Minnesota Legislature

Office of the Revisor of Statutes

CHAPTER 8275, ELECTRONIC AUTHENTICATION

SECRETARY OF STATE

Table of Parts
Part Title
8275.0005 SCOPE AND PURPOSE OF CHAPTER.
8275.0010 DEFINITIONS.
8275.0015 APPLICATION FOR LICENSE AS CERTIFICATION AUTHORITY.
8275.0020 ISSUANCE OF LICENSE OR RENEWAL.
8275.0025 SUITABLE GUARANTY.
8275.0030 WORKING CAPITAL.
8275.0035 QUALIFICATION OF OPERATIVE PERSONNEL.
8275.0040 TRUSTWORTHY SYSTEM.
8275.0045 CERTIFICATION PRACTICE STATEMENTS.
8275.0050 FEES.
8275.0055 SERVICE OF PROCESS.
8275.0060 FORM OF CERTIFICATES.
8275.0065 RECORD KEEPING.
8275.0070 COMPLIANCE AUDITS.
8275.0075 PROCEDURE ON DISCONTINUANCE OF BUSINESS.
8275.0080 LICENSE REVOCATION OR SUSPENSION.
8275.0085 CERTIFICATE REVOCATION OR SUSPENSION.
8275.0090 CIVIL PENALTIES.
8275.0095 CRITERIA FOR DETERMINING PENALTY AMOUNTS.
8275.0100 RECOVERY AGAINST SUITABLE GUARANTY.
8275.0105 CERTIFICATION AUTHORITY DISCLOSURE RECORDS.
8275.0110 RECOGNITION OF REPOSITORIES.
8275.0115 REVOCATION OF RECOGNITION OF REPOSITORY.
8275.0120 CONTRACT FOR SECRETARY OF STATE REPOSITORY PUBLICATION.
8275.0125 PUBLICATION IN SECRETARY OF STATE REPOSITORY.
8275.0130 PROCEDURE UPON DISCONTINUANCE OF BUSINESS AS REPOSITORY.
8275.0135 USE OF FOREIGN LICENSED CERTIFICATION AUTHORITIES.
8275.0140 GOVERNMENT CERTIFICATION AUTHORITIES.

8275.0005 SCOPE AND PURPOSE OF CHAPTER.

This chapter implements the Minnesota Electronic Authentication Act, codified as Minnesota Statutes, chapter 325K.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0010 DEFINITIONS.

Subpart 1.

Scope.

For purposes of this chapter, the terms in Minnesota Statutes, chapter 325K, have the meanings given them in that chapter, and the terms in subparts 2 to 5 have the meanings given them in this part.

Subp. 2.

Business organization.

"Business organization" means any type of business association recognized under Minnesota law.

Subp. 3.

Interested party.

"Interested party" means a jurisdiction, certification authority, subscriber, relying party, or potential subscriber or relying party.

Subp. 4.

Operative personnel.

"Operative personnel" means one or more individuals acting as a certification authority or its agent, or in the employment of, or under contract with, a certification authority, and who have duties directly involving the issuance of certificates including the identification of persons requesting a certificate from a certification authority, creation of private keys, or administration of a licensed certification authority's computing facilities.

Subp. 5.

X.509.

"X.509" means the Information Technology - Open Systems Interconnection - The directory authentication framework authored and published by the International Telecommunication Union which is incorporated by reference in part 8275.0060.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0015 APPLICATION FOR LICENSE AS CERTIFICATION AUTHORITY.

