JA7.6       Electronic and Digital Signature Requirements

JA7.6.1 Introduction

This section defines the functional and technical requirements for the use of electronic and digital signatures in the registration of compliance documents. These specifications shall be implemented by a Data Registry as a condition of approval of the Data Registry by the Commission.

JA7.6.2 Overall Description

JA7.6.2.1    Interfaces - Main Users

(a)  Authorized Users of Data Registries who must sign Compliance Documents either as the Documentation Author, or Field Technician, or as the Registration Signer (responsible person).

(b)  Registration Providers who must implement the electronic and digital signature specifications into the Data Registry user interface to provide Electronic Signature capabilities to the Authorized Users of the Data Registry, and must append their digital signature to all registered compliance documents created in their Data Registry.

(c)  Commission Compliance Document Repository which must receive registered documents transmitted from the Data Registries and will process the digital signature to validate the sender and the contents.

(d)  Persons or Software Entities who Validate Electronic Documents who may receive electronic copies of registered documents made available by the Data Registries and will process the digital signature to validate the sender and the contents.

(e)  Compliance Software Tools that export compliance documents for transmittal to the Data Registries that must subsequently be electronically signed and registered in the Data Registry.

JA7.6.2.2    Major Functions

The electronic and digital signature requirements of the Data Registry consist of the following major functions:

JA7.6.2.2.1           Electronic Signature Capability

The Data Registry shall provide electronic signature capability to authorized users.

JA7.6.2.2.2           Document Data Validation

The Data Registry shall ensure that compliance documents are complete and the data entered conforms to the data validation rules for the applicable document prior to making the documents available for registration signing.

JA7.6.2.2.3           Signer Review and Signature Actions

The Data Registry shall provide functionality for authorized users to select, review, and sign compliance documents as a Documentation Author, Field Technician, or Registration Signer.

JA7.6.2.2.4           Digital Signatures

The Data Registry shall apply the Registration Provider's Digital Signature to compliance documents electronically signed by the registration signer when concluding the document registration procedure in the Data Registry.  The Registration Provider's digital signature shall be based on a digital certificate issued by a certificate authority approved by the California Secretary of State.

The function of the Registration Provider's digital certificate is to provide verification from an approved certificate authority that the document came from the Registration Provider's Data Registry and to provide automated document verification to persons or agencies that receive electronic submittals of these registered documents.

Additional guidance for use of digital signatures and digital certificates shall be given in the Data Registry Requirements Manual.

JA7.6.2.2.5           Transmittal to Commission Compliance Document Repository

The Data Registry, upon completion of the registration procedure, shall immediately and automatically transmit a copy of the completed registered compliance document to the Commission Compliance Document Repository which will process the Registration Provider's digital certificate to validate the sender and the compliance document contents.

Additional guidance for use of digital certificates for validation of document authenticity shall be given in the Data Registry Requirements Manual.

JA7.6.2.2.6           Document Retention

The Data Registry shall retain a copy of the completed registered electronic compliance document and make the document available for use by authorized users of the registry who may access a copy of the registered document and may subsequently process the Registration Provider's digital certificate to verify the sender and the compliance document contents.

JA7.6.2.2.7           Receive and Process Output From Compliance Software and External Digital Data Sources

The Data Registry shall process the completed Compliance Registration Package from Compliance software tools approved by the Energy Commission for use in the Compliance Document Registration process in accordance with the specifications in Section JA7.7.1.6.

If the Data Registry allows use of External Digital Data Sources (EDDS) as an alternative to keyed-in data input for document registration procedures, the requirements in Section JA7.7.1.2 shall be met.

Additional guidance for receiving and processing output from compliance software and EDDS shall be given in the Data Registry Requirements Manual.

JA7.6.2.3    User Characteristics

There are four categories of users who will participate in the electronic and digital signature functionality:

JA7.6.2.3.1           Users who will use electronic signatures to sign and register compliance documents.

This is a heterogeneous category composed of HERS Raters, building designers, building contractors, installation contractors, energy consultants, home owners, and others.

JA7.6.2.3.2           Users who use a digital certificate to secure registered compliance documents.

