
The Government Paperwork Elimination Act (PL105-277)



Presentation Transcript


  1. The Government Paperwork Elimination Act (PL105-277) Richard Guida, P.E. Member, Government Information Technology Services Board Chair, Federal PKI Steering Committee Richard.Guida@cio.treas.gov; 202-622-1552 http://gits-sec.treas.gov

  2. Background
  • Enacted October 1998
  • With some qualifications, requires agencies by October 2003 to:
    • Accept forms (>50K copies/year) electronically
    • Accept electronic signatures on forms and documents
  • Encourages electronic filing and electronic recordkeeping, particularly by employers

  3. Background (continued)
  • Gives electronic signatures full legal effect
  • Technology neutral - agencies select based on specifics of applications (e.g., risk)
  • But recognizes that technology neutrality does NOT mean all technologies are created equally
  • Focus: transactions with Federal agencies
  • Draft OMB Guidance 3/99; final 4/00 (will meet GPEA statutory deadlines)

  4. The Legal Venn Diagram (Clinger-Cohen, PRA, NPR, GPRA, GPEA, Customer Service)
  • Need to reduce burden to the public
  • Provide customer service in a fundamentally better way
  • Electronic forms, by themselves, are not necessarily enough:
    • LESS TIME TO ACCESS
    • EASIER TO FILL
    • FASTER TO SUBMIT
    • QUICKER RESPONSE AND PROCESSING

  5. Electronic Commerce Trust Requirements
  • Authentication - ensure that transmissions and their originators are authentic (identity).
  • Data integrity - ensure that exchanged data is not intentionally or unintentionally altered.
  • Non-repudiation - ability to “prove” to a third party that transacting parties are bound by the transaction.
  • Confidentiality - limit data access to authorized entities.

  6. Electronic Signatures Under GPEA Guidance
  • OMB GPEA guidance recognizes several ways to effect “electronic signature”:
    • PINs/passwords
    • Digitized signatures
    • Biometrics
    • Digital signatures
  • Each approach has advantages and disadvantages, some more acute than others

  7. PINs/Passwords
  • Advantages:
    • Simple
    • Used ubiquitously, no “learning curve”
  • Disadvantages:
    • Shared secret means the other party can compromise it
    • Hard to achieve non-repudiation
    • Does not scale well - PINs/passwords proliferate
    • Can be very susceptible to remote attack
    • Parties must know each other beforehand

  8. Digitized Signatures
  • Advantages:
    • Closest in appearance to “wet signature”
  • Disadvantages:
    • Form of shared secret
    • No open standards, templates are usually proprietary
    • Can be vulnerable to replay attack
    • No cryptographic binding of identity to document
    • Hard to achieve non-repudiation
    • Requires additional hardware (stylus/pad)

  9. Biometrics
  • Advantages:
    • Fingerprints, iris images impossible to “forget”
  • Disadvantages:
    • Form of shared secret
    • No open standards, templates are usually proprietary
    • Can be vulnerable to replay attack
    • No cryptographic binding of identity to document
    • Requires additional hardware (camera, pad)
    • Can be hard to revoke old identity and issue new one

  10. Digital Signatures
  • Advantages:
    • No shared secrets between remote parties
    • Cryptographic binding between identity and document
    • Scales well, interoperates reasonably well
  • Disadvantages:
    • Requires infrastructure (PKI)
    • Is more complex than PINs/passwords
    • Can require additional hardware (if smartcards are used)

  11. Summary
  • Digital signatures represent the strongest single solution
  • Also most scalable and interoperable - cutting across agency stovepipes
  • Best solution may be a combination:
    • Digital signature to bind digitized signature
    • Digital signature with biometric identifier to unlock private signing key
  • But bottom line: PINs/passwords may be sufficient for some applications
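The contrast drawn in slides 7 and 10 between a shared secret and a cryptographic binding can be made concrete. The following Go program is an added example, not part of the presentation or of any agency system: it models a PIN/password scheme as an HMAC over the whole form record (so the agency, holding the same secret, can produce an identical tag and non-repudiation is lost) and a digital signature as an Ed25519 key pair standing in for a PKI-issued certificate (algorithm choice is an assumption; GPEA is technology neutral), where a third party can verify but not forge, and any change to the document invalidates the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed sample submission. The whole record is signed, not a field or tag.
var Form = []byte("FORM-1040 taxpayer=Jane Doe amount=1234.56 date=2000-04-15")

// pinTag models a PIN/password scheme as an HMAC over the form: the shared
// secret is held by both the citizen and the agency.
func pinTag(secret, doc []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(doc)
	return m.Sum(nil)
}

// AgencyCanForgePIN shows why a shared secret cannot give non-repudiation: the
// agency, holding the same secret, produces a tag identical to the citizen's.
func AgencyCanForgePIN(secret, doc []byte) bool {
	return hmac.Equal(pinTag(secret, doc), pinTag(secret, doc))
}

// Signer holds an Ed25519 key pair, standing in for a PKI-issued certificate
// (an assumption for illustration; GPEA does not prescribe an algorithm).
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair; only the holder ever sees priv.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign cryptographically binds the signer's identity to the entire document.
func (s *Signer) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// Verify needs only the public key, so a third party can check the signature
// but cannot produce one, and any change to the document invalidates it.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}
```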

  12. Privacy/Disclosure: Basic Principles
  • Electronic authentication should only be required where needed
  • Tailor authentication needs to the transaction and the participants
  • Avoid collecting information that is more detailed than required
  • Inform participants that information will be managed pursuant to the Privacy Act, Computer Security Act, and other laws.

  13. Legal Effect and Validity
  “Electronic records submitted or maintained in accordance with procedures developed under this title, or electronic signatures or other forms of electronic authentication used in accordance with such procedures, shall not be denied legal effect, validity, or enforceability because such records are in electronic form.”
  - GPEA, section 1707

  14. Additional Legal Considerations
  • “Intent” at time of signing is critical
  • Need for banners or other indicia
  • Need to capture the entire document with the signature - not just HTML “tags”
  • Need to retain the ability to validate the signature at a later date (either directly or through a “digital notary”)
  • Electronic records management is a big issue - with or without electronic signatures

  15. Access Certificates for Electronic Services (ACES)
  • GSA’s ACES provides a convenient and centralized mechanism to get digital certificates to the public and trading partners
  • Contractors involved in ACES include many prominent in the PKI field: VeriSign, Entrust, Baltimore, Microsoft, Netscape, Xcert
  • Agencies should contact GSA for more information regarding use of ACES to meet PKI needs (http://www.gsa.gov/aces)
