Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

SF 173

as introduced - 80th Legislature (1997 - 1998) Posted on 12/15/2009 12:00am

KEY: stricken = removed, old language.
underscored = added, new language.
  1.1                          A bill for an act 
  1.2             relating to commerce; providing for the use, validity, 
  1.3             and security of electronic signatures and messages 
  1.4             transmitted in commerce; prescribing penalties; 
  1.5             proposing coding for new law as Minnesota Statutes, 
  1.6             chapter 325K. 
  1.8      Section 1.  [SHORT TITLE.] 
  1.9      This chapter may be cited as the Minnesota electronic 
  1.10  authentication act. 
  1.11     Sec. 2.  [325K.01] [DEFINITIONS.] 
  1.12     Subdivision 1.  [SCOPE.] Unless the context clearly 
  1.13  requires otherwise, the terms used in this chapter have the 
  1.14  meanings given them in this section.  
  1.15     Subd. 2.  [ACCEPT A CERTIFICATE.] "Accept a certificate" 
  1.16  means either:  
  1.17     (1) to manifest approval of a certificate, while knowing or 
  1.18  having notice of its contents; or 
  1.19     (2) to apply to a licensed certification authority for a 
  1.20  certificate, without canceling or revoking the application by 
  1.21  delivering notice of the cancellation or revocation to the 
  1.22  certification authority and obtaining a signed, written receipt 
  1.23  from the certification authority, if the certification authority 
  1.24  subsequently issues a certificate based on the application. 
  1.25     Subd. 3.  [ASYMMETRIC CRYPTOSYSTEM.] "Asymmetric 
  1.26  cryptosystem" means an algorithm or series of algorithms that 
  2.1   provide a secure key pair. 
  2.2      Subd. 4.  [CERTIFICATE.] "Certificate" means a 
  2.3   computer-based record that: 
  2.4      (1) identifies the certification authority issuing it; 
  2.5      (2) names or identifies its subscriber; 
  2.6      (3) contains the subscriber's public key; and 
  2.7      (4) is digitally signed by the certification authority 
  2.8   issuing it. 
  2.9      Subd. 5.  [CERTIFICATION AUTHORITY.] "Certification 
  2.10  authority" means a person who issues a certificate. 
  2.12  RECORD.] "Certification authority disclosure record" means an 
  2.13  on-line, publicly accessible record that concerns a licensed 
  2.14  certification authority and is kept by the secretary.  A 
  2.15  certification authority disclosure record has the contents 
  2.16  specified by rule by the secretary under section 352K.03. 
  2.17     Subd. 7.  [CERTIFICATION PRACTICE 
  2.18  STATEMENT.] "Certification practice statement" means a 
  2.19  declaration of the practices that a certification authority 
  2.20  employs in issuing certificates generally, or employed in 
  2.21  issuing a material certificate. 
  2.22     Subd. 8.  [CERTIFY.] "Certify" means to declare with 
  2.23  reference to a certificate, with ample opportunity to reflect, 
  2.24  and with a duty to apprise oneself of all material facts. 
  2.25     Subd. 9.  [CONFIRM.] "Confirm" means to ascertain through 
  2.26  appropriate inquiry and investigation. 
  2.27     Subd. 10.  [CORRESPOND.] "Correspond," with reference to 
  2.28  keys, means to belong to the same key pair. 
  2.29     Subd. 11.  [DIGITAL SIGNATURE.] "Digital signature" means a 
  2.30  transformation of a message using an asymmetric cryptosystem 
  2.31  such that a person having the initial message and the signer's 
  2.32  public key can accurately determine: 
  2.33     (1) whether the transformation was created using the 
  2.34  private key that corresponds to the signer's public key; and 
  2.35     (2) whether the initial message has been altered since the 
  2.36  transformation was made. 
  3.1      Subd. 12.  [FINANCIAL INSTITUTION.] "Financial institution" 
  3.2   means a national or state-chartered commercial bank or trust 
  3.3   company, savings bank, savings association, or credit union 
  3.4   authorized to do business in the state of Minnesota and the 
  3.5   deposits of which are federally insured. 
  3.6      Subd. 13.  [FORGE A DIGITAL SIGNATURE.] "Forge a digital 
  3.7   signature" means either: 
  3.8      (1) to create a digital signature without the authorization 
  3.9   of the rightful holder of the private key; or 
  3.10     (2) to create a digital signature verifiable by a 
  3.11  certificate listing as subscriber a person who either: 
  3.12     (i) does not exist; or 
  3.13     (ii) does not hold the private key corresponding to the 
  3.14  public key listed in the certificate. 
  3.15     Subd. 14.  [HOLD A PRIVATE KEY.] "Hold a private key" means 
  3.16  to be authorized to utilize a private key. 
  3.17     Subd. 15.  [INCORPORATE BY REFERENCE.] "Incorporate by 
  3.18  reference" means to make one message a part of another message 
  3.19  by identifying the message to be incorporated and expressing the 
  3.20  intention that it be incorporated. 
  3.21     Subd. 16.  [ISSUE A CERTIFICATE.] "Issue a certificate" 
  3.22  means the acts of a certification authority in creating a 
  3.23  certificate and notifying the subscriber listed in the 
  3.24  certificate of the contents of the certificate. 
  3.25     Subd. 17.  [KEY PAIR.] "Key pair" means a private key and 
  3.26  its corresponding public key in an asymmetric cryptosystem, keys 
  3.27  which have the property that the public key can verify a digital 
  3.28  signature that the private key creates. 
  3.29     Subd. 18.  [LICENSED CERTIFICATION AUTHORITY.] "Licensed 
  3.30  certification authority" means a certification authority to whom 
  3.31  a license has been issued by the secretary and whose license is 
  3.32  in effect. 
  3.33     Subd. 19.  [MESSAGE.] "Message" means a digital 
  3.34  representation of information. 
  3.35     Subd. 20.  [NOTIFY.] "Notify" means to communicate a fact 
  3.36  to another person in a manner reasonably likely under the 
  4.1   circumstances to impart knowledge of the information to the 
  4.2   other person. 
  4.3      Subd. 21.  [OPERATIVE PERSONNEL.] "Operative personnel" 
  4.4   means one or more natural persons acting as a certification 
  4.5   authority or its agent, or in the employment of, or under 
  4.6   contract with, a certification authority, and who have: 
  4.7      (1) managerial or policymaking responsibilities for the 
  4.8   certification authority; or 
  4.9      (2) duties directly involving the issuance of certificates, 
  4.10  creation of private keys, or administration of a certification 
  4.11  authority's computing facilities. 
  4.12     Subd. 22.  [PERSON.] "Person" means a human being or an 
  4.13  organization capable of signing a document, either legally or as 
  4.14  a matter of fact. 
  4.15     Subd. 23.  [PRIVATE KEY.] "Private key" means the key of a 
  4.16  key pair used to create a digital signature. 
  4.17     Subd. 24.  [PUBLIC KEY.] "Public key" means the key of a 
  4.18  key pair used to verify a digital signature. 
  4.19     Subd. 25.  [PUBLISH.] "Publish" means to record or file in 
  4.20  a repository. 
  4.21     Subd. 26.  [QUALIFIED RIGHT TO PAYMENT.] "Qualified right 
  4.22  to payment" means an award of damages against a licensed 
  4.23  certification authority by a court having jurisdiction over the 
  4.24  certification authority in a civil action for violation of this 
  4.25  chapter. 
  4.26     Subd. 27.  [RECIPIENT.] "Recipient" means a person who 
  4.27  receives or has a digital signature and is in a position to rely 
  4.28  on it. 
  4.29     Subd. 28.  [RECOGNIZED REPOSITORY.] "Recognized repository" 
  4.30  means a repository recognized by the secretary under section 
  4.31  325K.25. 
