JA7.6       Electronic and Digital Signature Requirements

JA7.6.1 Introduction

This section defines the functional and technical requirements for the use of electronic and digital signatures in the registration of compliance documents. These specifications shall be implemented by a Data Registry as a condition of approval of the Data Registry by the Commission.

JA7.6.2 Overall Description

JA7.6.2.1          Interfaces - Main Users

(a)  Authorized Users of Data Registries who must sign Compliance Documents either as the Documentation Author, or Field Technician, or as the Registration Signer (responsible person).

(b)  Registration Providers who must implement the electronic and digital signature specifications into the Data Registry user interface to provide Electronic Signature capabilities to the Authorized Users of the Data Registry, and must append their digital signature to all registered compliance documents created in their Data Registry.

(c)  Commission Compliance Document Repository which must receive registered documents transmitted from the Data Registries and will process the digital signature to validate the sender and the contents.

(d)  Persons or Software Entities who Validate Electronic Documents who may receive electronic copies of registered documents made available by the Data Registries and will process the digital signature to validate the sender and the contents.

(e)  Compliance Software Tools that export compliance documents for transmittal to the Data Registries that must subsequently be electronically signed and registered in the Data Registry.

JA7.6.2.2          Major Functions

The electronic and digital signature requirements of the Data Registry consist of the following major functions:

JA7.6.2.2.1       Electronic Signature Capability  

The Data Registry shall provide electronic signature capability to authorized users.

JA7.6.2.2.2       Document Data Validation

The Data Registry shall check that compliance documents are complete and the data entered meets the data validation rules for the applicable document before making the documents available for signing or registering.

JA7.6.2.2.3       Signer Review and Signature Actions

The Data Registry shall provide functionality for authorized users to select, review, and sign compliance documents as a Documentation Author, Field Technician, or Registration Signer.

JA7.6.2.2.4       Digital Signatures

The Data Registry shall apply the Registration Provider's Digital Signature to compliance documents electronically signed by the registration signer when concluding the document registration procedure in the Data Registry, and then append the Registration Provider's digital certificate issued by a certificate authority approved by the California Secretary of State.

The function of the Registration Provider's digital certificate is to provide verification from an approved certificate authority that the document came from the Registration Provider's Data Registry and to provide automated document verification to persons or agencies that receive electronic submittals of these registered documents.

JA7.6.2.2.5       Transmittal to Commission Compliance Document Repository

The Data Registry, upon completion of the registration procedure, shall immediately and automatically transmit a copy of the completed registered compliance document to the Commission Compliance Document Repository which will process the Registration Provider's digital certificate to validate the sender and the compliance document contents. 

JA7.6.2.2.6       Document Retention

The Data Registry shall retain a copy of the completed registered electronic compliance document and make the document available for use by authorized users of the registry who may access a copy of the registered document and may subsequently process the Registration Provider's digital certificate to verify the sender and the compliance document contents.

JA7.6.2.2.7       Receive and Process Output From Compliance Software and Other Software Tools

The Data Registry shall process the completed Compliance Registration Package from Compliance software tools or other software tools approved by the Commission for use in the Compliance Document Registration process.

JA7.6.2.3          User Characteristics

There are four categories of users who will participate in the electronic and digital signature functionality:

JA7.6.2.3.1       Users who will use electronic signatures to sign and register compliance documents.

This is a heterogeneous category composed of HERS Raters, building designers, building contractors, installation contractors, energy consultants, home owners, and others. 

JA7.6.2.3.2       Users who use a digital certificate to secure registered compliance documents.

This category consists of each approved Registration Provider.

JA7.6.2.3.3       Users who will receive the electronically transmitted registered compliance documents

These users will need to apply decryption processing using the digital certificate to identify the sender and verify the contents of the received document. The Commission Compliance Document Repository is a main user in this category. Also, users who take advantage of digital signature automated verification capabilities to verify the authenticity of registered compliance documents received as electronic submittals from various other participants in the compliance documentation process will be another main user in this category. 

