Office of the Revisor of Statutes
Minnesota Session Laws - 1997, Regular Session
Key: (1) language to be deleted (2) new language
CHAPTER 178-S.F.No. 173
An act relating to commerce; providing for the use,
validity, and security of electronic signatures and
messages transmitted in commerce; prescribing
penalties; proposing coding for new law as Minnesota
Statutes, chapter 325K.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1. [SHORT TITLE.]
This chapter may be cited as the Minnesota Electronic
Authentication Act.
Sec. 2. [325K.01] [DEFINITIONS.]
Subdivision 1. [SCOPE.] Unless the context clearly
requires otherwise, the terms used in this chapter have the
meanings given them in this section.
Subd. 2. [ACCEPT A CERTIFICATE.] "Accept a certificate"
means either:
(1) to manifest approval of a certificate, while knowing or
having notice of its contents; or
(2) to apply to a licensed certification authority for a
certificate, without canceling or revoking the application by
delivering notice of the cancellation or revocation to the
certification authority and obtaining a signed, written receipt
from the certification authority, if the certification authority
subsequently issues a certificate based on the application.
Subd. 3. [ASYMMETRIC CRYPTOSYSTEM.] "Asymmetric
cryptosystem" means an algorithm or series of algorithms that
provide a secure key pair.
Subd. 4. [CERTIFICATE.] "Certificate" means a
computer-based record that:
(1) identifies the certification authority issuing it;
(2) names or identifies its subscriber;
(3) contains the subscriber's public key; and
(4) is digitally signed by the certification authority
issuing it.
Subd. 5. [CERTIFICATION AUTHORITY.] "Certification
authority" means a person who issues a certificate.
Subd. 6. [CERTIFICATION AUTHORITY DISCLOSURE
RECORD.] "Certification authority disclosure record" means an
on-line, publicly accessible record that concerns a licensed
certification authority and is kept by the secretary. A
certification authority disclosure record has the contents
specified by rule by the secretary under section 325K.03.
Subd. 7. [CERTIFICATION PRACTICE
STATEMENT.] "Certification practice statement" means a
declaration of the practices that a certification authority
employs in issuing certificates generally, or employed in
issuing a material certificate.
Subd. 8. [CERTIFY.] "Certify" means to declare with
reference to a certificate, with ample opportunity to reflect,
and with a duty to apprise oneself of all material facts.
Subd. 9. [CONFIRM.] "Confirm" means to ascertain through
appropriate inquiry and investigation.
Subd. 10. [CORRESPOND.] "Correspond," with reference to
keys, means to belong to the same key pair.
Subd. 11. [DIGITAL SIGNATURE.] "Digital signature" means a
transformation of a message using an asymmetric cryptosystem
such that a person having the initial message and the signer's
public key can accurately determine:
(1) whether the transformation was created using the
private key that corresponds to the signer's public key; and
(2) whether the initial message has been altered since the
transformation was made.
Subd. 12. [FINANCIAL INSTITUTION.] "Financial institution"
means a national or state-chartered commercial bank or trust
company, savings bank, savings association, or credit union
authorized to do business in the state of Minnesota and the
deposits of which are federally insured.
Subd. 13. [FORGE A DIGITAL SIGNATURE.] "Forge a digital
signature" means either:
(1) to create a digital signature without the authorization
of the rightful holder of the private key; or
(2) to create a digital signature verifiable by a
certificate listing as subscriber a person who either:
(i) does not exist; or
(ii) does not hold the private key corresponding to the
public key listed in the certificate.
Subd. 14. [HOLD A PRIVATE KEY.] "Hold a private key" means
to be authorized to utilize a private key.
Subd. 15. [INCORPORATE BY REFERENCE.] "Incorporate by
reference" means to make one message a part of another message
by identifying the message to be incorporated and expressing the
intention that it be incorporated.
Subd. 16. [ISSUE A CERTIFICATE.] "Issue a certificate"
means the acts of a certification authority in creating a
certificate and notifying the subscriber listed in the
certificate of the contents of the certificate.
Subd. 17. [KEY PAIR.] "Key pair" means a private key and
its corresponding public key in an asymmetric cryptosystem, keys
which have the property that the public key can verify a digital
signature that the private key creates.
Subd. 18. [LICENSED CERTIFICATION AUTHORITY.] "Licensed
certification authority" means a certification authority to whom
a license has been issued by the secretary and whose license is
in effect.
Subd. 19. [MESSAGE.] "Message" means a digital
representation of information.
Subd. 20. [NOTIFY.] "Notify" means to communicate a fact
to another person in a manner reasonably likely under the
circumstances to impart knowledge of the information to the
other person.
Subd. 21. [OPERATIVE PERSONNEL.] "Operative personnel"
means one or more natural persons acting as a certification
authority or its agent, or in the employment of, or under
contract with, a certification authority, and who have:
(1) managerial or policymaking responsibilities for the
certification authority; or
(2) duties directly involving the issuance of certificates,
creation of private keys, or administration of a certification
authority's computing facilities.
Subd. 22. [PERSON.] "Person" means a human being or an
organization capable of signing a document, either legally or as
a matter of fact.
Subd. 23. [PRIVATE KEY.] "Private key" means the key of a
key pair used to create a digital signature.
Subd. 24. [PUBLIC KEY.] "Public key" means the key of a
key pair used to verify a digital signature.
Subd. 25. [PUBLISH.] "Publish" means to record or file in
a repository.
Subd. 26. [QUALIFIED RIGHT TO PAYMENT.] "Qualified right
to payment" means an award of damages against a licensed
certification authority by a court having jurisdiction over the
certification authority in a civil action for violation of this
chapter.