  4.32     Subd. 29.  [RECOMMENDED RELIANCE LIMIT.] "Recommended 
  4.33  reliance limit" means the monetary amount recommended for 
  4.34  reliance on a certificate under section 325K.17, subdivision 1. 
  4.35     Subd. 30.  [REPOSITORY.] "Repository" means a system for 
  4.36  storing and retrieving certificates and other information 
  5.1   relevant to digital signatures. 
  5.2      Subd. 31.  [REVOKE A CERTIFICATE.] "Revoke a certificate" 
  5.3   means to make a certificate ineffective permanently from a 
  5.4   specified time forward.  Revocation is effected by notation or 
  5.5   inclusion in a set of revoked certificates, and does not imply 
  5.6   that a revoked certificate is destroyed or made illegible. 
  5.7      Subd. 32.  [RIGHTFULLY HOLD A PRIVATE KEY.] "Rightfully 
  5.8   hold a private key" means the authority to utilize a private key:
  5.9      (1) that the holder or the holder's agents have not 
  5.10  disclosed to a person in violation of section 325K.13, 
  5.11  subdivision 1; and 
  5.12     (2) that the holder has not obtained through theft, deceit, 
  5.13  eavesdropping, or other unlawful means. 
  5.14     Subd. 33.  [SECRETARY.] "Secretary" means the Minnesota 
  5.15  secretary of state. 
  5.16     Subd. 34.  [SUBSCRIBER.] "Subscriber" means a person who: 
  5.17     (1) is the subject listed in a certificate; 
  5.18     (2) accepts the certificate; and 
  5.19     (3) holds a private key that corresponds to a public key 
  5.20  listed in that certificate. 
  5.21     Subd. 35.  [SUITABLE GUARANTY.] "Suitable guaranty" means 
  5.22  either a surety bond executed by a surety authorized by the 
  5.23  insurance commissioner to do business in this state, or an 
  5.24  irrevocable letter of credit issued by a financial institution 
  5.25  authorized to do business in this state, that: 
  5.26     (1) is issued payable to the secretary for the benefit of 
  5.27  persons holding qualified rights of payment against the licensed 
  5.28  certification authority named as the principal of the bond or 
  5.29  customer of the letter of credit; 
  5.30     (2) is in an amount specified by rule by the secretary 
  5.31  under section 325K.03; 
  5.32     (3) states that it is issued for filing under this chapter; 
  5.33     (4) specifies a term of effectiveness extending at least as 
  5.34  long as the term of the license to be issued to the 
  5.35  certification authority; and 
  5.36     (5) is in a form prescribed or approved by rule by the 
  6.1   secretary. 
  6.2      A suitable guaranty may also provide that the total annual 
  6.3   liability on the guaranty to all persons making claims based on 
  6.4   it may not exceed the face amount of the guaranty. 
  6.5      Subd. 36.  [SUSPEND A CERTIFICATE.] "Suspend a certificate" 
  6.6   means to make a certificate ineffective temporarily for a 
  6.7   specified time forward. 
  6.8      Subd. 37.  [TIME STAMP.] "Time stamp" means either: 
  6.9      (1) to append or attach to a message, digital signature, or 
  6.10  certificate a digitally signed notation indicating at least the 
  6.11  date, time, and identity of the person appending or attaching 
  6.12  the notation; or 
  6.13     (2) the notation thus appended or attached. 
  6.14     Subd. 38.  [TRANSACTIONAL CERTIFICATE.] "Transactional 
  6.15  certificate" means a valid certificate incorporating by 
  6.16  reference one or more of the digital signatures. 
  6.17     Subd. 39.  [TRUSTWORTHY SYSTEM.] "Trustworthy system" means 
  6.18  a computer hardware and software that: 
  6.19     (1) are reasonably secure from intrusion and misuse; 
  6.20     (2) provide a reasonable level of availability, 
  6.21  reliability, and correct operation; and 
  6.22     (3) are reasonably suited to performing their intended 
  6.23  functions. 
  6.24     Subd. 40.  [VALID CERTIFICATE.] "Valid certificate" means a 
  6.25  certificate that: 
  6.26     (1) a licensed certification authority has issued; 
  6.27     (2) the subscriber listed in it has accepted; 
  6.28     (3) has not been revoked or suspended; and 
  6.29     (4) has not expired. 
  6.30     However, a transactional certificate is a valid certificate 
  6.31  only in relation to the digital signature incorporated in it by 
  6.32  reference. 
  6.33     Subd. 41.  [VERIFY A DIGITAL SIGNATURE.] "Verify a digital 
  6.34  signature" means, in relation to a given digital signature, 
  6.35  message, and public key, to determine accurately that: 
  6.36     (1) the digital signature was created by the private key 
  7.1   corresponding to the public key; and 
  7.2      (2) the message has not been altered since its digital 
  7.3   signature was created. 
  7.4      Sec. 3.  [325K.02] [PURPOSES AND CONSTRUCTION.] 
  7.5      This chapter shall be construed consistently with what is 
  7.6   commercially reasonable under the circumstances and to 
  7.7   effectuate the following purposes: 
  7.8      (1) to facilitate commerce by means of reliable electronic 
  7.9   messages; 
  7.10     (2) to minimize the incidence of forged digital signatures 
  7.11  and fraud in electronic commerce; 
  7.12     (3) to implement legally the general import of relevant 
  7.13  standards, such as X.509 of the International Telecommunication 
  7.14  Union, formerly known as the international telegraph and 
  7.15  telephone consultative committee; and 
  7.16     (4) to establish, in coordination with multiple states, 
  7.17  uniform rules regarding the authentication and reliability of 
  7.18  electronic messages. 
  7.19     Sec. 4.  [325K.03] [ROLE OF THE SECRETARY.] 
  7.20     Subdivision 1.  [TRANSITIONAL DUTY.] If six months elapse 
  7.21  during which time no certification authority is licensed in this 
  7.22  state, then the secretary shall be a certification authority, 
  7.23  and may issue, suspend, and revoke certificates in the manner 
  7.24  prescribed for licensed certification authorities.  Except for 
  7.25  licensing requirements, this chapter applies to the secretary 
  7.26  with respect to certificates the secretary issues.  The 
  7.27  secretary must discontinue acting as a certification authority 
  7.28  if another certification authority is licensed, in a manner 
  7.29  allowing reasonable transition to private enterprise. 
  7.30     Subd. 2.  [RECORD.] The secretary must maintain a publicly 
  7.31  accessible database containing a certification authority 
  7.32  disclosure record for each licensed certification authority.  
  7.33  The secretary must publish the contents of the database in at 
  7.34  least one recognized repository. 
  7.35     Subd. 3.  [RULES.] The secretary must adopt rules 
  7.36  consistent with this chapter and in furtherance of its purposes: 
  8.1      (1) to govern licensed certification authorities, their 
  8.2   practice, and the termination of a certification authority's 
  8.3   practice; 
  8.4      (2) to determine an amount reasonably appropriate for a 
  8.5   suitable guaranty, in light of the burden a suitable guaranty 
  8.6   places upon licensed certification authorities and the assurance 
  8.7   of quality and financial responsibility it provides to persons 
  8.8   who rely on certificates issued by licensed certification 
  8.9   authorities; 
  8.10     (3) to specify reasonable requirements for the form of 
  8.11  certificates issued by licensed certification authorities, in 
  8.12  accordance with generally accepted standards for digital 
  8.13  signature certificates; 
  8.14     (4) to specify reasonable requirements for recordkeeping by 
  8.15  licensed certification authorities; 
  8.16     (5) to specify reasonable requirements for the content, 
  8.17  form, and sources of information in certification authority 
  8.18  disclosure records, the updating and timeliness of the 
  8.19  information, and other practices and policies relating to 
  8.20  certification authority disclosure records; 
  8.21     (6) to specify the form of the certification practice 
  8.22  statements; and 
  8.23     (7) otherwise to give effect to and implement this chapter. 