To be licensed, a certification authority shall demonstrate compliance with the requirements of Minnesota Statutes, section 325K.05, by submitting the following:

A.

a completed application containing:

(1)

the applicant's name as registered with the secretary;

(2)

the registration number assigned by the secretary to the business registration;

(3)

the applicant's mailing address, including the country, if appropriate, and the zip or other postal code;

(4)

the applicant's electronic mailing address, which the applicant will monitor regularly for incoming mail to facilitate communication under this chapter;

(5)

a Uniform Resource Locator (URL) for the applicant's presence on the Internet; and

(6)

the applicant's telephone and facsimile numbers including area code and country code, if applicable;

B.

the fee or fees provided by part 8275.0050;

C.

a certificate issued by the secretary that shows the applicant as the subscriber and is published in a recognized repository;

D.

a suitable guaranty, described by part 8275.0025, unless the applicant is the secretary, or a federal, state, or city governmental entity that is self-insured;

E.

demonstration of sufficient working capital as required by part 8275.0030;

F.

documentation, in the form of an information systems audit, establishing that the applicant has the use of a trustworthy system as defined by part 8275.0040. The audit required by this item must be performed according to part 8275.0070, except that it is not required to establish anything more than that the applicant has the use of a trustworthy system;

G.

a statement that each person employed as operative personnel has qualified to act as operative personnel and that a criminal background check has been conducted;

H.

registration of the underlying business organization with the secretary, unless the registration is prohibited by law, and in the event the registration is prohibited, the applicant shall provide to the secretary the name and address in Minnesota of an agent for the service of process; and

I.

a written certification practice statement as described in part 8275.0045.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

August 9, 2013

8275.0020 ISSUANCE OF LICENSE OR RENEWAL.

Subpart 1.

Requirements.

The secretary shall issue a license as a certification authority if the applicant has submitted all of the documentation required by part 8275.0015.

Subp. 2.

Term.

A license is valid for one year. To renew a license, the applicant must submit all of the documentation required by part 8275.0015. The license may be renewed for successive one-year periods. If information contained in the application changes, the certification authority has ten days to submit information to the secretary to update its record.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0025 SUITABLE GUARANTY.

The suitable guaranty required for licensure as a certification authority under part 8275.0015, item D, may be in the form of a surety bond executed by an insurer lawfully operating in this state, an irrevocable letter of credit issued by a financial institution authorized to do business in this state, or a policy of insurance issued by an insurance company authorized by the commissioner of commerce to do business in this state. The suitable guaranty must be in an amount of at least $100,000. The suitable guaranty must:

A.

identify the insurer or financial institution upon which it is drawn, including the name, mailing address, and physical address, and identify by number or copy its licensure or approval as an insurer or financial institution in this state;

B.

identify the certification authority on behalf of which it is issued;

C.

be issued payable (1) for the benefit of persons holding qualified rights of payment against the licensed certification authority named as principal of the bond or customer of the letter of credit; or (2) based on claims made against the insured and resolved without first obtaining a qualified right to payment;

D.

state that it is issued under the Minnesota Electronic Authentication Act, Minnesota Statutes, chapter 325K; and

E.

specify a term of effectiveness of at least five years.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0030 WORKING CAPITAL.

Subpart 1.

Generally.

A certification authority's working capital is sufficient for licensing or renewal purposes if, at the time application for licensure or renewal is made, its current assets minus current liabilities exceeds $50,000.

The existence of working capital must be demonstrated through an audited financial statement authenticated by a licensed certified public accountant and dated no more than 60 days before the date it is received by the secretary.

Subp. 2.

Governmental entities.

A federal, state, or city governmental entity is considered to have sufficient working capital without providing any documentation.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0035 QUALIFICATION OF OPERATIVE PERSONNEL.

The certification authority shall determine whether an individual employed or acting as operative personnel qualifies to act as operative personnel according to Minnesota Statutes, sections 325K.01, subdivision 21, and 325K.05, subdivision 1, clauses (2) and (3). The determination must be made after a criminal background check of the individual and based on the individual's knowledge of this chapter and Minnesota Statutes, chapter 325K. The certification authority shall continue to monitor the qualifications of operative personnel on an ongoing basis. If at any time operative personnel are determined to not be qualified as defined in this part, the individual's employment as operative personnel with the certification authority must be immediately terminated. The steps that a certification authority takes to assess an individual's qualification to be employed as operative personnel must be disclosed in the certification practice statement.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0040 TRUSTWORTHY SYSTEM.

