0045 Supporting Statement March 2015 Draft

0045 Supporting Statement March 2015 Draft.docx

Public Key Infrastructure (PKI)

OMB: 0651-0045

Document [docx]
Download: docx | pdf

SUPPORTING STATEMENT

United States Patent and Trademark Office

Public Key Infrastructure (PKI) Certificate Action Form

OMB CONTROL NUMBER 0651-0045

(March 2015)

A. JUSTIFICATION


1. Necessity of Information Collection


The United States Patent and Trademark Office (USPTO) uses Public Key Infrastructure (PKI) technology to support electronic commerce between the USPTO and its customers. PKI is a set of hardware, software, policies, and procedures that provide important security services for the electronic business activities of the USPTO, including protecting the confidentiality of unpublished patent applications in accordance with 35 U.S.C. § 122 and 37 CFR 1.14, as well as protecting international patent applications in accordance with Article 30 of the Patent Cooperation Treaty.


In order to provide the necessary security for its electronic commerce systems, the USPTO uses PKI technology to protect the integrity and confidentiality of information submitted to the USPTO. PKI employs public and private encryption keys to authenticate the customer’s identity and support secure electronic communication between the customer and the USPTO. Customers may submit a request to the USPTO for a digital certificate, which enables the customer to create the encryption keys necessary for electronic identity verification and secure transactions with the USPTO. This digital certificate is required in order to access secure online systems that are provided by the USPTO for transactions such as electronic filing of patent applications and viewing confidential information about unpublished patent applications.


For electronic commerce, particularly electronic filing, to be successful at the USPTO, the public must be confident that their information will be secure both during the transaction and while it is in residence in the USPTO systems, that the integrity of the information will be assured, that their information will be released only to those who are authorized to access such information, and that measures are taken to authenticate the identity of persons submitting or trying to access the application and related information.


This information collection includes the Certificate Action Form (PTO-2042), which is used by the public to request a new digital certificate, the revocation of a current certificate, or the recovery of a lost or corrupted certificate. Customers may also change the name listed on the certificate or associate the certificate with one or more Customer Numbers. A certificate request must include a notarized signature in order to verify the identity of the applicant. The Certificate Action Form has an accompanying subscriber agreement to ensure that customers understand their obligations regarding the use of the digital certificates and cryptographic software. When generating a new certificate, customers register to get a set of seven codes that will enable customers to recover a lost certificate online without having to contact USPTO support staff.


Table 1 provides the specific statutes and regulations authorizing the USPTO to collect the information discussed above:


Table 1: Information Requirements

Requirement

Statute

Rule

PKI Certificate Request and Subscriber Agreement

35 U.S.C. §§ 2 and 122, Article 30 of the Patent Cooperation Treaty, and the

Government Paperwork Elimination Act

37 CFR 1.14


2. Needs and Uses


This collection allows for public access to secure USPTO online systems that require customers to obtain a digital certificate. This collection is used by the public to request a new digital certificate, the revocation of a current certificate, or the recovery of a lost certificate. The USPTO uses the information in this collection to issue digital certificates and to process requests for certificate revocation and recovery of lost certificates.


This collection contains the Certificate Action Form (PTO-2042), which is provided by the USPTO to ensure that customers submit the necessary information for certificate requests. The accompanying subscriber agreement explains the regulations governing the use of the digital certificates and the software that creates and validates the encryption keys.


The information collected, maintained and used in this collection is based on OMB and USPTO guidelines. This includes the basic information quality standards established in the Paperwork Reduction Act (44 U.S.C. Chapter 35), in OMB Circular A-130, and in the OMB information quality guidelines.


Table 2 outlines how this collection of information is used by the public and the USPTO:


Table 2: Needs and Uses


Form and Function

Form #

Needs and Uses

Certificate Action Form and Subscriber Agreement

PTO-2042

  • Used by the public to apply for a digital certificate, to request the revocation of a certificate, or to request recovery of an encryption key.

  • The Subscriber Agreement is used by the public to acknowledge acceptance of the regulations, terms, and conditions governing the use of digital certificates.

  • Used by the USPTO to issue a digital certificate and to process requests for certificate revocation and key recovery.

  • Used by the USPTO to create the unique name needed for encryption key generation and certificate management.

  • Used by the USPTO to communicate with the customer about the certificate grant, revocation, or key recovery.

  • The Subscriber Agreement is used by the USPTO as a legally binding document indicating that the customer has read and agreed to the regulations governing the use of the digital certificate.