  8.24     Sec. 5.  [325K.04] [FEES.] 
  8.25     The secretary may adopt rules establishing reasonable fees 
  8.26  for all services rendered under this chapter, in amounts 
  8.27  sufficient to compensate for the costs of all services under 
  8.28  this chapter.  All fees recovered by the secretary must be 
  8.29  deposited in the state general fund. 
  8.30     Sec. 6.  [325K.05] [LICENSURE AND QUALIFICATIONS OF 
  8.32     Subdivision 1.  [LICENSE CONDITIONS.] To obtain or retain a 
  8.33  license, a certification authority must: 
  8.34     (1) be the subscriber of a certificate published in a 
  8.35  recognized repository; 
  8.36     (2) employ as operative personnel only persons who have not 
  9.1   been convicted within the past 15 years of a felony or a crime 
  9.2   involving fraud, false statement, or deception; 
  9.3      (3) employ as operative personnel only persons who have 
  9.4   demonstrated knowledge and proficiency in following the 
  9.5   requirements of this chapter; 
  9.6      (4) file with the secretary a suitable guaranty, unless the 
  9.7   certification authority is a department, office, or official of 
  9.8   a state, city, or county governmental entity, provided that: 
  9.9      (i) each of these public entities act through designated 
  9.10  officials authorized by rule or ordinance to perform 
  9.11  certification authority functions; or 
  9.12     (ii) one of these public entities is the subscriber of all 
  9.13  certificates issued by the certification authority; 
  9.14     (5) have the right to use a trustworthy system, including a 
  9.15  secure means for limiting access to its private key; 
  9.16     (6) present proof to the secretary of having working 
  9.17  capital reasonably sufficient, according to rules adopted by the 
  9.18  secretary, to enable the applicant to conduct business as a 
  9.19  certification authority; 
  9.20     (7) maintain an office in this state or have established a 
  9.21  registered agent for service or process in this state; and 
  9.22     (8) comply with all further licensing requirements 
  9.23  established by rule by the secretary. 
  9.24     Subd. 2.  [LICENSE PROCEDURES.] The secretary must issue a 
  9.25  license to a certification authority that: 
  9.26     (1) is qualified under subdivision 1; 
  9.27     (2) applies in writing to the secretary for a license; and 
  9.28     (3) pays a filing fee adopted by rule by the secretary. 
  9.29     Subd. 3.  [RULES.] The secretary may by rule classify 
  9.30  licenses according to specified limitations, such as a maximum 
  9.31  number of outstanding certificates, cumulative maximum of 
  9.32  recommended reliance limits in certificates issued by the 
  9.33  certification authority, or issuance only within a single firm 
  9.34  or organization, and the secretary may issue licenses restricted 
  9.35  according to the limits of each classification.  A certification 
  9.36  authority acts as an unlicensed certification authority in 
 10.1   issuing a certificate exceeding the restrictions of the 
 10.2   certification authority's license. 
 10.3      Subd. 4.  [REVOCATION OR SUSPENSION.] The secretary may 
 10.4   revoke or suspend a certification authority's license, in 
 10.5   accordance with the administrative procedure act, chapter 14, 
 10.6   for failure to comply with this chapter or for failure to remain 
 10.7   qualified under subdivision 1. 
 10.8      Subd. 5.  [LOCAL AUTHORITIES.] The secretary may recognize 
 10.9   by rule the licensing or authorization of certification 
 10.10  authorities by local, metropolitan, or regional governmental 
 10.11  entities, provided that those licensing or authorization 
 10.12  requirements are substantially similar to those of this state.  
 10.13  If licensing by another governmental entity is so recognized: 
 10.14     (1) sections 325K.19 to 325K.24 apply to certificates 
 10.15  issued by the certification authorities licensed or authorized 
 10.16  by that governmental entity in the same manner as it applies to 
 10.17  licensed certification authorities of this state; and 
 10.18     (2) the liability limits of section 325K.17 apply to the 
 10.19  certification authorities licensed or authorized by that 
 10.20  governmental entity in the same manner as they apply to licensed 
 10.21  certification authorities of this state. 
 10.22     Subd. 6.  [APPLICABILITY TO DIGITAL SIGNATURES.] Unless the 
 10.23  parties provide otherwise by contract between themselves, the 
 10.24  licensing requirements in this section do not affect the 
 10.25  effectiveness, enforceability, or validity of any digital 
 10.26  signature, except that sections 325K.19 to 325K.24 do not apply 
 10.27  in relation to a digital signature that cannot be verified by a 
 10.28  certificate issued by an unlicensed certification authority. 
 10.29     Subd. 7.  [NONAPPLICABILITY.] A certification authority 
 10.30  that has not obtained a license is not subject to the provision 
 10.31  of this chapter. 
 10.32     Sec. 7.  [325K.06] [PERFORMANCE AUDITS.] 
 10.33     Subdivision 1.  [ANNUAL AUDIT; AUDITOR QUALIFICATIONS; 
 10.34  RULES.] A certified public account having expertise in computer 
 10.35  security or an accredited computer security professional must 
 10.36  audit the operations of each licensed certification authority at 
 11.1   least once each year to evaluate compliance with this chapter.  
 11.2   The secretary may by rule specify the qualifications of auditors.
 11.3      Subd. 2.  [COMPLIANCE CATEGORIES.] Based on information 
 11.4   gathered in the audit, the auditor must categorize the licensed 
 11.5   certification authority's compliance as one of the following: 
 11.6      (a) [FULL COMPLIANCE.] The certification authority appears 
 11.7   to conform to all applicable statutory and regulatory 
 11.8   requirements. 
 11.9      (b) [SUBSTANTIAL COMPLIANCE.] The certification authority 
 11.10  appears generally to conform to applicable statutory and 
 11.11  regulatory requirements.  However, one or more instances of 
 11.12  noncompliance or of inability to demonstrate compliance were 
 11.13  found in an audited sample, but were likely to be 
 11.14  inconsequential. 
 11.15     (c) [PARTIAL COMPLIANCE.] The certification authority 
 11.16  appears to comply with some statutory and regulatory 
 11.17  requirements, but was found not to have complied or not be able 
 11.18  to demonstrate compliance with one or more important safeguards. 
 11.19     (d) [NONCOMPLIANCE.] The certification authority complies 
 11.20  with few or none of the statutory and regulatory requirements, 
 11.21  fails to keep adequate records to demonstrate compliance with 
 11.22  more than a few requirements, or refused to submit to an audit. 
 11.23     The secretary shall publish in the certification authority 
 11.24  disclosure record it maintains for the certification authority 
 11.25  the date of the audit and the resulting categorization of the 
 11.26  certification authority. 
 11.27     Subd. 3.  [EXEMPTION FROM AUDIT.] The secretary may exempt 
 11.28  a licensed certification authority from the requirements of 
 11.29  subdivision 1, if: 
 11.30     (1) the certification authority to be exempted requests 
 11.31  exemption in writing; 
 11.32     (2) the most recent performance audit, if any, of the 
 11.33  certification authority resulted in a finding of full or 
 11.34  substantial compliance; and 
 11.35     (3) the certification authority declares under oath, 
 11.36  affirmation, or penalty of perjury that one or more of the 
 12.1   following is true with respect to the certification authority:  
 12.2      (i) the certification authority has issued fewer than six 
 12.3   certificates during the past year and the recommended reliance 
 12.4   limits of all of the certificates do not exceed $10,000; 
 12.5      (ii) the aggregate lifetime of all certificates issued by 
 12.6   the certification authority during the past year is less than 30 
 12.7   days and the recommended reliance limits of all of the 
 12.8   certificates do not exceed $10,000; or 
 12.9      (iii) the recommended reliance limits of all certificates 
 12.10  outstanding and issued by the certification authority total less 
 12.11  than $1,000. 