The certification authority or repository must operate a trustworthy system. A system shall be regarded as trustworthy if it satisfies the most current adopted version of Common Criteria (CC) Protection Profile (PP) for Commercial Security 2 (CS2), (CCPPCS), developed and published by the National Institute of Standards and Technology (NIST). The determination whether a departure from CCPPCS is material is governed by part 8275.0070, subpart 2. For purposes of this chapter, CCPPCS shall be interpreted in a manner that is reasonable in the context in which a system is used and is consistent with other state and federal laws. Until the referenced standard is adopted by NIST, the standard applicable for purposes of this chapter shall be the draft of CCPPCS dated March 1998. The March 1998 draft and all subsequent revisions is incorporated by reference and is not subject to frequent change. The draft is available from the State Law Library and NIST at http://csrc.nist.gov/nistpubs/cc/pp/pplist.htm/#cs2.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0045 CERTIFICATION PRACTICE STATEMENTS.

Subpart 1.

Required contents.

Each licensed certification authority shall file with the secretary a certification practice statement demonstrating compliance with the requirements of Minnesota Statutes, chapter 325K. This statement must disclose:

A.

the practices the certification authority uses in issuing, suspending, and revoking certificates. If certificates are issued by class or level of service, the necessary criteria for each class or level of service must also be disclosed;

B.

any warnings, liability limitations, warranty disclaimers, and indemnity and hold harmless provisions on which the certification authority intends to rely;

C.

any disclaimers and limitations on obligations, losses, or damages to be asserted by the certification authority;

D.

a written description of all representations by the subscriber to the certification authority about the subscriber's responsibility to protect the secrecy of the private key;

E.

any mandatory dispute resolution process, including choice of forum and choice of law provisions;

F.

where the summary of the most recent report of the auditor may be found which may be in the form of a URL;

G.

the method used to determine that operative personnel are qualified to act and have knowledge regarding this chapter and Minnesota Statutes, chapter 325K, both initially and periodically throughout employment; and

H.

the method used to initially determine that operative personnel have not been convicted within the past 15 years of a felony or a crime involving fraud, false statement, or deception and the method used to continue to evaluate the status of operative personnel.

Subp. 2.

[Repealed, L 1999 c 250 art 1 s 115]

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352; L 1999 c 250 art 1 s 115

Published Electronically:

October 27, 2003

8275.0050 FEES.

Fees for services performed by the Secretary of State are established in the following amounts:

A.

for application for or renewal of a license as a certification authority, $500 each year; and

B.

for recognition as or renewal of recognition as a repository, in addition to the license issuance or renewal fee paid pursuant to this part, $500 each year.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0055 SERVICE OF PROCESS.

A licensed certification authority is subject to service of process at the registered office address provided in its business registration with the secretary. If the licensed certification authority's business registration is as an assumed business name according to Minnesota Statutes, section 333.01, the business address is the registered office address for purposes of this chapter and Minnesota Statutes, chapter 325K. Service of process may be made according to Minnesota Statutes, section 5.25.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0060 FORM OF CERTIFICATES.

Subpart 1.

General standards.

Certificates issued by licensed certification authorities must follow the basic certificate field standards specified in X.509. Certificate data extension fields are optional. If certificate extension fields are used, usage must conform to the required guidelines referenced in X.509 and may be displayed on the certificate.

Subp. 2.

Acknowledgment standards.

A certificate issued by a licensed certification authority that is to be used as an acknowledgment, as provided in Minnesota Statutes, section 325K.23, must include a certificate data extension field that specifies the reliance limit, if any, and a certificate data extension field that states that the certificate may be used as an acknowledgment. If certificate data extension fields are used in an acknowledgment, the usage must conform to the required guidelines referenced in X.509.

