Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

Office of the Revisor of Statutes

Key: (1) language to be deleted (2) new language

                            CHAPTER 178-S.F.No. 173 
                  An act relating to commerce; providing for the use, 
                  validity, and security of electronic signatures and 
                  messages transmitted in commerce; prescribing 
                  penalties; proposing coding for new law as Minnesota 
                  Statutes, chapter 325K. 
        BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 
           Section 1.  [SHORT TITLE.] 
           This chapter may be cited as the Minnesota Electronic 
        Authentication Act. 
           Sec. 2.  [325K.01] [DEFINITIONS.] 
           Subdivision 1.  [SCOPE.] Unless the context clearly 
        requires otherwise, the terms used in this chapter have the 
        meanings given them in this section.  
           Subd. 2.  [ACCEPT A CERTIFICATE.] "Accept a certificate" 
        means either:  
           (1) to manifest approval of a certificate, while knowing or 
        having notice of its contents; or 
           (2) to apply to a licensed certification authority for a 
        certificate, without canceling or revoking the application by 
        delivering notice of the cancellation or revocation to the 
        certification authority and obtaining a signed, written receipt 
        from the certification authority, if the certification authority 
        subsequently issues a certificate based on the application. 
           Subd. 3.  [ASYMMETRIC CRYPTOSYSTEM.] "Asymmetric 
        cryptosystem" means an algorithm or series of algorithms that 
        provide a secure key pair. 
           Subd. 4.  [CERTIFICATE.] "Certificate" means a 
        computer-based record that: 
           (1) identifies the certification authority issuing it; 
           (2) names or identifies its subscriber; 
           (3) contains the subscriber's public key; and 
           (4) is digitally signed by the certification authority 
        issuing it. 
           Subd. 5.  [CERTIFICATION AUTHORITY.] "Certification 
        authority" means a person who issues a certificate. 
           Subd. 6.  [CERTIFICATION AUTHORITY DISCLOSURE 
        RECORD.] "Certification authority disclosure record" means an 
        on-line, publicly accessible record that concerns a licensed 
        certification authority and is kept by the secretary.  A 
        certification authority disclosure record has the contents 
        specified by rule by the secretary under section 325K.03. 
           Subd. 7.  [CERTIFICATION PRACTICE 
        STATEMENT.] "Certification practice statement" means a 
        declaration of the practices that a certification authority 
        employs in issuing certificates generally, or employed in 
        issuing a material certificate. 
           Subd. 8.  [CERTIFY.] "Certify" means to declare with 
        reference to a certificate, with ample opportunity to reflect, 
        and with a duty to apprise oneself of all material facts. 
           Subd. 9.  [CONFIRM.] "Confirm" means to ascertain through 
        appropriate inquiry and investigation. 
           Subd. 10.  [CORRESPOND.] "Correspond," with reference to 
        keys, means to belong to the same key pair. 
           Subd. 11.  [DIGITAL SIGNATURE.] "Digital signature" means a 
        transformation of a message using an asymmetric cryptosystem 
        such that a person having the initial message and the signer's 
        public key can accurately determine: 
           (1) whether the transformation was created using the 
        private key that corresponds to the signer's public key; and 
           (2) whether the initial message has been altered since the 
        transformation was made. 
           Subd. 12.  [FINANCIAL INSTITUTION.] "Financial institution" 
        means a national or state-chartered commercial bank or trust 
        company, savings bank, savings association, or credit union 
        authorized to do business in the state of Minnesota and the 
        deposits of which are federally insured. 
           Subd. 13.  [FORGE A DIGITAL SIGNATURE.] "Forge a digital 
        signature" means either: 
           (1) to create a digital signature without the authorization 
        of the rightful holder of the private key; or 
           (2) to create a digital signature verifiable by a 
        certificate listing as subscriber a person who either: 
           (i) does not exist; or 
           (ii) does not hold the private key corresponding to the 
        public key listed in the certificate. 
           Subd. 14.  [HOLD A PRIVATE KEY.] "Hold a private key" means 
        to be authorized to utilize a private key. 
           Subd. 15.  [INCORPORATE BY REFERENCE.] "Incorporate by 
        reference" means to make one message a part of another message 
        by identifying the message to be incorporated and expressing the 
        intention that it be incorporated. 
           Subd. 16.  [ISSUE A CERTIFICATE.] "Issue a certificate" 
        means the acts of a certification authority in creating a 
        certificate and notifying the subscriber listed in the 
        certificate of the contents of the certificate. 
           Subd. 17.  [KEY PAIR.] "Key pair" means a private key and 
        its corresponding public key in an asymmetric cryptosystem, keys 
        which have the property that the public key can verify a digital 
        signature that the private key creates. 
           Subd. 18.  [LICENSED CERTIFICATION AUTHORITY.] "Licensed 
        certification authority" means a certification authority to whom 
        a license has been issued by the secretary and whose license is 
        in effect. 
           Subd. 19.  [MESSAGE.] "Message" means a digital 
        representation of information. 
           Subd. 20.  [NOTIFY.] "Notify" means to communicate a fact 
        to another person in a manner reasonably likely under the 
        circumstances to impart knowledge of the information to the 
        other person. 
           Subd. 21.  [OPERATIVE PERSONNEL.] "Operative personnel" 
        means one or more natural persons acting as a certification 
        authority or its agent, or in the employment of, or under 
        contract with, a certification authority, and who have: 
           (1) managerial or policymaking responsibilities for the 
        certification authority; or 
           (2) duties directly involving the issuance of certificates, 
        creation of private keys, or administration of a certification 
        authority's computing facilities. 
           Subd. 22.  [PERSON.] "Person" means a human being or an 
        organization capable of signing a document, either legally or as 
        a matter of fact. 
           Subd. 23.  [PRIVATE KEY.] "Private key" means the key of a 
        key pair used to create a digital signature. 
           Subd. 24.  [PUBLIC KEY.] "Public key" means the key of a 
        key pair used to verify a digital signature. 
           Subd. 25.  [PUBLISH.] "Publish" means to record or file in 
        a repository. 
           Subd. 26.  [QUALIFIED RIGHT TO PAYMENT.] "Qualified right 
        to payment" means an award of damages against a licensed 
        certification authority by a court having jurisdiction over the 
        certification authority in a civil action for violation of this 
        chapter. 