3. Use of Information Technology


PKI is a security technology that uses public/private key cryptography to enable secure online communication between the USPTO and its customers. PKI involves a package of hardware, software, policies, and procedures used to manage the implementation and use of the public/private keys that serve as the basis for the security services that PKI provides to the USPTO and its customers. These services include authentication, integrity, non-repudiation, confidentiality, and access control that are necessary to support secure communication for electronic commerce. This security is crucial to the creation of a trusted environment for transactions between the USPTO and its customers. PKI has also been identified as a security “best practice” for assurance in electronic commerce in both the commercial and Federal sectors.


The USPTO uses PKI technology to create the digital certificates and encryption keys. Customers may download the Certificate Action Form in PDF format from the USPTO Web site. The customer must complete and submit an original paper Certificate Action Form to the USPTO with a “wet” notarized signature after providing acceptable proof of identity. The Certificate Action Form must be mailed or hand delivered to the USPTO; it cannot be faxed or submitted electronically because it requires an original notarized signature. The USPTO requires two forms of official identification, such as a driver’s license, U.S. passport, government ID badge, military ID card, or a current student ID card, and at least one of these forms of ID must include a picture of the customer. This physical proof of identity is necessary in order to tie the customer’s identity to internal access verification systems and would not be possible if the information were submitted electronically.



The certificate self-recovery feature allows customers to recover a lost certificate without having to contact USPTO support staff. At key generation or in a later secure session, customers may download a set of single-use complex passwords that can be invoked later as part of the verification process to recover their own lost certificates online.


When the USPTO receives the request for a digital certificate, the customer information from the completed certificate action form is added to the PKI software database, which enables customers to create their user profiles and obtain their private encryption keys. After the USPTO processes the request for a digital certificate, a reference number and authorization code are sent to the customer separately. The authorization code is emailed to the customer, while the reference number is provided by U.S. mail and/or telephone contact with a representative from the USPTO Electronic Business Center. Upon receiving the reference number and authorization code from the USPTO, the customer may then use this information to create the encryption keys through the USPTO Web site. The PKI software is provided as a web browser applet that does not require a separate installation or software package.


The public and private keys are linked to each other and must be used as a pair. For example, the public key will only validate signatures that are created by its corresponding private signing key. The private key is kept private and is unique to a single user. The public key, however, is available to other users and is used to validate transactions marked by the sender’s private key. The public key signature and encryption keys are incorporated in digital certificates issued by the USPTO Certificate Authority.


The USPTO expects to implement PKI security services for other automated information systems that are currently in use or in development to support additional electronic filing, processing, and commerce initiatives. PKI enables the USPTO to offer a secure environment for electronic communication and commerce with the patent applicant community, registered patent attorneys and agents, international business partners and Intellectual Property Offices, the Patent and Trademark Depository Libraries, USPTO employees and support contractors, and others with whom the USPTO does business requiring a guarantee of authenticity and confidentiality. By implementing PKI, the USPTO has demonstrated to the patent and trademark community its commitment to the integrity, security, and confidentiality of its electronic transactions.


4. Efforts to Identify Duplication


This information is not collected elsewhere and does not result in a duplication of effort.


5. Minimizing Burden to Small Entities


This collection does not impose a significant economic burden on small entities or small businesses. The USPTO expects that the burden will be the same whether the application originates from a small entity or a large corporation because the digital certificates are granted only to individuals. The same information is required from every customer and is not available from any other source.


6. Consequences of Less Frequent Collection


This information is collected only when a customer applies for a digital certificate, requests that their certificate be revoked, or requests recovery of lost keys. This information is collected only when a customer requests the relevant service from the USPTO and could not be conducted less frequently. If the information were not collected, the USPTO would not be able to issue or revoke digital certificates, and subscribers would not be able to recover lost keys. If customers do not obtain a digital certificate, they cannot use secure electronic systems at the USPTO for filing patent applications or accessing confidential patent application information online.


7. Special Circumstances in the Conduct of Information Collection


There are no special circumstances associated with this collection of information.


8. Consultation Outside the Agency


The 60-Day Notice was published in the Federal Register on January 2, 2015 (80 Fed. Reg. 32). The comment period ended on March 3, 2015. No public comments were received.


The USPTO has long-standing relationships with groups from whom patent application data is collected, such as the American Intellectual Property Law Association (AIPLA), as well as patent bar associations, independent inventor groups, and users of our public facilities. Their views are expressed in regularly scheduled meetings and considered in developing proposals for information collection requirements. There have been no comments or concerns expressed by these or similar organizations concerning the time required to provide the information covered under this program.

9. Payment or Gifts to Respondents


This information collection does not involve a payment or gift to any respondent.