Subp. 3.

Incorporation by reference.

X.509, dated November 1993, and all subsequent amendments to it are incorporated by reference and are not subject to frequent change. It is published by the International Telecommunication Union and is available from the State Law Library and the International Telecommunication Union, Place des Nations, CH-1211 Geneva 20, Switzerland, telephone +41 22 730 5111 and electronic mail: itumail@itu.int. For purposes of this chapter, all references to X.509 shall be construed as referring to the most current version, which at the time this chapter was adopted was version 3. Compliance with a historical version will not be construed as compliance with X.509.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0065 RECORD KEEPING.

Subpart 1.

General requirement.

A licensed certification authority shall make, keep, and preserve records that demonstrate compliance with:

A.

Minnesota Statutes, section 325K.05, subdivision 1;

B.

Minnesota Statutes, section 325K.10, including all notices of suspension of certificates according to Minnesota Statutes, section 325K.10, subdivision 4;

C.

Minnesota Statutes, section 325K.14, subdivision 1;

D.

Minnesota Statutes, section 325K.15; and

E.

Minnesota Statutes, section 325K.18.

Subp. 2.

Subscriber identity records.

A licensed certification authority shall maintain a database file that contains:

A.

records of the identity of the subscriber named in each certificate issued by the certification authority, including all the facts represented in the certificate other than the extension data referenced in X.509;

B.

the date of issuance of the certificate; and

C.

the certificate serial number as defined in X.509.

Subp. 3.

Time stamp records.

A licensed certification authority shall maintain a database file of certificate-related time-stamps issued by the certification authority, including the name of the subscriber, a reference to the certificate used in the transaction such as a serial number, and a description of the item being time-stamped.

Subp. 4.

Retention period.

All records retained under this part must be kept by the licensed certification authority for at least ten years.

Subp. 5.

Form and accessibility.

Records may be inscribed on any tangible medium or stored in an electronic or other medium so long as they are retrievable, readable, accurate, complete, and accessible. The records must be indexed, stored, preserved, and reproducible so as to be authentic, reliable, complete, and accessible. Certificate extension data, referenced in X.509, is not required to be part of any publicly accessible record.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0070 COMPLIANCE AUDITS.

Subpart 1.

Frequency.

A licensed certification authority shall obtain a compliance and financial audit at least once every calendar year. The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and Minnesota Statutes, chapter 325K and must also prepare financial statements. If the certification authority is also a recognized repository, the audit must include the repository.

Subp. 2.

Determination of compliance.

For purposes of the opinion required by this part, the auditor shall exercise reasonable professional judgment as to whether a condition that does not strictly comply with legal requirements is or is not material, taking into consideration the circumstances and context. Noncompliance as to any of the following must be considered material, in addition to any others the auditor may judge to be material:

A.

a condition of noncompliance with a statute, rule, or the certification practice statement that relates to the validity of a certificate;

B.

an employee performing the functions of operative personnel who has not qualified according to part 8275.0035; or

C.

a material indication that the certification authority has used any system other than a trustworthy system.

Audited financial statements must state that they have been prepared according to generally accepted accounting principles.

Subp. 3.

Auditors.

The financial audit must be performed by a licensed certified public accountant or, in the case of a public agency, by the Minnesota state auditor or, in the case of a state agency, the Minnesota legislative auditor. The audit of the trustworthy system must be done by an individual who has been issued a current and valid certificate as either a certified information systems auditor by the Information Systems Audit and Control Foundation, or as a certified information systems security professional by the International Information Systems Security Certification Consortium. The names of all individuals possessing these certificates and participating in the audit must be disclosed in the audit report filed with the secretary.

Subp. 4.

Required filings.