           Subd. 27.  [RECIPIENT.] "Recipient" means a person who 
        receives or has a digital signature and is in a position to rely 
        on it. 
           Subd. 28.  [RECOGNIZED REPOSITORY.] "Recognized repository" 
        means a repository recognized by the secretary under section 
        325K.25. 
           Subd. 29.  [RECOMMENDED RELIANCE LIMIT.] "Recommended 
        reliance limit" means the monetary amount recommended for 
        reliance on a certificate under section 325K.17. 
           Subd. 30.  [REPOSITORY.] "Repository" means a system for 
        storing and retrieving certificates and other information 
        relevant to digital signatures. 
           Subd. 31.  [REVOKE A CERTIFICATE.] "Revoke a certificate" 
        means to make a certificate ineffective permanently from a 
        specified time forward.  Revocation is effected by notation or 
        inclusion in a set of revoked certificates, and does not imply 
        that a revoked certificate is destroyed or made illegible. 
           Subd. 32.  [RIGHTFULLY HOLD A PRIVATE KEY.] "Rightfully 
        hold a private key" means the authority to utilize a private key:
           (1) that the holder or the holder's agents have not 
        disclosed to a person in violation of section 325K.13, 
        subdivision 1; and 
           (2) that the holder has not obtained through theft, deceit, 
        eavesdropping, or other unlawful means. 
           Subd. 33.  [SECRETARY.] "Secretary" means the Minnesota 
        secretary of state. 
           Subd. 34.  [SUBSCRIBER.] "Subscriber" means a person who: 
           (1) is the subject listed in a certificate; 
           (2) accepts the certificate; and 
           (3) holds a private key that corresponds to a public key 
        listed in that certificate. 
           Subd. 35.  [SUITABLE GUARANTY.] "Suitable guaranty" means 
        either a surety bond executed by a surety authorized by the 
        commissioner of commerce to do business in this state, or an 
        irrevocable letter of credit issued by a financial institution 
        authorized to do business in this state, that: 
           (1) is issued payable to the secretary for the benefit of 
        persons holding qualified rights of payment against the licensed 
        certification authority named as the principal of the bond or 
        customer of the letter of credit; 
           (2) is in an amount specified by rule by the secretary 
        under section 325K.03; 
           (3) states that it is issued for filing under this chapter; 
           (4) specifies a term of effectiveness extending at least as 
        long as the term of the license to be issued to the 
        certification authority; and 
           (5) is in a form prescribed or approved by rule by the 
        secretary. 
           A suitable guaranty may also provide that the total annual 
        liability on the guaranty to all persons making claims based on 
        it may not exceed the face amount of the guaranty. 
           Subd. 36.  [SUSPEND A CERTIFICATE.] "Suspend a certificate" 
        means to make a certificate ineffective temporarily for a 
        specified time forward. 
           Subd. 37.  [TIME STAMP.] "Time stamp" means either: 
           (1) to append or attach to a message, digital signature, or 
        certificate a digitally signed notation indicating at least the 
        date, time, and identity of the person appending or attaching 
        the notation; or 
           (2) the notation thus appended or attached. 
           Subd. 38.  [TRANSACTIONAL CERTIFICATE.] "Transactional 
        certificate" means a valid certificate incorporating by 
        reference one or more of the digital signatures. 
           Subd. 39.  [TRUSTWORTHY SYSTEM.] "Trustworthy system" means 
        a computer hardware and software that: 
           (1) are reasonably secure from intrusion and misuse; 
           (2) provide a reasonable level of availability, 
        reliability, and correct operation; and 
           (3) are reasonably suited to performing their intended 
        functions. 
           Subd. 40.  [VALID CERTIFICATE.] "Valid certificate" means a 
        certificate that: 
           (1) a licensed certification authority has issued; 
           (2) the subscriber listed in it has accepted; 
           (3) has not been revoked or suspended; and 
           (4) has not expired. 
           However, a transactional certificate is a valid certificate 
        only in relation to the digital signature incorporated in it by 
        reference. 
           Subd. 41.  [VERIFY A DIGITAL SIGNATURE.] "Verify a digital 
        signature" means, in relation to a given digital signature, 
        message, and public key, to determine accurately that: 
           (1) the digital signature was created by the private key 
        corresponding to the public key; and 
           (2) the message has not been altered since its digital 
        signature was created. 
           Sec. 3.  [325K.02] [PURPOSES AND CONSTRUCTION.] 
           This chapter shall be construed consistently with what is 
        commercially reasonable under the circumstances and to 
        effectuate the following purposes: 
           (1) to facilitate commerce by means of reliable electronic 
        messages; 
           (2) to minimize the incidence of forged digital signatures 
        and fraud in electronic commerce; 
           (3) to implement legally the general import of relevant 
        standards, such as X.509 of the International Telecommunication 
        Union, formerly known as the international telegraph and 
        telephone consultative committee; and 
           (4) to establish, in coordination with multiple states, 
        uniform rules regarding the authentication and reliability of 
        electronic messages. 
           Sec. 4.  [325K.03] [ROLE OF THE SECRETARY.] 
           Subdivision 1.  [TRANSITIONAL DUTY.] If six months elapse 
        during which time no certification authority is licensed in this 
        state, then the secretary shall be a certification authority, 
        and may issue, suspend, and revoke certificates in the manner 
        prescribed for licensed certification authorities.  Except for 
        licensing requirements, this chapter applies to the secretary 
        with respect to certificates the secretary issues.  The 
        secretary must discontinue acting as a certification authority 
        if another certification authority is licensed, in a manner 
        allowing reasonable transition to private enterprise. 
           Subd. 2.  [RECORD.] The secretary must maintain a publicly 
        accessible database containing a certification authority 
        disclosure record for each licensed certification authority.  
        The secretary must publish the contents of the database in at 
        least one recognized repository. 
