Office of the Revisor of Statutes
Minnesota Session Laws - 1998, Regular Session
Key: (1) language to be deleted (2) new language
CHAPTER 321-S.F.No. 2068
An act relating to commerce; providing for the
reliability of electronic messages; providing for
certification authorities; providing licensing and
enforcement powers; defining terms; providing
rulemaking; amending Minnesota Statutes 1997
Supplement, sections 325K.01, subdivisions 6, 11, 18,
21, 27, 35, 39, and by adding a subdivision; 325K.03;
325K.05, subdivisions 1, 4, 5, 6, and 7; 325K.07,
subdivisions 2 and 3; 325K.10, subdivision 1; 325K.12,
subdivision 4; 325K.13, by adding a subdivision;
325K.14, subdivisions 1, 2, 3, 5, and by adding a
subdivision; 325K.15, subdivisions 3 and 7; 325K.18,
subdivisions 1 and 2; and 325K.25, subdivision 1;
proposing coding for new law in Minnesota Statutes,
chapter 325K; repealing Minnesota Statutes 1997
Supplement, sections 325K.05, subdivision 3; 325K.06,
subdivisions 3, 4, and 5; 325K.13, subdivisions 2 and
3; and 325K.14, subdivision 7.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1. Minnesota Statutes 1997 Supplement, section
325K.01, subdivision 6, is amended to read:
Subd. 6. [CERTIFICATION AUTHORITY DISCLOSURE RECORD.]
"Certification authority disclosure record" means an on-line,
publicly accessible electronic record that concerns a licensed
certification authority and is kept by the secretary. A
certification authority disclosure record has the contents
specified by rule by the secretary under section 325K.03.
Sec. 2. Minnesota Statutes 1997 Supplement, section
325K.01, subdivision 11, is amended to read:
Subd. 11. [DIGITAL SIGNATURE OR DIGITALLY SIGNED.]
"Digital signature" or "digitally signed" means a transformation
of a message using an asymmetric cryptosystem such that a person
having the initial message and the signer's public key can
accurately determine:
(1) whether the transformation was created using the
private key that corresponds to the signer's public key; and
(2) whether the initial message has been altered since the
transformation was made.
Sec. 3. Minnesota Statutes 1997 Supplement, section
325K.01, subdivision 18, is amended to read:
Subd. 18. [LICENSED CERTIFICATION AUTHORITY.] "Licensed
certification authority" means a certification authority to whom
a license has been issued by the secretary and whose license is
in effect, or a certification authority who operates under a
license issued by a governmental entity which has been certified
pursuant to section 325K.05, subdivision 5.
Sec. 4. Minnesota Statutes 1997 Supplement, section
325K.01, subdivision 21, is amended to read:
Subd. 21. [OPERATIVE PERSONNEL.] "Operative personnel"
means one or more natural persons acting as a certification
authority or its agent, or in the employment of, or under
contract with, a certification authority, and who have:
(1) managerial or policymaking responsibilities for the
certification authority; or
(2) duties directly involving the issuance of certificates,
creation of private keys, or administration of a certification
authority's computing facilities.
Sec. 5. Minnesota Statutes 1997 Supplement, section
325K.01, subdivision 27, is amended to read:
Subd. 27. [RECIPIENT.] "Recipient" means a person who
receives or has received a certificate and a digital
signature verifiable with reference to a public key listed in
the certificate and is in a position to rely on it.
Sec. 6. Minnesota Statutes 1997 Supplement, section
325K.01, subdivision 35, is amended to read:
Subd. 35. [SUITABLE GUARANTY.] (a) "Suitable guaranty"
means either:
(1) a surety bond executed by a surety authorized by the
commissioner of commerce to do business in this state, or an
irrevocable letter of credit issued by a financial institution
authorized to do business in this state, that:
(1) is issued payable to the secretary for the benefit of
persons holding qualified rights of payment against the licensed
certification authority named as the principal of the bond or
customer of the letter of credit;
(2) is in an amount specified by rule by the secretary
under section 325K.03;
(3) states that it is issued for filing under this chapter;
(4) specifies a term of effectiveness extending at least as
long as the term of the license to be issued to the
certification authority; and
(5) is in a form prescribed or approved by rule by the
secretary.
A suitable guaranty may also provide that the total annual
liability on the guaranty to all persons making claims based on
it may not exceed the face amount of the guaranty. for the
benefit of persons holding qualified rights of payment against
the licensed certification authority named as the principal of
the bond or the customer of the letter of credit; or
(2) a policy of insurance that provides that claims may be
made and resolved without obtaining a qualified right to payment.