Subd. 27. [RECIPIENT.] "Recipient" means a person who
receives or has a digital signature and is in a position to rely
on it.
Subd. 28. [RECOGNIZED REPOSITORY.] "Recognized repository"
means a repository recognized by the secretary under section
325K.25.
Subd. 29. [RECOMMENDED RELIANCE LIMIT.] "Recommended
reliance limit" means the monetary amount recommended for
reliance on a certificate under section 325K.17.
Subd. 30. [REPOSITORY.] "Repository" means a system for
storing and retrieving certificates and other information
relevant to digital signatures.
Subd. 31. [REVOKE A CERTIFICATE.] "Revoke a certificate"
means to make a certificate ineffective permanently from a
specified time forward. Revocation is effected by notation or
inclusion in a set of revoked certificates, and does not imply
that a revoked certificate is destroyed or made illegible.
Subd. 32. [RIGHTFULLY HOLD A PRIVATE KEY.] "Rightfully
hold a private key" means the authority to utilize a private key:
(1) that the holder or the holder's agents have not
disclosed to a person in violation of section 325K.13,
subdivision 1; and
(2) that the holder has not obtained through theft, deceit,
eavesdropping, or other unlawful means.
Subd. 33. [SECRETARY.] "Secretary" means the Minnesota
secretary of state.
Subd. 34. [SUBSCRIBER.] "Subscriber" means a person who:
(1) is the subject listed in a certificate;
(2) accepts the certificate; and
(3) holds a private key that corresponds to a public key
listed in that certificate.
Subd. 35. [SUITABLE GUARANTY.] "Suitable guaranty" means
either a surety bond executed by a surety authorized by the
commissioner of commerce to do business in this state, or an
irrevocable letter of credit issued by a financial institution
authorized to do business in this state, that:
(1) is issued payable to the secretary for the benefit of
persons holding qualified rights of payment against the licensed
certification authority named as the principal of the bond or
customer of the letter of credit;
(2) is in an amount specified by rule by the secretary
under section 325K.03;
(3) states that it is issued for filing under this chapter;
(4) specifies a term of effectiveness extending at least as
long as the term of the license to be issued to the
certification authority; and
(5) is in a form prescribed or approved by rule by the
secretary.
A suitable guaranty may also provide that the total annual
liability on the guaranty to all persons making claims based on
it may not exceed the face amount of the guaranty.
Subd. 36. [SUSPEND A CERTIFICATE.] "Suspend a certificate"
means to make a certificate ineffective temporarily for a
specified time forward.
Subd. 37. [TIME STAMP.] "Time stamp" means either:
(1) to append or attach to a message, digital signature, or
certificate a digitally signed notation indicating at least the
date, time, and identity of the person appending or attaching
the notation; or
(2) the notation thus appended or attached.
Subd. 38. [TRANSACTIONAL CERTIFICATE.] "Transactional
certificate" means a valid certificate incorporating by
reference one or more of the digital signatures.
Subd. 39. [TRUSTWORTHY SYSTEM.] "Trustworthy system" means
a computer hardware and software that:
(1) are reasonably secure from intrusion and misuse;
(2) provide a reasonable level of availability,
reliability, and correct operation; and
(3) are reasonably suited to performing their intended
functions.
Subd. 40. [VALID CERTIFICATE.] "Valid certificate" means a
certificate that:
(1) a licensed certification authority has issued;
(2) the subscriber listed in it has accepted;
(3) has not been revoked or suspended; and
(4) has not expired.
However, a transactional certificate is a valid certificate
only in relation to the digital signature incorporated in it by
reference.
Subd. 41. [VERIFY A DIGITAL SIGNATURE.] "Verify a digital
signature" means, in relation to a given digital signature,
message, and public key, to determine accurately that:
(1) the digital signature was created by the private key
corresponding to the public key; and
(2) the message has not been altered since its digital
signature was created.
Sec. 3. [325K.02] [PURPOSES AND CONSTRUCTION.]
This chapter shall be construed consistently with what is
commercially reasonable under the circumstances and to
effectuate the following purposes:
(1) to facilitate commerce by means of reliable electronic
messages;
(2) to minimize the incidence of forged digital signatures
and fraud in electronic commerce;
(3) to implement legally the general import of relevant
standards, such as X.509 of the International Telecommunication
Union, formerly known as the international telegraph and
telephone consultative committee; and
(4) to establish, in coordination with multiple states,
uniform rules regarding the authentication and reliability of
electronic messages.
Sec. 4. [325K.03] [ROLE OF THE SECRETARY.]
Subdivision 1. [TRANSITIONAL DUTY.] If six months elapse
during which time no certification authority is licensed in this
state, then the secretary shall be a certification authority,
and may issue, suspend, and revoke certificates in the manner
prescribed for licensed certification authorities. Except for
licensing requirements, this chapter applies to the secretary
with respect to certificates the secretary issues. The
secretary must discontinue acting as a certification authority
if another certification authority is licensed, in a manner
allowing reasonable transition to private enterprise.
Subd. 2. [RECORD.] The secretary must maintain a publicly
accessible database containing a certification authority
disclosure record for each licensed certification authority.
The secretary must publish the contents of the database in at
least one recognized repository.
