Minnesota Office of the Revisor of Statutes

2013 Minnesota Statutes

Chapter 325K. Electronic Authentication

Chapter Sections

Section Headnote
325K.001 Short Title
325K.01 Definitions
325K.02 Purposes and Construction
325K.03 Role of the Secretary
325K.04 Fees
325K.05 Licensure and Qualifications of Certification Authorities
325K.06 Performance Audits
325K.07 Enforcement of Requirements for Licensed Certification Authorities
325K.08 Dangerous Activities by Certification Authority Prohibited
325K.09 General Requirements for Certification Authorities
325K.10 Issuance of Certificate
325K.11 Warranties and Obligations Upon Issuance of Certificate
325K.12 Representations and Duties Upon Accepting Certificate
325K.13 Control of Private Key
325K.14 Suspension of Certificate
325K.15 Certificate Revocation
325K.16 Certificate Expiration
325K.17 Recommended Reliance Limits
325K.18 Collection Based on Suitable Guaranty
325K.19 Satisfaction of Signature Requirements
325K.20 Unreliable Digital Signatures
325K.21 Digitally Signed Document is Written
325K.22 Digitally Signed Originals
325K.23 Acknowledgments
325K.24 Presumptions in Adjudicating Disputes; Liability Allocation
325K.25 Recognition of Repositories
325K.26 Rulemaking
325K.27 Court Rules

325K.001 SHORT TITLE.

This chapter may be cited as the Minnesota Electronic Authentication Act.

History:

1997 c 178 s 1

325K.01 DEFINITIONS.

Subdivision 1. Scope.

Unless the context clearly requires otherwise, the terms used in this chapter have the meanings given them in this section.

Subd. 2. Accept a certificate.

"Accept a certificate" means either:

(1) to manifest approval of a certificate, while knowing or having notice of its contents; or

(2) to apply to a licensed certification authority for a certificate, without canceling or revoking the application by delivering notice of the cancellation or revocation to the certification authority and obtaining a signed, written receipt from the certification authority, if the certification authority subsequently issues a certificate based on the application.

Subd. 3. Asymmetric cryptosystem.

"Asymmetric cryptosystem" means an algorithm or series of algorithms that provide a secure key pair.

Subd. 4. Certificate.

"Certificate" means a computer-based record that:

(1) identifies the certification authority issuing it;

(2) names or identifies its subscriber;

(3) contains the subscriber's public key; and

(4) is digitally signed by the certification authority issuing it.

Subd. 5. Certification authority.

"Certification authority" means a person who issues a certificate.

Subd. 6. Certification authority disclosure record.

"Certification authority disclosure record" means an online, publicly accessible electronic record that concerns a licensed certification authority and is kept by the secretary. A certification authority disclosure record has the contents specified by rule by the secretary under section 325K.03.

Subd. 7. Certification practice statement.

"Certification practice statement" means a declaration of the practices that a certification authority employs in issuing certificates generally, or employed in issuing a material certificate.

Subd. 8. Certify.

"Certify" means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts.

Subd. 9. Confirm.

"Confirm" means to ascertain through appropriate inquiry and investigation.

Subd. 10. Correspond.

"Correspond," with reference to keys, means to belong to the same key pair.

Subd. 11. Digital signature or digitally signed.

"Digital signature" or "digitally signed" means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine:

(1) whether the transformation was created using the private key that corresponds to the signer's public key; and

(2) whether the initial message has been altered since the transformation was made.

Subd. 12. Financial institution.

"Financial institution" means a national or state-chartered commercial bank or trust company, savings bank, savings association, or credit union authorized to do business in the state of Minnesota and the deposits of which are federally insured.

Subd. 13. Forge a digital signature.

"Forge a digital signature" means either:

(1) to create a digital signature without the authorization of the rightful holder of the private key; or

(2) to create a digital signature verifiable by a certificate listing as subscriber a person who either:

(i) does not exist; or

(ii) does not hold the private key corresponding to the public key listed in the certificate.

Subd. 14. Hold a private key.