The certification authority shall file the following information with the secretary before the date the certification authority must renew its license according to part 8275.0020: the auditor's name, the name of the auditor holding the certificate required to complete the trustworthy system audit, the name of the auditing firm, the address of the auditor, the date of the audit, and the categorization resulting from the audit. The information may be filed electronically if it is digitally signed by the auditor using a licensed certification authority. The secretary shall publish the information in the certification authority disclosure record it maintains for the licensed certification authority.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0075 PROCEDURE ON DISCONTINUANCE OF BUSINESS.

A licensed certification authority shall deposit the records required by part 8275.0065 in escrow once each calendar year with the organization conducting the audit required by this chapter. The escrowed records must also include a copy of the software needed to read the records or the records must be stored in a retrievable, readable, accurate, complete, and accessible manner. Escrowed records must be kept permanently by the auditor. A licensed certification authority that discontinues providing certification authority services without making other arrangements for preservation of the certification authority's records shall:

A.

revoke all valid certificates and return all records concerning them to the appropriate subscriber; and

B.

submit the escrowed records held by the auditor to another licensed certification authority or authorities designated by the secretary or to another certification authority or authorities not licensed, but recognized in this state, and designated by the secretary.

If the auditor goes out of business, it must transfer all of the escrowed records to an auditing firm designated by the secretary.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0080 LICENSE REVOCATION OR SUSPENSION.

Subpart 1.

Grounds.

The secretary may revoke or suspend a license according to Minnesota Statutes, chapter 325K, for failure to:

A.

comply with any requirement of Minnesota Statutes, chapter 14 or 325K, or rules adopted pursuant to those chapters;

B.

remain qualified for a license according to Minnesota Statutes, chapter 14 or 325K, or rules adopted according to those chapters; or

C.

comply with a lawful order of the secretary.

Subp. 2.

Notice.

The secretary shall inform a licensed certification authority by a notice directed to the mailing address and the electronic mail address of a decision to revoke or suspend the license. If an electronic mail message is sent as the notice, it must be sent as a direct message and not as an attachment to electronic mail. The notification must state when the revocation or suspension will be effective, which may not be less than 30 days following the issuance of the order except in the case of a summary suspension.

Subp. 3.

Effective date.

If the licensee files an application for a contested case hearing according to Minnesota Statutes, chapter 14, before the effective date of revocation or suspension, the suspension or revocation will not take effect until so ordered by the administrative law judge, except in the case of a summary suspension.

Subp. 4.

Summary suspension.

The secretary may order the summary suspension of a license pending proceedings for revocation or other action as described in Minnesota Statutes, section 325K.14. A summary suspension of a license is effective from the date of the secretary's order.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0085 CERTIFICATE REVOCATION OR SUSPENSION.

Subpart 1.

Grounds.

The secretary may order a licensed certification authority to suspend or revoke a certificate that the certification authority issued if, after giving any required notice and opportunity for the certification authority and the subscriber to be heard according to Minnesota Statutes, chapter 325K, the secretary determines that:

A.

the certificate was issued that does not comply with Minnesota Statutes, section 325K.10; and

B.

the noncompliance poses a significant risk to persons reasonably relying on the certificate. In determining whether the noncompliance poses a significant risk, the secretary shall consider:

(1)

the financial impact on the relying party;

(2)

the nonfinancial consequences on the relying party;

(3)

whether it is continuing in nature;

(4)

whether it involved criminal conduct; and

(5)

whether it impaired the reliability of the certificate or key pair.

Subp. 2.

96-hour emergency suspension.

The secretary may issue an order according to Minnesota Statutes, section 325K.10, suspending a certificate for a period not to exceed 96 hours on determining that an emergency requires an immediate remedy. The secretary shall issue an order, including a finding of an emergency, and mail it and send it via electronic mail to the licensed certification authority at the addresses listed in its application.

Subp. 3.

96-hour suspension for other circumstances.