Subd. 3. [RULES.] The secretary must adopt rules
consistent with this chapter and in furtherance of its purposes:
(1) to govern licensed certification authorities, their
practice, and the termination of a certification authority's
practice;
(2) to determine an amount reasonably appropriate for a
suitable guaranty, in light of the burden a suitable guaranty
places upon licensed certification authorities and the assurance
of quality and financial responsibility it provides to persons
who rely on certificates issued by licensed certification
authorities;
(3) to specify reasonable requirements for the form of
certificates issued by licensed certification authorities, in
accordance with generally accepted standards for digital
signature certificates;
(4) to specify reasonable requirements for recordkeeping by
licensed certification authorities;
(5) to specify reasonable requirements for the content,
form, and sources of information in certification authority
disclosure records, the updating and timeliness of the
information, and other practices and policies relating to
certification authority disclosure records;
(6) to specify the form of the certification practice
statements; and
(7) otherwise to give effect to and implement this chapter.
Sec. 5. [325K.04] [FEES.]
The secretary may adopt rules establishing reasonable fees
for all services rendered under this chapter, in amounts
sufficient to compensate for the costs of all services under
this chapter. All fees recovered by the secretary must be
deposited in the state general fund.
Sec. 6. [325K.05] [LICENSURE AND QUALIFICATIONS OF
CERTIFICATION AUTHORITIES.]
Subdivision 1. [LICENSE CONDITIONS.] To obtain or retain a
license, a certification authority must:
(1) be the subscriber of a certificate published in a
recognized repository;
(2) employ as operative personnel only persons who have not
been convicted within the past 15 years of a felony or a crime
involving fraud, false statement, or deception;
(3) employ as operative personnel only persons who have
demonstrated knowledge and proficiency in following the
requirements of this chapter;
(4) file with the secretary a suitable guaranty, unless the
certification authority is a department, office, or official of
a state, city, or county governmental entity, provided that:
(i) each of these public entities act through designated
officials authorized by rule or ordinance to perform
certification authority functions; or
(ii) one of these public entities is the subscriber of all
certificates issued by the certification authority;
(5) have the right to use a trustworthy system, including a
secure means for limiting access to its private key;
(6) present proof to the secretary of having working
capital reasonably sufficient, according to rules adopted by the
secretary, to enable the applicant to conduct business as a
certification authority;
(7) maintain an office in this state or have established a
registered agent for service of process in this state; and
(8) comply with all further licensing requirements
established by rule by the secretary.
Subd. 2. [LICENSE PROCEDURES.] The secretary must issue a
license to a certification authority that:
(1) is qualified under subdivision 1;
(2) applies in writing to the secretary for a license; and
(3) pays a filing fee adopted by rule by the secretary.
Subd. 3. [RULES.] The secretary may by rule classify
licenses according to specified limitations, such as a maximum
number of outstanding certificates, cumulative maximum of
recommended reliance limits in certificates issued by the
certification authority, or issuance only within a single firm
or organization, and the secretary may issue licenses restricted
according to the limits of each classification. A certification
authority acts as an unlicensed certification authority in
issuing a certificate exceeding the restrictions of the
certification authority's license.
Subd. 4. [REVOCATION OR SUSPENSION.] The secretary may
revoke or suspend a certification authority's license, in
accordance with the administrative procedure act, chapter 14,
for failure to comply with this chapter or for failure to remain
qualified under subdivision 1.
Subd. 5. [LOCAL AUTHORITIES.] The secretary may recognize
by rule the licensing or authorization of certification
authorities by local, metropolitan, or regional governmental
entities, provided that those licensing or authorization
requirements are substantially similar to those of this state.
If licensing by another governmental entity is so recognized:
(1) sections 325K.19 to 325K.24 apply to certificates
issued by the certification authorities licensed or authorized
by that governmental entity in the same manner as it applies to
licensed certification authorities of this state; and
(2) the liability limits of section 325K.17 apply to the
certification authorities licensed or authorized by that
governmental entity in the same manner as they apply to licensed
certification authorities of this state.
Subd. 6. [APPLICABILITY TO DIGITAL SIGNATURES.] Unless the
parties provide otherwise by contract between themselves, the
licensing requirements in this section do not affect the
effectiveness, enforceability, or validity of any digital
signature, except that sections 325K.19 to 325K.24 do not apply
in relation to a digital signature that cannot be verified by a
certificate issued by an unlicensed certification authority.
Subd. 7. [NONAPPLICABILITY.] A certification authority
that has not obtained a license is not subject to the provision
of this chapter.
Sec. 7. [325K.06] [PERFORMANCE AUDITS.]
Subdivision 1. [ANNUAL AUDIT; AUDITOR QUALIFICATIONS;
RULES.] A certified public accountant having expertise in
computer security must audit the operations of each licensed
certification authority at least once each year to evaluate
compliance with this chapter. The secretary may by rule specify
the qualifications of auditors.
Subd. 2. [COMPLIANCE CATEGORIES.] Based on information
gathered in the audit, the auditor must categorize the licensed
certification authority's compliance as one of the following:
(a) [FULL COMPLIANCE.] The certification authority appears
to conform to all applicable statutory and regulatory
requirements.
(b) [SUBSTANTIAL COMPLIANCE.] The certification authority
appears generally to conform to applicable statutory and
regulatory requirements. However, one or more instances of
noncompliance or of inability to demonstrate compliance were
found in an audited sample, but were likely to be
inconsequential.
(c) [PARTIAL COMPLIANCE.] The certification authority
appears to comply with some statutory and regulatory
requirements, but was found not to have complied or not be able
to demonstrate compliance with one or more important safeguards.
(d) [NONCOMPLIANCE.] The certification authority complies
with few or none of the statutory and regulatory requirements,
fails to keep adequate records to demonstrate compliance with
more than a few requirements, or refused to submit to an audit.
The secretary shall publish in the certification authority
disclosure record it maintains for the certification authority
the date of the audit and the resulting categorization of the
certification authority.