"Hold a private key" means to be authorized to utilize a private key.

Subd. 15. Incorporate by reference.

"Incorporate by reference" means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated.

Subd. 16. Issue a certificate.

"Issue a certificate" means the acts of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate.

Subd. 17. Key pair.

"Key pair" means a private key and its corresponding public key in an asymmetric cryptosystem, keys which have the property that the public key can verify a digital signature that the private key creates.

Subd. 18. Licensed certification authority.

"Licensed certification authority" means a certification authority to whom a license has been issued by the secretary and whose license is in effect, or a certification authority who operates under a license issued by a governmental entity which has been certified pursuant to section 325K.05, subdivision 5.

Subd. 19. Message.

"Message" means a digital representation of information.

Subd. 20. Notify.

"Notify" means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person.

Subd. 21. Operative personnel.

"Operative personnel" means one or more natural persons acting as a certification authority or its agent, or in the employment of, or under contract with, a certification authority, and who have duties directly involving the issuance of certificates, creation of private keys, or administration of a certification authority's computing facilities.

Subd. 22. Person.

"Person" means a human being or an organization capable of signing a document, either legally or as a matter of fact.

Subd. 23. Private key.

"Private key" means the key of a key pair used to create a digital signature.

Subd. 24. Public key.

"Public key" means the key of a key pair used to verify a digital signature.

Subd. 25. Publish.

"Publish" means to record or file in a repository.

Subd. 26. Qualified right to payment.

"Qualified right to payment" means an award of damages against a licensed certification authority by a court having jurisdiction over the certification authority in a civil action for violation of this chapter.

Subd. 27. Recipient.

"Recipient" means a person who has received a certificate and a digital signature verifiable with reference to a public key listed in the certificate and is in a position to rely on it.

Subd. 28. Recognized repository.

"Recognized repository" means a repository recognized by the secretary under section 325K.25.

Subd. 29. Recommended reliance limit.

"Recommended reliance limit" means the monetary amount recommended for reliance on a certificate under section 325K.17.

Subd. 30. Repository.

"Repository" means a system for storing and retrieving certificates and other information relevant to digital signatures.

Subd. 31. Revoke a certificate.

"Revoke a certificate" means to make a certificate ineffective permanently from a specified time forward. Revocation is effected by notation or inclusion in a set of revoked certificates, and does not imply that a revoked certificate is destroyed or made illegible.

Subd. 32. Rightfully hold a private key.

"Rightfully hold a private key" means the authority to utilize a private key:

(1) that the holder or the holder's agents have not disclosed to a person in violation of section 325K.13, subdivision 1; and

(2) that the holder has not obtained through theft, deceit, eavesdropping, or other unlawful means.

Subd. 33. Secretary.

"Secretary" means the Minnesota secretary of state.

Subd. 34. Subscriber.

"Subscriber" means a person who:

(1) is the subject listed in a certificate;

(2) accepts the certificate; and

(3) holds a private key that corresponds to a public key listed in that certificate.

Subd. 35. Suitable guaranty.

(a) "Suitable guaranty" means:

(1) a surety bond or an irrevocable letter of credit issued for the benefit of persons holding qualified rights of payment against the licensed certification authority named as the principal of the bond or the customer of the letter of credit; or

(2) a policy of insurance that provides that claims may be made and resolved without obtaining a qualified right to payment.

(b) The suitable guaranty must:

(1) be in an amount specified by rule by the secretary under section 325K.03;

(2) state that it is issued under this chapter;

(3) specify a term of effectiveness of at least five years; and

(4) be in a form the content of which is described in rule by the secretary.

If the suitable guaranty is a surety bond, it must be issued by a surety authorized by the commissioner of commerce to do business in this state. If the suitable guaranty is an irrevocable letter of credit, it must be issued by a financial institution authorized to do business in this state. If the suitable guaranty is a policy of insurance, it must be issued by an insurance company authorized by the commissioner of commerce to do business in this state.