The secretary may issue an order according to Minnesota Statutes, section 325K.10, suspending a certificate for a period not to exceed 96 hours under circumstances described by Minnesota Statutes, section 325K.14. If the person requesting suspension fails to provide a statement under oath or affirmation regarding the person's identity or authorization to request suspension, the secretary shall not issue an order suspending the certificate unless the secretary is satisfied that discretion to enter the order should be exercised because the circumstances provide a sufficient basis for confidence of the person's identity and authority.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0090 CIVIL PENALTIES.

The secretary may, by order, impose and collect a civil monetary penalty against a licensed certification authority for a violation of Minnesota Statutes, chapter 325K, as provided by Minnesota Statutes, section 325K.07, subdivision 3.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0095 CRITERIA FOR DETERMINING PENALTY AMOUNTS.

In determining the appropriate penalty amount against a licensed certification authority for violation of this chapter or Minnesota Statutes, chapter 325K, the secretary may consider the nature of the violation and the extent or magnitude of the severity of the violation, including:

A.

the damages arising from the violation, including:

(1)

the financial impact of the violation to any subscriber, relying party, or other person;

(2)

the costs incurred by the state in enforcement, including reasonable investigative costs; or

(3)

the nonfinancial consequences of the violation, including harm to any subscriber, relying party, or other person;

B.

the nature of the violation, including whether it was continuing in nature, involved criminal conduct, or tended to significantly impair the reliability of any certificate or key pair;

C.

the presence of any aggravating circumstances, including whether the violator:

(1)

intentionally committed the violation with knowledge that the conduct constituted a violation;

(2)

attempted to conceal the violation;

(3)

was untruthful or uncooperative in dealing with the secretary or the secretary's staff;

(4)

had committed prior violations found by the secretary; or

(5)

incurred no other sanction as a result of the violation;

D.

the presence of any mitigating circumstances, including whether the violator:

(1)

had taken any prior action to correct the violation or mitigate its consequences;

(2)

had previously paid damages to a party resulting from the violation;

(3)

acted without intention to commit a violation; or

(4)

acted reasonably in light of any other mitigating factors considered relevant by the secretary.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0100 RECOVERY AGAINST SUITABLE GUARANTY.

Subpart 1.

Judgment.

To recover a qualified right to payment against a surety or issuer of an irrevocable letter of credit as a suitable guaranty according to Minnesota Statutes, section 325K.18, the claimant shall file with the surety or issuer of an irrevocable letter of credit a certified copy of the judgment on which the qualified right to payment is based.

Subp. 2.

Insurance claim.

If the suitable guaranty is a policy of insurance, the party who claims to have suffered damage must follow the claim process outlined in the policy.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0105 CERTIFICATION AUTHORITY DISCLOSURE RECORDS.

Subpart 1.

Content.

A certification authority disclosure record must include, at a minimum, the following:

A.

the name, business registration number, mailing address, physical address, telephone number, facsimile number, and electronic mail address of the applicant;

B.

the name, mailing address, physical address, telephone number, facsimile number, and electronic mail address of the issuer or surety of the certification authority's suitable guaranty;

C.

a copy of the certification practice statement filed with the secretary according to part 8275.0015, item I;

D.

the following information from the most recent audit performed according to Minnesota Statutes, section 325K.06: the certification authority's resulting categorization according to Minnesota Statutes, section 325K.06, subdivision 2, the date of the audit, and the auditor's name, firm name, and address; and the audited financial statements;

E.

information as to the current status of the certification authority's Minnesota license, including the dates of original issuance and renewal and the dates of any expiration, revocation, suspension, or other lapse in licensing. If a suspension or revocation is currently subject to a pending administrative or judicial review, the record must note that fact;

F.

the name, mailing address, physical address, telephone number, facsimile number, and electronic mail address of all recognized repositories that the certification authority operates or uses; and

G.

a list of all judgments reported to the secretary according to Minnesota Statutes, section 325K.03, subdivision 2, within the previous five years.

Subp. 2.

