Amendment offered (and withdrawn) by Rep.
Bart Gordon (D-TN).
Hearing: House Telecommunications Subcommittee.
Re: HR 1714, an electronic signatures bill.
Date: July 29, 1999.
Source: House Commerce Committee.
AMENDMENT TO H.R. 1714
OFFERED BY MR. GORDON
(electronic authentication)
At the end of the bill add the following new title:
SEC. 401. ELECTRONIC AUTHENTICATION INFRASTRUCTURE.
(a) ELECTRONIC AUTHENTICATION INFRASTRUCTURE.---
(1) GUIDELINES.---Not later than 1 year after the date of the enactment of this Act, the Secretary, in consultation with industry, shall develop electronic authentication infrastructure guidelines for use by Federal agencies to enable those agencies to effectively utilize electronic authentication technologies in a manner that is---
(A) sufficiently secure to meet the needs of those agencies and their transaction partners; and
(B) interoperable, to the maximum extent possible.
(2) ELEMENTS.---The guidelines developed under paragraph (1) shall include---
(A) protection profiles for cryptographic and noncryptographic methods of authenticating identity for electronic authentication products and services;
(B) minimum interoperability specifications for the Federal acquisition of electronic authentication products and services; and
(C) validation criteria to enable Federal agencies to select cryptographic electronic authentication products and services appropriate to their needs.
(3) COORDINATION WITH NATIONAL POLICY PANEL.---The Secretary shall ensure that the development of guidelines with respect to cryptographic electronic authentication products and services under this subsection is carried out in coordination with the efforts of the National Policy Panel for Digital Signatures under subsection (e).
(4) REVISIONS.---The Secretary shall periodically review the guidelines developed under paragraph (1) and revise them as appropriate.
(b) VALIDATION OF PRODUCTS.---Not later than 1 year after the date of the enactment of this Act, and thereafter, the Secretary shall maintain and make available to Federal agencies and to the public a list of commercially available electronic authentication products, and other such products used by Federal agencies, evaluated as conforming with the guidelines developed under subsection (a).
(c) ELECTRONIC CERTIFICATION AND MANAGEMENT SYSTEMS.---
(1) CRITERIA.---Not later than 1 year after the date of the enactment of this Act, the Secretary shall establish minimum technical criteria for the use by Federal agencies of electronic certification and management systems.
(2) EVALUATION.---The Secretary shall establish a program for evaluating the conformance with the criteria established under paragraph (1) of electronic certification and management systems, developed for use by Federal agencies or available for such use.
(3) MAINTENANCE OF LIST.---The Secretary shall maintain and make available to Federal agencies a list of electronic certification and management systems evaluated as conforming to the criteria established under paragraph (1).
(d) REPORTS.---Not later than 18 months after the date of the enactment of this Act, and annually thereafter, the Secretary shall transmit to the Congress a report that includes---
(1) a description and analysis of the utilization by Federal agencies of electronic authentication technologies;
(2) an evaluation of the extent to which Federal agencies' electronic authentication infrastructures conform to the guidelines and standards developed under subsection (a)(1);
(3) an evaluation of the extent to which Federal agencies' electronic certification and management systems conform to the criteria established under subsection (c)(1);
(4) the list described in subsection (c)(3); and
(5) evaluations made under subsection (b).
(e) NATIONAL POLICY PANEL FOR DIGITAL SIGNATURES.---
(1) ESTABLISHMENT.---Not later than 90 days after the date of the enactment of this Act, the Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have laws recognizing the use of digital signatures, and representative individuals from the interested public.
(2) RESPONSIBILITIES.---The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform guidelines to enable the widespread availability and use of digital signature systems. The Panel shall develop---
(A) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates;
(B) guidelines to ensure consistency among jurisdictions that license certification authorities; and
(C) audit procedures for certification authorities.
(3) COORDINATION.---The Panel shall coordinate its efforts with those of the Secretary under subsection (a).
(4) ADMINISTRATIVE SUPPORT.---The Secretary shall provide administrative support to enable the Panel to carry out its responsibilities.
(5) REPORT.---Not later than 1 year after the date of the enactment of this Act, the Secretary shall transmit to the Congress a report containing the recommendations of the Panel.
(f) DEFINITIONS.---For purposes of this section---
(1) the term "certification authorities" means issuers of digital certificates;
(2) the term "digital certificate" means an electronic document that binds an individual's identity to the individual's key;
(3) the term "digital signature" means a mathematically generated mark utilizing asymmetric key cryptography techniques that is unique to both the signatory and the information signed;
(4) the term "digital signature infrastructure" means the software, hardware, and personnel resources, and the procedures, required to effectively utilize digital certificates and digital signatures;
(5) the term "electronic authentication" means cryptographic or noncryptographic methods of authenticating identity in an electronic communication;
(6) the term "electronic authentication infrastructure" means the software, hardware, and personnel resources, and the procedures, required to effectively utilize electronic authentication technologies;
(7) the term "electronic certification and management systems" means computer systems, including associated personnel and procedures, that enable individuals to apply unique digital signatures to electronic information;
(8) the term "protection profile" means a list of security functions and associated assurance levels used to describe a product; and
(9) the term "Secretary" means the Secretary of Commerce.