           Subd. 3.  [RULES.] The secretary must adopt rules 
        consistent with this chapter and in furtherance of its purposes: 
           (1) to govern licensed certification authorities, their 
        practice, and the termination of a certification authority's 
        practice; 
           (2) to determine an amount reasonably appropriate for a 
        suitable guaranty, in light of the burden a suitable guaranty 
        places upon licensed certification authorities and the assurance 
        of quality and financial responsibility it provides to persons 
        who rely on certificates issued by licensed certification 
        authorities; 
           (3) to specify reasonable requirements for the form of 
        certificates issued by licensed certification authorities, in 
        accordance with generally accepted standards for digital 
        signature certificates; 
           (4) to specify reasonable requirements for recordkeeping by 
        licensed certification authorities; 
           (5) to specify reasonable requirements for the content, 
        form, and sources of information in certification authority 
        disclosure records, the updating and timeliness of the 
        information, and other practices and policies relating to 
        certification authority disclosure records; 
           (6) to specify the form of the certification practice 
        statements; and 
           (7) otherwise to give effect to and implement this chapter. 
           Sec. 5.  [325K.04] [FEES.] 
           The secretary may adopt rules establishing reasonable fees 
        for all services rendered under this chapter, in amounts 
        sufficient to compensate for the costs of all services under 
        this chapter.  All fees recovered by the secretary must be 
        deposited in the state general fund. 
           Sec. 6.  [325K.05] [LICENSURE AND QUALIFICATIONS OF 
        CERTIFICATION AUTHORITIES.] 
           Subdivision 1.  [LICENSE CONDITIONS.] To obtain or retain a 
        license, a certification authority must: 
           (1) be the subscriber of a certificate published in a 
        recognized repository; 
           (2) employ as operative personnel only persons who have not 
        been convicted within the past 15 years of a felony or a crime 
        involving fraud, false statement, or deception; 
           (3) employ as operative personnel only persons who have 
        demonstrated knowledge and proficiency in following the 
        requirements of this chapter; 
           (4) file with the secretary a suitable guaranty, unless the 
        certification authority is a department, office, or official of 
        a state, city, or county governmental entity, provided that: 
           (i) each of these public entities act through designated 
        officials authorized by rule or ordinance to perform 
        certification authority functions; or 
           (ii) one of these public entities is the subscriber of all 
        certificates issued by the certification authority; 
           (5) have the right to use a trustworthy system, including a 
        secure means for limiting access to its private key; 
           (6) present proof to the secretary of having working 
        capital reasonably sufficient, according to rules adopted by the 
        secretary, to enable the applicant to conduct business as a 
        certification authority; 
           (7) maintain an office in this state or have established a 
        registered agent for service of process in this state; and 
           (8) comply with all further licensing requirements 
        established by rule by the secretary. 
           Subd. 2.  [LICENSE PROCEDURES.] The secretary must issue a 
        license to a certification authority that: 
           (1) is qualified under subdivision 1; 
           (2) applies in writing to the secretary for a license; and 
           (3) pays a filing fee adopted by rule by the secretary. 
           Subd. 3.  [RULES.] The secretary may by rule classify 
        licenses according to specified limitations, such as a maximum 
        number of outstanding certificates, cumulative maximum of 
        recommended reliance limits in certificates issued by the 
        certification authority, or issuance only within a single firm 
        or organization, and the secretary may issue licenses restricted 
        according to the limits of each classification.  A certification 
        authority acts as an unlicensed certification authority in 
        issuing a certificate exceeding the restrictions of the 
        certification authority's license. 
           Subd. 4.  [REVOCATION OR SUSPENSION.] The secretary may 
        revoke or suspend a certification authority's license, in 
        accordance with the administrative procedure act, chapter 14, 
        for failure to comply with this chapter or for failure to remain 
        qualified under subdivision 1. 
           Subd. 5.  [LOCAL AUTHORITIES.] The secretary may recognize 
        by rule the licensing or authorization of certification 
        authorities by local, metropolitan, or regional governmental 
        entities, provided that those licensing or authorization 
        requirements are substantially similar to those of this state.  
        If licensing by another governmental entity is so recognized: 
           (1) sections 325K.19 to 325K.24 apply to certificates 
        issued by the certification authorities licensed or authorized 
        by that governmental entity in the same manner as it applies to 
        licensed certification authorities of this state; and 
           (2) the liability limits of section 325K.17 apply to the 
        certification authorities licensed or authorized by that 
        governmental entity in the same manner as they apply to licensed 
        certification authorities of this state. 
           Subd. 6.  [APPLICABILITY TO DIGITAL SIGNATURES.] Unless the 
        parties provide otherwise by contract between themselves, the 
        licensing requirements in this section do not affect the 
        effectiveness, enforceability, or validity of any digital 
        signature, except that sections 325K.19 to 325K.24 do not apply 
        in relation to a digital signature that cannot be verified by a 
        certificate issued by an unlicensed certification authority. 
           Subd. 7.  [NONAPPLICABILITY.] A certification authority 
        that has not obtained a license is not subject to the provision 
        of this chapter. 
           Sec. 7.  [325K.06] [PERFORMANCE AUDITS.] 
           Subdivision 1.  [ANNUAL AUDIT; AUDITOR QUALIFICATIONS; 
        RULES.] A certified public accountant having expertise in 
        computer security must audit the operations of each licensed 
        certification authority at least once each year to evaluate 
        compliance with this chapter.  The secretary may by rule specify 
        the qualifications of auditors. 
           Subd. 2.  [COMPLIANCE CATEGORIES.] Based on information 
        gathered in the audit, the auditor must categorize the licensed 
        certification authority's compliance as one of the following: 
           (a) [FULL COMPLIANCE.] The certification authority appears 
        to conform to all applicable statutory and regulatory 
        requirements. 
           (b) [SUBSTANTIAL COMPLIANCE.] The certification authority 
        appears generally to conform to applicable statutory and 
        regulatory requirements.  However, one or more instances of 
        noncompliance or of inability to demonstrate compliance were 
        found in an audited sample, but were likely to be 
        inconsequential. 
           (c) [PARTIAL COMPLIANCE.] The certification authority 
        appears to comply with some statutory and regulatory 
        requirements, but was found not to have complied or not be able 
        to demonstrate compliance with one or more important safeguards. 
           (d) [NONCOMPLIANCE.] The certification authority complies 
        with few or none of the statutory and regulatory requirements, 
        fails to keep adequate records to demonstrate compliance with 
        more than a few requirements, or refused to submit to an audit. 
           The secretary shall publish in the certification authority 
        disclosure record it maintains for the certification authority 
        the date of the audit and the resulting categorization of the 
        certification authority. 