(b) The suitable guaranty must:
(1) be in an amount specified by rule by the secretary
under section 325K.03;
(2) state that it is issued under this chapter;
(3) specify a term of effectiveness of at least five years;
and
(4) be in a form the content of which is described in rule
by the secretary.
If the suitable guaranty is a surety bond, it must be
issued by a surety authorized by the commissioner of commerce to
do business in this state. If the suitable guaranty is an
irrevocable letter of credit, it must be issued by a financial
institution authorized to do business in this state. If the
suitable guaranty is a policy of insurance, it must be issued by
an insurance company authorized by the commissioner of commerce
to do business in this state.
Once a qualified right to payment or claim has been
satisfied from the suitable guaranty, the licensed certification
authority must provide evidence to the secretary that the amount
required by rule is again available.
Sec. 7. Minnesota Statutes 1997 Supplement, section
325K.01, is amended by adding a subdivision to read:
Subd. 35a. [SUMMARY SUSPENSION.] "Summary suspension"
means a temporary recision of a certification authority's
license by order of the secretary. The secretary may order the
summary suspension of a license before holding a hearing. The
summary suspension is effective for up to five business days.
If an action for suspension or revocation is instituted within
five business days, the summary suspension is extended until the
action for suspension or revocation is ultimately determined.
Sec. 8. Minnesota Statutes 1997 Supplement, section
325K.01, subdivision 39, is amended to read:
Subd. 39. [TRUSTWORTHY SYSTEM.] "Trustworthy system" means
a computer hardware and software that:
(1) are reasonably secure from intrusion and misuse;
(2) provide a reasonable level of availability,
reliability, and correct operation; and
(3) are reasonably suited to performing their intended
functions.
Sec. 9. Minnesota Statutes 1997 Supplement, section
325K.03, is amended to read:
325K.03 [ROLE OF THE SECRETARY.]
Subdivision 1. [TRANSITIONAL DUTY SECRETARY AS
CERTIFICATION AUTHORITY.] If six months elapse during which time
no certification authority is licensed in this state, then The
secretary shall be a certification authority, and may. The
secretary shall issue, suspend, and revoke certificates in the
manner prescribed for licensed certification authorities under
section 325K.10 to applicants for licensure. The secretary may
also issue, suspend, and revoke certificates for governmental
entities. Except for licensing requirements, this chapter
applies to the secretary with respect to certificates the
secretary issues. The secretary must discontinue acting as a
certification authority if another certification authority is
licensed, in a manner allowing reasonable transition to private
enterprise.
Subd. 2. [RECORD.] The secretary must maintain a an
on-line, publicly accessible electronic database containing a
certification authority disclosure record and list of judgments
for each licensed certification authority. The secretary must
publish the contents of the database in at least one recognized
repository.
Subd. 3. [RULES.] The secretary must adopt rules
consistent with this chapter and in furtherance of its
purposes to:
(1) to govern licensed certification authorities and
repositories, their practice, and the termination of a
certification authority's their practice;
(2) to determine an amount reasonably appropriate for a
suitable guaranty, in light of the burden a suitable guaranty
places upon licensed certification authorities and the assurance
of quality and financial responsibility it provides to persons
who rely on certificates issued by licensed certification
authorities;
(3) to specify reasonable requirements for the form of
certificates issued by licensed certification authorities, in
accordance with generally accepted standards for digital
signature certificates;
(4) to specify reasonable requirements for recordkeeping by
licensed certification authorities;
(5) to specify reasonable requirements for the content,
form, and sources of information in certification authority
disclosure records, the updating and timeliness of the
information, and other practices and policies relating to
certification authority disclosure records;
(6) to specify the form of the certification practice
statements; and
(7) otherwise to give effect to and implement this chapter
specify the procedure and manner in which a certificate may be
suspended or revoked.
Sec. 10. Minnesota Statutes 1997 Supplement, section
325K.05, subdivision 1, is amended to read:
Subdivision 1. [LICENSE CONDITIONS.] To obtain or retain a
license, a certification authority must:
(1) be the subscriber of a certificate published in a
recognized repository;
(2) employ as operative personnel only persons who have not
been convicted within the past 15 years of a felony or a crime
involving fraud, false statement, or deception;
(3) employ as operative personnel only persons who have
demonstrated knowledge and proficiency in following the
requirements of this chapter;
(4) file with the secretary a suitable guaranty, unless the
certification authority is a department, office, or official of
a federal, state, city, or county governmental entity, provided
that: is self-insured;
(i) each of these public entities act through designated
officials authorized by rule or ordinance to perform
certification authority functions; or
(ii) one of these public entities is the subscriber of all
certificates issued by the certification authority;
(5) have the right to use a trustworthy system, including a
secure means for limiting access to its private key;
(6) present proof to the secretary of having working
capital reasonably sufficient, according to rules adopted by the
secretary, to enable the applicant to conduct business as a
certification authority;
(7) maintain an office in this state or have established a
registered agent for service of process in this state register
its business organization with the secretary, unless the
applicant is a governmental entity or is otherwise prohibited
from registering; and
(8) comply with all further licensing requirements
established by rule by the secretary.
