I'm writing some documentation for a particular application I support that uses GPG as a back end for signing documents. This particular implementation is subject to regulation from the Connecticut Department of Social Services (link to the regulations below). While I am confident that my application meets the requirements (especially given the variety of other systems where the vendors have signed off on compliance with this regulation) I want to be sure that my documentation is technically correct for my own satisfaction, if nothing else. I wonder if readers of this list could comment on how they would interpret the application of these rules to the use of GPG.
In particular, what would you say is the "unique code?" Is it just the user's private key or is it the private key plus other information stored with it? As I understand it, the main input in generating a key pair is the output of a random number generator. Does information about the user such as their name and email address actually get incorporated into the key in any way or is that information just stored along with it? I would rather not say that the GPG password is part of the unique code because the regulations speak of the unique code as being something which is assigned to the user by the provider (me). That could then be interpreted as meaning that I would have to assign every user a new password every 60 days (requirement 7b). It makes a lot more sense to me to have the users pick their own passwords but maybe I'm taking that part too literally.

http://www.ctmedicalprogram.com/bulletin/pb05_50.pdf

James Platt
C&IS Support Specialist
Dermatology, Yale Cancer Center
Yale University School of Medicine, New Haven, CT

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
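As an added illustration (not part of James's post, and not GnuPG's own code), here is a small Python model of the OpenPGP transferable public key layout from RFC 4880, which bears on the "is the name part of the key?" question: the public key packet carries only the algorithm, creation time and key material, the name and e-mail address live in a separate user ID packet bound to the key by a self-signature, and the v4 fingerprint is hashed over the key packet alone. The key material, creation time and signature body are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed placeholder key material (not a real RSA key), used only to show
# OpenPGP packet framing offline. RFC 4880 packet tags: 6 = public key,
# 13 = user ID, 2 = signature.
FAKE_N = (1 << 127) | 0x1234567
FAKE_E = 65537
CREATED = 1_100_000_000  # constructed key creation time (seconds since epoch)

def mpi(n):
    """Multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def packet(tag, body):
    """Old-format packet header with a 2-octet length (RFC 4880, section 4.2.1)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def public_key_body(created, n, e):
    """v4 public key packet body: version, creation time, algorithm 1 (RSA), key MPIs.
    No name or e-mail address appears anywhere in this packet."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def transferable_public_key(user_id, created=CREATED, n=FAKE_N, e=FAKE_E):
    """Key packet, then a separate user ID packet, then the certification
    signature that binds them (the signature body here is a constructed stub)."""
    return (packet(6, public_key_body(created, n, e))
            + packet(13, user_id.encode())
            + packet(2, b"\x04\x13"))  # stub: version 4, type 0x13 positive certification

def parse_packets(blob):
    """Walk old-format packets with 2-octet lengths; return (tag, body) pairs."""
    out, i = [], 0
    while i < len(blob):
        tag = (blob[i] >> 2) & 0x0F
        length = struct.unpack(">H", blob[i + 1:i + 3])[0]
        out.append((tag, blob[i + 3:i + 3 + length]))
        i += 3 + length
    return out

def fingerprint(blob):
    """v4 fingerprint (RFC 4880, section 12.2): SHA-1 over 0x99, a 2-octet length
    and the key packet body only, so user ID packets never influence it."""
    key_body = next(body for tag, body in parse_packets(blob) if tag == 6)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def user_ids(blob):
    """Return the decoded user ID packets stored alongside the key material."""
    return [body.decode() for tag, body in parse_packets(blob) if tag == 13]

if __name__ == "__main__":
    a = transferable_public_key("Alice Example <alice@example.org>")
    b = transferable_public_key("A. Example <alice@example.net>")
    print([t for t, _ in parse_packets(a)], fingerprint(a) == fingerprint(b))
```

Two blobs built from the same key material but different user IDs yield the same fingerprint, while changing the creation time or key material changes it; a real GnuPG key shows the same packet sequence under `gpg --list-packets`.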