This category consists of each approved Registration Provider.

JA7.6.2.3.3           Users who will receive the electronically transmitted registered compliance documents

These users will need to apply decryption processing using the digital certificate to identify the sender and verify the contents of the received document. The Commission Compliance Document Repository is a main user in this category. Also, users who take advantage of digital signature automated verification capabilities to verify the authenticity of registered compliance documents received as electronic submittals from various other participants in the compliance documentation process will be another main user in this category.

JA7.6.2.3.4           Users who transmit electronic compliance documentation to the Data Registry.

Title 24 compliance software tools are the main users in this Category.

The electronic compliance documents exported from the compliance software tools that are approved by the Energy Commission must be formatted to provide a standardized location for the visible aspects of electronic signatures, digital signature appearances, and other aspects of registration information such as registration numbering, and registration date/time stamps.

The Data Registry shall be capable of appending the visible aspects of electronic and digital signatures and other required registration information to the correct locations in the signature blocks and footers on the imported compliance documents during the subsequent electronic signature and registration procedures.

The Data Registry shall implement the capability to append the visible aspects of the required document registration information to the signature blocks and footers on compliance documents in these locations.

Detailed guidance for appending the required document registration information may be described in the Data Registry Requirements Manual.

JA7.6.2.4      Constraints

JA7.6.2.4.1 Software Constraint:

The digital signature technology including the hash algorithm and asymmetric key encryption used shall be consistent across all Data Registries because the Commission Compliance Document Repository will not support multiple approaches.

Detailed guidance for use of digital signature technology and digital certificates shall be given in the Data Registry Requirements manual.

JA7.6.3 Specific requirements

JA7.6.3.1    Interface Requirements

JA7.6.3.1.1           User interfaces

JA7.6.3.1.1.1        

All Data Registries shall utilize the same informational content, graphical layout and formatting unique to the applicable type of compliance document when displaying the completed compliance documents for review and signing as part of the registration process. These document layouts shall conform to the informational content, graphical layout and formatting approved by the Commission. Additional detailed guidance regarding informational content, graphical layout and formatting will be presented in the Data Registry Requirements Manual.

JA7.6.3.1.2           Software interfaces

JA7.6.3.1.2.1

All registered compliance documents transmitted from any Data Registry shall be secured with the Registration Provider digital signature.

JA7.6.3.1.2.1.1

All Data Registries shall use the same hash algorithm to generate the document’s message digest for the digital signature.

JA7.6.3.1.2.1.2

All Data Registries shall use the same asymmetrical key encryption for generating the digital signature private and public keys used to encrypt and decrypt the message digest.

JA7.6.3.1.2.1.3

Registration Providers shall provide their digital certificate which contains their digital signature public key to any other software entity that receives registered compliance documents from their Data Registry, in particular the Commission document repository.

JA7.6.3.1.2.1.4

The Commission Compliance Document Repository, which will receive registered compliance documents electronically from Data Registries, will implement digital signature processing capability in order to perform automatic verification and validation processing on received documents.

JA7.6.3.1.2.1.5

Users who take advantage of automated software capabilities to verify the authenticity of registered compliance documents received from Data Registries will have to implement digital signature processing capability in order to perform automatic digital signature verification processing on received documents.  Numerous PDF reader freeware tools are available that have the capability to process digital signatures that utilize standardized digital signature technology.

JA7.6.3.1.2.2

All Data Registries shall implement the same security protocol for importing completed compliance document transmittals as described in Section JA7.7.1.6.

JA7.6.3.2    Functions

JA7.6.3.2.1           Electronic Signature Capability

The Data Registry shall provide electronic signature capability to authorized users who have the role of Documentation Author, Field Technician, or Registration Signer. A Field Technician Signature is required only on Certificate of Acceptance Documentation. A Certificate of Acceptance document requires that there be both a Documentation Author signature and a Field Technician signature prior to registration signing.

JA7.6.3.2.1.1

Any authorized user of a Data Registry can request an electronic signature in order to sign compliance documents as the documentation author, Field Technician, or as the registration signer.