10. Assurance of Confidentiality


In order for the USPTO to issue or revoke a digital certificate or to recover a lost encryption key, the USPTO must collect personal information from customers. The USPTO uses the Certificate Action Form to collect the necessary personal information such as the customer’s name, mailing address, phone number, and email address. The information collected on the Certificate Action Form is used by the USPTO to authorize the creation and revocation of a digital certificate and to perform key recovery. The customer’s name is used by the USPTO to create the distinguished name, which is a unique identifier used to identify a digital certificate holder. The email address is an essential piece of information for communicating with the customer. For the certificate self-recovery option, customers are provided with a set of single-use complex passwords to facilitate later online recovery of a lost certificate. The USPTO issues these passwords to customers when they enter their email address to enroll in the self-recovery option. The email addresses and passwords are maintained in a secure database.


Due to security and privacy concerns regarding the digital certificates, private signing keys, and other private customer information, the USPTO does not plan to disseminate the information in this collection to the public in any form, paper or electronic. Distribution of this information could support attacks such as “identity spoofing” on the USPTO system, where someone could attempt to use another certificate holder’s private information to revoke a certificate or recover a lost encryption key.


The personal information collected on the Certificate Action Form is stored in a system of records in which information can be retrieved by a personal identifier. This information is subject to the Privacy Act of 1974 and is covered by a system of records notice entitled “PAT/TM-16 USPTO PKI Registration and Maintenance System” that was published in the Federal Register on April 25, 2000 (65 Fed. Reg. 24178). The Certificate Action Form also has an associated Privacy Act Statement to inform applicants of the reasons for collecting the information and how the information they are providing will be used by the USPTO. Personal information collected from subscribers during the process of issuing or revoking digital certificates or during key recovery is stored locally and handled as sensitive information. The USPTO stores paper records in lockable file cabinets or in file cabinets in secure areas. Electronic records are stored in secured premises with appropriate measures taken to limit electronic access to authorized personnel who require access for the performance of their official duties.


The information in this collection is treated confidentially to the extent allowed under the Privacy Act (5 U.S.C. § 552a), the Freedom of Information Act (5 U.S.C. § 552), and the Government Paperwork Elimination Act (GPEA). The confidentiality of patent applications is governed by statute (35 U.S.C. § 122) and regulation (37 CFR 1.11 and 1.14). The USPTO has a legal obligation to maintain the confidentiality of the contents of unpublished patent applications and related documents. Applications for digital certificates and associated records for the renewal or suspension of digital certificates are considered to be related documents. This information is also protected under the mandates of the GPEA, which instructs agencies that the information collected from the public to facilitate the issuance of digital certificates cannot be used for any purpose other than facilitating communication with the USPTO and that only the information needed to process the request should be collected.


Since PKI is instrumental for secure electronic communication between the USPTO and its customers, the USPTO has implemented additional technological measures to protect the security and integrity of this information. The servers that house this information operate in security zones that are protected by firewalls. Server directories that are accessible from outside the USPTO do not contain information about patent applicants who have USPTO digital certificates. These directories only contain information for those USPTO entities that are authorized to correspond or interact with USPTO external customers or contacts. The encryption keys are protected by software on the USPTO servers and the customers’ client machines. The authorization code and reference number required for subscribers to generate their encryption keys using the PKI software are sent to customers by separate methods for additional security. The USPTO sends the authorization code to the customer by email and the reference number by regular U.S. mail or telephone.


11. Justification for Sensitive Questions


None of the required information in this collection is considered to be sensitive.


12. Estimate of Hour and Cost Burden to Respondents


Table 3 calculates the burden hours and costs of this information collection to the public, based on the following factors:


  • Respondent Calculation Factors

The USPTO estimates that it will receive approximately 4,500 responses per year for this collection. None of the responses will be submitted electronically due to the notarization requirement.


  • Burden Hour Calculation Factors

The USPTO estimates that it will take the public approximately 30 minutes (0.5 hours) to read the instructions and subscriber agreement, gather the necessary information, prepare the Certificate Action Form, and submit the completed request.


  • Cost Burden Calculation Factors

The USPTO uses a professional rate of $389 per hour for respondent cost burden calculations, which is the median rate for attorneys in private firms as shown in the 2013 Report of the Economic Survey published by the American Intellectual Property Law Association (AIPLA). The USPTO uses a paraprofessional rate of $125 per hour for respondent cost burden calculations, which is the average rate for paralegals as shown in the 2015 National Utilization and Compensation Survey published by the National Association of Legal Assistants (NALA). The USPTO uses an estimated rate of $30 per hour for independent inventors.