Once a qualified right to payment or claim has been satisfied from the suitable guaranty, the licensed certification authority must provide evidence to the secretary that the amount required by rule is again available.

Subd. 35a. Summary suspension.

"Summary suspension" means a temporary rescission of a certification authority's license by order of the secretary. The secretary may order the summary suspension of a license before holding a hearing. The summary suspension is effective for up to five business days. If an action for suspension or revocation is instituted within five business days, the summary suspension is extended until the action for suspension or revocation is ultimately determined.

Subd. 36. Suspend a certificate.

"Suspend a certificate" means to make a certificate ineffective temporarily for a specified time forward.

Subd. 37. Time stamp.

"Time stamp" means either:

(1) to append or attach to a message, digital signature, or certificate a digitally signed notation indicating at least the date, time, and identity of the person appending or attaching the notation; or

(2) the notation thus appended or attached.

Subd. 38. Transactional certificate.

"Transactional certificate" means a valid certificate incorporating by reference one or more of the digital signatures.

Subd. 39. Trustworthy system.

"Trustworthy system" means computer hardware and software that:

(1) are reasonably secure from intrusion and misuse;

(2) provide a reasonable level of availability, reliability, and correct operation; and

(3) are reasonably suited to performing their intended functions.

Subd. 40. Valid certificate.

"Valid certificate" means a certificate that:

(1) a licensed certification authority has issued;

(2) the subscriber listed in it has accepted;

(3) has not been revoked or suspended; and

(4) has not expired.

However, a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference.

Subd. 41. Verify a digital signature.

"Verify a digital signature" means, in relation to a given digital signature, message, and public key, to determine accurately that:

(1) the digital signature was created by the private key corresponding to the public key; and

(2) the message has not been altered since its digital signature was created.

325K.02 PURPOSES AND CONSTRUCTION.

This chapter shall be construed consistently with what is commercially reasonable under the circumstances and to effectuate the following purposes:

(1) to facilitate commerce by means of reliable electronic messages;

(2) to minimize the incidence of forged digital signatures and fraud in electronic commerce;

(3) to implement legally the general import of relevant standards, such as X.509 of the International Telecommunication Union, formerly known as the International Telegraph and Telephone consultative committee; and

(4) to establish, in coordination with multiple states, uniform rules regarding the authentication and reliability of electronic messages.

History:

1997 c 178 s 3

325K.03 ROLE OF THE SECRETARY.

Subdivision 1. Secretary as certification authority.

The secretary shall be a certification authority. The secretary shall issue, suspend, and revoke certificates in the manner prescribed under section 325K.10 to applicants for licensure. The secretary may also issue, suspend, and revoke certificates for governmental entities. Except for licensing requirements, this chapter applies to the secretary with respect to certificates the secretary issues.

Subd. 2. Record.

The secretary must maintain an online, publicly accessible electronic database containing a certification authority disclosure record and list of judgments for each licensed certification authority.

Subd. 3. Rules.

The secretary must adopt rules to:

(1) govern licensed certification authorities and repositories, their practice, and termination of their practice;

(2) determine an amount reasonably appropriate for a suitable guaranty, in light of the burden a suitable guaranty places upon licensed certification authorities and the assurance of quality and financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;

(3) specify reasonable requirements for the form of certificates issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;

(4) specify reasonable requirements for record keeping by licensed certification authorities;

(5) specify reasonable requirements for the content, form, and sources of information in certification authority disclosure records, the updating and timeliness of the information, and other practices and policies relating to certification authority disclosure records;

(6) specify the form of the certification practice statements; and

(7) specify the procedure and manner in which a certificate may be suspended or revoked.

Subd. 4. Certification practice statement.

The secretary in the role of licensed certification authority may adopt and amend a certification practice statement without using the provisions of chapter 14.

325K.04 FEES.

(a) The secretary shall set reasonable fees for all services rendered under this chapter, in amounts sufficient to compensate for the costs of all services provided by the secretary under this chapter. Until July 1, 2001, the fees need not be set by rule.

