with the law, this policy, and related agreements.
5.4 Local Registration Authority - is any person or entity that, because of its relationship of trust with subscribers, has a contractual relationship with a Registration Authority to accept applications and conduct identification and authentication of those subscribers. In the conduct of these responsibilities, a Local Registration Authority acts in compliance with the law, the provisions of this policy and the related agreements contained in this p policy pertaining to Registration Authority duties.
5.5 Asymetric Cryptography - is the foundation of public key infrastructure technology which consists of a mathematically related pair of codes (also called keys) used to encrypt and decrypt a message. The user has a private key to sign a message and a public key is available in a repository to allow the message to be verified by the recipient.
6.1 The development and implementation of public key infrastructure within Kansas government entities shall conform to the requirements set forth in the "Certificate Policy for the State of Kansas Public Key Infrastructure", as amended, included as Attachment A to this policy.
7.1 Upon recommendation by the Kansas Secretary of State, the Information Technology Executive Council (ITEC) shall appoint members from various entities within state government to serve on an advisory committee, to be known as the “Information Technology Identity Management Group (ITIMG)".
7.2 This committee shall meet as necessary to recommend and review policies, guidelines, and best practices for the development and implementation of digital signature technologies and public key infrastructure within and by the entities of Kansas state government.
7.3 The practices and procedures for use of public key infrastructure within Kansas government entities shall conform to the requirements set forth in the “Certificate Policy for the State of Kansas Public Key Infrastructure”, as amended, included as Attachment A to this policy.
8.1 Heads of entities are responsible to establish procedures for their organizations to comply with the requirements of this policy.
8.2 The Chief Information Technology Officer, Executive Branch, is responsible for the maintenance of this policy.
9.0 CANCELLATION: Revises and replaces ITEC Policy # 5200