The USPTO expects that approximately 70% of the submissions for this information collection will be prepared by paraprofessionals, 15% by attorneys, and 15% by independent inventors. Using those proportions and the estimated rates above, the USPTO estimates that the average rate for all respondents will be approximately $150.35 per hour.


Table 3: Burden Hour/Burden Cost to Respondents

Item

Minutes

(a)

Responses

(yr)

(b)

Burden

(hrs/yr)

(c)

(a) x (b)

Rate

($/hr)

(d)

Total Cost

($/yr)

(e)

(c) x (d)

Certificate Action Form (including Subscriber Agreement) (PTO-2042)

30

4,500

2,250

$150.35

$338,287.50

Totals

---------

4,500

2,250

------------

$338,287.50


13. Total Annual (Non-hour) Cost Burden


The total (non-hour) respondent cost burden for this collection is estimated to be $11,025 per year, which includes $9,000 in notarization fees and $2,025 in postage.


Notarization Fees


There are costs associated with the notarization requirement for authenticating the signatures on the Certificate Action Form, for a total of $9,000 per year:


  • 4,500 responses for Certificate Action Forms, at $2 each for notarization: $9,000


Postage Costs


The non-electronic items in this collection have associated first-class postage costs when submitted by mail, for a total of $2,025 per year:


  • 4,500 Certificate Action Forms, at $0.49 postage: $2,205


The Certificate Action Form cannot be faxed or submitted electronically because it requires an original notarized signature.


14. Annual Cost to the Federal Government


Certificate Action Forms are processed at the USPTO by government contractors at an average cost to the USPTO of $50.50 per hour, based upon the Bureau of Labor Statistics’ Occupational Employment Statistics in May 2013 for “Management, Scientific, and Technical Consulting Services”. The USPTO estimates that it takes approximately 5 minutes (0.08 hours) to process a Certificate Action Form request.


Table 4 calculates the burden hours and costs to the Federal Government for processing this information collection:

Table 4: Burden Hour/Burden Cost to the Federal Government

Item

Minutes

(a)

Responses

(yr)

(b)

Burden

(hrs/yr)

(c)

(a) x (b)

Rate

($/hr)

(d)

Total Cost

($/yr)

(e)

(c) x (d)

Certificate Action Form (including Subscriber Agreement) (PTO-2042)

5

4,500

375

$50.50

$18,937.50

Totals

----------

4,500

375

-----------

$18,937.50


PKI also involves additional costs to the USPTO of approximately $450,000 per year for software and license fees. Therefore, this information collection has a total government processing cost of approximately $468,937.50


15. Summary of Changes in Burden Since the Previous Renewal


Change in Respondent Cost Burden


The total respondent cost burden for this collection has increased by $21,037.50, from $317,250 to $338,287.50, from the previous renewal of this collection in February 2009, due to:


  • Increases in estimated hourly rates. The 2009 renewal used an estimated rate of $141 per hour for respondents to this collection, which was based on the expectation that 70% of submissions will be prepared by paraprofessionals at an estimated rate of $100 per hour, 15% by attorneys at $340 per hour, and 25% by independent inventors at $30 per hour. For the current renewal, the USPTO is using updated rates of $125 per hour for paraprofessionals and $389 per hour for attorneys, which yields a revised average estimated rate of $150.35 per hour for respondents.


Changes in Annual (Non-hour) Costs


For this renewal, the USPTO estimates that the total annual (non-hour) costs will increase by $180 (from $11,025 to $11,205) due to administrative adjustments, as follows:


  • Increase of $180 in postage fees. This collection is currently approved with a total of $2,025 in postage costs associated with mailing responses to the USPTO. For this renewal, the USPTO estimates that the postage costs for mailed items will increase by $2,205 due to an increase in first-class postage rates from $0.45 to $0.49 per response.


16. Project Schedule


The USPTO does not plan to publish this information for statistical use or any other purpose. Due to privacy and confidentiality requirements for the encryption keys and recovery passwords, the USPTO does not plan to publish specific information about the digital certificates. Internal records will be kept for reporting and tracking purposes.


17. Display of Expiration Date of OMB Approval


The form in this information collection will display the OMB Control Number and the expiration date of OMB approval.


18. Exceptions to the Certificate Statement


This collection of information does not include any exceptions to the certificate statement.



B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS


This collection of information does not employ statistical methods.


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title0045 Supporting Statement March Draft
AuthorFlax, Rob
File Modified0000-00-00
File Created2021-01-25

© 2024 OMB.report | Privacy Policy