Sec. 11. Minnesota Statutes 1997 Supplement, section
325K.05, subdivision 4, is amended to read:
Subd. 4. [REVOCATION OR SUSPENSION.] (a) The secretary may
revoke or suspend a certification authority's license, in
accordance with the Administrative Procedure Act, chapter 14,
for failure to comply with this chapter or for failure to remain
qualified under subdivision 1.
(b) The secretary may order a summary suspension of a
license. The written order for summary suspension may include a
finding that the certification authority has:
(1) used its license in the commission of a state or
federal crime or of a violation of sections 325F.68 to 325F.70;
or
(2) engaged in conduct giving rise to serious risk of loss
to public or private parties if the license is not immediately
suspended.
Sec. 12. Minnesota Statutes 1997 Supplement, section
325K.05, subdivision 5, is amended to read:
Subd. 5. [LOCAL OTHER AUTHORITIES.] The secretary may
recognize by rule the licensing or authorization of
certification authorities by local, metropolitan, or regional
non-Minnesota governmental entities, provided that those
licensing or authorization requirements are substantially
similar to those of this state. If licensing by another
governmental entity is so recognized:
(1) sections 325K.19 to 325K.24 apply to certificates
issued by the certification authorities licensed or authorized
by that governmental entity in the same manner as it applies to
licensed certification authorities of this state; and
(2) the liability limits of section 325K.17 apply to the
certification authorities licensed or authorized by that
governmental entity in the same manner as they apply to licensed
certification authorities of this state.
Sec. 13. Minnesota Statutes 1997 Supplement, section
325K.05, subdivision 6, is amended to read:
Subd. 6. [APPLICABILITY TO DIGITAL SIGNATURES.] Unless the
Parties may provide otherwise by contract between themselves,
the licensing requirements in this section do not affect for the
effectiveness, enforceability, or validity of any digital
signature, except that as between those parties. Sections
325K.19 to 325K.24 do not apply in relation to a certificate and
associated digital signature that cannot be verified by a
certificate issued by an unlicensed certification authority.
Sec. 14. Minnesota Statutes 1997 Supplement, section
325K.05, subdivision 7, is amended to read:
Subd. 7. [NONAPPLICABILITY.] A certification authority
that has not obtained a license is not subject to the provision
provisions of this chapter, except as specifically provided.
Sec. 15. Minnesota Statutes 1997 Supplement, section
325K.07, subdivision 2, is amended to read:
Subd. 2. [SUSPENSION OR REVOCATION.] The secretary may
summarily suspend or revoke the license of a certification
authority for its failure to comply with an order of the
secretary.
Sec. 16. Minnesota Statutes 1997 Supplement, section
325K.07, subdivision 3, is amended to read:
Subd. 3. [CIVIL PENALTY.] The secretary may by order
impose and collect a civil monetary penalty against a licensed
certification authority for a violation of this chapter in an
amount not to exceed $5,000 per incident, or 90 percent of the
recommended reliance limit of a material certificate, whichever
is less. In case of a violation continuing for more than one
day, each day is considered a separate incident. The secretary
may adopt rules setting the standards governing the
determination of the penalty amounts.
Sec. 17. Minnesota Statutes 1997 Supplement, section
325K.10, subdivision 1, is amended to read:
Subdivision 1. [CONDITIONS.] A licensed certification
authority may issue a certificate to a subscriber only after all
of the following conditions are satisfied:
(1) the certification authority has received a request for
issuance signed by the prospective subscriber; and
(2) the certification authority has confirmed that:
(i) the prospective subscriber is the person to be listed
in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or
more agents, the subscriber duly authorized each agent to have
custody of the subscriber's private key and to request issuance
of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is
accurate;
(iv) the prospective subscriber rightfully holds the
private key corresponding to the public key to be listed in the
certificate;
(v) the prospective subscriber holds a private key capable
of creating a digital signature; and
(vi) the public key to be listed in the certificate can be
used to verify a digital signature affixed by the private key
held by the prospective subscriber; and
(vii) the certificate provides information sufficient to
locate or identify one or more repositories in which
notification of the revocation or suspension of the certificate
will be listed if the certificate is suspended or revoked.