 12.12     Subd. 4.  [FALSE DECLARATION.] If the certification 
 12.13  authority's declaration under subdivision 3 falsely states a 
 12.14  material fact, the certification authority has failed to comply 
 12.15  with the performance audit requirements of this section. 
 12.16     Subd. 5.  [RECORD OF EXEMPTION.] If a licensed 
 12.17  certification authority is exempt under subdivision 3, the 
 12.18  secretary must publish in the certification authority disclosure 
 12.19  record it maintains for the certification authority that the 
 12.20  certification authority is exempt from the performance audit 
 12.21  requirement. 
 12.22     Sec. 8.  [325K.07] [ENFORCEMENT OF REQUIREMENTS FOR 
 12.24     Subdivision 1.  [INVESTIGATION.] The secretary may 
 12.25  investigate the activities of a licensed certification authority 
 12.26  material to its compliance with this chapter and issue orders to 
 12.27  a certification authority to further its investigation and 
 12.28  secure compliance with this chapter. 
 12.29     Subd. 2.  [SUSPENSION OR REVOCATION.] The secretary may 
 12.30  suspend or revoke the license of a certification authority for 
 12.31  its failure to comply with an order of the secretary. 
 12.32     Subd. 3.  [CIVIL PENALTY.] The secretary may by order 
 12.33  impose and collect a civil monetary penalty for a violation of 
 12.34  this chapter in an amount not to exceed $5,000 per incident, or 
 12.35  90 percent of the recommended reliance limit of a material 
 12.36  certificate, whichever is less.  In case of a violation 
 13.1   continuing for more than one day, each day is considered a 
 13.2   separate incident. 
 13.3      Subd. 4.  [PAYMENT OF COSTS.] The secretary may order a 
 13.4   certification authority, which it has found to be in violation 
 13.5   of this chapter, to pay the costs incurred by the secretary in 
 13.6   prosecuting and adjudicating proceedings relative to the order, 
 13.7   and enforcing it. 
 13.9   RELIEF.] (a) The secretary must exercise authority under this 
 13.10  section in accordance with the administrative procedure act, 
 13.11  chapter 14, and a licensed certification authority may obtain 
 13.12  judicial review of the secretary's actions as prescribed by 
 13.13  chapter 14.  
 13.14     (b) The secretary may also seek injunctive relief to compel 
 13.15  compliance with an order. 
 13.18     Subdivision 1.  [PROHIBITION GENERALLY.] No certification 
 13.19  authority, whether licensed or not, may conduct its business in 
 13.20  a manner that creates an unreasonable risk of loss to 
 13.21  subscribers of the certification authority, to persons relying 
 13.22  on certificates issued by the certification authority, or to a 
 13.23  repository. 
 13.25  SUBSEQUENT ACTION.] The secretary may publish in the repository 
 13.26  it provides, or elsewhere, brief statements advising 
 13.27  subscribers, persons relying on digital signatures, or other 
 13.28  repositories about activities of a certification authority, 
 13.29  whether licensed or not, that create a risk prohibited by 
 13.30  subdivision 1.  The certification authority named in a statement 
 13.31  as creating or causing such a risk may protest the publication 
 13.32  of the statement by filing a written defense of 10,000 bytes or 
 13.33  less.  Upon receipt of a protest, the secretary shall publish 
 13.34  the protest along with the secretary's statement, and shall 
 13.35  promptly give the protesting certification authority notice and 
 13.36  an opportunity to be heard.  Following the hearing, the 
 14.1   secretary shall rescind the advisory statement if its 
 14.2   publication was unwarranted under this section, cancel it if its 
 14.3   publication is no longer warranted, continue or amend it if it 
 14.4   remains warranted, or take further legal action to eliminate or 
 14.5   reduce a risk prohibited by subdivision 1.  The secretary shall 
 14.6   publish its decision in the repository it provides. 
 14.7      Subd. 3.  [ORDERS AND CIVIL ACTIONS.] In the manner 
 14.8   provided by the administrative procedure act, chapter 14, the 
 14.9   secretary may issue orders and obtain injunctions or other civil 
 14.10  relief to prevent or restrain a certification authority from 
 14.11  violating this section, regardless of whether the certification 
 14.12  authority is licensed.  This section does not create a right of 
 14.13  action in a person other than the secretary. 
 14.15  AUTHORITIES.] 
 14.16     Subdivision 1.  [USE OF TRUSTWORTHY SYSTEM.] A licensed 
 14.17  certification authority or subscriber may use only a trustworthy 
 14.18  system: 
 14.19     (1) to issue, suspend, or revoke a certificate; 
 14.20     (2) to publish or give notice of the issuance, suspension, 
 14.21  or revocation of a certificate; or 
 14.22     (3) to create a private key. 
 14.23     Subd. 2.  [DISCLOSURE REQUIRED.] A licensed certification 
 14.24  authority shall disclose any material certification practice 
 14.25  statement and disclose any fact material to either the 
 14.26  reliability of a certificate that it has issued or its ability 
 14.27  to perform its services.  A certification authority may require 
 14.28  a signed, written, and reasonably specific inquiry from an 
 14.29  identified person and payment of reasonable compensation as 
 14.30  conditions precedent to effecting a disclosure required in this 
 14.31  subdivision. 
 14.32     Sec. 11.  [325K.10] [ISSUANCE OF CERTIFICATE.] 
 14.33     Subdivision 1.  [CONDITIONS.] A licensed certification 
 14.34  authority may issue a certificate to a subscriber only after all 
 14.35  of the following conditions are satisfied: 
 14.36     (1) the certification authority has received a request for 
 15.1   issuance signed by the prospective subscriber; and 
 15.2      (2) the certification authority has confirmed that: 
 15.3      (i) the prospective subscriber is the person to be listed 
 15.4   in the certificate to be issued; 
 15.5      (ii) if the prospective subscriber is acting through one or 
 15.6   more agents, the subscriber duly authorized each agent to have 
 15.7   custody of the subscriber's private key and to request issuance 
 15.8   of a certificate listing the corresponding public key; 
 15.9      (iii) the information in the certificate to be issued is 
 15.10  accurate; 
 15.11     (iv) the prospective subscriber rightfully holds the 
 15.12  private key corresponding to the public key to be listed in the 
 15.13  certificate; 
 15.14     (v) the prospective subscriber holds a private key capable 
 15.15  of creating a digital signature; and 
 15.16     (vi) the public key to be listed in the certificate can be 
 15.17  used to verify a digital signature affixed by the private key 
 15.18  held by the prospective subscriber. 
 15.19     The requirements of this subdivision may not be waived or 
 15.20  disclaimed by either the licensed certification authority, the 
 15.21  subscriber, or both. 
 15.22     Subd. 2.  [PUBLICATION.] If the subscriber accepts the 
 15.23  issued certificate, the certification authority shall publish a 
 15.24  signed copy of the certificate in a recognized repository, as 
 15.25  the certification authority and the subscriber named in the 
 15.26  certificate may agree, unless a contract between the 
 15.27  certification authority and the subscriber provides otherwise.  
 15.28  If the subscriber does not accept the certificate, a licensed 
 15.29  certification authority shall not publish it, or shall cancel 
 15.30  its publication if the certificate has already been published. 
 15.31     Subd. 3.  [APPLICATION OF OTHER STANDARDS.] Nothing in this 
 15.32  section precludes a licensed certification authority from 
 15.33  conforming to standards, certification practice statements, 
 15.34  security plans, or contractual requirements more rigorous than, 
 15.35  but nevertheless consistent with, this chapter. 
 15.36     Subd. 4.  [SUSPENSION OR REVOCATION.] After issuing a 
 16.1   certificate, a licensed certification authority shall revoke it 
 16.2   immediately upon confirming that it was not issued as required 
 16.3   by this section.  A licensed certification authority may also 
 16.4   suspend a certificate that it has issued for a reasonable period 
 16.5   not exceeding 48 hours as needed for an investigation to confirm 
 16.6   grounds for revocation under this subdivision.  The 
 16.7   certification authority shall give notice to the subscriber as 
 16.8   soon as practicable after a decision to revoke or suspend under 
 16.9   this subdivision. 