(b) The digital signature account is created in the special revenue fund. All fees recovered by the secretary must be deposited in the digital signature account. Money in the digital signature account is appropriated to the secretary to pay the costs of all services provided by the secretary.

325K.05 LICENSURE AND QUALIFICATIONS OF CERTIFICATION AUTHORITIES.

Subdivision 1. License conditions.

To obtain or retain a license, a certification authority must:

(1) be the subscriber of a certificate issued by the secretary and published in a recognized repository;

(2) employ as operative personnel only persons who have not been convicted within the past 15 years of a felony or a crime involving fraud, false statement, or deception;

(3) employ as operative personnel only persons who have demonstrated knowledge and proficiency in following the requirements of this chapter;

(4) file with the secretary a suitable guaranty, unless the certification authority is a department, office, or official of a federal, state, city, or county governmental entity that is self-insured;

(5) use a trustworthy system, including a secure means for limiting access to its private key;

(6) present proof to the secretary of having working capital reasonably sufficient, according to rules adopted by the secretary, to enable the applicant to conduct business as a certification authority;

(7) register its business organization with the secretary, unless the applicant is a governmental entity or is otherwise prohibited from registering;

(8) require a potential subscriber to appear in person before the certification authority, or an agent of the certification authority, to prove the subscriber's identity before a certificate is issued to the subscriber; and

(9) comply with all further licensing requirements established by rule by the secretary.

The secretary may, by rule, establish standards by which the in-person registration required in clause (8) may be waived.

Subd. 2. License procedures.

The secretary must issue a license to a certification authority that:

(1) is qualified under subdivision 1;

(2) applies in writing to the secretary for a license; and

(3) pays a filing fee adopted by rule by the secretary.

Subd. 3.

[Repealed, 1998 c 321 s 31]

Subd. 4. Revocation or suspension.

(a) The secretary may revoke or suspend a certification authority's license, in accordance with the Administrative Procedure Act, chapter 14, for failure to comply with this chapter or for failure to remain qualified under subdivision 1.

(b) The secretary may order a summary suspension of a license. The written order for summary suspension may include a finding that the certification authority has:

(1) used its license in the commission of a state or federal crime or of a violation of sections 325F.68 to 325F.70; or

(2) engaged in conduct giving rise to serious risk of loss to public or private parties if the license is not immediately suspended.

Subd. 5. Other authorities.

The secretary may recognize by rule the licensing or authorization of certification authorities by non-Minnesota governmental entities, provided that those licensing or authorization requirements are substantially similar to those of this state. If licensing by another governmental entity is so recognized:

(1) sections 325K.19 to 325K.24 apply to certificates issued by the certification authorities licensed or authorized by that governmental entity in the same manner as it applies to licensed certification authorities of this state; and

(2) the liability limits of section 325K.17 apply to the certification authorities licensed or authorized by that governmental entity in the same manner as they apply to licensed certification authorities of this state.

Subd. 6. Applicability to digital signatures.

Parties may provide by contract for the effectiveness, enforceability, or validity of any digital signature as between those parties. Sections 325K.19 to 325K.24 do not apply to a certificate and associated digital signature issued by an unlicensed certification authority.

Subd. 7. Nonapplicability.

A certification authority that has not obtained a license is not subject to the provisions of this chapter, except as specifically provided.

325K.06 PERFORMANCE AUDITS.

Subdivision 1. Annual audit; auditor qualifications; rules.

A certified public accountant having expertise in computer security must audit the operations of each licensed certification authority at least once each year to evaluate compliance with this chapter. The secretary may by rule specify the qualifications of auditors.

Subd. 2. Compliance categories.

Based on information gathered in the audit, the auditor must categorize the licensed certification authority's compliance as one of the following:

(a) Full compliance. The certification authority appears to conform to all applicable statutory and regulatory requirements.

(b) Substantial compliance. The certification authority appears generally to conform to applicable statutory and regulatory requirements. However, one or more instances of noncompliance or of inability to demonstrate compliance were found in an audited sample, but were likely to be inconsequential.