The requirements of this subdivision may not be waived or
disclaimed by either the licensed certification authority, the
subscriber, or both.
Sec. 18. Minnesota Statutes 1997 Supplement, section
325K.12, subdivision 4, is amended to read:
Subd. 4. [INDEMNIFICATION BY SUBSCRIBER OR AGENT.] By
accepting a certificate, a subscriber undertakes to indemnify
the issuing certification authority for loss or damage caused by
issuance or publication of a certificate in reliance on:
(1) a false and material representation of fact by the
subscriber; or
(2) the failure by the subscriber to disclose a material
fact if the representation or failure to disclose was made
either with intent to deceive the certification authority or a
person relying on the certificate, or with gross negligence. If
the certification authority issued the certificate at the
request of one or more agents of the subscriber, the agent or
agents personally undertake to indemnify the certification
authority under this subdivision, as if they were accepting
subscribers in their own right. The indemnity provided in this
section may not be disclaimed or contractually limited in
scope. However, a contract may provide consistent, additional
terms regarding the indemnification.
Sec. 19. Minnesota Statutes 1997 Supplement, section
325K.13, is amended by adding a subdivision to read:
Subd. 2a. [POSSESSION OF PRIVATE KEY.] A certification
authority cannot hold a private key on behalf of a subscriber.
Sec. 20. Minnesota Statutes 1997 Supplement, section
325K.14, subdivision 1, is amended to read:
Subdivision 1. [SUSPENSION FOR 48 96 HOURS.] Unless the
certification authority and the subscriber agree otherwise, the
licensed certification authority that issued a certificate that
is not a transactional certificate must suspend the certificate
for a period not to exceed 48 96 hours:
(1) upon request by a person identifying himself or herself
as the subscriber named in the certificate, or as a person in a
position likely to know of a compromise of the security of a
subscriber's private key, such as an agent, business associate,
employee, or member of the immediate family of the subscriber;
or
(2) by order of the secretary under section 325K.10.
The certification authority need not confirm the identity
or agency of the person requesting suspension.
Sec. 21. Minnesota Statutes 1997 Supplement, section
325K.14, subdivision 2, is amended to read:
Subd. 2. [SUSPENSION FOR 48 96 HOURS; OTHER CAUSES.] (a)
Unless the certificate provides otherwise or the certificate is
a transactional certificate, The secretary or a county clerk may
suspend a certificate issued by a licensed certification
authority for a period of 48 96 hours, if:
(1) a person identifying himself or herself as the
subscriber named in the certificate or as an agent, business
associate, employee, or member of the immediate family of the
subscriber requests suspension; and
(2) the requester represents that the certification
authority that issued the certificate is unavailable.
(b) The secretary or county clerk may require the person
requesting suspension to provide evidence, including a statement
under oath or affirmation, regarding the requester's identity,
authorization, or the unavailability of the issuing
certification authority, and may decline to suspend the
certificate in its discretion. The secretary or law enforcement
agencies may investigate suspensions by the secretary or county
clerk for possible wrongdoing by persons requesting suspension.
Sec. 22. Minnesota Statutes 1997 Supplement, section
325K.14, subdivision 3, is amended to read:
Subd. 3. [NOTICE OF SUSPENSION.] Immediately upon
suspension of a certificate by a licensed certification
authority, the licensed certification authority shall give
notice of the suspension according to the specification in the
certificate. If one or more repositories are specified, then
the licensed certification authority must publish a signed
notice of the suspension in all the repositories. If a
repository no longer exists or refuses to accept publication, or
if no repository is recognized under section 325K.25, the
licensed certification authority must also publish the notice in
a recognized repository. If a certificate is suspended by the
secretary or county clerk, the secretary or clerk must give
notice as required in this subdivision for a licensed
certification authority, provided that the person requesting
suspension pays in advance any fee required by a repository for
publication of the notice of suspension.
Sec. 23. Minnesota Statutes 1997 Supplement, section
325K.14, subdivision 5, is amended to read:
Subd. 5. [CONTRACT LIMITATION OR PRECLUSION.] The contract
between a subscriber and a licensed certification authority may
limit or preclude requested suspension by the certification
authority, or may provide otherwise for termination of a
requested suspension. However, if the contract limits or
precludes suspension by the secretary or county clerk when the
issuing certification authority is unavailable, the limitation
or preclusion is effective only if notice of it is published in
the certificate.
Sec. 24. Minnesota Statutes 1997 Supplement, section
325K.14, is amended by adding a subdivision to read:
Subd. 8. [COMPLETION OF SUSPENSION.] A suspension under
this section must be completed within 24 hours of receipt of all
of the information required in this section.