Notice of change.

Within five days of a change in information contained on the disclosure record, the certification authority shall notify the secretary of the change and the secretary shall update a certification authority disclosure record on receipt of the notice. On receipt of a certified copy of a judgment against a certification authority, the secretary shall update the disclosure record to reflect the judgment. The requirement to update information does not apply to changes in the certification authority's financial condition. Updates of financial information are made only on receipt of audited financial statements.

Subp. 3.

Use of secretary of state's records.

In compiling and maintaining certification authority disclosure records, the secretary shall use the records of the Office of the Secretary of State, and is not obligated to conduct any affirmative investigation or review beyond the face of those records.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0110 RECOGNITION OF REPOSITORIES.

A repository desiring to be recognized shall demonstrate compliance with Minnesota Statutes, section 325K.25, by submitting all of the following:

A.

the name of the licensed certification authority, or applicant for licensure as a certification authority, requesting recognition of a repository;

B.

the applicant's registration number assigned by the secretary to the business registration of the repository;

C.

the applicant's mailing address, including the country, if appropriate, and the zip or other postal code;

D.

the applicant's telephone and facsimile numbers, including the area code and country code, if appropriate;

E.

the applicant's electronic mail address which the applicant will monitor regularly for incoming mail to facilitate communication under this chapter;

F.

a URL for the applicant's presence on the Internet;

G.

a description of the database and system architecture demonstrating that it satisfies the requirements of Minnesota Statutes, section 325K.25, subdivision 1, clause (3);

H.

registration of the underlying business organization with the secretary unless the registration is prohibited by law, and in the event the registration is prohibited, the applicant shall provide the secretary the name and address of an agent for service of process; and

I.

the fee required by part 8275.0050.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0115 REVOCATION OF RECOGNITION OF REPOSITORY.

Subpart 1.

Grounds.

This part describes the secretary's procedure for revoking the recognition of a repository without also revoking the license of the certification authority that operates the repository. Because a valid license as a certification authority is a statutory requirement for recognition of a repository, the secretary shall automatically revoke the recognition of any repository operated by a certification authority whose license is revoked, expired, or otherwise inoperative.

The secretary may revoke recognition of a repository according to Minnesota Statutes, section 325K.25, subdivision 3, for failure to comply with any requirement of this chapter or Minnesota Statutes, section 325K.25, or for failure to comply with a lawful order of the secretary.

Subp. 2.

Notice.

The secretary shall inform a licensed certification authority that operates a recognized repository by a notice directed to the mailing address and the electronic mail address of a decision to revoke or suspend the license. If an electronic mail message is used, it must be sent as a direct message and not as an attachment to electronic mail. The notice must state when the revocation or suspension will be effective, which cannot be less than 30 days following the issuance of the order except in the case of a summary suspension.

Subp. 3.

Effective date.

If the licensee files an application for a contested case hearing before the effective date of revocation or suspension, the suspension or revocation will not take effect until so ordered by the administrative law judge, except in the case of a summary suspension. The secretary may order the summary suspension of a license pending proceedings for revocation or other action as described in Minnesota Statutes, section 325K.14. A summary suspension of a license is effective from the date of the secretary's order.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0120 CONTRACT FOR SECRETARY OF STATE REPOSITORY PUBLICATION.

The secretary may either directly operate, or contract for the operation of, a repository including an online publicly accessible database described in Minnesota Statutes, section 325K.01, subdivision 6. If the secretary contracts for the operation of the repository, the contractor shall be a licensed certification authority and shall agree to operate according to all requirements of Minnesota Statutes, chapter 325K. The contract may be rescinded for any reason that would form a basis for revoking recognition of a repository.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

August 8, 2013

8275.0125 PUBLICATION IN SECRETARY OF STATE REPOSITORY.

The secretary shall maintain, either directly or under contract, a repository for the purpose of publishing information required by statute. Information published in the secretary's repository must include:

A.

the certification authority disclosure record for each certification authority licensed or certified in Minnesota;

B.

a list of all judgments filed with the secretary within the previous five years pursuant to Minnesota Statutes, section 325K.03, subdivision 2; and

C.

any other information necessary or appropriate for publication in the secretary's repository according to this chapter or Minnesota Statutes, chapter 325K.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0130 PROCEDURE UPON DISCONTINUANCE OF BUSINESS AS REPOSITORY.