Subd. 3. [EXEMPTION FROM AUDIT.] The secretary may exempt
a licensed certification authority from the requirements of
subdivision 1, if:
(1) the certification authority to be exempted requests
exemption in writing;
(2) the most recent performance audit, if any, of the
certification authority resulted in a finding of full or
substantial compliance; and
(3) the certification authority declares under oath,
affirmation, or penalty of perjury that one or more of the
following is true with respect to the certification authority:
(i) the certification authority has issued fewer than six
certificates during the past year and the recommended reliance
limits of all of the certificates do not exceed $10,000;
(ii) the aggregate lifetime of all certificates issued by
the certification authority during the past year is less than 30
days and the recommended reliance limits of all of the
certificates do not exceed $10,000; or
(iii) the recommended reliance limits of all certificates
outstanding and issued by the certification authority total less
than $1,000.
Subd. 4. [FALSE DECLARATION.] If the certification
authority's declaration under subdivision 3 falsely states a
material fact, the certification authority has failed to comply
with the performance audit requirements of this section.
Subd. 5. [RECORD OF EXEMPTION.] If a licensed
certification authority is exempt under subdivision 3, the
secretary must publish in the certification authority disclosure
record it maintains for the certification authority that the
certification authority is exempt from the performance audit
requirement.
Sec. 8. [325K.07] [ENFORCEMENT OF REQUIREMENTS FOR
LICENSED CERTIFICATION AUTHORITIES.]
Subdivision 1. [INVESTIGATION.] The secretary may
investigate the activities of a licensed certification authority
material to its compliance with this chapter and issue orders to
a certification authority to further its investigation and
secure compliance with this chapter.
Subd. 2. [SUSPENSION OR REVOCATION.] The secretary may
suspend or revoke the license of a certification authority for
its failure to comply with an order of the secretary.
Subd. 3. [CIVIL PENALTY.] The secretary may by order
impose and collect a civil monetary penalty for a violation of
this chapter in an amount not to exceed $5,000 per incident, or
90 percent of the recommended reliance limit of a material
certificate, whichever is less. In case of a violation
continuing for more than one day, each day is considered a
separate incident.
Subd. 4. [PAYMENT OF COSTS.] The secretary may order a
certification authority, which it has found to be in violation
of this chapter, to pay the costs incurred by the secretary in
prosecuting and adjudicating proceedings relative to the order,
and enforcing it.
Subd. 5. [ADMINISTRATIVE PROCEDURES; INJUNCTIVE
RELIEF.] (a) The secretary must exercise authority under this
section in accordance with the administrative procedure act,
chapter 14, and a licensed certification authority may obtain
judicial review of the secretary's actions as prescribed by
chapter 14.
(b) The secretary may also seek injunctive relief to compel
compliance with an order.
Sec. 9. [325K.08] [DANGEROUS ACTIVITIES BY CERTIFICATION
AUTHORITY PROHIBITED.]
Subdivision 1. [PROHIBITION GENERALLY.] No certification
authority, whether licensed or not, may conduct its business in
a manner that creates an unreasonable risk of loss to
subscribers of the certification authority, to persons relying
on certificates issued by the certification authority, or to a
repository.
Subd. 2. [ORDERS AND CIVIL ACTIONS.] In the manner
provided by the administrative procedure act, chapter 14, the
secretary may issue orders and obtain injunctions or other civil
relief to prevent or restrain a certification authority from
violating this section, regardless of whether the certification
authority is licensed. This section does not create a right of
action in a person other than the secretary.
Sec. 10. [325K.09] [GENERAL REQUIREMENTS FOR CERTIFICATION
AUTHORITIES.]
Subdivision 1. [USE OF TRUSTWORTHY SYSTEM.] A licensed
certification authority or subscriber may use only a trustworthy
system:
(1) to issue, suspend, or revoke a certificate;
(2) to publish or give notice of the issuance, suspension,
or revocation of a certificate; or
(3) to create a private key.
Subd. 2. [DISCLOSURE REQUIRED.] A licensed certification
authority shall disclose any material certification practice
statement and disclose any fact material to either the
reliability of a certificate that it has issued or its ability
to perform its services. A certification authority may require
a signed, written, and reasonably specific inquiry from an
identified person and payment of reasonable compensation as
conditions precedent to effecting a disclosure required in this
subdivision.
Sec. 11. [325K.10] [ISSUANCE OF CERTIFICATE.]
Subdivision 1. [CONDITIONS.] A licensed certification
authority may issue a certificate to a subscriber only after all
of the following conditions are satisfied:
(1) the certification authority has received a request for
issuance signed by the prospective subscriber; and
(2) the certification authority has confirmed that:
(i) the prospective subscriber is the person to be listed
in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or
more agents, the subscriber duly authorized each agent to have
custody of the subscriber's private key and to request issuance
of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is
accurate;
(iv) the prospective subscriber rightfully holds the
private key corresponding to the public key to be listed in the
certificate;
(v) the prospective subscriber holds a private key capable
of creating a digital signature; and
(vi) the public key to be listed in the certificate can be
used to verify a digital signature affixed by the private key
held by the prospective subscriber.
The requirements of this subdivision may not be waived or
disclaimed by either the licensed certification authority, the
subscriber, or both.
Subd. 2. [PUBLICATION.] If the subscriber accepts the
issued certificate, the certification authority shall publish a
signed copy of the certificate in a recognized repository, as
the certification authority and the subscriber named in the
certificate may agree, unless a contract between the
certification authority and the subscriber provides otherwise.
If the subscriber does not accept the certificate, a licensed
certification authority shall not publish it, or shall cancel
its publication if the certificate has already been published.