           Subd. 3.  [EXEMPTION FROM AUDIT.] The secretary may exempt 
        a licensed certification authority from the requirements of 
        subdivision 1, if: 
           (1) the certification authority to be exempted requests 
        exemption in writing; 
           (2) the most recent performance audit, if any, of the 
        certification authority resulted in a finding of full or 
        substantial compliance; and 
           (3) the certification authority declares under oath, 
        affirmation, or penalty of perjury that one or more of the 
        following is true with respect to the certification authority:  
           (i) the certification authority has issued fewer than six 
        certificates during the past year and the recommended reliance 
        limits of all of the certificates do not exceed $10,000; 
           (ii) the aggregate lifetime of all certificates issued by 
        the certification authority during the past year is less than 30 
        days and the recommended reliance limits of all of the 
        certificates do not exceed $10,000; or 
           (iii) the recommended reliance limits of all certificates 
        outstanding and issued by the certification authority total less 
        than $1,000. 
           Subd. 4.  [FALSE DECLARATION.] If the certification 
        authority's declaration under subdivision 3 falsely states a 
        material fact, the certification authority has failed to comply 
        with the performance audit requirements of this section. 
           Subd. 5.  [RECORD OF EXEMPTION.] If a licensed 
        certification authority is exempt under subdivision 3, the 
        secretary must publish in the certification authority disclosure 
        record it maintains for the certification authority that the 
        certification authority is exempt from the performance audit 
        requirement. 
           Sec. 8.  [325K.07] [ENFORCEMENT OF REQUIREMENTS FOR 
        LICENSED CERTIFICATION AUTHORITIES.] 
           Subdivision 1.  [INVESTIGATION.] The secretary may 
        investigate the activities of a licensed certification authority 
        material to its compliance with this chapter and issue orders to 
        a certification authority to further its investigation and 
        secure compliance with this chapter. 
           Subd. 2.  [SUSPENSION OR REVOCATION.] The secretary may 
        suspend or revoke the license of a certification authority for 
        its failure to comply with an order of the secretary. 
           Subd. 3.  [CIVIL PENALTY.] The secretary may by order 
        impose and collect a civil monetary penalty for a violation of 
        this chapter in an amount not to exceed $5,000 per incident, or 
        90 percent of the recommended reliance limit of a material 
        certificate, whichever is less.  In case of a violation 
        continuing for more than one day, each day is considered a 
        separate incident. 
           Subd. 4.  [PAYMENT OF COSTS.] The secretary may order a 
        certification authority, which it has found to be in violation 
        of this chapter, to pay the costs incurred by the secretary in 
        prosecuting and adjudicating proceedings relative to the order, 
        and enforcing it. 
           Subd. 5.  [ADMINISTRATIVE PROCEDURES; INJUNCTIVE 
        RELIEF.] (a) The secretary must exercise authority under this 
        section in accordance with the administrative procedure act, 
        chapter 14, and a licensed certification authority may obtain 
        judicial review of the secretary's actions as prescribed by 
        chapter 14.  
           (b) The secretary may also seek injunctive relief to compel 
        compliance with an order. 
           Sec. 9.  [325K.08] [DANGEROUS ACTIVITIES BY CERTIFICATION 
        AUTHORITY PROHIBITED.] 
           Subdivision 1.  [PROHIBITION GENERALLY.] No certification 
        authority, whether licensed or not, may conduct its business in 
        a manner that creates an unreasonable risk of loss to 
        subscribers of the certification authority, to persons relying 
        on certificates issued by the certification authority, or to a 
        repository. 
           Subd. 2.  [ORDERS AND CIVIL ACTIONS.] In the manner 
        provided by the administrative procedure act, chapter 14, the 
        secretary may issue orders and obtain injunctions or other civil 
        relief to prevent or restrain a certification authority from 
        violating this section, regardless of whether the certification 
        authority is licensed.  This section does not create a right of 
        action in a person other than the secretary. 
           Sec. 10.  [325K.09] [GENERAL REQUIREMENTS FOR CERTIFICATION 
        AUTHORITIES.] 
           Subdivision 1.  [USE OF TRUSTWORTHY SYSTEM.] A licensed 
        certification authority or subscriber may use only a trustworthy 
        system: 
           (1) to issue, suspend, or revoke a certificate; 
           (2) to publish or give notice of the issuance, suspension, 
        or revocation of a certificate; or 
           (3) to create a private key. 
           Subd. 2.  [DISCLOSURE REQUIRED.] A licensed certification 
        authority shall disclose any material certification practice 
        statement and disclose any fact material to either the 
        reliability of a certificate that it has issued or its ability 
        to perform its services.  A certification authority may require 
        a signed, written, and reasonably specific inquiry from an 
        identified person and payment of reasonable compensation as 
        conditions precedent to effecting a disclosure required in this 
        subdivision. 
           Sec. 11.  [325K.10] [ISSUANCE OF CERTIFICATE.] 
           Subdivision 1.  [CONDITIONS.] A licensed certification 
        authority may issue a certificate to a subscriber only after all 
        of the following conditions are satisfied: 
           (1) the certification authority has received a request for 
        issuance signed by the prospective subscriber; and 
           (2) the certification authority has confirmed that: 
           (i) the prospective subscriber is the person to be listed 
        in the certificate to be issued; 
           (ii) if the prospective subscriber is acting through one or 
        more agents, the subscriber duly authorized each agent to have 
        custody of the subscriber's private key and to request issuance 
        of a certificate listing the corresponding public key; 
           (iii) the information in the certificate to be issued is 
        accurate; 
           (iv) the prospective subscriber rightfully holds the 
        private key corresponding to the public key to be listed in the 
        certificate; 
           (v) the prospective subscriber holds a private key capable 
        of creating a digital signature; and 
           (vi) the public key to be listed in the certificate can be 
        used to verify a digital signature affixed by the private key 
        held by the prospective subscriber. 
           The requirements of this subdivision may not be waived or 
        disclaimed by either the licensed certification authority, the 
        subscriber, or both. 
           Subd. 2.  [PUBLICATION.] If the subscriber accepts the 
        issued certificate, the certification authority shall publish a 
        signed copy of the certificate in a recognized repository, as 
        the certification authority and the subscriber named in the 
        certificate may agree, unless a contract between the 
        certification authority and the subscriber provides otherwise.  