JA7.6.2.3.4       Users who transmit electronic compliance documentation to the Data Registry. 

Title 24 compliance software tools are the main users in this Category. The electronic compliance documents exported from the compliance tools must be formatted to provide location coordinate information for use when applying the visible aspects of electronic and digital signatures to the compliance documents. The Data Registry must be capable of appending the visible aspects of electronic and digital signatures to the correct locations in the signature blocks on the imported compliance documents during the subsequent electronic signature and registration procedures.

Detailed guidance for electronic and digital signature target coordinate information may be described in the 2013 Alternative Calculation Method (ACM) Reference 'Manual to assist in the implementation of the requirements by compliance software vendors.  The Data Registry shall implement the capability to append the visible aspects of electronic and digital signatures to the signature blocks on compliance documents in these locations.

JA7.6.2.4          Constraints

JA7.6.2.4.1       Schedule Constraint:

The electronic and digital signature capabilities shall be implemented at least six months before the effective date for the 2013 Standards.

JA7.6.2.4.2       Software Constraint:

The digital signature technology including the hash algorithm and asymmetric key encryption used shall be consistent across all Data Registries because the Commission Compliance Document Repository will not support multiple approaches. 

JA7.6.3 Specific requirements

JA7.6.3.1          Interface Requirements

JA7.6.3.1.1       User interfaces  

JA7.6.3.1.1.1     All Data Registries shall utilize the same informational content, graphical layout and formatting unique to the applicable type of compliance document when displaying the completed compliance documents for review and signing as part of the registration process. These document layouts shall conform to the informational content, graphical layout and formatting approved by the Commission. Additional detailed guidance regarding informational content, graphical layout and formatting will be presented in the Data Registry Requirements Manual.

JA7.6.3.1.2       Software interfaces

JA7.6.3.1.2.1     All registered compliance documents transmitted from any Data Registry shall be secured with the Registration Provider digital signature.

JA7.6.3.1.2.1.1  All Data Registries shall use the same hash algorithm to generate the document’s message digest for the digital signature.

JA7.6.3.1.2.1.2  All Data Registries shall use the same asymmetrical key encryption for generating the digital signature private and public keys used to encrypt and decrypt the message digest.

JA7.6.3.1.2.1.3  Registration Providers shall provide their digital certificate which contains their digital signature public key to any other software entity that receives registered compliance documents from their Data Registry, in particular the Commission document repository.

JA7.6.3.1.2.1.4  The Commission document repository, which will receive registered compliance documents electronically from Data Registries, will have to implement digital signature processing capability in order to perform automatic verification and validation processing on received documents. 

JA7.6.3.1.2.1.5  Users who take advantage of digital signature automated verification capabilities to verify the authenticity of registered compliance documents received from Data Registries will have to implement digital signature processing capability in order to perform automatic verification and validation processing on received documents.  The Adobe Reader software tool, which is freeware, has the capability to process the digital signatures for any digitally signed documents that utilize standardized digital signature technology.

JA7.6.3.1.2.2     All Data Registries shall implement the same security protocol for importing completed compliance document transmittals generated by 3rd party software tools. The security protocol shall be approved by the Commission.

JA7.6.3.1.2.2.1  Guidance shall be provided in the 2013 ACM Reference Manual and the 2013 Data Registry Requirements Manual to assist all 3rd party software entities in implementing the required security protocols.

JA7.6.3.2          Functions

JA7.6.3.2.1       Electronic Signature Capability

The Data Registry shall provide electronic signature capability to authorized users who have the role of Documentation Author, Field Technician, or Registration Signer. A Field Technician Signature is required only on Certificate of Acceptance Documentation. A Certificate of Acceptance document requires that there be both a Documentation Author signature and a Field Technician signature prior to registration signing.

JA7.6.3.2.1.1     Any authorized user of a Data Registry can request an electronic signature in order to sign compliance documents as the documentation author, Field Technician, or as the registration signer.