Subd. 3. [APPLICATION OF OTHER STANDARDS.] Nothing in this
section precludes a licensed certification authority from
conforming to standards, certification practice statements,
security plans, or contractual requirements more rigorous than,
but nevertheless consistent with, this chapter.
Subd. 4. [SUSPENSION OR REVOCATION.] After issuing a
certificate, a licensed certification authority shall revoke it
immediately upon confirming that it was not issued as required
by this section. A licensed certification authority may also
suspend a certificate that it has issued for a reasonable period
not exceeding 48 hours as needed for an investigation to confirm
grounds for revocation under this subdivision. The
certification authority shall give notice to the subscriber as
soon as practicable after a decision to revoke or suspend under
this subdivision.
Subd. 5. [ORDER OF SUSPENSION OR REVOCATION.] The
secretary may order the licensed certification authority to
suspend or revoke a certificate that the certification authority
issued if, after giving any required notice and opportunity for
the certification authority and subscriber to be heard in
accordance with the administrative procedure act, chapter 14,
the secretary determines that:
(1) the certificate was issued without substantial
compliance with this section; and
(2) the noncompliance poses a significant risk to persons
reasonably relying on the certificate.
Upon determining that an emergency requires an immediate
remedy, and in accordance with the administrative procedure act,
chapter 14, the secretary may issue an order suspending a
certificate for a period not to exceed 48 hours.
Sec. 12. [325K.11] [WARRANTIES AND OBLIGATIONS UPON
ISSUANCE OF CERTIFICATE.]
Subdivision 1. [ABSOLUTE WARRANTIES TO SUBSCRIBERS.] By
issuing a certificate, a licensed certification authority
warrants to the subscriber named in the certificate that:
(1) the certificate contains no information known to the
certification authority to be false;
(2) the certificate satisfies all material requirements of
this chapter; and
(3) the certification authority has not exceeded any limits
of its license in issuing the certificate.
The certification authority may not disclaim or limit the
warranties of this subdivision.
Subd. 2. [NEGOTIABLE WARRANTIES TO SUBSCRIBERS.] Unless
the subscriber and certification authority otherwise agree, a
certification authority, by issuing a certificate, promises to
the subscriber:
(1) to act promptly to suspend or revoke a certificate in
accordance with section 325K.14 or 325K.15; and
(2) to notify the subscriber within a reasonable time of
any facts known to the certification authority that
significantly affect the validity or reliability of the
certificate once it is issued.
Subd. 3. [WARRANTIES TO THOSE WHO REASONABLY RELY.] By
issuing a certificate, a licensed certification authority
certifies to all who reasonably rely on the information
contained in the certificate that:
(1) the information in the certificate and listed as
confirmed by the certification authority is accurate;
(2) all information foreseeably material to the reliability
of the certificate is stated or incorporated by reference within
the certificate;
(3) the subscriber has accepted the certificate; and
(4) the licensed certification authority has complied with
all applicable laws of this state governing issuance of the
certificate.
Subd. 4. [WARRANTIES FOLLOWING PUBLICATION.] By publishing
a certificate, a licensed certification authority certifies to
the repository in which the certificate is published and to all
who reasonably rely on the information contained in the
certificate that the certification authority has issued the
certificate to the subscriber.
Sec. 13. [325K.12] [REPRESENTATIONS AND DUTIES UPON
ACCEPTING CERTIFICATE.]
Subdivision 1. [SUBSCRIBER WARRANTIES.] By accepting a
certificate issued by a licensed certification authority, the
subscriber listed in the certificate certifies to all who
reasonably rely on the information contained in the certificate
that:
(1) the subscriber rightfully holds the private key
corresponding to the public key listed in the certificate;
(2) all representations made by the subscriber to the
certification authority and material to the information listed
in the certificate are true; and
(3) all material representations made by the subscriber to
a certification authority or made in the certificate and not
confirmed by the certification authority in issuing the
certificate are true.
Subd. 2. [AGENT WARRANTIES.] By requesting on behalf of a
principal the issuance of a certificate naming the principal as
subscriber, the requesting person certifies in that person's own
right to all who reasonably rely on the information contained in
the certificate that the requesting person:
(1) holds all authority legally required to apply for
issuance of a certificate naming the principal as subscriber;
and
(2) has authority to sign digitally on behalf of the
principal, and, if that authority is limited in any way,
adequate safeguards exist to prevent a digital signature
exceeding the bounds of the person's authority.
Subd. 3. [DISCLAIMER LIMITATIONS.] No person may disclaim
or contractually limit the application of this section, nor
obtain indemnity for its effects, if the disclaimer, limitation,
or indemnity restricts liability for misrepresentation as
against persons reasonably relying on the certificate.
Subd. 4. [INDEMNIFICATION BY SUBSCRIBER OR AGENT.] By
accepting a certificate, a subscriber undertakes to indemnify
the issuing certification authority for loss or damage caused by
issuance or publication of a certificate in reliance on:
(1) a false and material representation of fact by the
subscriber; or
(2) the failure by the subscriber to disclose a material
fact if the representation or failure to disclose was made
either with intent to deceive the certification authority or a
person relying on the certificate, or with negligence. If the
certification authority issued the certificate at the request of
one or more agents of the subscriber, the agent or agents
personally undertake to indemnify the certification authority
under this subdivision, as if they were accepting subscribers in
their own right. The indemnity provided in this section may not
be disclaimed or contractually limited in scope. However, a
contract may provide consistent, additional terms regarding the
indemnification.