        If the subscriber does not accept the certificate, a licensed 
        certification authority shall not publish it, or shall cancel 
        its publication if the certificate has already been published. 
           Subd. 3.  [APPLICATION OF OTHER STANDARDS.] Nothing in this 
        section precludes a licensed certification authority from 
        conforming to standards, certification practice statements, 
        security plans, or contractual requirements more rigorous than, 
        but nevertheless consistent with, this chapter. 
           Subd. 4.  [SUSPENSION OR REVOCATION.] After issuing a 
        certificate, a licensed certification authority shall revoke it 
        immediately upon confirming that it was not issued as required 
        by this section.  A licensed certification authority may also 
        suspend a certificate that it has issued for a reasonable period 
        not exceeding 48 hours as needed for an investigation to confirm 
        grounds for revocation under this subdivision.  The 
        certification authority shall give notice to the subscriber as 
        soon as practicable after a decision to revoke or suspend under 
        this subdivision. 
           Subd. 5.  [ORDER OF SUSPENSION OR REVOCATION.] The 
        secretary may order the licensed certification authority to 
        suspend or revoke a certificate that the certification authority 
        issued if, after giving any required notice and opportunity for 
        the certification authority and subscriber to be heard in 
        accordance with the administrative procedure act, chapter 14, 
        the secretary determines that: 
           (1) the certificate was issued without substantial 
        compliance with this section; and 
           (2) the noncompliance poses a significant risk to persons 
        reasonably relying on the certificate. 
           Upon determining that an emergency requires an immediate 
        remedy, and in accordance with the administrative procedure act, 
        chapter 14, the secretary may issue an order suspending a 
        certificate for a period not to exceed 48 hours. 
           Sec. 12.  [325K.11] [WARRANTIES AND OBLIGATIONS UPON 
        ISSUANCE OF CERTIFICATE.] 
           Subdivision 1.  [ABSOLUTE WARRANTIES TO SUBSCRIBERS.] By 
        issuing a certificate, a licensed certification authority 
        warrants to the subscriber named in the certificate that: 
           (1) the certificate contains no information known to the 
        certification authority to be false; 
           (2) the certificate satisfies all material requirements of 
        this chapter; and 
           (3) the certification authority has not exceeded any limits 
        of its license in issuing the certificate. 
           The certification authority may not disclaim or limit the 
        warranties of this subdivision. 
           Subd. 2.  [NEGOTIABLE WARRANTIES TO SUBSCRIBERS.] Unless 
        the subscriber and certification authority otherwise agree, a 
        certification authority, by issuing a certificate, promises to 
        the subscriber: 
           (1) to act promptly to suspend or revoke a certificate in 
        accordance with section 325K.14 or 325K.15; and 
           (2) to notify the subscriber within a reasonable time of 
        any facts known to the certification authority that 
        significantly affect the validity or reliability of the 
        certificate once it is issued. 
           Subd. 3.  [WARRANTIES TO THOSE WHO REASONABLY RELY.] By 
        issuing a certificate, a licensed certification authority 
        certifies to all who reasonably rely on the information 
        contained in the certificate that: 
           (1) the information in the certificate and listed as 
        confirmed by the certification authority is accurate; 
           (2) all information foreseeably material to the reliability 
        of the certificate is stated or incorporated by reference within 
        the certificate; 
           (3) the subscriber has accepted the certificate; and 
           (4) the licensed certification authority has complied with 
        all applicable laws of this state governing issuance of the 
        certificate. 
           Subd. 4.  [WARRANTIES FOLLOWING PUBLICATION.] By publishing 
        a certificate, a licensed certification authority certifies to 
        the repository in which the certificate is published and to all 
        who reasonably rely on the information contained in the 
        certificate that the certification authority has issued the 
        certificate to the subscriber. 
           Sec. 13.  [325K.12] [REPRESENTATIONS AND DUTIES UPON 
        ACCEPTING CERTIFICATE.] 
           Subdivision 1.  [SUBSCRIBER WARRANTIES.] By accepting a 
        certificate issued by a licensed certification authority, the 
        subscriber listed in the certificate certifies to all who 
        reasonably rely on the information contained in the certificate 
        that: 
           (1) the subscriber rightfully holds the private key 
        corresponding to the public key listed in the certificate; 
           (2) all representations made by the subscriber to the 
        certification authority and material to the information listed 
        in the certificate are true; and 
           (3) all material representations made by the subscriber to 
        a certification authority or made in the certificate and not 
        confirmed by the certification authority in issuing the 
        certificate are true. 
           Subd. 2.  [AGENT WARRANTIES.] By requesting on behalf of a 
        principal the issuance of a certificate naming the principal as 
        subscriber, the requesting person certifies in that person's own 
        right to all who reasonably rely on the information contained in 
        the certificate that the requesting person: 
           (1) holds all authority legally required to apply for 
        issuance of a certificate naming the principal as subscriber; 
        and 
           (2) has authority to sign digitally on behalf of the 
        principal, and, if that authority is limited in any way, 
        adequate safeguards exist to prevent a digital signature 
        exceeding the bounds of the person's authority. 
           Subd. 3.  [DISCLAIMER LIMITATIONS.] No person may disclaim 
        or contractually limit the application of this section, nor 
        obtain indemnity for its effects, if the disclaimer, limitation, 
        or indemnity restricts liability for misrepresentation as 
        against persons reasonably relying on the certificate. 
           Subd. 4.  [INDEMNIFICATION BY SUBSCRIBER OR AGENT.] By 
        accepting a certificate, a subscriber undertakes to indemnify 
        the issuing certification authority for loss or damage caused by 
        issuance or publication of a certificate in reliance on: 
           (1) a false and material representation of fact by the 
        subscriber; or 
           (2) the failure by the subscriber to disclose a material 
        fact if the representation or failure to disclose was made 
        either with intent to deceive the certification authority or a 
        person relying on the certificate, or with negligence.  If the 
        certification authority issued the certificate at the request of 
        one or more agents of the subscriber, the agent or agents 
        personally undertake to indemnify the certification authority 
        under this subdivision, as if they were accepting subscribers in 
        their own right.  The indemnity provided in this section may not 
        be disclaimed or contractually limited in scope.  However, a 
        contract may provide consistent, additional terms regarding the 
        indemnification. 