 16.10     Subd. 5.  [ORDER OF SUSPENSION OR REVOCATION.] The 
 16.11  secretary may order the licensed certification authority to 
 16.12  suspend or revoke a certificate that the certification authority 
 16.13  issued if, after giving any required notice and opportunity for 
 16.14  the certification authority and subscriber to be heard in 
 16.15  accordance with the administrative procedure act, chapter 14, 
 16.16  the secretary determines that: 
 16.17     (1) the certificate was issued without substantial 
 16.18  compliance with this section; and 
 16.19     (2) the noncompliance poses a significant risk to persons 
 16.20  reasonably relying on the certificate. 
 16.21     Upon determining that an emergency requires an immediate 
 16.22  remedy, and in accordance with the administrative procedure act, 
 16.23  chapter 14, the secretary may issue an order suspending a 
 16.24  certificate for a period not to exceed 48 hours. 
 16.25     Sec. 12.  [325K.11] [WARRANTIES AND OBLIGATIONS UPON 
 16.27     Subdivision 1.  [ABSOLUTE WARRANTIES TO SUBSCRIBERS.] By 
 16.28  issuing a certificate, a licensed certification authority 
 16.29  warrants to the subscriber named in the certificate that: 
 16.30     (1) the certificate contains no information known to the 
 16.31  certification authority to be false; 
 16.32     (2) the certificate satisfies all material requirements of 
 16.33  this chapter; and 
 16.34     (3) the certification authority has not exceeded any limits 
 16.35  of its license in issuing the certificate. 
 16.36     The certification authority may not disclaim or limit the 
 17.1   warranties of this subdivision. 
 17.3   the subscriber and certification authority otherwise agree, a 
 17.4   certification authority, by issuing a certificate, promises to 
 17.5   the subscriber: 
 17.6      (1) to act promptly to suspend or revoke a certificate in 
 17.7   accordance with section 325K.14 or 325K.15; and 
 17.8      (2) to notify the subscriber within a reasonable time of 
 17.9   any facts known to the certification authority that 
 17.10  significantly affect the validity or reliability of the 
 17.11  certificate once it is issued. 
 17.13  issuing a certificate, a licensed certification authority 
 17.14  certifies to all who reasonably rely on the information 
 17.15  contained in the certificate that: 
 17.16     (1) the information in the certificate and listed as 
 17.17  confirmed by the certification authority is accurate; 
 17.18     (2) all information foreseeably material to the reliability 
 17.19  of the certificate is stated or incorporated by reference within 
 17.20  the certificate; 
 17.21     (3) the subscriber has accepted the certificate; and 
 17.22     (4) the licensed certification authority has complied with 
 17.23  all applicable laws of this state governing issuance of the 
 17.24  certificate. 
 17.25     Subd. 4.  [WARRANTIES FOLLOWING PUBLICATION.] By publishing 
 17.26  a certificate, a licensed certification authority certifies to 
 17.27  the repository in which the certificate is published and to all 
 17.28  who reasonably rely on the information contained in the 
 17.29  certificate that the certification authority has issued the 
 17.30  certificate to the subscriber. 
 17.31     Sec. 13.  [325K.12] [REPRESENTATIONS AND DUTIES UPON 
 17.33     Subdivision 1.  [SUBSCRIBER WARRANTIES.] By accepting a 
 17.34  certificate issued by a licensed certification authority, the 
 17.35  subscriber listed in the certificate certifies to all who 
 17.36  reasonably rely on the information contained in the certificate 
 18.1   that: 
 18.2      (1) the subscriber rightfully holds the private key 
 18.3   corresponding to the public key listed in the certificate; 
 18.4      (2) all representations made by the subscriber to the 
 18.5   certification authority and material to the information listed 
 18.6   in the certificate are true; and 
 18.7      (3) all material representations made by the subscriber to 
 18.8   a certification authority or made in the certificate and not 
 18.9   confirmed by the certification authority in issuing the 
 18.10  certificate are true. 
 18.11     Subd. 2.  [AGENT WARRANTIES.] By requesting on behalf of a 
 18.12  principal the issuance of a certificate naming the principal as 
 18.13  subscriber, the requesting person certifies in that person's own 
 18.14  right to all who reasonably rely on the information contained in 
 18.15  the certificate that the requesting person: 
 18.16     (1) holds all authority legally required to apply for 
 18.17  issuance of a certificate naming the principal as subscriber; 
 18.18  and 
 18.19     (2) has authority to sign digitally on behalf of the 
 18.20  principal, and, if that authority is limited in any way, 
 18.21  adequate safeguards exist to prevent a digital signature 
 18.22  exceeding the bounds of the person's authority. 
 18.23     Subd. 3.  [DISCLAIMER LIMITATIONS.] No person may disclaim 
 18.24  or contractually limit the application of this section, nor 
 18.25  obtain indemnity for its effects, if the disclaimer, limitation, 
 18.26  or indemnity restricts liability for misrepresentation as 
 18.27  against persons reasonably relying on the certificate. 
 18.29  accepting a certificate, a subscriber undertakes to indemnify 
 18.30  the issuing certification authority for loss or damage caused by 
 18.31  issuance or publication of a certificate in reliance on: 
 18.32     (1) a false and material representation of fact by the 
 18.33  subscriber; or 
 18.34     (2) the failure by the subscriber to disclose a material 
 18.35  fact if the representation or failure to disclose was made 
 18.36  either with intent to deceive the certification authority or a 
 19.1   person relying on the certificate, or with negligence.  If the 
 19.2   certification authority issued the certificate at the request of 
 19.3   one or more agents of the subscriber, the agent or agents 
 19.4   personally undertake to indemnify the certification authority 
 19.5   under this subdivision, as if they were accepting subscribers in 
 19.6   their own right.  The indemnity provided in this section may not 
 19.7   be disclaimed or contractually limited in scope.  However, a 
 19.8   contract may provide consistent, additional terms regarding the 
 19.9   indemnification. 
 19.10     Subd. 5.  [CERTIFIED ACCURACY.] In obtaining information of 
 19.11  the subscriber material to issuance of a certificate, the 
 19.12  certification authority may require the subscriber to certify 
 19.13  the accuracy of relevant information under oath or affirmation 
 19.14  of truthfulness and under penalty of perjury. 
 19.15     Sec. 14.  [325K.13] [CONTROL OF PRIVATE KEY.] 
 19.16     Subdivision 1.  [DUTY.] By accepting a certificate issued 
 19.17  by a licensed certification authority, the subscriber identified 
 19.18  in the certificate assumes a duty to exercise reasonable care to 
 19.19  retain control of the private key and prevent its disclosure to 
 19.20  a person not authorized to create the subscriber's digital 
 19.21  signature. 
 19.22     Subd. 2.  [PRIVATE PROPERTY.] A private key is the personal 
 19.23  property of the subscriber who rightfully holds it. 
 19.24     Subd. 3.  [AUTHORITY AS FIDUCIARY.] If a certification 
 19.25  authority holds the private key corresponding to a public key 
 19.26  listed in a certificate that it has issued, the certification 
 19.27  authority holds the private key as a fiduciary of the subscriber 
 19.28  named in the certificate, and may use that private key only with 
 19.29  the subscriber's prior written approval, unless the subscriber 
 19.30  expressly grants the private key to the certification authority 
 19.31  and expressly permits the certification authority to hold the 
 19.32  private key according to other terms. 