Subd. 5. [CERTIFIED ACCURACY.] In obtaining information of
the subscriber material to issuance of a certificate, the
certification authority may require the subscriber to certify
the accuracy of relevant information under oath or affirmation
of truthfulness and under penalty of perjury.
Sec. 14. [325K.13] [CONTROL OF PRIVATE KEY.]
Subdivision 1. [DUTY.] By accepting a certificate issued
by a licensed certification authority, the subscriber identified
in the certificate assumes a duty to exercise reasonable care to
retain control of the private key and prevent its disclosure to
a person not authorized to create the subscriber's digital
signature.
Subd. 2. [PRIVATE PROPERTY.] A private key is the personal
property of the subscriber who rightfully holds it.
Subd. 3. [AUTHORITY AS FIDUCIARY.] If a certification
authority holds the private key corresponding to a public key
listed in a certificate that it has issued, the certification
authority holds the private key as a fiduciary of the subscriber
named in the certificate, and may use that private key only with
the subscriber's prior written approval, unless the subscriber
expressly grants the private key to the certification authority
and expressly permits the certification authority to hold the
private key according to other terms.
Sec. 15. [325K.14] [SUSPENSION OF CERTIFICATE.]
Subdivision 1. [SUSPENSION FOR 48 HOURS.] Unless the
certification authority and the subscriber agree otherwise, the
licensed certification authority that issued a certificate that
is not a transactional certificate must suspend the certificate
for a period not to exceed 48 hours:
(1) upon request by a person identifying himself or herself
as the subscriber named in the certificate, or as a person in a
position likely to know of a compromise of the security of a
subscriber's private key, such as an agent, business associate,
employee, or member of the immediate family of the subscriber;
or
(2) by order of the secretary under section 325K.10.
The certification authority need not confirm the identity
or agency of the person requesting suspension.
Subd. 2. [SUSPENSION FOR 48 HOURS; OTHER CAUSES.] (a)
Unless the certificate provides otherwise or the certificate is
a transactional certificate, the secretary or a county clerk may
suspend a certificate issued by a licensed certification
authority for a period of 48 hours, if:
(1) a person identifying himself or herself as the
subscriber named in the certificate or as an agent, business
associate, employee, or member of the immediate family of the
subscriber requests suspension; and
(2) the requester represents that the certification
authority that issued the certificate is unavailable.
(b) The secretary or county clerk may require the person
requesting suspension to provide evidence, including a statement
under oath or affirmation, regarding the requester's identity,
authorization, or the unavailability of the issuing
certification authority, and may decline to suspend the
certificate in its discretion. The secretary or law enforcement
agencies may investigate suspensions by the secretary or county
clerk for possible wrongdoing by persons requesting suspension.
Subd. 3. [NOTICE OF SUSPENSION.] Immediately upon
suspension of a certificate by a licensed certification
authority, the licensed certification authority shall give
notice of the suspension according to the specification in the
certificate. If one or more repositories are specified, then
the licensed certification authority must publish a signed
notice of the suspension in all the repositories. If a
repository no longer exists or refuses to accept publication, or
if no repository is recognized under section 325K.25, the
licensed certification authority must also publish the notice in
a recognized repository. If a certificate is suspended by the
secretary or county clerk, the secretary or clerk must give
notice as required in this subdivision for a licensed
certification authority, provided that the person requesting
suspension pays in advance any fee required by a repository for
publication of the notice of suspension.
Subd. 4. [TERMINATING SUSPENSION.] A certification
authority must terminate a suspension initiated by request only:
(1) if the subscriber named in the suspended certificate
requests termination of the suspension and the certification
authority has confirmed that the person requesting suspension is
the subscriber or an agent of the subscriber authorized to
terminate the suspension; or
(2) when the certification authority discovers and confirms
that the request for the suspension was made without
authorization by the subscriber. However, this clause does not
require the certification authority to confirm a request for
suspension.
Subd. 5. [CONTRACT LIMITATION OR PRECLUSION.] The contract
between a subscriber and a licensed certification authority may
limit or preclude requested suspension by the certification
authority, or may provide otherwise for termination of a
requested suspension. However, if the contract limits or
precludes suspension by the secretary or county clerk when the
issuing certification authority is unavailable, the limitation
or preclusion is effective only if notice of it is published in
the certificate.
Subd. 6. [MISREPRESENTATION.] No person may knowingly or
intentionally misrepresent to a certification authority the
person's identity or authorization in requesting suspension of a
certificate. Violation of this subdivision is a misdemeanor.
Subd. 7. [EFFECT ON SUBSCRIBER.] The subscriber is
released from the duty to keep the private key secure under
section 325K.13, subdivision 1, while the certificate is
suspended.
Sec. 16. [325K.15] [CERTIFICATE REVOCATION.]
Subdivision 1. [AFTER REQUEST.] A licensed certification
authority must revoke a certificate that it issued but which is
not a transactional certificate, after:
(1) receiving a request for revocation by the subscriber
named in the certificate; and
(2) confirming that the person requesting revocation is the
subscriber, or is an agent of the subscriber with authority to
request the revocation.
Subd. 2. [AFTER IDENTITY CONFIRMED.] A licensed
certification authority must confirm a request for revocation
and revoke a certificate within one business day after receiving
both a subscriber's written request and evidence reasonably
sufficient to confirm the identity and any agency of the person
requesting the suspension.
Subd. 3. [AFTER DEATH OR DISSOLUTION.] A licensed
certification authority must revoke a certificate that it issued:
(1) upon receiving a certified copy of the subscriber's
death certificate, or upon confirming by other evidence that the
subscriber is dead; or
(2) upon presentation of documents effecting a dissolution
of the subscriber, or upon confirming by other evidence that the
subscriber has been dissolved or has ceased to exist.