           Subd. 5.  [CERTIFIED ACCURACY.] In obtaining information of 
        the subscriber material to issuance of a certificate, the 
        certification authority may require the subscriber to certify 
        the accuracy of relevant information under oath or affirmation 
        of truthfulness and under penalty of perjury. 
           Sec. 14.  [325K.13] [CONTROL OF PRIVATE KEY.] 
           Subdivision 1.  [DUTY.] By accepting a certificate issued 
        by a licensed certification authority, the subscriber identified 
        in the certificate assumes a duty to exercise reasonable care to 
        retain control of the private key and prevent its disclosure to 
        a person not authorized to create the subscriber's digital 
        signature. 
           Subd. 2.  [PRIVATE PROPERTY.] A private key is the personal 
        property of the subscriber who rightfully holds it. 
           Subd. 3.  [AUTHORITY AS FIDUCIARY.] If a certification 
        authority holds the private key corresponding to a public key 
        listed in a certificate that it has issued, the certification 
        authority holds the private key as a fiduciary of the subscriber 
        named in the certificate, and may use that private key only with 
        the subscriber's prior written approval, unless the subscriber 
        expressly grants the private key to the certification authority 
        and expressly permits the certification authority to hold the 
        private key according to other terms. 
           Sec. 15.  [325K.14] [SUSPENSION OF CERTIFICATE.] 
           Subdivision 1.  [SUSPENSION FOR 48 HOURS.] Unless the 
        certification authority and the subscriber agree otherwise, the 
        licensed certification authority that issued a certificate that 
        is not a transactional certificate must suspend the certificate 
        for a period not to exceed 48 hours: 
           (1) upon request by a person identifying himself or herself 
        as the subscriber named in the certificate, or as a person in a 
        position likely to know of a compromise of the security of a 
        subscriber's private key, such as an agent, business associate, 
        employee, or member of the immediate family of the subscriber; 
        or 
           (2) by order of the secretary under section 325K.10. 
           The certification authority need not confirm the identity 
        or agency of the person requesting suspension. 
           Subd. 2.  [SUSPENSION FOR 48 HOURS; OTHER CAUSES.] (a) 
        Unless the certificate provides otherwise or the certificate is 
        a transactional certificate, the secretary or a county clerk may 
        suspend a certificate issued by a licensed certification 
        authority for a period of 48 hours, if: 
           (1) a person identifying himself or herself as the 
        subscriber named in the certificate or as an agent, business 
        associate, employee, or member of the immediate family of the 
        subscriber requests suspension; and 
           (2) the requester represents that the certification 
        authority that issued the certificate is unavailable. 
           (b) The secretary or county clerk may require the person 
        requesting suspension to provide evidence, including a statement 
        under oath or affirmation, regarding the requester's identity, 
        authorization, or the unavailability of the issuing 
        certification authority, and may decline to suspend the 
        certificate in its discretion.  The secretary or law enforcement 
        agencies may investigate suspensions by the secretary or county 
        clerk for possible wrongdoing by persons requesting suspension. 
           Subd. 3.  [NOTICE OF SUSPENSION.] Immediately upon 
        suspension of a certificate by a licensed certification 
        authority, the licensed certification authority shall give 
        notice of the suspension according to the specification in the 
        certificate.  If one or more repositories are specified, then 
        the licensed certification authority must publish a signed 
        notice of the suspension in all the repositories.  If a 
        repository no longer exists or refuses to accept publication, or 
        if no repository is recognized under section 325K.25, the 
        licensed certification authority must also publish the notice in 
        a recognized repository.  If a certificate is suspended by the 
        secretary or county clerk, the secretary or clerk must give 
        notice as required in this subdivision for a licensed 
        certification authority, provided that the person requesting 
        suspension pays in advance any fee required by a repository for 
        publication of the notice of suspension. 
           Subd. 4.  [TERMINATING SUSPENSION.] A certification 
        authority must terminate a suspension initiated by request only: 
           (1) if the subscriber named in the suspended certificate 
        requests termination of the suspension and the certification 
        authority has confirmed that the person requesting suspension is 
        the subscriber or an agent of the subscriber authorized to 
        terminate the suspension; or 
           (2) when the certification authority discovers and confirms 
        that the request for the suspension was made without 
        authorization by the subscriber.  However, this clause does not 
        require the certification authority to confirm a request for 
        suspension. 
           Subd. 5.  [CONTRACT LIMITATION OR PRECLUSION.] The contract 
        between a subscriber and a licensed certification authority may 
        limit or preclude requested suspension by the certification 
        authority, or may provide otherwise for termination of a 
        requested suspension.  However, if the contract limits or 
        precludes suspension by the secretary or county clerk when the 
        issuing certification authority is unavailable, the limitation 
        or preclusion is effective only if notice of it is published in 
        the certificate. 
           Subd. 6.  [MISREPRESENTATION.] No person may knowingly or 
        intentionally misrepresent to a certification authority the 
        person's identity or authorization in requesting suspension of a 
        certificate.  Violation of this subdivision is a misdemeanor. 
           Subd. 7.  [EFFECT ON SUBSCRIBER.] The subscriber is 
        released from the duty to keep the private key secure under 
        section 325K.13, subdivision 1, while the certificate is 
        suspended. 
           Sec. 16.  [325K.15] [CERTIFICATE REVOCATION.] 
           Subdivision 1.  [AFTER REQUEST.] A licensed certification 
        authority must revoke a certificate that it issued but which is 
        not a transactional certificate, after: 
           (1) receiving a request for revocation by the subscriber 
        named in the certificate; and 
           (2) confirming that the person requesting revocation is the 
        subscriber, or is an agent of the subscriber with authority to 
        request the revocation. 
           Subd. 2.  [AFTER IDENTITY CONFIRMED.] A licensed 
        certification authority must confirm a request for revocation 
        and revoke a certificate within one business day after receiving 
        both a subscriber's written request and evidence reasonably 
        sufficient to confirm the identity and any agency of the person 
        requesting the suspension. 
           Subd. 3.  [AFTER DEATH OR DISSOLUTION.] A licensed 
        certification authority must revoke a certificate that it issued:
           (1) upon receiving a certified copy of the subscriber's 
        death certificate, or upon confirming by other evidence that the 
        subscriber is dead; or 
           (2) upon presentation of documents effecting a dissolution 
        of the subscriber, or upon confirming by other evidence that the 
        subscriber has been dissolved or has ceased to exist. 