JA7.6.3.2.1.2 Registration Providers shall gather and verify any and all information necessary to validate a user applicant's identity and applicable qualifications as prerequisite to authorizing assignment to a user applicant an electronic signature, or permissions as a documentation author, Field Technician, or Registration Signer. 

JA7.6.3.2.1.3 Authorized users shall provide to the Data Registry an electronic image of their handwritten signature for use in displaying their electronic signature.

JA7.6.3.2.2       Document Data Validation

The Data Registry shall check that compliance documents are complete and shall perform the required data validation for the document before making them available for signing and/or registering. The guidance for the data validation for each document shall be provided in the Data Registry Requirements Manual.

Any applicable error messages shall be posted indicating the actions necessary as prerequisite to completion of the registration process

JA7.6.3.2.2.1     When a documentation author indicates that the compliance document is complete and he/she is ready to sign it, the Data Registry shall verify that all information necessary to complete the document has been provided as prerequisite to making the signing functionality available to the documentation author.

JA7.6.3.2.2.2     The Data Registry shall verify that a compliance document is complete and has received the documentation author’s signature as prerequisite to making the compliance document available for registration signing. For Certificate of Acceptance documents, both the Documentation Author and the Field Technician signatures shall be provided as prerequisite to making the document available for registration signing.

JA7.6.3.2.3       Signer Review and Signature Actions

The Data Registry shall provide functionality for authorized users to select, review and sign compliance documents as a documentation author, field technician, or registration signer.

JA7.6.3.2.3.1     The documentation author can electronically sign a compliance document if it has been verified as complete by the Data Registry. 

JA7.6.3.2.3.2     The Field Technician can electronically sign a Certificate of Acceptance document if it has been verified as complete by the Data Registry and has the documentation author’s signature.

JA7.6.3.2.3.3     The registration signer can electronically sign a compliance document if it has been verified as complete by the Data Registry and has the documentation author’s signature. For Certificate of Acceptance documents both the Documentation Author signature and the Field Technician signature are prerequisite to allowing registration signing.

JA7.6.3.2.3.4     When an authorized user selects to sign a compliance document, the Data Registry provides a display of the compliance document layout that allows the user access to any part of the compliance document for review, as well as a display of the declaration statement. 

JA7.6.3.2.3.4.1  All compliance documents shall include a declaration statement applicable to the documentation author signature. The declaration statement language shall be approved by the Commission.

JA7.6.3.2.3.4.2  All Certificate of Acceptance documents shall include a declaration statement applicable to the field technician signature. The declaration statement language shall be approved by the Commission.

JA7.6.3.2.3.4.3  All compliance documents shall include a declaration statement applicable to the registration signer signature. The declaration statement language shall be approved by the Commission.

JA7.6.3.2.3.4.4  All compliance document layouts displayed shall conform to the same format, informational order, and content approved by the Commission. Guidance for data and layout specifications shall be published in the Data Registry requirements manual.

JA7.6.3.2.3.5 When the documentation author activates the signing control to sign the compliance document, the Data Registry shall display the completed documentation author signature block including the documentation author’s electronic signature utilizing the visible image of his or her hand written signature, applicable professional qualifications, licenses and/or certificates the documentation author holds, and the date and time the document was signed.

JA7.6.3.2.3.6 When the Field Technician activates the signing control to sign the Certificate of Acceptance document, the Data Registry shall display the completed field technician's signature block including the Field Technician's electronic signature utilizing the visible image of his or her hand written signature, applicable professional qualifications, licenses and/or certificates the Field Technician holds, and the date and time the document was signed.

JA7.6.3.2.3.7 When the registration signer activates the signing control to register the compliance document, the Data Registry shall display the completed signature block including the registration signer’s electronic signature utilizing the visible image of his or her hand written signature, applicable professional qualifications, licenses or certificates the registration signer holds, the date and time the document was signed, with the newly generated registration number appended to the footer of each of the pages of the document. The registration numbering convention shall conform to the requirements given Reference Joint Appendix JA7.5.4.