Each licensed certification authority that discontinues providing services as a recognized repository must deposit the records required by part 8275.0065 in escrow once each calendar year with the organization conducting the audit required by this chapter. The escrowed records must also include a copy of the software needed to read the records or the records must be stored in a retrievable, readable, accurate, complete, and accessible manner. Escrowed records must be kept permanently by the auditor. A licensed certification authority that discontinues providing services as a recognized repository without making other arrangements for preservation of the certification authority's records must submit the escrowed records held by the auditor to another recognized repository or repositories designated by the secretary or to another recognized repository not licensed but recognized in this state, but designated by the secretary.

If the auditor goes out of business, it must transfer all of the escrowed records to another auditing firm designated by the secretary.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0135 USE OF FOREIGN LICENSED CERTIFICATION AUTHORITIES.

Subpart 1.

Presumptions.

Digital signatures made pursuant to a certificate issued by a certification authority are entitled to the presumptions in Minnesota Statutes, sections 325K.19 to 325K.24:

A.

if the parties mutually agree to the provisions in a contract;

B.

if the certification authority obtains a license as a certification authority from the secretary; or

C.

if the certification authority is licensed by a governmental entity other than the state of Minnesota and the secretary determines that the requirements for licensure in that jurisdiction are substantially similar to those in Minnesota as found in this chapter and Minnesota Statutes, chapter 325K. To make the determination, the secretary must receive from an interested party:

(1)

a request stating the name; address; telephone number, including area code; and electronic mailing address of the interested party; and

(2)

a copy, in English, of the applicable laws and rules under which the license has been issued.

Once the secretary has completed the determination, the interested party will be notified in writing, by mail, and electronic mail.

Subp. 2.

Publication of information.

A.

A list of the jurisdictions whose law has been determined to be substantially similar to that of Minnesota will be published in the secretary's repository and will be made available on request.

B.

If a certification authority's approval is revoked following the procedures in subpart 3, notice of the revocation will be published in the secretary's repository and will be made available on request.

Subp. 3.

Loss of presumptions.

A digital signature made pursuant to a certificate issued by a certification authority licensed by a governmental entity whose law has been determined to be substantially similar to that of Minnesota is not entitled to the presumptions in Minnesota Statutes, sections 325K.19 to 325K.24, if:

A.

a complaint about the certification authority is received by the secretary from a person whose transaction has been or will be performed in whole or in part in Minnesota;

B.

an investigation is conducted by the secretary pursuant to the processes in this chapter for certification authorities licensed by the secretary; and

C.

the secretary determines that denial of the presumptions is necessary due to the violation of the operating criteria in this chapter for licensed certification authorities and follows the procedures in Minnesota Statutes, chapter 14, to issue the revocation.

Subp. 4.

Application for renewed presumptions.

To regain the application of the presumptions in Minnesota Statutes, sections 325K.19 to 325K.24, a certification authority whose status has been revoked pursuant to subpart 3 must apply for and receive a license from the secretary and pay the reasonable costs of the investigation and hearing conducted under subpart 3.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003

8275.0140 GOVERNMENT CERTIFICATION AUTHORITIES.

A government agency or office that is a licensed certification authority cannot issue certificates to nongovernment offices or employees.

Statutory Authority:

MS s 325K.01; 325K.03; 325K.04; 325K.05; 325K.06; 325K.07

History:

23 SR 1352

Published Electronically:

October 27, 2003