Lesson 6: Registration
Checklist items 1 through 4 are grouped under the Registration Process, where users establish their accounts in the system. This process typically requires users to provide information about themselves. The system administrator then reviews this information and provides the users with system privileges and signing credentials. Checklist items 1 through 4 represent CROMERR requirements that this registration process must satisfy.
- Identity-Proofing of Registrant
- Determination of Registrant’s Signing Authority
- Issuance (or Registration) of a Signing Credential in a Way that Protects it from Compromise
- Electronic Signature Agreement
1. Identity-Proofing of Registrant
For users who will sign electronic reports, CROMERR requires that the system determine the individual's identity, usually as a part of the registration process. This identity-proofing is the one CROMERR requirement that is more stringent for users who will sign Priority Reports (as defined in § 3.3 of CROMERR, the reports listed in Appendix 1 to part 3).
For users who will sign Priority Reports, CROMERR requires that the system establish their identity before accepting reports with their electronic signatures. There are two ways to do this. One is to establish identity through verification by, and attestation of, a disinterested party, based on identifiers—at least one of which is government-issued. The other way is to include the registrant's handwritten signature as part of the electronic signature agreement (ESA) process. Where the ESA is executed on paper with a handwritten signature, it is called a "subscriber agreement."
- Definition of Handwritten Signature: As defined in § 3.3 of CROMERR, the scripted name or legal mark of an individual, handwritten by that individual with a marking- or writing-instrument such as a pen or stylus and executed or adopted with the present intention to authenticate a writing in a permanent form, where "a writing" means any intentional recording of words in a visual form, whether in the form of handwriting, printing, typewriting, or any other tangible form. The physical instance of the scripted name or mark so created constitutes the handwritten signature. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other media.
- Definition of Electronic Signature Agreement: As defined in § 3.3 of CROMERR, an agreement signed by an individual with respect to an electronic signature device that the individual will use to create his or her electronic signatures requiring such individual to protect the electronic signature device from compromise; to promptly report to the agency or agencies relying on the electronic signatures created any evidence discovered that the device has been compromised; and to be held as legally bound, obligated, or responsible by the electronic signatures created as by a handwritten signature.
- Definition of Subscriber Agreement: As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated.
For users who sign only Non-Priority Reports, CROMERR does not specify when or how the identity proofing must be done, although either method specified for Priority Reports will satisfy the requirement in the non-priority case.
Reference:
- Review the Regulation Language: § 3.2000(b)(5)(vii)
- Definition of Disinterested Individual: As defined in § 3.3 of CROMERR, an individual who is not connected with the person in whose name the electronic signature device is issued. A disinterested individual is not any of the following: The person's employer or employer's corporate parent, subsidiary, or affiliate; the person's contracting agent; member of the person's household; or relative with whom the person has a personal relationship.
- Definition of Subscriber Agreement: As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated.
- Definition of Local Registration Authority: As defined in § 3.3 of CROMERR, an individual who is authorized by a state, tribe, or local government to issue an agreement collection certification, whose identity has been established by notarized affidavit, and who is authorized in writing by a regulated entity to issue agreement collection certifications on its behalf.
- Definition of Agreement Collection Certification: As defined in § 3.3 of CROMERR, a signed statement by which a local registration authority certifies that a subscriber agreement has been received from a registrant; the agreement has been stored in a manner that prevents unauthorized access to these agreements by anyone other than the local registration authority; and the local registration authority has no basis to believe that any of the collected agreements have been tampered with or prematurely destroyed.
2. Determination of Registrant’s Signing Authority
CROMERR requires the system to determine that users who will sign reports are actually authorized to do so on behalf of the specified regulated entities. This determination is usually based on some combination of the program's existing knowledge of the regulated entities, information submitted by the users or officials of the regulated entities, and some follow-up verification such as phone calls or as a part of routine inspections.
Reference:
3. Issuance (or Registration) of a Signing Credential in a Way that Protects it from Compromise
- Definition of Compromise: In relationship to an electronic signature device, refers to when the device's code or mechanism is available for use by any other person.
CROMERR requires the system to provide users who will sign electronic reports with electronic signature devices (or credentials) to execute their electronic signatures. These devices could be passwords, PINs, PKI certificates associated with private-public key pairs, physical tokens such as a USB device, or devices incorporating biometrics (e.g., fingerprints). Whatever device is issued (or registered), there are two basic requirements that need to be met. The first is to ensure that a device intended for a specific, identified user is issued only to that individual. The second is to ensure that the process of issuing that device—and maintaining a record of it on the system—protects the device from compromise.
- Definition of PKI: Enables users of a basically unsecure public network, such as the Internet, to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.
- Definition of Private-Public Key Pairs: A pair of cryptographic keys (a public key and a private key) used to execute digital signatures by a user. The private key is kept secret, while the public key may be widely distributed.
Reference:
- Review the Regulation Language: § 3.2000(b)(5)(i)
- Definition of Valid Electronic Signature: As defined in § 3.3 of CROMERR, an electronic signature on an electronic document that has been created with an electronic signature device that the identified signatory is uniquely entitled to use for signing that document, where this device has not been compromised, and where the signatory is an individual who is authorized to sign the document by virtue of his or her legal status and/or his or her relationship to the entity on whose behalf the signature is executed.
- Definition of Electronic Signature Device: As defined in § 3.3 of CROMERR, a code or other mechanism that is used to create electronic signatures. Where the device is used to create an individual's electronic signature, then the code or mechanism must be unique to that individual at the time the signature is created and he or she must be uniquely entitled to use it. The device is compromised if the code or mechanism is available for use by any other person.
4. Electronic Signature Agreement
CROMERR requires that users sign an Electronic Signature Agreement, and this is normally part of the registration process. This agreement must include language that obligates the registrant to protect the credential from compromise, and to immediately report any evidence of compromise to the system administrator. The agreement must also include a statement that the registrant understands that any electronic signature executed with the electronic signature device is as legally binding as a handwritten signature.
- Definition of Electronic Signature Agreement: As defined in § 3.3 of CROMERR, an agreement signed by an individual with respect to an electronic signature device that the individual will use to create his or her electronic signatures requiring such individual to protect the electronic signature device from compromise; to promptly report to the agency or agencies relying on the electronic signatures created any evidence discovered that the device has been compromised; and to be held as legally bound, obligated, or responsible by the electronic signatures created as by a handwritten signature.
Reference:
- Review the Regulation Language: § 3.2000(b)(5)(v)
- Definition of Subscriber Agreement: As defined in § 3.3 of CROMERR, an electronic signature agreement signed by an individual with a handwritten signature. This agreement must be stored until five years after the associated electronic signature device has been deactivated.