REPORT TITLE:
Information Technology


DESCRIPTION:
Establishes legal framework for using digital signatures as a
means of authenticating computer-based information.

THE SENATE                              S.B. NO.           1434
TWENTIETH LEGISLATURE, 1999                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                   A  BILL  FOR  AN  ACT

RELATING TO INFORMATION TECHNOLOGY.


BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The Hawaii Revised Statutes is amended by adding
 
 2 a new chapter to be appropriately designated and to read as
 
 3 follows:
 
 4                             "CHAPTER
 
 5                   HAWAII DIGITAL SIGNATURE ACT
 
 6                    PART I.  GENERAL PROVISIONS
 
 7      §   -1  Purpose and construction.  This chapter shall be
 
 8 construed liberally to effectuate the following purposes:  
 
 9      (1)  To minimize the incidence of forged digital signatures
 
10           and enable the reliable authentication of computer-
 
11           based information; 
 
12      (2)  To enable and foster the verification of digital
 
13           signatures on computer-based documents;
 
14      (3)  To facilitate commerce by means of computerized
 
15           communications; and
 
16      (4)  To give legal effect to the general import of the
 
17           following and other similar standards:
 
18           (A)  Standard X.509 of the International
 
19                Telecommunication Union;
 
 20           (B)  Standard X9.30 of the American National Standards
 

 
Page 2
 
 1                Institute; and 
 
 2           (C)  RFC 1421 through 1424 of the Internet Activities
 
 3                Board.
 
 4      §   -2 Definitions.  As used in this chapter:
 
 5      "Accept a certificate" means to either:
 
 6      (1)  Take physical delivery of a certificate; or
 
 7      (2)  Apply for a certificate without canceling or revoking
 
 8           the application by delivering notice of the
 
 9           cancellation or revocation to the certification
 
10           authority, and obtaining a signed, written receipt from
 
11           the certification authority.
 
12      "Asymmetric cryptosystem" means a computer algorithm or
 
13 series of algorithms which utilize two different keys with the
 
14 following characteristics:
 
 15      (1)  One key of the pair encrypts a given message;
 
 16      (2)  The other key of the pair decrypts that message; and
 
17      (3)  The keys have the property that, knowing one key, it is
 
18           computationally infeasible to discover the other key.
 
19      "Bit" means a binary digit, or a number, often encoded in a
 
20 computer-readable form, which has a value of either 0 or 1.
 
21      "Certificate" means:
 
22      (1)  A computer-based record identifying a subscriber and
 
23           containing the subscriber's public key; or
 

 
Page 3
 
 1      (2)  If the certificate is issued by a licensed
 
 2           certification authority, a computer-based record
 
 3           identifying a subscriber containing the subscriber's
 
 4           public key, and additional data about the subscriber as
 
 5           specified in section    -3.
 
 6      "Certification authority" means a person who issues one or
 
 7 more certificates.
 
 8      "Certification authority disclosure record" means an on-
 
 9 line, publicly accessible computer record concerning a licensed
 
10 certification authority maintained by the department in
 
11 accordance with section    -13.
 
12      "Certify" means to declare with reference to a certificate,
 
13 that all material facts in the certificate are true.
 
14      "Confirm" means to ascertain through inquiry and
 
15 investigation carried out with all the effort and resources
 
16 commercially reasonable under the circumstances.
 
17      "Correspond" means, when referring to keys, that one key
 
18 belongs to the same key pair as the other.
 
19      "Department" means the department of commerce and consumer
 
20 affairs.
 
21      "Digital signature" means a sequence of bits which a person
 
22 intending to sign creates in relation to a clearly delimited
 
23 message by running the message through a one-way function, then
 

 
Page 4
 
 1 encrypting the resulting message digest using an asymmetric
 
 2 cryptosystem and the person's private key.
 
 3      "Distinguished name" means a sequence of alphanumeric
 
 4 characters uniquely identifying the person bearing the name.  
 
 5      "Forge a digital signature" means to create an apparent
 
 6 digital signature without the authorization of the rightful
 
 7 holder of the private key.
 
 8      "Issue a certificate" means to create and digitally sign a
 
 9 certificate and to deliver a copy of the certificate to the
 
10 subscriber named in the certificate.
 
11      "Key pair" means a private key and its corresponding public
 
12 key which are the keys in an asymmetric cryptosystem having the
 
13 property that one of the pair will decrypt what the other
 
14 encrypts.
 
15      "Licensed certification authority" means a certification
 
16 authority to whom a license has been issued by the department.
 
17      "Material" means germane to and having substantial
 
18 consequences for an actual transaction involving a digital
 
19 signature.
 
20      "Message" means a writing or recording recorded by means of
 
21 any medium and intended to be signed.  For purposes of this
 
22 definition, "writings" and "recordings" consist of letters,
 
23 words, numbers, or their equivalent set down by handwriting,
 

 
Page 5
 
 1 typewriting, printing, photostating, photographing, magnetic
 
 2 impulse, mechanical or electronic recording, or other form of
 
 3 data compilation.
 
 4      "One-way function" means an algorithm mapping or translating
 
 5 one set of bits into another set in such a way that:
 
 6      (1)  A message yields the same result every time it is
 
 7           passed through the one-way function;
 
 8      (2)  It is computationally infeasible that a message passed
 
 9           through the one-way function can be derived or
 
10           reconstituted from the results of the function; and
 
11      (3)  There is at most only a negligible probability that two
 
12           messages passing through the same one-way function will
 
13           produce the same result.
 
14      "Operative personnel" means one or more persons:
 
15      (1)  Acting as a certification authority or its agent;
 
16      (2)  Having managerial or policymaking responsibilities for
 
17           the certification authority; or 
 
18      (3)  Having duties directly involving the issuance of
 
19           certificates, creation of keys, or administration of
 
20           computing facilities.
 
21      "Person" means a natural person, corporation, partnership,
 
22 governmental body, or any other entity capable of signing a
 
23 document.
 

 
Page 6
 
 1      "Private key" means a sequence of bits in an asymmetric
 
 2 cryptosystem used to affix a digital signature to a message.  A
 
 3 private key is intended to be known only by the rightful holder
 
 4 of the key.
 
 5      "Public key" means a sequence of bits in an asymmetric
 
 6 cryptosystem used to verify a digital signature.  A public key
 
 7 may be known and used by anyone in order to verify a signature.
 
 8      "Publish" means to record or place on file in a repository
 
 9 accessible by multiple persons in the ordinary course of
 
10 business.
 
11      "Recognized repository" means a repository recognized by the
 
12 department pursuant to section    -52.
 
13      "Recommended reliance limit" means the limit of an issuing
 
14 certification authority's liability and financial responsibility
 
15 specified in a certificate.
 
16      "Record address" means:
 
17      (1)  The address on file with the department for a Hawaii
 
18           corporation, foreign corporation, or other legal entity
 
19           authorized to do business in Hawaii; or
 
20      (2)  The principal, official, or record address on file with
 
21           any other government entity if no address is on file
 
22           with the department; or
 
23      (3)  If no address is reasonably ascertainable with a
 

 
Page 7
 
 1           government entity, the last known address of the
 
 2           subscriber ascertained, whenever possible,
 
 3           independently of any representations made in applying
 
 4           for a certificate.
 
 5      "Record leaders" are:
 
 6      (1)  The officers and directors or trustees listed for a
 
 7           corporation on the most recent report to the department
 
 8           or its counterpart in another state;
 
 9      (2)  The general partners listed for a limited partnership
 
10           in the records of the department or its counterpart in
 
11           another state; and
 
12      (3)  The natural persons having authority to manage or
 
13           direct the affairs of the subscriber ascertained,
 
14           whenever possible, from information sources other than
 
15           representations made in applying for a certificate.
 
16      "Repository" means a database of certificates accessible on-
 
17 line.
 
18      "Repository operator" means the person operating and
 
19 responsible for the repository.
 
20      "Revoke a certificate" means to make a certificate
 
21 ineffective from a specified time.  Revocation is effected by
 
22 notation or inclusion in a set of revoked certificates and does
 
23 not imply that a revoked certificate is destroyed or made
 

 
Page 8
 
 1 illegible.  
 
 2      "Rightfully hold a private key" means to know or be able to
 
 3 readily ascertain a private key.
 
 4      "Subscriber" means a person holding a private key which
 
 5 corresponds to a public key listed in a certificate identifying
 
 6 the subscriber.
 
 7      "Suitable guaranty" means either a surety bond executed by a
 
 8 surety firm authorized by the insurance commissioner to do
 
 9 business in this State, or an irrevocable letter of credit issued
 
10 by a financial institution authorized to do business in this
 
11 State by the department, which satisfies all of the following
 
12 requirements:
 
13      (1)  It is issued for the benefit of claimants under this
 
14           chapter and is conditioned upon the certification
 
15           authority conducting business as required by this
 
16           chapter;
 
17      (2)  It is issued in an amount equal to or exceeding the
 
18           greater of either:
 
19           (A)  One hundred per cent of the largest recommended
 
20                reliance limit of a certificate to be issued or
 
21                published by the filing certification authority
 
22                during the term of the certification authority's
 
23                license; or
 

 
Page 9
 
 1           (B)  At least thirty-five per cent of the recommended
 
 2                reliance limits of all certificates to be issued
 
 3                or published by the filing certification authority
 
 4                which have not expired or been revoked;
 
 5      (3)  It states that it is issued for filing pursuant to this
 
 6           chapter;
 
 7      (4)  It specifies a term of effectiveness extending at least
 
 8           as long as the term of the license to be issued to the
 
 9           certification authority; and
 
10      (5)  It is in a form approved by the department.
 
11      A suitable guaranty may provide that the total annual
 
12 liability on the guaranty to all persons making claims based on
 
13 it may not exceed the face amount of the guaranty.
 
14      "Suspend" means to make the certificate ineffective or void
 
15 temporarily from a specified time forward.  It does not imply
 
16 that the certificate is destroyed or made illegible.
 
17      "Time-stamp" means either:
 
18      (1)  To append to a message a digitally signed notation
 
19           indicating the date, time, and identity of the person
 
20           appending the notation; or
 
21      (2)  The notation appended according to paragraph (1).
 
22      "Verify a digital signature" means:
 
23      (1)  To decrypt a digital signature using the public key
 

 
Page 10
 
 1           listed in a valid certificate;
 
 2      (2)  To pass the message through the one-way function used
 
 3           in affixing the digital signature; and
 
 4      (3)  To then correctly determine that the results of passing
 
 5           the message through the one-way function and the
 
 6           decrypted digital signature are identical.
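Added example, not part of S.B. 1434 or of any Hawaii statute: the definitions of "one-way function", "digital signature" and "verify a digital signature" above, written out as runnable Python so the three-step verification and the meaning of "correspond" and "forge a digital signature" can be checked on real input. SHA-256 stands in for the one-way function and textbook RSA for the asymmetric cryptosystem; the key sizes, seeds, sample message and function names are my assumptions, not the bill's.

```python
# Added example, not part of S.B. 1434 or any Hawaii statute: the bill's
# "one-way function", "digital signature" and "verify a digital signature"
# definitions written out as code. Assumptions (mine, not the bill's):
# SHA-256 stands in for the one-way function and textbook RSA for the
# asymmetric cryptosystem. There is no padding and the keys are small, so
# this illustrates the definitions only; do not use it for real signatures.
import hashlib
import random

PUBLIC_EXPONENT = 65537


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def generate_key_pair(bits=512, seed=None):
    """Return ((n, e), (n, d)): a public key and its corresponding private
    key, i.e. a "key pair" in the bill's sense (one decrypts what the other
    encrypts). A seed makes the example reproducible."""
    rng = random.Random(seed)
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:
            break
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse, Python 3.8+
    return (p * q, PUBLIC_EXPONENT), (p * q, d)


def one_way_function(message: bytes) -> int:
    """The bill's one-way function: same result every time, infeasible to
    invert, negligible collision probability. SHA-256 read as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """The bill's "digital signature": run the delimited message through the
    one-way function, then encrypt the digest with the private key."""
    n, d = private_key
    digest = one_way_function(message)
    if digest >= n:
        raise ValueError("modulus too small for the digest")
    return pow(digest, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """The bill's "verify": (1) decrypt the signature with the public key,
    (2) re-run the message through the one-way function, (3) check that the
    two results are identical."""
    n, e = public_key
    return pow(signature, e, n) == one_way_function(message)


def demo():
    """Constructed scenario: a genuine signature, a tampered message, a
    non-corresponding public key, and a forgery attempted without the private
    key. Returns each case's verification result."""
    public_key, private_key = generate_key_pair(seed=1434)
    other_public_key, _ = generate_key_pair(seed=1999)
    message = b"Pay $10,000 to account 42"  # constructed sample message
    signature = sign(message, private_key)
    forged = random.Random(7).randrange(1, public_key[0])  # no private key used
    return {
        "genuine": verify(message, signature, public_key),
        "tampered_message": verify(message + b"0", signature, public_key),
        "wrong_public_key": verify(message, signature, other_public_key),
        "forged_signature": verify(message, forged, public_key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'verifies' if result else 'fails'}")
```

Only the genuine case verifies: changing a single byte of the message changes the one-way function's result, a public key that does not correspond to the signing private key decrypts to garbage, and an apparent signature produced without the private key (the bill's "forge a digital signature") fails step (3). Real deployments add a padding scheme such as PKCS#1 v1.5 or PSS before the private-key operation; the bill's definition, and this example, leave that out.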
 
 7      §   -3  Contents of a certificate.  (a)  A certificate
 
 8 issued by a licensed certification authority shall contain:
 
 9      (1)  The name by which the subscriber is generally known;
 
10      (2)  The distinguished name of the subscriber;
 
11      (3)  A public key corresponding to a private key held by the
 
12           subscriber;
 
13      (4)  A brief description of any algorithms with which the
 
14           subscriber's public key was intended to be used in a
 
15           form prescribed by the department;
 
16      (5)  The serial number of the certificate which must be
 
17           unique among the certificates issued by the issuing
 
18           certification authority;
 
19      (6)  The date and time on which the certificate was issued
 
20           and accepted which is the date on which the certificate
 
21           takes effect;
 
22      (7)  The date and time on which the certificate expires;
 
 23      (8)  The distinguished name of the certification authority
 

 
Page 11
 
 1           issuing the certificate;
 
 2      (9)  A brief description of the algorithm used to sign the
 
 3           certificate, in a form prescribed by the department;
 
 4     (10)  The recommended reliance limit for transactions relying
 
 5           on the certificate; and
 
 6     (11)  Other items the department requires by rule.
 
 7      (b)  A certificate issued by a licensed certification
 
 8 authority, at the option of the subscriber and certification
 
 9 authority, may contain any of the following:
 
10      (1)  A secondary public key and its identifier or usage
 
11           indicator;
 
12      (2)  Information material to the certificate's reliability
 
13           and to any claims based on it;
 
14      (3)  References incorporating specified and available
 
15           documents material to the certificate, the issuing
 
16           certification authority, or the accepting subscriber;
 
17           and
 
18      (4)  Other items permitted by department rule.
 
19      (c)  The department by rule, may require additional
 
20 information in a certificate, so long as the certificate conforms
 
21 to generally accepted standards for digital signature
 
22 certificates and nothing in the certificate disclaims or limits
 
23 the representations of the subscriber and the certification
 

 
Page 12
 
 1 authority implied in part III.  The certification shall be in a
 
 2 database form specified by department rule.
 
 3      (d)  The department, at the joint request of a subscriber
 
 4 and licensed certification authority, may create a secret field
 
 5 in its database.  The department may disclose the contents of the
 
 6 secret field in its database only to:
 
 7      (1)  The licensed certification authority publishing the
 
 8           certificate;
 
 9      (2)  Authorized personnel of the department; and
 
10      (3)  A circuit court which has received a request for
 
11           suspension of the pertinent certificate.
 
12      The contents of the secret field should be a password or
 
13 fact likely to be known only by the subscriber, and, in the
 
14 discretion of the entity processing a request for suspension, may
 
15 be used to determine the identity of the requester.
 
16               PART II.  LICENSING AND REGULATION OF
 
 17                      CERTIFICATION AUTHORITIES
 
 18      §   -11  Licensure and qualifications of certification
 
 19 authorities.  (a)  To obtain or retain a license as a
 
20 certification authority by the department, a certification
 
21 authority must:
 
22      (1)  Be either:
 
23           (A)  An attorney admitted to practice before the courts
 

 
Page 13
 
 1                of this State, that attorney's partnership which
 
 2                engages principally in the practice of law if the
 
 3                attorney is a partner, or a professional
 
 4                corporation in which the attorney named in the
 
 5                license is a shareholder;
 
 6           (B)  A financial institution, a corporation authorized
 
 7                to conduct a trust business, or an insurance
 
 8                company, if authorized to do business in this
 
 9                State;
 
10           (C)  Any title insurance or abstract company authorized
 
11                to do business in this State; or
 
12           (D)  The governor, a department or division of state
 
13                government, the attorney general, the Hawaii
 
14                judicial council, a state court, the city and
 
15                county or a county, or the legislature; provided
 
16                that:
 
17                (i)  Each of the governmental entities acts
 
18                     through designated officials authorized by
 
19                     ordinance, rule, or statute to perform
 
20                     certification authority functions; and
 
 21               (ii)  The State or one of the governmental entities
 
22                     is the subscriber of all certificates issued
 
23                     by the certification authority;
 

 
Page 14
 
 1      (2)  Be the subscriber of a certificate published in the
 
 2           repository provided by the department or in a
 
 3           recognized repository;
 
 4      (3)  Qualify and hold an appointment as a notary public or
 
 5           employ at least one notary public;
 
 6      (4)  Employ as operative personnel only persons who have not
 
 7           been convicted of a felony or a crime involving fraud,
 
 8           false statement, or deception;
 
 9      (5)  Employ as operative personnel only persons who have
 
10           demonstrated knowledge and proficiency in following the
 
11           requirements of this chapter;
 
12      (6)  File with the department a suitable guaranty, unless
 
13           the certification authority is a governmental entity
 
14           listed in paragraph (1)(D);
 
15      (7)  Have access to hardware and software suitable for
 
16           fulfilling the requirements of this chapter according
 
17           to department rules;
 
18      (8)  Maintain an office in Hawaii or have established a
 
19           registered agent for service of process in Hawaii; and
 
20      (9)  Comply with all licensing requirements established by
 
21           department rule.
 
22      (b)  The department shall issue a license to a certification
 
23 authority which:
 

 
Page 15
 
 1      (1)  Is qualified under subsection (a);
 
 2      (2)  Applies in writing to the department for a license; and
 
 3      (3)  Pays the required filing fee.
 
 4      (c)  A license may specify that its scope is limited to:
 
 5      (1)  A specified number of certificates; or
 
 6      (2)  A specified cumulative maximum of recommended reliance
 
 7           limits in certificates issued by the certification
 
 8           authority.
 
 9      If the scope of a license is limited, a certification
 
10 authority acts as an unlicensed certification authority when
 
11 issuing a certificate exceeding the limits of the license.
 
12      (d)  The department may revoke or suspend a certification
 
13 authority's license for failure to comply with this chapter, or
 
14 for failure to remain qualified under subsection (a).  The
 
15 department's actions under this subsection are subject to the
 
16 procedures for adjudicative proceedings under chapter 91.
 
17      (e)  Unless the parties provide otherwise by contract
 
18 between themselves, the licensing requirements in this section do
 
19 not affect the validity of any certificate or digital signature
 
20 issued by an unlicensed certification authority, except that:
 
21      (1)  The presumptions created in part IV do not apply to a
 
22           certificate issued by an unlicensed certification
 
23           authority; and
 

 
Page 16
 
 1      (2)  The limitation of liability created in section    -28
 
 2           does not apply to a certificate issued by an unlicensed
 
 3           certification authority.
 
 4      §   -12  Performance audits and investigations.  (a)  A
 
 5 certified public accountant approved by department rule shall
 
 6 audit the operations of each licensed certification authority at
 
 7 least once each year to evaluate compliance with this chapter.
 
 8      (b)  Based on information gathered in the audit, the person
 
 9 performing the audit shall categorize the licensed certification
 
10 authority's compliance as one of the following:
 
11      (1)  Full compliance:  the certification authority appears
 
12           to conform to all applicable statutory and regulatory
 
13           requirements;
 
14      (2)  Substantial compliance:  the certification authority
 
15           generally appears to comply with all applicable
 
16           statutory and regulatory requirements; provided that
 
17           some instances of noncompliance or inability to
 
18           demonstrate compliance were found in the audited sample
 
19           which were likely to be inconsequential;
 
20      (3)  Partial compliance:  the certification authority
 
21           appears to comply with some statutory and regulatory
 
22           requirements, but was found not to have complied or not
 
23           able to demonstrate compliance with one or more
 

 
Page 17
 
 1           statutory or regulatory requirements; or
 
 2      (4)  Noncompliance:  the certification authority complies
 
 3           with few or none of the statutory and regulatory
 
 4           requirements, or fails to keep adequate records to
 
 5           demonstrate compliance with more than a few
 
 6           requirements, or refused to submit to an audit.
 
 7      (c)  The department shall publish in the certification
 
 8 authority disclosure record the date of the audit and the
 
 9 resulting categorization of the certification authority.
 
10      (d)  A licensed certification authority is exempt from the
 
11 requirements of subsection (a) if:
 
12      (1)  The certification authority requests exemption in
 
13           writing;
 
14      (2)  The most recent performance audit, if any, of the
 
15           certification authority resulted in a finding of full
 
16           or substantial compliance; and
 
17      (3)  The certification authority states under oath or
 
18           affirmation that one or more of the following is true
 
 19           with respect to the certification authority:
 
20           (A)  The certification authority has issued fewer than
 
21                six certificates during the past year and the
 
22                recommended reliance limits of all such
 
23                certificates do not exceed $10,000;
 

 
Page 18
 
 1           (B)  The aggregate lifetime of all certificates issued
 
 2                by the certification authority during the past
 
 3                year is less than thirty days and the recommended
 
 4                reliance limits of all such certificates do not
 
 5                exceed $10,000; or
 
 6           (C)  The recommended reliance limits of all
 
 7                certificates outstanding and issued by the
 
 8                certification authority total less than $1,000.
 
 9      If a licensed certification authority is exempt under this
 
10 subsection, the department shall publish in the certification
 
11 authority disclosure record that the certification authority is
 
12 exempt from the performance audit requirement under subsection
 
13 (a).
 
14      §   -13  Contents of a certification authority disclosure
 
15 record.  (a)  A certification authority disclosure record shall
 
16 contain:
 
17      (1)  The name, address, and telephone number of the
 
18           certification authority;
 
19      (2)  The distinguished name of the certification authority;
 
20      (3)  The current public key of the certification authority;
 
21      (4)  The categorization of the certification authority based
 
22           on the most recent performance audit of the
 
23           certification authority's activities, and the date of
 

 
Page 19
 
 1           the most recent performance audit;
 
 2      (5)  If the certification authority's certificate has been
 
 3           revoked since licensure, the public key contained in
 
 4           the revoked certificate, date of revocation, and
 
 5           grounds for revocation;
 
 6      (6)  The amount of the certification authority's suitable
 
 7           guaranty;
 
 8      (7)  If the certification authority's license has been
 
 9           revoked or is currently suspended, the date of
 
10           revocation or suspension and the grounds for revocation
 
11           or suspension;
 
12      (8)  The limits, if any, placed on the certification
 
13           authority's license;
 
14      (9)  Any event or activity which substantially affects the
 
15           certification authority's ability to conduct its
 
16           business, or the validity of more than ten of the
 
17           certificates listed in the repository provided by the
 
18           department or in a recognized repository;
 
19     (10)  If the certificate containing the public key required
 
20           to verify one or more certificates issued by the
 
21           certification authority has been revoked or is
 
22           currently suspended, the date of its revocation or
 
23           suspension;
 

 
Page 20
 
 1     (11)  A statement dated within one year of the current date,
 
 2           containing additional rules or policies, and not
 
 3           exceeding two kilobytes in length, if the certification
 
 4           authority submits such a statement in a form prescribed
 
 5           by department rule; and
 
 6     (12)  Other information required by department rule.
 
 7      (b)  The department shall maintain an electronic database in
 
 8 its repository containing the disclosure record described in this
 
 9 section for each licensed certification authority.
 
10      §   -14  Enforcement of requirements for licensed
 
 11 certification authorities.  (a)  Department actions under this
 
12 section must be made in accordance with the procedures for
 
13 adjudicative proceedings under chapter 91.
 
14      (b)  The department may:
 
15      (1)  Investigate the activities of a licensed certification
 
16           authority material to the requirements of this chapter;
 
17           and
 
18      (2)  Issue orders to a certification authority to secure
 
19           compliance with this chapter.
 
20      (c)  Nothing in this section restricts law enforcement
 
21 authorities from investigating and prosecuting violations of
 
22 criminal laws.
 
23      (d)  The department may suspend or revoke the license of a
 

 
Page 21                                                    
 1 certification authority for serious noncompliance with an order
 
 2 of the department.
 
 3      (e)  A person may obtain punitive damages against a
 
 4 certification authority in a civil action against the
 
 5 certification authority if:
 
 6      (1)  The department has issued an order in accordance with
 
 7           subsection (b) expressly permitting punitive damages to
 
 8           be assessed against the certification authority;
 
 9      (2)  The certification authority has not complied with the
 
10           order;
 
11      (3)  The person has suffered a loss caused by noncompliance
 
12           with the order; and
 
13      (4)  The department has granted permission for punitive
 
14           damages.
 
15      (f)  The department may order a certification authority
 
16 which it has found to have violated a requirement of this chapter
 
17 to pay the costs incurred by the department in prosecuting and
 
18 adjudicating proceedings related to the enforcement of the order.
 
19      (g)  A licensed certification authority may obtain judicial
 
20 review of the department's actions.  The department may seek an
 
21 injunction to compel compliance with any of its orders.
 
22      §   -15  Recordkeeping by certification authorities.  (a)  A
 
23 licensed certification authority shall maintain detailed records
 

 
Page 22                                                    
 1 documenting compliance with this chapter and all actions taken
 
 2 with respect to each certificate issued by the certification
 
 3 authority.  The records shall include evidence supporting the
 
 4 identification of the person named in a certificate with the
 
 5 distinguished name and public key set forth in the certificate.
 
 6 Except for requests for suspension of a certificate, the licensed
 
 7 certification authority may require a subscriber or agent of a
 
 8 subscriber to submit reasonable documentation sufficient to
 
 9 enable the certification authority to comply with this chapter.
 
10      (b)  A licensed certification authority shall retain its
 
11 records of the issuance, and any suspension or revocation of a
 
12 certificate, for a period of not less than forty years after the
 
13 certificate is issued.
 
14      (1)  The licensed certification authority may:
 
15           (A)  Contract with another licensed certification
 
16                authority for the record retention required by
 
17                this section; or
 
18           (B)  Place the records required by this section into
 
19                the custody of the department upon ceasing to act
 
20                as a certification authority.
 
21      (2)  A licensed certification authority shall secure its
 
22           records in a manner that is commercially reasonable in
 
23           light of the recommended reliance limits of the
 

 
Page 23                                                    
 1           certificates.
 
 2      §   -16  Cessation of certification authority activities.
 
 3 (a)  Before ceasing to act as a certification authority, a
 
 4 licensed certification authority shall:
 
 5      (1)  Give to the subscriber of each unrevoked or unexpired
 
 6           certificate ninety days' written notice of the
 
 7           certification authority's intention to discontinue
 
 8           acting as a certification authority;
 
 9      (2)  Ninety days after the notice required in paragraph (1),
 
10           revoke all certificates which then remain unrevoked or
 
11           unexpired, regardless of whether the subscriber has
 
12           requested revocation;
 
13      (3)  Give written notice of revocation to the subscriber of
 
14           each certificate revoked pursuant to paragraph (2); and
 
15      (4)  Unless the contract between the certification authority
 
16           and the subscriber provides otherwise, pay reasonable
 
17           restitution to the subscriber for revoking the
 
18           certificate before its expiration date.
 
19      (b)  To provide uninterrupted certification authority
 
20 services, the discontinuing certification authority may arrange
 
21 with another certification authority, including the department,
 
22 for the unexpired term of the remaining certificates or one year,
 
23 whichever is less.  In reissuing a certificate pursuant to this
 

 
Page 24                                                    
 1 subsection, the succeeding certification authority becomes
 
 2 subrogated to the rights and defenses of the discontinuing
 
 3 certification authority.
 
 4      (c)  The requirements of this section may be varied by
 
 5 contract except that the contract may not permit the licensed
 
 6 certification authority to discontinue its certification
 
 7 authority activities without first:
 
 8      (1)  Giving each subscriber of an unexpired or unrevoked
 
 9           certificate at least ten days' written notice; and
 
10      (2)  Revoking all outstanding certificates upon cessation of
 
11           certification authority activities.
 
12      (d)  A licensed certification authority shall notify the
 
13 department of its intention to terminate acting as a
 
14 certification authority.  The notice shall be in a form specified
 
15 by department rule and shall be submitted to the department at
 
16 least two months, but not more than six months, before the date
 
17 of termination.  The department may by rule or by order in a
 
18 specific case require additional statements to be filed in order
 
19 to track compliance with this section.
 
20      (e)  If a certification authority dies while licensed, the
 
21 estate of the certification authority shall comply with the
 
22 procedures of this section for termination of the deceased
 
23 certification authority's activities.
 

 
Page 25                                                    
 1      (f)  If a certification authority becomes incapacitated, a
 
 2 court may either appoint a guardian as provided in chapter 560,
 
 3 or, on the petition of an interested party, appoint a receiver to
 
 4 terminate the incapacitated certification authority's business as
 
 5 provided in this section.
 
 6      (g)  The department may adopt rules under chapter 91 to
 
 7 facilitate termination of certification authority activities or
 
 8 to protect subscribers and others in cases where the
 
 9 certification authority dies or becomes incapacitated.
 
10      §   -17  Hazardous activities by any certification authority
 
11 prohibited.  (a)  A certification authority, whether licensed or
 
12 not, may not conduct its business in a manner that creates a
 
13 commercially unreasonable risk of loss to:
 
14      (1)  Subscribers of the certification authority;
 
15      (2)  Persons relying on certificates issued by the certification
 
16           authority; or
 
17      (3)  Any repository recognized pursuant to section    -52.
 
18      (b)  The department may publish in the repository it
 
19 provides or elsewhere statements advising subscribers, persons
 
20 relying on digital signatures, or public repositories about
 
21 activities of a certification authority, whether licensed or not,
 
22 that create a risk prohibited by subsection (a).
 
23      The certification authority named in a statement as creating
 

 
Page 26                                                    
 1 or causing a risk may protest the publication of the statement.
 
 2 Upon receipt of a protest, the department shall:
 
 3      (1)  Include with its statement a comment that a protest has
 
 4           been received; and
 
 5      (2)  Promptly give the protesting certification authority
 
 6           notice and an opportunity to be heard.
 
 7      (c)  Following the hearing, the department shall:
 
 8      (1)  Rescind the advisory statement if its publication was
 
 9           unwarranted;
 
10      (2)  Cancel it if its publication is no longer warranted;
 
11      (3)  Continue or amend it if it remains warranted; or
 
12      (4)  Take further legal action to eliminate or reduce a risk
 
13           prohibited by subsection (a).
 
14 The department shall publish its decision in the repository it
 
15 provides.
 
16      (d)  In the manner provided by chapter 91, the department
 
17 may issue orders and obtain injunctions or other civil relief to
 
18 prevent or restrain a certification authority from violating this
 
19 section, regardless of whether the certification authority is
 
20 licensed.  This section does not create a right of action in any
 
21 person other than the department.  
 
22                PART III.  DUTIES OF CERTIFICATION
 
23                     AUTHORITY AND SUBSCRIBER
 

 
Page 27                                                    
 1      §   -21  Issuing a certificate.  (a)  A licensed
 
 2 certification authority may issue a certificate to a subscriber
 
 3 only after all of the following conditions are satisfied:
 
 4      (1)  The certification authority has received a signed
 
 5           request for issuance of a certificate by the
 
 6           prospective subscriber;
 
 7      (2)  The certification authority confirms that:
 
 8           (A)  The prospective subscriber is the person
 
 9                identified in the request and the person to be
 
10                identified in the certificate to be issued;
 
11           (B)  If the prospective subscriber is acting through an
 
12                agent, the subscriber duly authorized the agent to
 
13                have custody of the subscriber's private key and
 
14                to request issuance of a certificate listing the
 
15                corresponding public key;
 
16           (C)  The prospective subscriber bears a distinguished
 
17                name; and
 
18           (D)  The prospective subscriber rightfully holds the
 
19                private key corresponding to the public key to be
 
20                listed in the certificate;
 
21      (3)  The certification authority confirms that the
 
22           prospective subscriber holds a key pair capable of:
 
23           (A)  Affixing a digital signature by the private key
 

 
Page 28                                                    
 1                corresponding to the public key to be listed in
 
 2                the certificate; and
 
 3           (B)  Verifying that a digital signature has been
 
 4                affixed by the corresponding private key through
 
 5                the use of the public key.
 
 6      The requirements of this subsection may not be waived or
 
 7 disclaimed by the licensed certification authority or the
 
 8 subscriber.
 
 9      (b)  If a certificate is requested by an agent or an
 
10 apparent agent of the subscriber, the certification authority may
 
11 not issue the certificate until after the certification authority
 
12 has given ten days' written notice to the prospective subscriber
 
13 through all of its record leaders at its record address.  The
 
14 notice shall express the certification authority's intent to
 
15 issue a certificate for the prospective subscriber to the
 
16 requesting agent and the date on which the certificate is to be
 
17 issued. 
 
18      The requirement of notice in this subsection may be waived
 
19 or disclaimed only by:
 
20      (1)  A writing signed by all of the record leaders of the
 
21           prospective subscriber; and
 
22      (2)  Confirmation of the authenticity of the waiver by the
 
23           certification authority.
 

 
Page 29                                                    
 1      (c)  If the subscriber accepts the certificate, the
 
 2 certification authority shall publish a signed copy of the
 
 3 certificate in the repository provided by the department or in
 
 4 one or more record repositories agreed upon by the certification
 
 5 authority and the subscriber named in the certificate.  The
 
 6 contract between the certification authority and the subscriber
 
 7 may provide that the certificate may not be published.  If the
 
 8 subscriber does not accept the certificate, a licensed
 
 9 certification authority may not publish the certificate in the
 
10 repository provided by the department.  
 
11      (d)  Nothing in this section precludes a licensed
 
12 certification authority from conforming to standards, security
 
13 policies, or contractual requirements more rigorous than, but
 
14 consistent with, this section.
 
15      (e)  If a licensed certification authority confirms that a
 
16 certificate was not issued as required by this section, the
 
17 certification authority may:
 
18      (1)  Immediately revoke the certificate; or
 
19      (2)  Suspend the certificate while investigating to confirm
 
20           grounds for revocation.
 
21      The certification authority shall give notice as soon as
 
22 practicable to the subscriber of a certificate revoked or
 
23 suspended pursuant to this subsection.
 

 
Page 30                                                    
 1      (f)  The department may order the licensed certification
 
 2 authority to suspend or revoke a certificate which the
 
 3 certification authority issued if, after notice and an
 
 4 opportunity for the certification authority and subscriber to be
 
 5 heard under chapter 91, the department determines that:
 
 6      (1)  A certificate was issued without substantial compliance
 
 7           with this section; and
 
 8      (2)  The noncompliance poses a significant hazard to parties
 
 9           relying on the certificate.
 
10      §   -22  Representations by the subscriber accepting a
 
11 certificate.  (a)  By accepting a certificate issued by a
 
12 licensed certification authority, the subscriber identified in
 
13 the certificate certifies to all who justifiably rely on the
 
14 information contained in the certificate that:
 
15      (1)  Each digital signature affixed by means of the private
 
16           key corresponding to the public key listed in the
 
17           certificate is a legally valid signature of the
 
18           subscriber, unless the certificate:
 
19           (A)  Is suspended;
 
20           (B)  Is revoked by the certification authority; or
 
21           (C)  Has expired;
 
22      (2)  No unauthorized person has access to the private key
 
23           corresponding to the public key listed in the
 

 
Page 31                                                    
 1           certificate;
 
 2      (3)  All representations made by the subscriber to the
 
 3           certification authority which are material to
 
 4           information contained in the certificate are true; and
 
 5      (4)  The information contained in the certificate is true.
 
 6      (b)  By requesting on behalf of a principal the issuance of
 
 7 a certificate naming the principal as subscriber, a person
 
 8 certifies to all who justifiably rely on the information
 
 9 contained in the certificate that:
 
10      (1)  The person holds all authority legally required for
 
11           issuance of a certificate naming the principal as
 
12           subscriber; and
 
13      (2)  The person has authority to sign digitally on behalf of
 
14           the principal, and, if that authority is limited in any
 
15           way, safeguards exist to prevent a digital signature
 
16           exceeding the bounds of the person's authority.
 
17      (c)  A person may not disclaim or rebut the representations
 
18 implied in this section or obtain indemnity for them, if the
 
19 effect of the disclaimer or indemnity is to limit liability for
 
20 wrongful issuance of a certificate as against persons justifiably
 
21 relying on the certificate.
 
22      (d)  If a subscriber makes a false, material, and written
 
23 representation of fact, or fails to disclose a material fact,
 

 
Page 32                                                    
 1 with either the intent to deceive the certification authority or
 
 2 a person relying on the certificate, or with negligence, the
 
 3 subscriber, by accepting a certificate, becomes obligated to
 
 4 indemnify the issuing certification authority for any loss or
 
 5 damage caused by the misrepresentation or negligence. 
 
 6      If the certification authority issued the certificate at the
 
 7 request of agents of the subscriber, both the agents and the
 
 8 subscriber shall indemnify the certification authority in
 
 9 accordance with this subsection.
 
10      The indemnity provided in this subsection may not be
 
11 disclaimed or superseded by contract between the certification
 
12 authority and the subscriber.
 
13      (e)  To obtain information required for issuance of a
 
14 certificate, the certification authority may require a subscriber
 
15 to testify under oath or an affirmation of truthfulness.
 
16      §   -23  Control of the private key.  (a)  By accepting a
 
17 certificate issued by a licensed certification authority, the
 
18 subscriber identified in the certificate assumes a duty to
 
19 exercise reasonable care in retaining control of the private key
 
20 and keeping it confidential.
 
21      (b)  A private key is the property of the subscriber who
 
22 rightfully holds it.
 
23      (c)  If a certification authority holds the private key
 

 
Page 33                                                    
 1 corresponding to a public key listed in a certificate which it
 
 2 issued, it holds the private key as a fiduciary of the subscriber
 
 3 named in the certificate, regardless of any provision to the
 
 4 contrary in a contract between the subscriber and the
 
 5 certification authority.
 
 6      A certification authority holding the subscriber's private
 
 7 key may use it only upon the prior written consent of the
 
 8 subscriber.
 
 9      §   -24  Duties of a licensed certification authority in
 
10 issuing a certificate.  (a)  By issuing a certificate, a licensed
 
11 certification authority warrants to the subscriber named in the
 
12 certificate that:
 
13      (1)  The certificate contains no information known to the
 
14           certification authority to be false;
 
15      (2)  The certificate satisfies the requirements of this
 
16           chapter and does not exceed any limitations of the
 
17           certification authority's license; and
 
18      (3)  The certification authority has not exceeded any
 
19           limitation of its license in issuing the certificate.
 
20      The warranties described in this subsection shall not be
 
21 limited or disclaimed by contract.
 
22      (b)  Unless the parties otherwise agree, a certification
 
23 authority, by issuing a certificate, promises to the subscriber:
 

 
Page 34                                                    
 1      (1)  To notify the subscriber within a reasonable time of
 
 2           any facts known to the certification authority which
 
 3           affect the validity or reliability of the certificate
 
 4           once it is issued; and
 
 5      (2)  To act promptly to suspend or revoke a certificate in
 
 6           accordance with section    -25.
 
 7      (c)  By issuing a certificate, a licensed certification
 
 8 authority certifies to all who justifiably rely on the
 
 9 information contained in the certificate that the certification
 
10 authority has complied with all applicable requirements for
 
11 issuance of the certificate.
 
12      (d)  By publishing a certificate, a licensed certification
 
13 authority certifies to the repository and to all who justifiably
 
14 rely on the information contained in the certificate that the
 
15 certification authority has issued the certificate to the
 
16 subscriber.
 
17      §   -25  Suspension of a certificate.  (a)  Unless the
 
18 certification authority and the subscriber otherwise agree, the
 
19 licensed certification authority which issued a certificate shall
 
20 suspend the certificate for a period of forty-eight hours:
 
21      (1)  Upon request by a person identifying the person's self
 
22           as:
 
23           (A)  The subscriber named in the certificate;
 

 
Page 35                                                    
 1           (B)  An agent of the subscriber;
 
 2           (C)  A business associate of the subscriber;
 
 3           (D)  An employee of the subscriber; or
 
 4           (E)  A member of the immediate family of the
 
 5                subscriber; or
 
 6      (2)  Upon order of the department pursuant to
 
 7           section    -21(f).
 
 8      The certification authority need not confirm the identity or
 
 9 department of the person requesting suspension.
 
10      (b)  Unless the certificate or other records in the
 
11 repository indicate otherwise, the department or the circuit
 
12 court may suspend a certificate issued by a licensed
 
13 certification authority for a period of forty-eight hours if:
 
14      (1)  A person identifying the person's self as the
 
15           subscriber named in the certificate, or as an agent,
 
16           business associate, employee, or member of the
 
17           immediate family of the subscriber requests suspension;
 
18           and
 
19      (2)  The requester represents that the certification
 
20           authority which issued the certificate is unavailable.
 
21      (c)  The department or court may:
 
22      (1)  Require the requester to provide evidence of the
 
23           requester's identity, authorization, and the
 

 
Page 36                                                    
 1           unavailability of the issuing certification authority;
 
 2      (2)  Inquire of the contents of the certificate and the
 
 3           secret field described in section    -3(d); and
 
 4      (3)  Decline to suspend the certificate with or without
 
 5           cause.
 
 6      (d)  The department or court may investigate multiple
 
 7 suspensions by the department or court for possible wrongdoing.
 
 8      (e)  Immediately upon suspension of a certificate, the
 
 9 suspending certification authority or court shall publish signed
 
10 notice of the suspension in all repositories in which the
 
11 certificate was published.  If the repository no longer exists,
 
12 or if the person suspending the certificate does not know all the
 
13 repositories in which the certificate was published, the
 
14 certification authority shall publish the notice of suspension in
 
15 the repository provided by the department.
 
16      (f)  A certification authority shall terminate the
 
17 suspension of a certificate that was suspended by request if:
 
18      (1)  The subscriber named in the suspended certificate
 
19           requests that the suspension be terminated, and the
 
20           certification authority confirms the identity of the
 
21           person making the request and, when the requester is
 
22           acting as agent, the agent's authorization by the
 
23           subscriber; or
 

 
Page 37                                                    
 1      (2)  The certification authority discovers and confirms that
 
 2           the request for the suspension was made without
 
 3           authorization by the subscriber.
 
 4      This subsection does not obligate the certification
 
 5 authority to confirm a request for suspension.
 
 6      (g)  The contract between a subscriber and a licensed
 
 7 certification authority may:
 
 8      (1)  Limit or eliminate suspension by the certification
 
 9           authority upon request; or
 
10      (2)  Provide for termination of a suspension or disclosure
 
11           of information about a suspension that varies from the
 
12           requirements of this subsection and subsections (a),
 
13           (b), and (f),
 
14 except that if the contract varies from the requirements of this
 
15 section, the certificate must indicate the differences for the
 
16 contractual variation to be valid.
 
17      (h)  No person may knowingly or intentionally misrepresent
 
18 to a certification authority the person's identity, name,
 
19 distinguished name, or authorization when requesting suspension
 
20 of a certificate.
 
21      Violation of this subsection is a misdemeanor.
 
22      (i)  The subscriber is released from the duty to keep the
 
23 private key secure pursuant to section     -23 during the period
 

 
Page 38                                                    
 1 the certificate is suspended.
 
 2      §   -26  Revocation of a certificate.  (a)  A licensed
 
 3 certification authority shall revoke a certificate which it
 
 4 issued after receiving and confirming a request for revocation by
 
 5 the subscriber named in the certificate.  A licensed
 
 6 certification authority shall confirm a request for revocation
 
 7 and revoke a certificate within one business day after:
 
 8      (1)  Receiving a subscriber's written request accompanied by
 
 9           evidence reasonably sufficient to confirm the request;
 
10           and
 
11      (2)  Receiving any required fee.
 
12      (b)  A licensed certification authority shall revoke a
 
13 certificate which it issued upon receiving a certified copy of
 
14 the subscriber's death certificate or upon confirming by other
 
15 evidence that the subscriber is dead.
 
16      (c)  A licensed certification authority may revoke one or
 
17 more certificates which it issued if the certificates are or
 
18 become unreliable regardless of whether the subscriber consents
 
19 to the revocation.
 
20      Unless the contract between the certification authority and
 
21 the subscriber provides otherwise, the certification authority
 
22 shall pay reasonable restitution to the subscriber and compensate
 
23 the subscriber for any interruption to the subscriber's business
 

 
Page 39                                                    
 1 due to the revocation of the certificate under the circumstances
 
 2 described in this subsection.
 
 3      (d)  Immediately upon revocation of a certificate, the
 
 4 revoking certification authority shall publish signed notice of
 
 5 the revocation in all repositories in which the certification
 
 6 authority published the certificate.  If the repositories no
 
 7 longer exist or if all are unrecognized repositories, the
 
 8 certification authority shall publish the notice in the
 
 9 repository provided by the department.
 
10      (e)  A subscriber ceases to certify as provided in
 
11 section    -22, and has no further duty to keep the private key
 
12 secure as required by section    -23 when either:
 
13      (1)  Notice of the revocation is published as required in
 
14           subsection (d); or
 
15      (2)  The certification authority is required to revoke under
 
16           subsection (a).
 
17      (f)  Upon publication as required by section   -25(e), a
 
18 licensed certification authority:
 
19      (1)  Is discharged of its warranties based on issuance of the
 
20           revoked certificate; and
 
21      (2)  Ceases to certify as provided in section    -24(b) and
 
22           (c) in relation to the revoked certificate.
 
23      §   -27  Expiration of a certificate.  (a)  A certificate
 

 
Page 40                                                    
 1 shall indicate the date on which it expires.  A certificate's
 
 2 expiration date shall be no later than three years after its
 
 3 issuance.
 
 4      (b)  When a certificate expires:
 
 5      (1)  The subscriber and certification authority cease as
 
 6           provided in sections    -22 and    -24; and
 
 7      (2)  The certification authority is discharged of its duties
 
 8           based on issuance, in relation to the expired
 
 9           certificate.
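
As an added illustration, not part of S.B. 1434 or of any state system, the following Go program shows how a certification authority could enforce the machine-checkable parts of the issuance conditions in section -21(a) together with the expiration limit in section -27(a), using only Go's standard library. The signed request of paragraph (a)(1) is modelled as a PKCS#10 certificate request; verifying that request's self-signature under the public key to be listed is the proof of possession that paragraph (a)(3) asks for, the distinguished-name check implements paragraph (a)(2)(C), and the issuer caps validity at three years whatever period the subscriber requested. The names `NewCA`, `SubscriberRequest`, `CheckIssuanceRequest`, `IssueCertificate` and the sample subject strings are assumptions made for this example; confirming who the subscriber actually is under paragraph (a)(2)(A), (B) and (D) remains an out-of-band procedure that no code can perform on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxValidityYears mirrors section -27(a): expiry no later than three years after issuance.
const MaxValidityYears = 3

// CheckIssuanceRequest applies the request-level conditions of section -21(a) to a
// DER-encoded PKCS#10 request and returns the parsed request when they all hold.
func CheckIssuanceRequest(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("request is not a well-formed CSR: %w", err)
	}
	// (a)(1) and (a)(3): the request is signed and the signature verifies under the
	// public key to be listed, which is the proof-of-possession check for the key pair.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	// (a)(2)(C): the prospective subscriber must bear a distinguished name.
	if csr.Subject.String() == "" {
		return nil, fmt.Errorf("request carries no distinguished name")
	}
	return csr, nil
}

// IssueCertificate signs a certificate for a checked request and caps the validity
// period at MaxValidityYears however long the subscriber asked for.
func IssueCertificate(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, requested time.Duration) (*x509.Certificate, error) {
	notBefore := time.Now().UTC().Truncate(time.Second)
	notAfter := notBefore.Add(requested)
	if limit := notBefore.AddDate(MaxValidityYears, 0, 0); notAfter.After(limit) {
		notAfter = limit
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // random and strictly positive
		Subject:      csr.Subject,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a self-signed P-256 issuer standing in for a licensed CA (constructed).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SubscriberRequest makes a fresh key pair and a request signed with it (constructed
// sample input). An empty commonName yields a request with no distinguished name.
func SubscriberRequest(commonName string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

func main() {
	caCert, caKey, _ := NewCA("Example Licensed CA")
	csrDER, _, _ := SubscriberRequest("Example Subscriber")
	csr, _ := CheckIssuanceRequest(csrDER)
	cert, _ := IssueCertificate(caCert, caKey, csr, 5*365*24*time.Hour)
	fmt.Println("issued, expires", cert.NotAfter.Format(time.RFC3339)) // capped at three years
	tampered := append([]byte(nil), csrDER...) // a request whose signature was altered in transit
	tampered[len(tampered)-1] ^= 0xFF
	_, err := CheckIssuanceRequest(tampered)
	fmt.Println("tampered request:", err)
}
```

Running the program issues one certificate for a five-year request and prints an expiry three years out, then shows the same request being refused once its signature bytes no longer verify under the listed public key; a request with an empty subject is refused on the distinguished-name check in the same way.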
 
     §   -28  Liability of a licensed certification authority.  (a)  By specifying a recommended reliance limit in a certificate, the issuing certification authority and accepting subscriber recommend that persons rely on the certificate only in transactions in which the total amount at risk does not exceed the recommended reliance limit.

     (b)  Except as designated in section    -11(e):

     (1)  A licensed certification authority is not liable for any loss caused by a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the certification authority complied with the requirements of this chapter;

     (2)  A licensed certification authority is not liable for a misrepresentation in the certificate, or for error in issuing the certificate in excess of the amount specified in the certificate as the recommended reliance limit; and

     (3)  A licensed certification authority is not liable for punitive or exemplary damages, except as provided in section    -14.
 
     §   -29  Collection based on suitable guaranty.  (a)  Notwithstanding any provision in the suitable guaranty to the contrary:

     (1)  If the suitable guaranty is a surety bond, a person may recover from the bond surety the full amount of a claim against the bond principal or, if there is more than one such claim during the term of the bond, a ratable share, up to a maximum total liability of the surety equal to the face amount of the bond; or

     (2)  If the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution a claim against the customer named in the credit, or, if there is more than one claim during the term of the letter of credit, a ratable share, up to a maximum total liability of the issuer equal to the face amount of the credit.

     Claimants may recover successively on the same suitable guaranty; provided that the total liability on the guaranty to all persons making claims during its term may not exceed the face amount of the guaranty.

     (b)  In addition to the actual damages suffered by the claimant, the claimant may recover from the proceeds of a suitable guaranty, until depleted, reasonable attorney fees, and court costs incurred by the claimant in collecting the claim.

     (c)  A claim against a surety or issuer of a suitable guaranty must be filed in writing with the department and the surety or issuer, within one year after the claim arose.  A claim must include a statement of the amount claimed and the basis for the claim.

     An action or suit against the surety or issuer of the suitable guaranty must be filed with the court within one year after the claim is filed with the department.  Except as prohibited by department rule, a suitable guaranty, by contract, may alter the obligations under this subsection.
 
              PART IV.  EFFECT OF A DIGITAL SIGNATURE

     §   -41  Presumptions established by a digital signature.  (a)  The presumptions established in this section, section    -42, and section    -43 do not apply to a certificate issued by an unlicensed certification authority.

     (b)  A certificate is presumed to be an acknowledgment of any digital signature verified using the public key listed in the certificate, regardless of whether words of an express acknowledgment appear with the digital signature in any document, or in relation to the message if:

     (1)  The certificate is in the repository provided by the department or in a recognized repository; and

     (2)  The certificate was not revoked, suspended, or expired at the time of signature.

     (c)  A digital signature verified using a public key is presumed to have been affixed with the intention of the subscriber to authenticate the message and to be bound by the contents of the message if:

     (1)  The public key is listed in a certificate that is in the repository provided by the department or a recognized repository; and

     (2)  The certificate was not revoked, suspended, or expired at the time of signature.

     (d)  If a signature is time-stamped by the department or a recognized repository, and unless the message otherwise provides, the time-stamp is prima facie evidence that the time-stamped signature took effect as of the date and time indicated in the time-stamp.

     This subsection does not preclude a finder of fact from concluding, based on other evidence, that the date and time of signature are other than as shown in a time-stamp of the department or a recognized repository.

     (e)  The presumptions established in this section may be rebutted by:

     (1)  Evidence indicating that a digital signature cannot be verified by reference to a certificate issued by a licensed certification authority;

     (2)  Evidence that the rightful holder of the private key by which the digital signature was affixed had lost exclusive control of the private key, without violating any duty imposed by this chapter, at the time when the digital signature was affixed;

     (3)  Evidence showing a lack of a signature at common law; or

     (4)  A showing that reliance on the presumption was not commercially reasonable under the circumstances.
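The conditions in this section turn on the certificate's status at the time the signature was affixed, not at the time someone later checks it.  As an added example that is not part of the bill, the following Python checker applies the section -41(a) through (c) conditions to a certificate record, using the time-stamp of subsection (d) as the signing time, and folds in the three-year limit of section -27(a) and the recommended reliance limit of section -28(a).  The Certificate fields, function names and sample records are constructed for illustration and are not defined by the Act.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_VALIDITY = timedelta(days=3 * 365)  # section -27(a): expiry no later than three years

@dataclass
class Certificate:
    """Constructed record of one published certificate (hypothetical fields)."""
    serial: str
    issuer_licensed: bool   # section -41(a): presumptions need a licensed CA
    in_repository: bool     # section -41(b)(1): department or recognized repository
    issued: datetime
    expires: datetime
    revoked_at: Optional[datetime] = None
    suspensions: list = field(default_factory=list)  # (start, end) intervals

    def status_at(self, when: datetime) -> str:
        """Status at the instant the signature was affixed, not as of today."""
        if when < self.issued or when >= self.expires:
            return "outside validity period"
        if self.revoked_at is not None and when >= self.revoked_at:
            return "revoked"
        if any(start <= when < end for start, end in self.suspensions):
            return "suspended"
        return "valid"

def presumption_applies(cert: Certificate, signed_at: datetime) -> tuple:
    """Sections -41(a)-(c): return (presumed, reasons); signed_at is the
    time-stamp that -41(d) treats as prima facie evidence of signing time."""
    reasons = []
    if not cert.issuer_licensed:
        reasons.append("unlicensed certification authority (-41(a))")
    if not cert.in_repository:
        reasons.append("certificate not in a repository (-41(b)(1))")
    if cert.expires - cert.issued > MAX_VALIDITY:
        reasons.append("validity period exceeds three years (-27(a))")
    status = cert.status_at(signed_at)
    if status != "valid":
        reasons.append(f"certificate {status} at time of signature (-41(b)(2))")
    return (not reasons, reasons)

def within_reliance_limit(amount_at_risk: int, reliance_limit: Optional[int]) -> bool:
    """Section -28(a): exceeding the limit does not void the signature; it caps CA liability."""
    return reliance_limit is None or amount_at_risk <= reliance_limit

# Constructed sample: revoked on 2000-03-02, so a signature time-stamped the day
# before is still presumed valid, while one on or after that date is not.
SAMPLE_CERT = Certificate(
    serial="CONSTRUCTED-0001", issuer_licensed=True, in_repository=True,
    issued=datetime(1999, 7, 1), expires=datetime(2002, 6, 30),
    revoked_at=datetime(2000, 3, 2),
    suspensions=[(datetime(1999, 12, 1), datetime(1999, 12, 15))],
)
```

A later revocation leaves an earlier signature's presumption intact, which is why the check records status as of the time-stamp rather than querying current status.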
 
     §   -42  Digitally signed document is written.  A digitally signed document is as valid as if it had been written on paper.  This section does not limit the authority of the department of taxation to prescribe the form of tax returns or other documents filed with the department of taxation.

     §   -43  Digital signatures making instruments payable to bearer.  Notwithstanding any other provisions of this chapter, a digital signature which would make a negotiable instrument payable to bearer is void, unless the digital signature effectuates either a funds transfer, or a transaction between banks or other financial institutions.
 
        PART V.  STATE SERVICES AND RECOGNIZED REPOSITORIES

     §   -51  Department duties; rulemaking; fees; special fund.  (a)  The department shall be a certification authority, and may issue, suspend, and revoke certificates in the manner prescribed for licensed certification authorities.  The provisions of part IV apply to the department with respect to the certificates it issues.

     (b)  The department shall provide for an on-line, publicly accessible database as a repository containing:

     (1)  Certificates published in the repository by licensed certification authorities;

     (2)  All orders and advisory statements designated for publication by the department;

     (3)  Certification authority disclosure records for all currently or formerly licensed certification authorities;

     (4)  Notices of suspended or revoked certificates published by licensed certification authorities;

     (5)  References to recognized repositories;

     (6)  Information required to be kept by a recognized repository; and

     (7)  Other information as determined by department rule.

     (c)  In conjunction with the repository it provides, the department shall make available a system for reliably time-stamping digital signatures.

     (d)  The department may adopt rules under chapter 91 consistent with this chapter in order to:

     (1)  Govern licensed certification authorities and their licensure;

     (2)  Approve asymmetric cryptosystems for use in signing certificates issued by licensed certification authorities; and

     (3)  Maintain the database required by section    -13.

     (e)  The department's rules shall address at least the following:

     (1)  Design and implementation requirements limiting the equipment and software to fulfill the requirements of this chapter;

     (2)  Validating that the hardware and software to be used are limited to those determined to meet the design and implementation requirements;

     (3)  Suitability of algorithms for use in fulfilling the requirements of this chapter;

     (4)  The form of suitable guarantees in accordance with this chapter;

     (5)  Items included in certificates issued by licensed certification authorities in accordance with section    -3(b);

     (6)  Approval of persons authorized to audit licensed certification authorities under section    -12;

     (7)  The contents of a certification authority disclosure record required in section    -13;

     (8)  The termination of certification authority activities under section    -16, including the form of notice and required statements; and

     (9)  Prohibitions against altering obligations under section    -(c).

     (f)  The department may establish fees as follows:

     (1)  For the use of the repository provided for in subsection (b), but only to the extent that the fees reflect the cost to provide access to the public, excluding the costs to develop the repository;

     (2)  For licensing certification authorities;

     (3)  For publishing certificates and other records; and

     (4)  For its other activities required by this chapter.

     (g)  There is established in the state treasury a special fund to be known as the digital signature special fund.  Moneys collected from fees pursuant to subsection (f) shall be deposited into the fund, and shall be used by the department for purposes of this chapter.
 
     §   -52  Recognition of repositories.  (a)  The department shall recognize a repository kept by a licensed certification authority, if the department concludes that:

     (1)  The repository includes a database of certificates substantially similar in content and operation to the repository kept by the department;

     (2)  The information in the repository appears to be true, accurate, and reasonably reliable;

     (3)  The repository, its operator, and the certification authorities issuing the certificates in the repository conform to legally binding rules which the department finds to be substantially similar to, or more stringent toward the certificate authorities than those of the department;

     (4)  The repository provides a time-stamping service which the department finds to be reasonably trustworthy;

     (5)  The repository keeps an archive of suspended, revoked, or expired certificates; and

     (6)  The repository has expressed in writing its intention to continue acting as a repository for the foreseeable future and is able to do so as indicated from its managerial and financial capabilities.

     (b)  A repository may apply to the department for recognition by filing a written request and providing evidence to the department that the conditions for recognition are satisfied.

     (c)  The department may withdraw or discontinue recognition of a repository in accordance with the procedures for adjudicative proceedings under chapter 91, if it concludes that the repository no longer satisfies the conditions for recognition listed in this section.

     (d)  The department shall publish in its repository the names, addresses, and public keys of all recognized repositories.
 
     §   -53  Liability of repositories limited.  A recognized repository, the department in providing for a repository, or the department's repository operator is not liable for any loss arising from:

     (1)  Misrepresentation in a certificate published by a licensed certification authority;

     (2)  Accurately recording or reporting information which a licensed certification authority, a court, or the department has published as required by this chapter, including information about suspension or revocation of a certificate;

     (3)  Reporting information about a certification authority, a certificate, or a subscriber, if the information is published as required by this chapter or by department rule, or is published by order of the department in the performance of its licensing and regulatory duties under this chapter; and

     (4)  Failure to record publication of a certificate, suspension, or revocation, unless the repository has received notice of publication and a commercially reasonable time of not more than one business day has elapsed for processing of the publication.
 
     §   -54  Confidentiality.  The following information shall be confidential:

     (1)  Information which might lead to the disclosure of private keys, asymmetric cryptosystems, or algorithms; or

     (2)  Information which might jeopardize the security of an issued certificate or a certificate to be issued."

     SECTION 2.  This Act shall take effect July 1, 1999.

                           INTRODUCED BY:  _______________________