JA7.6.3.2.4       Digital Signatures

The Data Registry shall apply the Registration Provider digital signature to compliance documents electronically signed by the registration signer and then append the Registration Provider's digital certificate containing their public key, when concluding the document registration procedure in the Data Registry. 

JA7.6.3.2.4.1 When a compliance document is electronically signed by the registration signer, the Data Registry shall apply a visible indication of the Registration Provider's digital signature to the document which shall include the following statement:  "This digital signature is provided in order to secure the content of this registered document, and in no way implies Registration Provider responsibility for the accuracy of the information".

JA7.6.3.2.4.1.1  The Data Registry digital signature software generates a hash number from the contents of the registered compliance document to create the message digest part of the digital signature.

JA7.6.3.2.4.1.2  The Data Registry digital signature software encrypts the message digest using the Registration Provider's digital signature private key to produce the digital signature.

JA7.6.3.2.4.1.3  The Data Registry digital signature software attaches the Registration Provider's digital certificate which contains their digital signature public key to the compliance document, displays the Registration Provider name and logo on each page of the document, and the digital signature's date and time stamp in the footer of each page of the compliance document.

JA7.6.3.2.5       Transmittal to Commission Compliance Document Repository

The Data Registry, upon completion of the registration procedure, shall immediately and automatically transmit a copy of the completed registered compliance document to the Commission Compliance Document Repository which will process the Registration Provider's digital signature using the Registration Provider's digital certificate to verify the sender and the compliance document contents.

JA7.6.3.2.5.1 The Data Registry shall transmit the digitally signed and registered compliance document to the Commission document repository using a secure transmission protocol. Detailed guidance for the secure transmission protocol may be specified in the Data Registry Requirements Manual.

JA7.6.3.2.6       Document Retention

The Registration Provider shall retain a copy of the completed registered compliance document and make the document available for use by authorized users of the registry who may print a hard copy, or access an electronic copy of the registered document and may subsequently process the Registration Provider's digital signature using their digital certificate to verify the sender and the compliance document contents. 

JA7.6.3.2.6.1     The Data Registry shall provide users the functionality to either view registered documents in their web browser or save the document file to their desktop.

JA7.6.3.2.6.2     The Data Registry shall provide functionality to transmit registered compliance documents to authorized requesters. 

JA7.6.3.2.6.3     The Data Registry shall make their digital signature public key available for all types of authorized access to these registered documents.

JA7.6.3.2.7       Receive and Process Output From Compliance Software or Other Software Tools

The Data Registry shall process the Compliance Registration Package transmitted from compliance software tools or other software tools approved by the Commission for use in compliance document registration processes.

JA7.6.3.2.7.1 The Data Registry shall have functionality to receive data containing electronic documents and data exported from compliance software tools or other software tools approved by the Commission. When data is received using a password protected encrypted file, the file password shall be made available to the Data Registry by the software vendor in a separate secure communication. Additional guidance may be provided in the Data Registry Requirements Manual. The passwords for encrypted data files shall not be made available to the software users or the Data Registry authorized users, or others who do not have the authority to administer the security measures for the compliance software or the registries.

There may be alternate means by which Compliance Software tools or other software tools approved by the Commission could communicate with Data Registries such as by a Web Service application that may not use encrypted data files, but rather data streaming. Use of such alternate means shall not be allowed unless approved by the Commission.

JA7.6.3.2.7.2 The Data Registry shall have functionality to decrypt data files it receives that contain completed compliance documents exported from compliance software tools or other software tools approved by the Commission using the password provided by the software vendor. If the password successfully decrypts the file, the Data Registry shall add the compliance document to the registry. Additional guidance describing methods for decrypting data files will be given in the Data Registry Requirements 'Manual. If the password fails to decrypt the transmitted file, the Data Registry shall display an error message to that effect, and flag any other applicable corrective actions as may be described in the Data Registry Requirements Manual.

JA7.6.3.2.7.3 The Data Registry shall only allow the transmission of data between compliance software tools or other software tools approved by the Commission using secure data transfer protocols.  Detailed guidance for secure data transfer protocols may be given in the Data Registry Requirements Manual.