 19.33     Sec. 15.  [325K.14] [SUSPENSION OF CERTIFICATE.] 
 19.34     Subdivision 1.  [SUSPENSION FOR 48 HOURS.] Unless the 
 19.35  certification authority and the subscriber agree otherwise, the 
 19.36  licensed certification authority that issued a certificate that 
 20.1   is not a transactional certificate must suspend the certificate 
 20.2   for a period not to exceed 48 hours: 
 20.3      (1) upon request by a person identifying himself or herself 
 20.4   as the subscriber named in the certificate, or as a person in a 
 20.5   position likely to know of a compromise of the security of a 
 20.6   subscriber's private key, such as an agent, business associate, 
 20.7   employee, or member of the immediate family of the subscriber; 
 20.8   or 
 20.9      (2) by order of the secretary under section 325K... 
 20.10     The certification authority need not confirm the identity 
 20.11  or agency of the person requesting suspension. 
 20.12     Subd. 2.  [SUSPENSION FOR 48 HOURS; OTHER CAUSES.] (a) 
 20.13  Unless the certificate provides otherwise or the certificate is 
 20.14  a transactional certificate, the secretary or a county clerk may 
 20.15  suspend a certificate issued by a licensed certification 
 20.16  authority for a period of 48 hours, if: 
 20.17     (1) a person identifying himself or herself as the 
 20.18  subscriber named in the certificate or as an agent, business 
 20.19  associate, employee, or member of the immediate family of the 
 20.20  subscriber requests suspension; and 
 20.21     (2) the requester represents that the certification 
 20.22  authority that issued the certificate is unavailable. 
 20.23     (b) The secretary or county clerk may require the person 
 20.24  requesting suspension to provide evidence, including a statement 
 20.25  under oath or affirmation, regarding the requester's identity, 
 20.26  authorization, or the unavailability of the issuing 
 20.27  certification authority, and may decline to suspend the 
 20.28  certificate in its discretion.  The secretary or law enforcement 
 20.29  agencies may investigate suspensions by the secretary or county 
 20.30  clerk for possible wrongdoing by persons requesting suspension. 
 20.31     Subd. 3.  [NOTICE OF SUSPENSION.] Immediately upon 
 20.32  suspension of a certificate by a licensed certification 
 20.33  authority, the licensed certification authority shall give 
 20.34  notice of the suspension according to the specification in the 
 20.35  certificate.  If one or more repositories are specified, then 
 20.36  the licensed certification authority must publish a signed 
 21.1   notice of the suspension in all the repositories.  If a 
 21.2   repository no longer exists or refuses to accept publication, or 
 21.3   if no repository is recognized under section 325K..., the 
 21.4   licensed certification authority must also publish the notice in 
 21.5   a recognized repository.  If a certificate is suspended by the 
 21.6   secretary or county clerk, the secretary or clerk must give 
 21.7   notice as required in this subdivision for a licensed 
 21.8   certification authority, provided that the person requesting 
 21.9   suspension pays in advance any fee required by a repository for 
 21.10  publication of the notice of suspension. 
 21.11     Subd. 4.  [TERMINATING SUSPENSION.] A certification 
 21.12  authority must terminate a suspension initiated by request only: 
 21.13     (1) if the subscriber named in the suspended certificate 
 21.14  requests termination of the suspension and the certification 
 21.15  authority has confirmed that the person requesting suspension is 
 21.16  the subscriber or an agent of the subscriber authorized to 
 21.17  terminate the suspension; or 
 21.18     (2) when the certification authority discovers and confirms 
 21.19  that the request for the suspension was made without 
 21.20  authorization by the subscriber.  However, this clause does not 
 21.21  require the certification authority to confirm a request for 
 21.22  suspension. 
 21.23     Subd. 5.  [CONTRACT LIMITATION OR PRECLUSION.] The contract 
 21.24  between a subscriber and a licensed certification authority may 
 21.25  limit or preclude requested suspension by the certification 
 21.26  authority, or may provide otherwise for termination of a 
 21.27  requested suspension.  However, if the contract limits or 
 21.28  precludes suspension by the secretary or county clerk when the 
 21.29  issuing certification authority is unavailable, the limitation 
 21.30  or preclusion is effective only if notice of it is published in 
 21.31  the certificate. 
 21.32     Subd. 6.  [MISREPRESENTATION.] No person may knowingly or 
 21.33  intentionally misrepresent to a certification authority the 
 21.34  person's identity or authorization in requesting suspension of a 
 21.35  certificate.  Violation of this subdivision is a misdemeanor. 
 21.36     Subd. 7.  [EFFECT ON SUBSCRIBER.] The subscriber is 
 22.1   released from the duty to keep the private key secure under 
 22.2   section 325K.13, subdivision 1, while the certificate is 
 22.3   suspended. 
 22.4      Sec. 16.  [325K.15] [CERTIFICATE REVOCATION.] 
 22.5      Subdivision 1.  [AFTER REQUEST.] A licensed certification 
 22.6   authority must revoke a certificate that it issued but which is 
 22.7   not a transactional certificate, after: 
 22.8      (1) receiving a request for revocation by the subscriber 
 22.9   named in the certificate; and 
 22.10     (2) confirming that the person requesting revocation is the 
 22.11  subscriber, or is an agent of the subscriber with authority to 
 22.12  request the revocation. 
 22.13     Subd. 2.  [AFTER IDENTITY CONFIRMED.] A licensed 
 22.14  certification authority must confirm a request for revocation 
 22.15  and revoke a certificate within one business day after receiving 
 22.16  both a subscriber's written request and evidence reasonably 
 22.17  sufficient to confirm the identity and any agency of the person 
 22.18  requesting the suspension. 
 22.19     Subd. 3.  [AFTER DEATH OR DISSOLUTION.] A licensed 
 22.20  certification authority must revoke a certificate that it issued:
 22.21     (1) upon receiving a certified copy of the subscriber's 
 22.22  death certificate, or upon confirming by other evidence that the 
 22.23  subscriber is dead; or 
 22.24     (2) upon presentation of documents effecting a dissolution 
 22.25  of the subscriber, or upon confirming by other evidence that the 
 22.26  subscriber has been dissolved or has ceased to exist. 
 22.27     Subd. 4.  [UNRELIABLE CERTIFICATE.] A licensed 
 22.28  certification authority may revoke one or more certificates that 
 22.29  it issued if the certificates are or become unreliable, 
 22.30  regardless of whether the subscriber consents to the revocation 
 22.31  and notwithstanding a provision to the contrary in a contract 
 22.32  between the subscriber and certification authority. 
 22.33     Subd. 5.  [NOTICE OF REVOCATION.] Immediately upon 
 22.34  revocation of a certificate by a licensed certification 
 22.35  authority, the licensed certification authority must give notice 
 22.36  of the revocation according to the specification in the 
 23.1   certificate.  If one or more repositories are specified, then 
 23.2   the licensed certification authority must publish a signed 
 23.3   notice of the revocation in all repositories.  If a repository 
 23.4   no longer exists or refuses to accept publication, or if no 
 23.5   repository is recognized under section 325K.13, then the 
 23.6   licensed certification authority must also publish the notice in 
 23.7   a recognized repository. 
 23.9   subscriber ceases to certify, as provided in section 325K.12, 
 23.10  and has no further duty to keep the private key secure, as 
 23.11  required by section 325K.13, in relation to the certificate 
 23.12  whose revocation the subscriber has requested, beginning at the 
 23.13  earlier of either: 
 23.14     (1) when notice of the revocation is published as required 
 23.15  in subdivision 5; or 
 23.16     (2) one business day after the subscriber requests 
 23.17  revocation in writing, supplies to the issuing certification 
 23.18  authority information reasonably sufficient to confirm the 
 23.19  request, and pays any contractually required fee. 
 23.20     Subd. 7.  [WARRANTIES DISCHARGED.] Upon notification as 
 23.21  required by subdivision 5, a licensed certification authority is 
 23.22  discharged of its warranties based on issuance of the revoked 
 23.23  certificate and ceases to certify as provided in section 
 23.24  325K.11, subdivisions 2 and 3, in relation to the revoked 
 23.25  certificate. 