(c) Partial compliance. The certification authority appears to comply with some statutory and regulatory requirements, but was found not to have complied or not be able to demonstrate compliance with one or more important safeguards.

(d) Noncompliance. The certification authority complies with few or none of the statutory and regulatory requirements, fails to keep adequate records to demonstrate compliance with more than a few requirements, or refused to submit to an audit.

The secretary shall publish in the certification authority disclosure record it maintains for the certification authority the date of the audit and the resulting categorization of the certification authority.

Subd. 3.

[Repealed, 1998 c 321 s 31]

Subd. 4.

[Repealed, 1998 c 321 s 31]

Subd. 5.

[Repealed, 1998 c 321 s 31]

History:

1997 c 178 s 7

325K.07 ENFORCEMENT OF REQUIREMENTS FOR LICENSED CERTIFICATION AUTHORITIES.

Subdivision 1. Investigation.

The secretary may investigate the activities of a licensed certification authority material to its compliance with this chapter and issue orders to a certification authority to further its investigation and secure compliance with this chapter.

Subd. 2. Suspension or revocation.

The secretary may summarily suspend or revoke the license of a certification authority for its failure to comply with an order of the secretary.

Subd. 3. Civil penalty.

The secretary may by order impose and collect a civil monetary penalty against a licensed certification authority for a violation of this chapter in an amount not to exceed $5,000 per incident. In case of a violation continuing for more than one day, each day is considered a separate incident. The secretary may adopt rules setting the standards governing the determination of the penalty amounts.

Subd. 4. Payment of costs.

The secretary may order a certification authority, which it has found to be in violation of this chapter, to pay the costs incurred by the secretary in prosecuting and adjudicating proceedings relative to the order, and enforcing it.

Subd. 5. Administrative procedures; injunctive relief.

(a) The secretary must exercise authority under this section in accordance with the Administrative Procedure Act, chapter 14, and a licensed certification authority may obtain judicial review of the secretary's actions as prescribed by chapter 14.

(b) The secretary may also seek injunctive relief to compel compliance with an order.

325K.08 DANGEROUS ACTIVITIES BY CERTIFICATION AUTHORITY PROHIBITED.

Subdivision 1. Prohibition generally.

No certification authority, whether licensed or not, may conduct its business in a manner that creates an unreasonable risk of loss to subscribers of the certification authority, to persons relying on certificates issued by the certification authority, or to a repository.

Subd. 2. Orders and civil actions.

In the manner provided by the Administrative Procedure Act, chapter 14, the secretary may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this section, regardless of whether the certification authority is licensed. This section does not create a right of action in a person other than the secretary.

History:

1997 c 178 s 9

325K.09 GENERAL REQUIREMENTS FOR CERTIFICATION AUTHORITIES.

Subdivision 1. Use of trustworthy system.

A licensed certification authority or subscriber may use only a trustworthy system:

(1) to issue, suspend, or revoke a certificate;

(2) to publish or give notice of the issuance, suspension, or revocation of a certificate; or

(3) to create a private key.

Subd. 2. Disclosure required.

A licensed certification authority shall disclose any material certification practice statement and disclose any fact material to either the reliability of a certificate that it has issued or its ability to perform its services. A certification authority may require a signed, written, and reasonably specific inquiry from an identified person and payment of reasonable compensation as conditions precedent to effecting a disclosure required in this subdivision.

Subd. 3. Acceptance.

A recipient who accepts a digital signature when the certificate was issued by a licensed certification authority becomes a party to and accepts all of the terms and conditions of the licensed certification authority's certification practice statement.

325K.10 ISSUANCE OF CERTIFICATE.

Subdivision 1. Conditions.

A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:

(1) the certification authority has received a request for issuance signed by the prospective subscriber;

(2) the prospective subscriber or the prospective subscriber's duly authorized agent must appear before the licensed certification authority to present the request; and

(3) the certification authority has confirmed that:

(i) the prospective subscriber is the person to be listed in the certificate to be issued;

(ii) if the prospective subscriber is acting through one or more agents, the subscriber duly authorized each agent to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;

(iii) the information in the certificate to be issued is accurate;

(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;

(v) the prospective subscriber holds a private key capable of creating a digital signature;

(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber; and

(vii) the certificate provides information sufficient to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate will be listed if the certificate is suspended or revoked.