           Subd. 4.  [UNRELIABLE CERTIFICATE.] A licensed 
        certification authority may revoke one or more certificates that 
        it issued if the certificates are or become unreliable, 
        regardless of whether the subscriber consents to the revocation 
        and notwithstanding a provision to the contrary in a contract 
        between the subscriber and certification authority. 
           Subd. 5.  [NOTICE OF REVOCATION.] Immediately upon 
        revocation of a certificate by a licensed certification 
        authority, the licensed certification authority must give notice 
        of the revocation according to the specification in the 
        certificate.  If one or more repositories are specified, then 
        the licensed certification authority must publish a signed 
        notice of the revocation in all repositories.  If a repository 
        no longer exists or refuses to accept publication, or if no 
        repository is recognized under section 325K.13, then the 
        licensed certification authority must also publish the notice in 
        a recognized repository. 
           Subd. 6.  [WHEN CERTIFICATION BY SUBSCRIBER CEASES.] A 
        subscriber ceases to certify, as provided in section 325K.12, 
        and has no further duty to keep the private key secure, as 
        required by section 325K.13, in relation to the certificate 
        whose revocation the subscriber has requested, beginning at the 
        earlier of either: 
           (1) when notice of the revocation is published as required 
        in subdivision 5; or 
           (2) one business day after the subscriber requests 
        revocation in writing, supplies to the issuing certification 
        authority information reasonably sufficient to confirm the 
        request, and pays any contractually required fee. 
           Subd. 7.  [WARRANTIES DISCHARGED.] Upon notification as 
        required by subdivision 5, a licensed certification authority is 
        discharged of its warranties based on issuance of the revoked 
        certificate and ceases to certify as provided in section 
        325K.11, subdivisions 2 and 3, in relation to the revoked 
        certificate. 
           Sec. 17.  [325K.16] [CERTIFICATE EXPIRATION.] 
           Subdivision 1.  [EXPIRATION DATE.] A certificate must 
        indicate the date on which it expires. 
           Subd. 2.  [EFFECT OF EXPIRATION.] When a certificate 
        expires, the subscriber and certification authority cease to 
        certify as provided in this chapter and the certification 
        authority is discharged of its duties based on issuance, in 
        relation to the expired certificate. 
           Sec. 18.  [325K.17] [RECOMMENDED RELIANCE LIMITS.] 
           By specifying a recommended reliance limit in a 
        certificate, the issuing certification authority and accepting 
        subscriber recommend that persons rely on the certificate only 
        to the extent that the total amount at risk does not exceed the 
        recommended reliance limit. 
           Sec. 19.  [325K.18] [COLLECTION BASED ON SUITABLE 
        GUARANTY.] 
           Subdivision 1.  [BOND OR LETTER OF CREDIT.] (a) If the 
        suitable guaranty is a surety bond, a person may recover from 
        the surety the full amount of a qualified right to payment 
        against the principal named in the bond, or, if there is more 
        than one such qualified right to payment during the term of the 
        bond, a ratable share, up to a maximum total liability of the 
        surety equal to the amount of the bond. 
           (b) If the suitable guaranty is a letter of credit, a 
        person may recover from the issuing financial institution only 
        in accordance with the terms of the letter of credit. 
           (c) Claimants may recover successively on the same suitable 
        guaranty, provided that the total liability on the suitable 
        guaranty to all persons making qualified rights of payment 
        during its term must not exceed the amount of the suitable 
        guaranty. 
           Subd. 2.  [ATTORNEY FEES AND COURT COSTS.] (a) Subject to 
        paragraph (b), in addition to recovering the amount of a 
        qualified right to payment, a claimant may recover: 
           (1) from the proceeds of the guaranty, until depleted; 
           (2) the attorneys' fees, reasonable in amount; and 
           (3) court costs incurred by the claimant in collecting the 
        claim.  
           (b) However, the total liability on the suitable guaranty 
        to all persons making qualified rights of payment or recovering 
        attorneys' fees during its term must not exceed the amount of 
        the suitable guaranty. 
           Subd. 3.  [QUALIFIED RIGHT TO PAYMENT.] (a) To recover a 
        qualified right to payment against a surety or issuer of a 
        suitable guaranty, the claimant must: 
           (1) file written notice of the claim with the secretary 
        stating the name and address of the claimant, the amount 
        claimed, and the grounds for the qualified right to payment, and 
        any other information required by rule by the secretary; and 
           (2) append to the notice a certified copy of the judgment 
        on which the qualified right to payment is based. 
           (b) Recovery of a qualified right to payment from the 
        proceeds of the suitable guaranty is barred unless the claimant 
        substantially complies with this subdivision. 
           Subd. 4.  [STATUTE OF LIMITATIONS.] Recovery of a qualified 
        right to payment from the proceeds of a suitable guaranty are 
        forever barred unless notice of the claim is filed as required 
        in subdivision 3, paragraph (a), clause (1), within three years 
        after the occurrence of the violation of this chapter that is 
        the basis for the claim.  Notice under this subdivision need not 
        include the requirement imposed by subdivision 3, paragraph (a), 
        clause (2). 
           Sec. 20.  [325K.19] [SATISFACTION OF SIGNATURE 
        REQUIREMENTS.] 
           (a) Where a rule of law requires a signature, or provides 
        for certain consequences in the absence of a signature, that 
        rule is satisfied by a digital signature, if: 
           (1) no party affected by a digital signature objects to the 
        use of digital signatures in lieu of a signature, and the 
        objection may be evidenced by refusal to provide or accept a 
        digital signature; 
           (2) that digital signature is verified by reference to the 
        public key listed in a valid certificate issued by a licensed 
        certification authority; 
           (3) that digital signature was affixed by the signer with 
        the intention of signing the message and after the signer has 
        had an opportunity to review items being signed; and 
           (4) the recipient has no knowledge or notice that the 
        signer either: 
           (i) breached a duty as a subscriber; or 
           (ii) does not rightfully hold the private key used to affix 
        the digital signature. 
           (b) However, nothing in this chapter precludes a mark from 
        being valid as a signature under other applicable law. 
           Sec. 21.  [325K.20] [UNRELIABLE DIGITAL SIGNATURES.] 
