We are requesting comments on a draft NARA Bulletin entitled “Guidance on Managing Digital Identity Authentication Records.” The draft is available here (.pdf).
This draft Bulletin will provide guidance on the records management requirements related to digital identification records. Specifically, it will address managing digital identity authentication-related transactional records, such as digital certificates and Public Key Infrastructure (PKI) files created or used in the course of agency business. This Bulletin will also supersede several pieces of NARA’s records management guidance for PKI digital signature authenticated and secured transaction records.
Agencies use digital identity authentication to protect sensitive records, authenticate employee sign-ins, identify ownership of websites, and many other purposes. They use a wide variety of software. Because of the wide variety of uses and software, the Bulletin provides agencies flexibility in using digital identity authentication technology to manage temporary records. However, when agencies transfer permanent electronic records to NARA, the records must be free of encryption or other forms of security (unless permanent records must be encrypted during transfer to NARA).
Please make your comments about the draft Bulletin by June 12, 2015. Please comment below or email comments to Lisa Haralampus at Lisa.Haralampus@nara.gov. We will review all the comments we receive. Thank you.
I have one comment that would clarify this bulletin. As a practical matter my organization relies on what we call digital approval, particularly for workflow and approvals within electronic systems. We rely on a user’s authentication on the network and then authentication into a system. Once in the context of the electronic system we use the system’s record of user approval for the record in the system. For example a work management system that generates tasks that users approve or complete, where the approval or completion is recorded within the system.
This is not specifically a password or digital signature. But it is our record to attest to the electronic record’s trustworthiness.
My position would be that these electronic approval records must be preserved and retained for as long as the underlying record that they apply to. Even though they are not a part of the record as a password or digital signature would be. Is this NARA’s intent?
I think they did a good job identifying and answering most of the records management questions that one may have. However, are there challenges to maintaining digital identity authentication records? Is there potential for issues should these records be lost or improperly transferred?