The requirements of this subdivision may not be waived or disclaimed by either the licensed certification authority, the subscriber, or both.

Subd. 2. Publication.

If the subscriber accepts the issued certificate, the licensed certification authority shall publish a signed copy of the certificate in a recognized repository, as the certification authority and the subscriber named in the certificate may agree, unless a contract between the certification authority and the subscriber provides otherwise. If the subscriber does not accept the certificate, a licensed certification authority shall not publish it, or shall cancel its publication if the certificate has already been published.

Subd. 3. Application of other standards.

Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but nevertheless consistent with, this chapter.

Subd. 4. Suspension or revocation.

After issuing a certificate, a licensed certification authority shall revoke it immediately upon confirming that it was not issued as required by this section. A licensed certification authority may also suspend a certificate that it has issued for a reasonable period not exceeding 48 hours as needed for an investigation to confirm grounds for revocation under this subdivision. The certification authority shall give notice to the subscriber as soon as practicable after a decision to revoke or suspend under this subdivision.

Subd. 5. Order of suspension or revocation.

The secretary may order the licensed certification authority to suspend or revoke a certificate that the certification authority issued if, after giving any required notice and opportunity for the certification authority and subscriber to be heard in accordance with the Administrative Procedure Act, chapter 14, the secretary determines that:

(1) the certificate was issued without substantial compliance with this section; and

(2) the noncompliance poses a significant risk to persons reasonably relying on the certificate.

Upon determining that an emergency requires an immediate remedy, and in accordance with the Administrative Procedure Act, chapter 14, the secretary may issue an order suspending a certificate for a period not to exceed 96 hours.

325K.11 WARRANTIES AND OBLIGATIONS UPON ISSUANCE OF CERTIFICATE.

Subdivision 1. Absolute warranties to subscribers.

By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that:

(1) the certificate contains no information known to the certification authority to be false;

(2) the certificate satisfies all material requirements of this chapter; and

(3) the certification authority has not exceeded any limits of its license in issuing the certificate.

The certification authority may not disclaim or limit the warranties of this subdivision.

Subd. 2. Negotiable warranties to subscribers.

Unless the subscriber and certification authority otherwise agree, a certification authority, by issuing a certificate, promises to the subscriber:

(1) to act promptly to suspend or revoke a certificate in accordance with section 325K.14 or 325K.15; and

(2) to notify the subscriber within a reasonable time of any facts known to the certification authority that significantly affect the validity or reliability of the certificate once it is issued.

Subd. 3. Warranties to those who reasonably rely.

By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that:

(1) the information in the certificate and listed as confirmed by the certification authority is accurate;

(2) all information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;

(3) the subscriber has accepted the certificate; and

(4) the licensed certification authority has complied with all applicable laws of this state governing issuance of the certificate.

Subd. 4. Warranties following publication.

By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the certification authority has issued the certificate to the subscriber.

History:

1997 c 178 s 12

325K.12 REPRESENTATIONS AND DUTIES UPON ACCEPTING CERTIFICATE.

Subdivision 1. Subscriber warranties.

By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that:

(1) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;

(2) all representations made by the subscriber to the certification authority and material to the information listed in the certificate are true; and

(3) all material representations made by the subscriber to a certification authority or made in the certificate and not confirmed by the certification authority in issuing the certificate are true.

Subd. 2. Agent warranties.

By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, the requesting person certifies in that person's own right to all who reasonably rely on the information contained in the certificate that the requesting person:

(1) holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and

(2) has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.

Subd. 3.Disclaimer limitations.

No person may disclaim or contractually limit the application of this section, nor obtain indemnity for its effects, if the disclaimer, limitation, or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.

Subd. 4.Indemnification by subscriber.