           Unless otherwise provided by law or contract, the recipient 
        of a digital signature assumes the risk that a digital signature 
        is forged, if reliance on the digital signature is not 
        reasonable under the circumstances.  If the recipient determines 
        not to rely on a digital signature under this section, the 
        recipient must promptly notify the signer of any determination 
        not to rely on a digital signature and the grounds for that 
        determination.  Nothing in this chapter shall be construed to 
        obligate a person to accept a digital signature or to respond to 
        an electronic message containing a digital signature. 
           Sec. 22.  [325K.21] [DIGITALLY SIGNED DOCUMENT IS WRITTEN.] 
           (a) A message is as valid, enforceable, and effective as if 
        it had been written on paper, if it: 
           (1) bears in its entirety a digital signature; and 
           (2) that digital signature is verified by the public key 
        listed in a certificate that: 
           (i) was issued by a licensed certification authority; and 
           (ii) was valid at the time the digital signature was 
        created. 
           (b) Nothing in this chapter shall be construed to 
        eliminate, modify, or condition any other requirements for a 
        contract to be valid, enforceable, and effective.  No digital 
        message shall be deemed to be an instrument under the provisions 
        of section 336.3-104 unless all parties to the transaction agree.
           Sec. 23.  [325K.22] [DIGITALLY SIGNED ORIGINALS.] 
           A copy of a digitally signed message is as effective, 
        valid, and enforceable as the original of the message, unless it 
        is evident that the signer designated an instance of the 
        digitally signed message to be a unique original, in which case 
        only that instance constitutes the valid, effective, and 
        enforceable message. 
           Sec. 24.  [325K.23] [CERTIFICATE AS ACKNOWLEDGMENT.] 
           Unless otherwise provided by law or contract, a certificate 
        issued by a licensed certification authority is an 
        acknowledgment of a digital signature verified by reference to 
        the public key listed in the certificate, regardless of whether 
        words of an express acknowledgment appear with the digital 
        signature and regardless of whether the signer physically 
        appeared before the certification authority when the digital 
        signature was created, if that digital signature is: 
           (1) verifiable by that certificate; and 
           (2) affixed when that certificate was valid. 
           Sec. 25.  [325K.24] [PRESUMPTIONS IN ADJUDICATING DISPUTES; 
        LIABILITY ALLOCATION.] 
           Subdivision 1.  [PRESUMPTIONS.] In adjudicating a dispute 
        involving a digital signature, a court of this state presumes 
        that: 
           (a) A certificate digitally signed by a licensed 
        certification authority and either published in a recognized 
        repository, or made available by the issuing certification 
        authority or by the subscriber listed in the certificate is 
        issued by the certification authority that digitally signed it 
        and is accepted by the subscriber listed in it. 
           (b) The information listed in a valid certificate and 
        confirmed by a licensed certification authority issuing the 
        certificate is accurate. 
           (c) If a digital signature is verified by the public key 
        listed in a valid certificate issued by a licensed certification 
        authority: 
           (1) that digital signature is the digital signature of the 
        subscriber listed in that certificate; 
           (2) that digital signature was affixed by that subscriber 
        with the intention of signing the message; and 
           (3) the recipient of that digital signature has no 
        knowledge or notice that the signer: 
           (i) breached a duty as a subscriber; or 
           (ii) does not rightfully hold the private key used to affix 
        the digital signature. 
           (d) A digital signature was created before it was time 
        stamped by a disinterested person utilizing a trustworthy system.
           Subd. 2.  [LIABILITY ALLOCATION.] A court of this state 
        shall give effect to liability allocations between the parties 
        provided by contract to the extent not inconsistent with the 
        requirements of this chapter. 
           Sec. 26.  [325K.25] [RECOGNITION OF REPOSITORIES.] 
           Subdivision 1.  [CONDITIONS.] The secretary must recognize 
        one or more repositories, after finding that a repository to be 
        recognized: 
           (1) is operated under the direction of a licensed 
        certification authority; 
           (2) includes a database containing: 
           (i) certificates published in the repository; 
           (ii) notices of suspended or revoked certificates published 
        by licensed certification authorities or other persons 
        suspending or revoking certificates; 
           (iii) certification authority disclosure records for 
        licensed certification authorities; 
           (iv) all orders or advisory statements published by the 
        secretary in regulating certification authorities; and 
           (v) other information adopted by rule by the secretary; 
           (3) operates by means of a trustworthy system; 
           (4) contains no significant amount of information that is 
        known or likely to be untrue, inaccurate, or not reasonably 
        reliable; 
           (5) contains certificates published by certification 
        authorities that conform to legally binding requirements that 
        the secretary finds to be substantially similar to, or more 
        stringent toward the certification authorities, than those of 
        this state; 
           (6) keeps an archive of certificates that have been 
        suspended or revoked, or that have expired, within at least the 
        past three years; and 
           (7) complies with other reasonable requirements adopted by 
        rule by the secretary. 
           Subd. 2.  [APPLICATION.] A repository may apply to the 
        secretary for recognition by filing a written request and 
        providing evidence to the secretary sufficient for the secretary 
        to find that the conditions for recognition are satisfied. 
           Subd. 3.  [RECOGNITION DISCONTINUED.] A repository may 
        discontinue its recognition by filing 30 days' written notice 
        with the secretary.  In addition, the secretary may discontinue 
        recognition of a repository in accordance with the 
        administrative procedure act, chapter 14, if it concludes that 
        the repository no longer satisfies the conditions for 
        recognition listed in this section or in rules adopted by the 
        secretary. 
           Sec. 27.  [325K.26] [RULEMAKING.] 
           The secretary may adopt rules effective July 1, 1998, to 
        implement this chapter. 
           Sec. 28.  [EFFECTIVE DATE.] 
           Section 27 is effective July 1, 1997.  Sections 1 to 26 are 
        effective the day after the secretary of state causes to be 
        published in the State Register a certification by the secretary 
        of state that the secretary of state has adopted rules necessary 
        for the use of sections 1 to 27, except that any provision of 
        sections 1 to 27 authorizing or requiring rules to be adopted is 
        effective the day following final enactment. 
           Presented to the governor May 17, 1997 
           Signed by the governor May 19, 1997, 7:20 p.m.

Official Publication of the State of Minnesota
Revisor of Statutes