JA7.6.3.2.1.2

Registration Providers shall gather and verify any and all information necessary to validate a user applicant's identity and applicable qualifications as prerequisite to authorizing assignment to a user applicant an electronic signature, or permissions as a documentation author, Field Technician, or Registration Signer.

JA7.6.3.2.1.3

Authorized users shall provide to the Registration Provider an electronic image of their handwritten signature for use in displaying their electronic signature. The Registration Provider may make available alternative methods for creating an electronic image for displaying electronic signatures

JA7.6.3.2.2           Document Data Validation

The Data Registry shall check that compliance documents are complete and shall perform the required data validation for the document before making them available for signing and/or registering. The guidance for the data validation for each document shall be provided in the Data Registry Requirements Manual.

Any applicable error messages shall be posted indicating the actions necessary as prerequisite to completion of the registration process.

JA7.6.3.2.2.1

When a documentation author indicates that the compliance document is complete and he/she is ready to sign it, the Data Registry shall verify that all information necessary to complete the document has been provided as prerequisite to making the signing functionality available to the documentation author.

JA7.6.3.2.2.2

The Data Registry shall verify that a compliance document is complete and has received the documentation author’s signature as prerequisite to making the compliance document available for registration signing. For Certificate of Acceptance documents, both the Documentation Author and the Field Technician signatures shall be provided as prerequisite to making the document available for registration signing.

JA7.6.3.2.3           Signer Review and Signature Actions

The Data Registry shall provide functionality for authorized users to select, review and sign compliance documents as a documentation author, field technician, or registration signer.

JA7.6.3.2.3.1

The documentation author can electronically sign a compliance document if it has been verified as complete by the Data Registry.

JA7.6.3.2.3.2

The Field Technician can electronically sign a Certificate of Acceptance document if it has been verified as complete by the Data Registry and has the documentation author’s signature.

JA7.6.3.2.3.3

The registration signer can electronically sign a compliance document if it has been verified as complete by the Data Registry and has the documentation author’s signature. For Certificate of Acceptance documents both the Documentation Author signature and the Field Technician signature are prerequisite to allowing registration signing.

JA7.6.3.2.3.4

When an authorized user selects to sign a compliance document, the Data Registry provides a display of the compliance document layout that allows the user access to any part of the compliance document for review, as well as a display of the declaration statement.

JA7.6.3.2.3.4.1

All compliance documents shall include a declaration statement applicable to the documentation author signature. The declaration statement language shall be approved by the Commission.

JA7.6.3.2.3.4.2

All Certificate of Acceptance documents shall include a declaration statement applicable to the field technician signature. The declaration statement language shall be approved by the Commission.

JA7.6.3.2.3.4.3

All compliance documents shall include a declaration statement applicable to the registration signer signature. The declaration statement language shall be approved by the Commission.

JA7.6.3.2.3.4.4

All compliance document layouts displayed shall conform to the same format, informational order, and content approved by the Commission. Guidance for data and layout specifications shall be published in the Data Registry requirements manual.

JA7.6.3.2.3.5

When the documentation author activates the signing control to sign the compliance document, the Data Registry shall display the completed documentation author signature block including the documentation author’s electronic signature utilizing the visible image of his or her hand written signature, applicable professional qualifications, licenses and/or certificates the documentation author holds, and the date and time the document was signed.

JA7.6.3.2.3.6

When the Field Technician activates the signing control to sign the Certificate of Acceptance document, the Data Registry shall display the completed field technician's signature block including the Field Technician's electronic signature utilizing the visible image of his or her hand written signature, applicable professional qualifications, licenses and/or certificates the Field Technician holds, and the date and time the document was signed.

JA7.6.3.2.3.7

When the registration signer activates the signing control to register the compliance document, the Data Registry shall display the completed signature block including the registration signer’s electronic signature utilizing the visible image of his or her hand written signature, applicable professional qualifications, licenses or certificates the registration signer holds, the date and time the document was signed, with the newly generated registration number appended to the footer of each of the pages of the document. The registration numbering convention shall conform to the requirements in Appendix JA7.5.4.