By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for loss or damage caused by issuance or publication of a certificate in reliance on:

(1) a false and material representation of fact by the subscriber; or

(2) the failure by the subscriber to disclose a material fact if the representation or failure to disclose was made either with intent to deceive the certification authority or a person relying on the certificate, or with gross negligence. The indemnity provided in this section may not be disclaimed or contractually limited in scope. However, a contract may provide consistent, additional terms regarding the indemnification.

Subd. 5.Certified accuracy.

In obtaining information of the subscriber material to issuance of a certificate, the certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation of truthfulness and under penalty of perjury.

325K.13 CONTROL OF PRIVATE KEY.

Subdivision 1.Duty.

By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to a person not authorized to create the subscriber's digital signature.

Subd. 2.

[Repealed, 1998 c 321 s 31]

Subd. 2a.Possession of private key.

A certification authority cannot hold a private key on behalf of a subscriber.

Subd. 3.

[Repealed, 1998 c 321 s 31]

325K.14 SUSPENSION OF CERTIFICATE.

Subdivision 1.Suspension for 96 hours.

Unless the certification authority and the subscriber agree otherwise, the licensed certification authority that issued a certificate that is not a transactional certificate must suspend the certificate for a period not to exceed 96 hours:

(1) upon request by a person identifying himself or herself as the subscriber named in the certificate, or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee, or member of the immediate family of the subscriber; or

(2) by order of the secretary under section 325K.10.

The certification authority need not confirm the identity or agency of the person requesting suspension.

Subd. 2.Suspension for 96 hours; other causes.

(a) The secretary may suspend a certificate issued by a licensed certification authority for a period of 96 hours, if:

(1) a person identifying himself or herself as the subscriber named in the certificate or as an agent, business associate, employee, or member of the immediate family of the subscriber requests suspension; and

(2) the requester represents that the certification authority that issued the certificate is unavailable.

(b) The secretary may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding the requester's identity, authorization, or the unavailability of the issuing certification authority, and may decline to suspend the certificate in its discretion. The secretary or law enforcement agencies may investigate suspensions by the secretary for possible wrongdoing by persons requesting suspension.

Subd. 3.Notice of suspension.

Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority shall give notice of the suspension according to the specification in the certificate. If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the suspension in all the repositories. If a repository no longer exists or refuses to accept publication, or if no repository is recognized under section 325K.25, the licensed certification authority must also publish the notice in a recognized repository. If a certificate is suspended by the secretary, the secretary must give notice as required in this subdivision for a licensed certification authority, provided that the person requesting suspension pays in advance any fee required by a repository for publication of the notice of suspension.

Subd. 4.Terminating suspension.

A certification authority must terminate a suspension initiated by request only:

(1) if the subscriber named in the suspended certificate requests termination of the suspension and the certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or

(2) when the certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber. However, this clause does not require the certification authority to confirm a request for suspension.

Subd. 5.Contract limitation or preclusion.

The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the certification authority, or may provide otherwise for termination of a requested suspension. However, if the contract limits or precludes suspension by the secretary when the issuing certification authority is unavailable, the limitation or preclusion is effective only if notice of it is published in the certificate.

Subd. 6.Misrepresentation.

No person may knowingly or intentionally misrepresent to a certification authority the person's identity or authorization in requesting suspension of a certificate. Violation of this subdivision is a misdemeanor.

Subd. 7.

[Repealed, 1998 c 321 s 31]

Subd. 8.Completion of suspension.

A suspension under this section must be completed within 24 hours of receipt of all of the information required in this section.

Subd. 9.Administrative procedures.

For purposes of this section, the provisions of chapter 14 do not apply when the secretary acts as a licensed certification authority for governmental entities.

325K.15 CERTIFICATE REVOCATION.

Subdivision 1.After request.

A licensed certification authority must revoke a certificate that it issued but which is not a transactional certificate, after:

(1) receiving a request for revocation by the subscriber named in the certificate; and

(2) confirming that the person requesting revocation is the subscriber, or is an agent of the subscriber with authority to request the revocation.