 23.26     Sec. 17.  [325K.16] [CERTIFICATE EXPIRATION.] 
 23.27     Subdivision 1.  [EXPIRATION DATE.] A certificate must 
 23.28  indicate the date on which it expires. 
 23.29     Subd. 2.  [EFFECT OF EXPIRATION.] When a certificate 
 23.30  expires, the subscriber and certification authority cease to 
 23.31  certify as provided in this chapter and the certification 
 23.32  authority is discharged of its duties based on issuance, in 
 23.33  relation to the expired certificate. 
 23.34     Sec. 18.  [325K.17] [RECOMMENDED RELIANCE LIMITS AND 
 23.35  LIABILITY.] 
 23.36     Subdivision 1.  [TOTAL AMOUNT AT RISK.] By specifying a 
 24.1   recommended reliance limit in a certificate, the issuing 
 24.2   certification authority and accepting subscriber recommend that 
 24.3   persons rely on the certificate only to the extent that the 
 24.4   total amount at risk does not exceed the recommended reliance 
 24.5   limit. 
 24.6      Subd. 2.  [LIABILITY.] Unless a licensed certification 
 24.7   authority waives application of this subdivision, a licensed 
 24.8   certification authority is: 
 24.9      (1) not liable for a loss caused by reliance on a false or 
 24.10  forged digital signature of a subscriber, if, with respect to 
 24.11  the false or forged digital signature, the certification 
 24.12  authority complied with all material requirements of this 
 24.13  chapter; 
 24.14     (2) not liable in excess of the amount specified in the 
 24.15  certificate as its recommended reliance limit for either: 
 24.16     (i) a loss caused by reliance on a misrepresentation in the 
 24.17  certificate of a fact that the licensed certification authority 
 24.18  is required to confirm; or 
 24.19     (ii) failure to comply with section 325K.10 in issuing the 
 24.20  certificate; 
 24.21     (3) liable only for direct compensatory damages in an 
 24.22  action to recover a loss due to reliance on the certificate, 
 24.23  provided that direct compensatory damages do not include: 
 24.24     (i) punitive or exemplary damages, and nothing in this 
 24.25  chapter may be interpreted to permit punitive or exemplary 
 24.26  damages that would not otherwise be permitted by Minnesota law; 
 24.27     (ii) damages for lost profits or opportunity; or 
 24.28     (iii) damages for pain or suffering. 
 24.29     Sec. 19.  [325K.18] [COLLECTION BASED ON SUITABLE 
 24.30  GUARANTY.] 
 24.31     Subdivision 1.  [BOND OR LETTER OF CREDIT.] (a) If the 
 24.32  suitable guaranty is a surety bond, a person may recover from 
 24.33  the surety the full amount of a qualified right to payment 
 24.34  against the principal named in the bond, or, if there is more 
 24.35  than one such qualified right to payment during the term of the 
 24.36  bond, a ratable share, up to a maximum total liability of the 
 25.1   surety equal to the amount of the bond. 
 25.2      (b) If the suitable guaranty is a letter of credit, a 
 25.3   person may recover from the issuing financial institution only 
 25.4   in accordance with the terms of the letter of credit. 
 25.5      (c) Claimants may recover successively on the same suitable 
 25.6   guaranty, provided that the total liability on the suitable 
 25.7   guaranty to all persons making qualified rights of payment 
 25.8   during its term must not exceed the amount of the suitable 
 25.9   guaranty. 
 25.10     Subd. 2.  [ATTORNEY FEES AND COURT COSTS.] (a) Subject to 
 25.11  paragraph (b), in addition to recovering the amount of a 
 25.12  qualified right to payment, a claimant may recover: 
 25.13     (1) from the proceeds of the guaranty, until depleted; 
 25.14     (2) the attorneys' fees, reasonable in amount; and 
 25.15     (3) court costs incurred by the claimant in collecting the 
 25.16  claim.  
 25.17     (b) However, the total liability on the suitable guaranty 
 25.18  to all persons making qualified rights of payment or recovering 
 25.19  attorneys' fees during its term must not exceed the amount of 
 25.20  the suitable guaranty. 
 25.21     Subd. 3.  [QUALIFIED RIGHT TO PAYMENT.] (a) To recover a 
 25.22  qualified right to payment against a surety or issuer of a 
 25.23  suitable guaranty, the claimant must: 
 25.24     (1) file written notice of the claim with the secretary 
 25.25  stating the name and address of the claimant, the amount 
 25.26  claimed, and the grounds for the qualified right to payment, and 
 25.27  any other information required by rule by the secretary; and 
 25.28     (2) append to the notice a certified copy of the judgment 
 25.29  on which the qualified right to payment is based. 
 25.30     (b) Recovery of a qualified right to payment from the 
 25.31  proceeds of the suitable guaranty is barred unless the claimant 
 25.32  substantially complies with this subdivision. 
 25.33     Subd. 4.  [STATUTE OF LIMITATIONS.] Recovery of a qualified 
 25.34  right to payment from the proceeds of a suitable guaranty are 
 25.35  forever barred unless notice of the claim is filed as required 
 25.36  in subdivision 3, paragraph (a), clause (1), within three years 
 26.1   after the occurrence of the violation of this chapter that is 
 26.2   the basis for the claim.  Notice under this subdivision need not 
 26.3   include the requirement imposed by subdivision 3, paragraph (a), 
 26.4   clause (2). 
 26.5      Sec. 20.  [325K.19] [SATISFACTION OF SIGNATURE 
 26.7      (a) Where a rule of law requires a signature, or provides 
 26.8   for certain consequences in the absence of a signature, that 
 26.9   rule is satisfied by a digital signature, if: 
 26.10     (1) no party affected by a digital signature objects to the 
 26.11  use of digital signatures in lieu of a signature, and the 
 26.12  objection may be evidenced by refusal to provide or accept a 
 26.13  digital signature; 
 26.14     (2) that digital signature is verified by reference to the 
 26.15  public key listed in a valid certificate issued by a licensed 
 26.16  certification authority; 
 26.17     (3) that digital signature was affixed by the signer with 
 26.18  the intention of signing the message and after the signer has 
 26.19  had an opportunity to review items being signed; and 
 26.20     (4) the recipient has no knowledge or notice that the 
 26.21  signer either: 
 26.22     (i) breached a duty as a subscriber; or 
 26.23     (ii) does not rightfully hold the private key used to affix 
 26.24  the digital signature. 
 26.25     (b) However, nothing in this chapter precludes a mark from 
 26.26  being valid as a signature under other applicable law. 
 26.27     Sec. 21.  [325K.20] [UNRELIABLE DIGITAL SIGNATURES.] 
 26.28     Unless otherwise provided by law or contract, the recipient 
 26.29  of a digital signature assumes the risk that a digital signature 
 26.30  is forged, if reliance on the digital signature is not 
 26.31  reasonable under the circumstances.  If the recipient determines 
 26.32  not to rely on a digital signature under this section, the 
 26.33  recipient determines not to rely on a digital signature under 
 26.34  this section, the recipient must promptly notify the signer of 
 26.35  any determination not to rely on a digital signature and the 
 26.36  grounds for that determination.  Nothing in this chapter shall 
 27.1   be construed to obligate a person to accept a digital signature 
 27.2   or to respond to an electronic message containing a digital 
 27.3   signature. 
 27.4      Sec. 22.  [325K.21] [DIGITALLY SIGNED DOCUMENT IS WRITTEN.] 
 27.5      (a) A message is as valid, enforceable, and effective as if 
 27.6   it had been written on paper, if it: 
 27.7      (1) bears in its entirety a digital signature; and 
 27.8      (2) that digital signature is verified by the public key 
 27.9   listed in a certificate that: 
 27.10     (i) was issued by a licensed certification authority; and 
 27.11     (ii) was valid at the time the digital signature was 
 27.12  created. 