JA7.6.3.2.4         Digital Signatures

The Data Registry shall apply the Registration Provider digital signature to compliance documents electronically signed by the registration signer

The Registration Provider shall ensure that PDF reader freeware can verify the digital signature of the registered PDF documents. The Registration Provider shall make available a procedure that allows users to securely acquire the digital certificate issued by the Data Registry's approved certificate authority. The procedure may add the certificate to the user's local root certificate store if necessary. 

JA7.6.3.2.4.1

When a compliance document is electronically signed by the registration signer, the Data Registry shall apply a visible indication of the Registration Provider's digital signature (digital signature appearance) to the document which shall inclde the following statement:

“Digitally signed by [Data Registry Provider’s name]. This digital signature is provided in order to secure the content of this registered document, and in no way implies Registration Provider responsibility for the accuracy of the information".

Other information such as graphic(s), watermark(s), date, or time stamps are not required for the digital signature appearance.

JA7.6.3.2.4.1.1

The Data Registry digital signature software generates a hash number from the contents of the registered compliance document to create the message digest part of the digital signature.

JA7.6.3.2.4.1.2

The Data Registry digital signature software encrypts the message digest using the Registration Provider's digital signature private key to produce the digital signature.

JA7.6.3.2.4.1.3

The Data Registry digital signature software attaches the Registration Provider's digital certificate which contains their digital signature public key to the compliance document.

JA7.6.3.2.4.1.4

The digital signature appearance shall be placed at the end of the compliance document in a location that is just after the responsible person’s signature block.

JA7.6.3.2.5           Transmittal to Commission Compliance Document Repository

The Data Registry, upon completion of the registration procedure, shall immediately and automatically transmit a copy of the completed registered compliance document to the Commission Compliance Document Repository which will process the Registration Provider's digital signature using the Registration Provider's digital certificate to verify the sender and the compliance document contents.

JA7.6.3.2.5.1

The Data Registry shall transmit the digitally signed and registered compliance document to the Commission document repository using a secure transmission protocol. Detailed guidance for the secure transmission protocol may be specified in the Data Registry Requirements Manual.

JA7.6.3.2.6           Document Retention

The Registration Provider shall retain a copy of the completed registered compliance document and make the document available for use by authorized users of the registry who may print a hard copy, or access an electronic copy of the registered document and may subsequently process the Registration Provider's digital signature using their digital certificate to verify the sender and the compliance document contents.

JA7.6.3.2.6.1

The Data Registry shall provide users the functionality to either view registered documents in their web browser or download the document file to their personal computer.

JA7.6.3.2.6.2

The Data Registry shall provide functionality to transmit electronic copies of registered compliance documents to enforcement agencies or other parties to the construction project.

JA7.6.3.2.6.3

The Data Registry shall make their digital signature public key available for use for electronic validation of the authenticity of the registered documents.

JA7.6.3.2.7           Receive and Process Output From Compliance Software or External Digital Data Sources

The Data Registry shall process the Compliance Registration Package transmitted from Title 24, Part 6 performance compliance software tools approved by the Energy Commission , and shall process transmittals from external digital data sources described in Section JA7.7.1.2 when approved in accordance with the requirements in Section JA7.8 for use in compliance document registration processes.

JA7.6.3.2.7.1

The Data Registry shall have functionality to receive data containing electronic documents and data exported from performance compliance software tools approved by the Energy Commission in accordance with the specifications in Section JA7.7.1.6. If the Data Registry makes available use of External Digital Data Sources (EDDS) as an alternative to keyed-in data input for document registration procedures, the requirements in Section JA7.7.1.2 shall be met.

There may be alternate means by which Compliance Software tools or other external digital data sources communicate with Data Registries, such as by data streaming. Use of such alternate means shall not be allowed unless approved by the Energy Commission.

JA7.6.3.2.7.2

The Data Registry shall have functionality to decrypt data files it receives that contain completed compliance documents exported from compliance software tools that are approved by the Energy Commission in accordance with the requirements in Section JA7.7.1.6.

 

JA7.6.3.2.7.3

The Data Registry shall only allow the transmission of data between compliance software tools or external data sources approved by the Energy Commission using secure data transfer protocols. Detailed guidance for secure data transfer protocols may be given in the Data Registry Requirements Manual.