Subd. 4. [UNRELIABLE CERTIFICATE.] A licensed
certification authority may revoke one or more certificates that
it issued if the certificates are or become unreliable,
regardless of whether the subscriber consents to the revocation
and notwithstanding a provision to the contrary in a contract
between the subscriber and certification authority.
Subd. 5. [NOTICE OF REVOCATION.] Immediately upon
revocation of a certificate by a licensed certification
authority, the licensed certification authority must give notice
of the revocation according to the specification in the
certificate. If one or more repositories are specified, then
the licensed certification authority must publish a signed
notice of the revocation in all repositories. If a repository
no longer exists or refuses to accept publication, or if no
repository is recognized under section 325K.13, then the
licensed certification authority must also publish the notice in
a recognized repository.
Subd. 6. [WHEN CERTIFICATION BY SUBSCRIBER CEASES.] A
subscriber ceases to certify, as provided in section 325K.12,
and has no further duty to keep the private key secure, as
required by section 325K.13, in relation to the certificate
whose revocation the subscriber has requested, beginning at the
earlier of either:
(1) when notice of the revocation is published as required
in subdivision 5; or
(2) one business day after the subscriber requests
revocation in writing, supplies to the issuing certification
authority information reasonably sufficient to confirm the
request, and pays any contractually required fee.
Subd. 7. [WARRANTIES DISCHARGED.] Upon notification as
required by subdivision 5, a licensed certification authority is
discharged of its warranties based on issuance of the revoked
certificate and ceases to certify as provided in section
325K.11, subdivisions 2 and 3, in relation to the revoked
certificate.
Sec. 17. [325K.16] [CERTIFICATE EXPIRATION.]
Subdivision 1. [EXPIRATION DATE.] A certificate must
indicate the date on which it expires.
Subd. 2. [EFFECT OF EXPIRATION.] When a certificate
expires, the subscriber and certification authority cease to
certify as provided in this chapter and the certification
authority is discharged of its duties based on issuance, in
relation to the expired certificate.
Sec. 18. [325K.17] [RECOMMENDED RELIANCE LIMITS.]
By specifying a recommended reliance limit in a
certificate, the issuing certification authority and accepting
subscriber recommend that persons rely on the certificate only
to the extent that the total amount at risk does not exceed the
recommended reliance limit.
Sec. 19. [325K.18] [COLLECTION BASED ON SUITABLE
GUARANTY.]
Subdivision 1. [BOND OR LETTER OF CREDIT.] (a) If the
suitable guaranty is a surety bond, a person may recover from
the surety the full amount of a qualified right to payment
against the principal named in the bond, or, if there is more
than one such qualified right to payment during the term of the
bond, a ratable share, up to a maximum total liability of the
surety equal to the amount of the bond.
(b) If the suitable guaranty is a letter of credit, a
person may recover from the issuing financial institution only
in accordance with the terms of the letter of credit.
(c) Claimants may recover successively on the same suitable
guaranty, provided that the total liability on the suitable
guaranty to all persons making qualified rights of payment
during its term must not exceed the amount of the suitable
guaranty.
Subd. 2. [ATTORNEY FEES AND COURT COSTS.] (a) Subject to
paragraph (b), in addition to recovering the amount of a
qualified right to payment, a claimant may recover:
(1) from the proceeds of the guaranty, until depleted;
(2) the attorneys' fees, reasonable in amount; and
(3) court costs incurred by the claimant in collecting the
claim.
(b) However, the total liability on the suitable guaranty
to all persons making qualified rights of payment or recovering
attorneys' fees during its term must not exceed the amount of
the suitable guaranty.
Subd. 3. [QUALIFIED RIGHT TO PAYMENT.] (a) To recover a
qualified right to payment against a surety or issuer of a
suitable guaranty, the claimant must:
(1) file written notice of the claim with the secretary
stating the name and address of the claimant, the amount
claimed, and the grounds for the qualified right to payment, and
any other information required by rule by the secretary; and
(2) append to the notice a certified copy of the judgment
on which the qualified right to payment is based.
(b) Recovery of a qualified right to payment from the
proceeds of the suitable guaranty is barred unless the claimant
substantially complies with this subdivision.
Subd. 4. [STATUTE OF LIMITATIONS.] Recovery of a qualified
right to payment from the proceeds of a suitable guaranty are
forever barred unless notice of the claim is filed as required
in subdivision 3, paragraph (a), clause (1), within three years
after the occurrence of the violation of this chapter that is
the basis for the claim. Notice under this subdivision need not
include the requirement imposed by subdivision 3, paragraph (a),
clause (2).
Sec. 20. [325K.19] [SATISFACTION OF SIGNATURE
REQUIREMENTS.]
(a) Where a rule of law requires a signature, or provides
for certain consequences in the absence of a signature, that
rule is satisfied by a digital signature, if:
(1) no party affected by a digital signature objects to the
use of digital signatures in lieu of a signature, and the
objection may be evidenced by refusal to provide or accept a
digital signature;
(2) that digital signature is verified by reference to the
public key listed in a valid certificate issued by a licensed
certification authority;
(3) that digital signature was affixed by the signer with
the intention of signing the message and after the signer has
had an opportunity to review items being signed; and
(4) the recipient has no knowledge or notice that the
signer either:
(i) breached a duty as a subscriber; or
(ii) does not rightfully hold the private key used to affix
the digital signature.
(b) However, nothing in this chapter precludes a mark from
being valid as a signature under other applicable law.
Sec. 21. [325K.20] [UNRELIABLE DIGITAL SIGNATURES.]