 27.13     (b) Nothing in this chapter shall be construed to 
 27.14  eliminate, modify, or condition any other requirements for a 
 27.15  contract to be valid, enforceable, and effective.  No digital 
 27.16  message shall be deemed to be an instrument under the provisions 
 27.17  of section 336.3-104 unless all parties to the transaction agree.
 27.18     Sec. 23.  [325K.22] [DIGITALLY SIGNED ORIGINALS.] 
 27.19     A copy of a digitally signed message is as effective, 
 27.20  valid, and enforceable as the original of the message, unless it 
 27.21  is evident that the signer designated an instance of the 
 27.22  digitally signed message to be a unique original, in which case 
 27.23  only that instance constitutes the valid, effective, and 
 27.24  enforceable message. 
 27.25     Sec. 24.  [325K.23] [CERTIFICATE AS ACKNOWLEDGMENT.] 
 27.26     Unless otherwise provided by law or contract, a certificate 
 27.27  issued by a licensed certification authority is an 
 27.28  acknowledgment of a digital signature verified by reference to 
 27.29  the public key listed in the certificate, regardless of whether 
 27.30  words of an express acknowledgment appear with the digital 
 27.31  signature and regardless of whether the signer physically 
 27.32  appeared before the certification authority when the digital 
 27.33  signature was created, if that digital signature is: 
 27.34     (1) verifiable by that certificate; and 
 27.35     (2) affixed when that certificate was valid. 
 27.36     Sec. 25.  [325K.24] [PRESUMPTIONS IN ADJUDICATING 
 28.1   DISPUTES.] 
 28.2      In adjudicating a dispute involving a digital signature, a 
 28.3   court of this state presumes that: 
 28.4      (a) A certificate digitally signed by a licensed 
 28.5   certification authority and either published in a recognized 
 28.6   repository, or made available by the issuing certification 
 28.7   authority or by the subscriber listed in the certificate is 
 28.8   issued by the certification authority that digitally signed it 
 28.9   and is accepted by the subscriber listed in it. 
 28.10     (b) The information listed in a valid certificate and 
 28.11  confirmed by a licensed certification authority issuing the 
 28.12  certificate is accurate. 
 28.13     (c) If a digital signature is verified by the public key 
 28.14  listed in a valid certificate issued by a licensed certification 
 28.15  authority: 
 28.16     (1) that digital signature is the digital signature of the 
 28.17  subscriber listed in that certificate; 
 28.18     (2) that digital signature was affixed by that subscriber 
 28.19  with the intention of signing the message; and 
 28.20     (3) the recipient of that digital signature has no 
 28.21  knowledge or notice that the signer: 
 28.22     (i) breached a duty as a subscriber; or 
 28.23     (ii) does not rightfully hold the private key used to affix 
 28.24  the digital signature. 
 28.25     (d) A digital signature was created before it was time 
 28.26  stamped by a disinterested person utilizing a trustworthy system.
 28.27     Sec. 26.  [325K.25] [RECOGNITION OF REPOSITORIES.] 
 28.28     Subdivision 1.  [CONDITIONS.] The secretary must recognize 
 28.29  one or more repositories, after finding that a repository to be 
 28.30  recognized: 
 28.31     (1) is operated under the direction of a licensed 
 28.32  certification authority; 
 28.33     (2) includes a database containing: 
 28.34     (i) certificates published in the repository; 
 28.35     (ii) notices of suspended or revoked certificates published 
 28.36  by licensed certification authorities or other persons 
 29.1   suspending or revoking certificates; 
 29.2      (iii) certification authority disclosure records for 
 29.3   licensed certification authorities; 
 29.4      (iv) all orders or advisory statements published by the 
 29.5   secretary in regulating certification authorities; and 
 29.6      (v) other information adopted by rule by the secretary; 
 29.7      (3) operates by means of a trustworthy system; 
 29.8      (4) contains no significant amount of information that is 
 29.9   known or likely to be untrue, inaccurate, or not reasonably 
 29.10  reliable; 
 29.11     (5) contains certificates published by certification 
 29.12  authorities that conform to legally binding requirements that 
 29.13  the secretary finds to be substantially similar to, or more 
 29.14  stringent toward the certification authorities, than those of 
 29.15  this state; 
 29.16     (6) keeps an archive of certificates that have been 
 29.17  suspended or revoked, or that have expired, within at least the 
 29.18  past three years; and 
 29.19     (7) complies with other reasonable requirements adopted by 
 29.20  rule by the secretary. 
 29.21     Subd. 2.  [APPLICATION.] A repository may apply to the 
 29.22  secretary for recognition by filing a written request and 
 29.23  providing evidence to the secretary sufficient for the secretary 
 29.24  to find that the conditions for recognition are satisfied. 
 29.25     Subd. 3.  [RECOGNITION DISCONTINUED.] A repository may 
 29.26  discontinue its recognition by filing 30 days' written notice 
 29.27  with the secretary.  In addition, the secretary may discontinue 
 29.28  recognition of a repository in accordance with the 
 29.29  administrative procedure act, chapter 14, if it concludes that 
 29.30  the repository no longer satisfies the conditions for 
 29.31  recognition listed in this section or in rules adopted by the 
 29.32  secretary. 
 29.33     Sec. 27.  [325K.26] [LIABILITY OF REPOSITORIES.] 
 29.34     Subdivision 1.  [REASONABLE RELIANCE.] Notwithstanding a 
 29.35  disclaimer by the repository or a contract to the contrary 
 29.36  between the repository, a certification authority, or a 
 30.1   subscriber, a repository is liable for a loss incurred by a 
 30.2   person reasonably relying on a digital signature verified by the 
 30.3   public key listed in a suspended or revoked certificate, if loss 
 30.4   was incurred more than one business day after receipt by the 
 30.5   repository of a request to publish notice of the suspension or 
 30.6   revocation, and the repository had failed to publish the notice 
 30.7   when the person relied on the digital signature. 
 30.8      Subd. 2.  [LIMITATIONS.] Unless waived, a recognized 
 30.9   repository or the owner or operator of a recognized repository 
 30.10  is: 
 30.11     (1) not liable for failure to record publication of a 
 30.12  suspension or revocation, unless the repository has received 
 30.13  notice of publication and one business day has elapsed since the 
 30.14  notice was received; 
 30.15     (2) not liable under subdivision 1 in excess of the amount 
 30.16  specified in the certificate as the recommended reliance limit; 
 30.17     (3) liable under subdivision 1 only for direct compensatory 
 30.18  damages, which do not include: 
 30.19     (i) punitive or exemplary damages; 
 30.20     (ii) damages for lost profits or opportunity; or 
 30.21     (iii) damages for pain or suffering; 
 30.22     (4) not liable for misrepresentation in a certificate 
 30.23  published by a licensed certification authority; 
 30.24     (5) not liable for accurately recording or reporting 
 30.25  information that a licensed certification authority, or court 
 30.26  clerk, or the secretary has published as required or permitted 
 30.27  in this chapter, including information about suspension or 
 30.28  revocation of a certificate; and 
 30.29     (6) not liable for reporting information about a 
 30.30  certification authority, a certificate, or a subscriber, if the 
 30.31  information is published as required or permitted in this 
 30.32  chapter or a rule adopted by the secretary, or is published by 
 30.33  order of the secretary in the performance of the licensing and 
 30.34  regulatory duties of that office under this chapter. 
 30.35     Sec. 28.  [325K.27] [RULEMAKING.] 
 30.36     The secretary may adopt rules effective July 1, 1998, to 
 31.1   implement this chapter. 
 31.2      Sec. 29.  [EFFECTIVE DATE.] 
 31.3      Sections 1 to 27 are effective January 1, 1999.  Section 28 
 31.4   is effective the day following final enactment.