Sec. 25. Minnesota Statutes 1997 Supplement, section
325K.15, subdivision 3, is amended to read:
Subd. 3. [AFTER DEATH OR DISSOLUTION.] A licensed
certification authority must revoke a certificate that it issued:
(1) upon receiving a certified copy of the subscriber's
death certificate, or upon confirming by other evidence that the
subscriber is dead; or
(2) upon presentation of documents effecting a dissolution
of the subscriber, or upon confirming by other evidence that the
subscriber has been dissolved or has ceased to exist, except
that if the subscriber is dissolved and is reinstated or
restored before revocation is completed, the certification
authority is not required to revoke the certificate.
Sec. 26. Minnesota Statutes 1997 Supplement, section
325K.15, subdivision 7, is amended to read:
Subd. 7. [WARRANTIES DISCHARGED.] Upon notification as
required by subdivision 5, a licensed certification authority is
discharged of its warranties based on issuance of the revoked
certificate as to transactions occurring after the notification
and ceases to certify as provided in section 325K.11,
subdivisions 2 and 3, in relation to the revoked certificate.
Sec. 27. Minnesota Statutes 1997 Supplement, section
325K.18, subdivision 1, is amended to read:
Subdivision 1. [BOND OR LETTER OF CREDIT.] (a) If the
suitable guaranty is a surety bond, a person may recover from
the surety the full amount of a qualified right to payment
against the principal named in the bond, or, if there is more.
than one such qualified right to payment during the term of the
bond, a ratable share, up to a maximum total liability of the
surety equal to the amount of the bond.
(b) If the suitable guaranty is a letter of credit, a
person may recover from the issuing financial institution the
full amount of a qualified right to payment only in accordance
with the terms of the letter of credit.
(c) If the suitable guaranty is a policy of insurance, a
person may recover under the terms of the policy.
(d) Claimants may recover successively on the same suitable
guaranty, provided that the total liability on the suitable
guaranty to all persons making qualified rights of payment
during its term must not exceed the amount of the suitable
guaranty.
Sec. 28. Minnesota Statutes 1997 Supplement, section
325K.18, subdivision 2, is amended to read:
Subd. 2. [ATTORNEY FEES AND COURT COSTS.] (a) Subject to
paragraph (b), in addition to recovering the amount of a
qualified right to payment, a claimant may recover:
(1) from the proceeds of the guaranty, until depleted;:
(2) (1) the attorneys' fees, reasonable in amount; and
(3) (2) court costs incurred by the claimant in collecting
the claim.
(b) However, the total liability on the suitable guaranty
to all persons making qualified rights of payment or recovering
attorneys' fees during its term must not exceed the amount of
the suitable guaranty.
Sec. 29. Minnesota Statutes 1997 Supplement, section
325K.25, subdivision 1, is amended to read:
Subdivision 1. [CONDITIONS.] The secretary must recognize
one or more repositories, after finding that a repository to be
recognized:
(1) is operated under the direction of a licensed
certification authority;
(2) includes a database containing:
(i) certificates published in the repository;
(ii) notices of suspended or revoked certificates published
by licensed certification authorities or other persons
suspending or revoking certificates;
(iii) certification authority disclosure records for
licensed certification authorities;
(iv) all orders or advisory statements published by the
secretary in regulating certification authorities; and
(v) other information adopted by rule by the secretary;
(3) operates by means of a trustworthy system;
(4) contains no significant amount of information that is
known or likely to be untrue, inaccurate, or not reasonably
reliable;
(5) contains certificates published by certification
authorities that conform to legally binding requirements that
the secretary finds to be substantially similar to, or more
stringent toward the certification authorities, than those of
this state; and
(6) keeps an archive of certificates that have been
suspended or revoked, or that have expired, within at least the
past three years; and
(7) complies with other reasonable requirements adopted by
rule by the secretary.
Sec. 30. [325K.27] [COURT RULES.]
Nothing in this chapter shall be construed to limit the
authority of the supreme court to adopt rules of pleading,
practice or procedure, or of the court of appeals or district
courts to adopt supplementary local rules, governing the use of
electronic messages and documents, including, but not limited
to, rules governing the use of digital signatures in judicial
proceedings.
Sec. 31. [REPEALER.]
Minnesota Statutes 1997 Supplement, sections 325K.05,
subdivision 3; 325K.06, subdivisions 3, 4, and 5; 325K.13,
subdivisions 2 and 3; and 325K.14, subdivision 7, are repealed.
Presented to the governor March 19, 1998
Signed by the governor March 23, 1998, 10:51 a.m.
Official Publication of the State of Minnesota
Revisor of Statutes