Unless otherwise provided by law or contract, the recipient
of a digital signature assumes the risk that a digital signature
is forged, if reliance on the digital signature is not
reasonable under the circumstances. If the recipient determines
not to rely on a digital signature under this section, the
recipient must promptly notify the signer of any determination
not to rely on a digital signature and the grounds for that
determination. Nothing in this chapter shall be construed to
obligate a person to accept a digital signature or to respond to
an electronic message containing a digital signature.
Sec. 22. [325K.21] [DIGITALLY SIGNED DOCUMENT IS WRITTEN.]
(a) A message is as valid, enforceable, and effective as if
it had been written on paper, if it:
(1) bears in its entirety a digital signature; and
(2) that digital signature is verified by the public key
listed in a certificate that:
(i) was issued by a licensed certification authority; and
(ii) was valid at the time the digital signature was
created.
(b) Nothing in this chapter shall be construed to
eliminate, modify, or condition any other requirements for a
contract to be valid, enforceable, and effective. No digital
message shall be deemed to be an instrument under the provisions
of section 336.3-104 unless all parties to the transaction agree.
Sec. 23. [325K.22] [DIGITALLY SIGNED ORIGINALS.]
A copy of a digitally signed message is as effective,
valid, and enforceable as the original of the message, unless it
is evident that the signer designated an instance of the
digitally signed message to be a unique original, in which case
only that instance constitutes the valid, effective, and
enforceable message.
Sec. 24. [325K.23] [CERTIFICATE AS ACKNOWLEDGMENT.]
Unless otherwise provided by law or contract, a certificate
issued by a licensed certification authority is an
acknowledgment of a digital signature verified by reference to
the public key listed in the certificate, regardless of whether
words of an express acknowledgment appear with the digital
signature and regardless of whether the signer physically
appeared before the certification authority when the digital
signature was created, if that digital signature is:
(1) verifiable by that certificate; and
(2) affixed when that certificate was valid.
Sec. 25. [325K.24] [PRESUMPTIONS IN ADJUDICATING DISPUTES;
LIABILITY ALLOCATION.]
Subdivision 1. [PRESUMPTIONS.] In adjudicating a dispute
involving a digital signature, a court of this state presumes
that:
(a) A certificate digitally signed by a licensed
certification authority and either published in a recognized
repository, or made available by the issuing certification
authority or by the subscriber listed in the certificate is
issued by the certification authority that digitally signed it
and is accepted by the subscriber listed in it.
(b) The information listed in a valid certificate and
confirmed by a licensed certification authority issuing the
certificate is accurate.
(c) If a digital signature is verified by the public key
listed in a valid certificate issued by a licensed certification
authority:
(1) that digital signature is the digital signature of the
subscriber listed in that certificate;
(2) that digital signature was affixed by that subscriber
with the intention of signing the message; and
(3) the recipient of that digital signature has no
knowledge or notice that the signer:
(i) breached a duty as a subscriber; or
(ii) does not rightfully hold the private key used to affix
the digital signature.
(d) A digital signature was created before it was time
stamped by a disinterested person utilizing a trustworthy system.
Subd. 2. [LIABILITY ALLOCATION.] A court of this state
shall give effect to liability allocations between the parties
provided by contract to the extent not inconsistent with the
requirements of this chapter.
Sec. 26. [325K.25] [RECOGNITION OF REPOSITORIES.]
Subdivision 1. [CONDITIONS.] The secretary must recognize
one or more repositories, after finding that a repository to be
recognized:
(1) is operated under the direction of a licensed
certification authority;
(2) includes a database containing:
(i) certificates published in the repository;
(ii) notices of suspended or revoked certificates published
by licensed certification authorities or other persons
suspending or revoking certificates;
(iii) certification authority disclosure records for
licensed certification authorities;
(iv) all orders or advisory statements published by the
secretary in regulating certification authorities; and
(v) other information adopted by rule by the secretary;
(3) operates by means of a trustworthy system;
(4) contains no significant amount of information that is
known or likely to be untrue, inaccurate, or not reasonably
reliable;
(5) contains certificates published by certification
authorities that conform to legally binding requirements that
the secretary finds to be substantially similar to, or more
stringent toward the certification authorities, than those of
this state;
(6) keeps an archive of certificates that have been
suspended or revoked, or that have expired, within at least the
past three years; and
(7) complies with other reasonable requirements adopted by
rule by the secretary.
Subd. 2. [APPLICATION.] A repository may apply to the
secretary for recognition by filing a written request and
providing evidence to the secretary sufficient for the secretary
to find that the conditions for recognition are satisfied.
Subd. 3. [RECOGNITION DISCONTINUED.] A repository may
discontinue its recognition by filing 30 days' written notice
with the secretary. In addition, the secretary may discontinue
recognition of a repository in accordance with the
administrative procedure act, chapter 14, if it concludes that
the repository no longer satisfies the conditions for
recognition listed in this section or in rules adopted by the
secretary.
Sec. 27. [325K.26] [RULEMAKING.]
The secretary may adopt rules effective July 1, 1998, to
implement this chapter.
Sec. 28. [EFFECTIVE DATE.]
Section 27 is effective July 1, 1997. Sections 1 to 26 are
effective the day after the secretary of state causes to be
published in the State Register a certification by the secretary
of state that the secretary of state has adopted rules necessary
for the use of sections 1 to 27, except that any provision of
sections 1 to 27 authorizing or requiring rules to be adopted is
effective the day following final enactment.
Presented to the governor May 17, 1997
Signed by the governor May 19, 1997, 7:20 p.m.
Official Publication of the State of Minnesota
Revisor of Statutes