Subd. 2.After identity confirmed.

A licensed certification authority must confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber's written request and evidence reasonably sufficient to confirm the identity and any agency of the person requesting the suspension.

Subd. 3.After death or dissolution.

A licensed certification authority must revoke a certificate that it issued:

(1) upon receiving a certified copy of the subscriber's death record, or upon confirming by other evidence that the subscriber is dead; or

(2) upon presentation of documents effecting a dissolution of the subscriber, or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist, except that if the subscriber is dissolved and is reinstated or restored before revocation is completed, the certification authority is not required to revoke the certificate.

Subd. 4.Unreliable certificate.

A licensed certification authority may revoke one or more certificates that it issued if the certificates are or become unreliable, regardless of whether the subscriber consents to the revocation and notwithstanding a provision to the contrary in a contract between the subscriber and certification authority.

Subd. 5.Notice of revocation.

Immediately upon revocation of a certificate by a licensed certification authority, the licensed certification authority must give notice of the revocation according to the specification in the certificate. If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the revocation in all repositories. If a repository no longer exists or refuses to accept publication, or if no repository is recognized under section 325K.13, then the licensed certification authority must also publish the notice in a recognized repository.

Subd. 6.When certification by subscriber ceases.

A subscriber ceases to certify, as provided in section 325K.12, and has no further duty to keep the private key secure, as required by section 325K.13, in relation to the certificate whose revocation the subscriber has requested, beginning at the earlier of either:

(1) when notice of the revocation is published as required in subdivision 5; or

(2) one business day after the subscriber requests revocation in writing, supplies to the issuing certification authority information reasonably sufficient to confirm the request, and pays any contractually required fee.

Subd. 7.Warranties discharged.

Upon notification as required by subdivision 5, a licensed certification authority is discharged of its warranties based on issuance of the revoked certificate as to transactions occurring after the notification and ceases to certify as provided in section 325K.11, subdivisions 2 and 3, in relation to the revoked certificate.

Subd. 8.Administrative procedures.

For purposes of this section, the provisions of chapter 14 do not apply when the secretary acts as a licensed certification authority for governmental entities.

325K.16 CERTIFICATE EXPIRATION.

Subdivision 1.Expiration date.

A certificate must indicate the date on which it expires.

Subd. 2.Effect of expiration.

When a certificate expires, the subscriber and certification authority cease to certify as provided in this chapter and the certification authority is discharged of its duties based on issuance, in relation to the expired certificate.

History:

1997 c 178 s 17

325K.17 RECOMMENDED RELIANCE LIMITS.

By specifying a recommended reliance limit in a certificate, the issuing certification authority and accepting subscriber recommend that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.

History:

1997 c 178 s 18

325K.18 COLLECTION BASED ON SUITABLE GUARANTY.

Subdivision 1.Bond or letter of credit.

(a) If the suitable guaranty is a surety bond, a person may recover from the surety the full amount of a qualified right to payment against the principal named in the bond.

(b) If the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution the full amount of a qualified right to payment only in accordance with the terms of the letter of credit.

(c) If the suitable guaranty is a policy of insurance, a person may recover under the terms of the policy.

(d) Claimants may recover successively on the same suitable guaranty.

Subd. 2.Attorney fees and court costs.

(a) Subject to paragraph (b), in addition to recovering the amount of a qualified right to payment, a claimant may recover from the proceeds of the guaranty, until depleted:

(1) the attorneys' fees, reasonable in amount; and

(2) court costs incurred by the claimant in collecting the claim.

(b) However, the total liability on the suitable guaranty to all persons making qualified rights of payment or recovering attorneys' fees during its term must not exceed the amount of the suitable guaranty.

Subd. 3.Qualified right to payment.

(a) To recover a qualified right to payment against a surety or issuer of a suitable guaranty, the claimant must:

(1) file written notice of the claim with the issuer of the suitable guarantee stating the name and address of the claimant, the amount claimed, and the grounds for the qualified right to payment; and

(2) append to the notice a certified copy of the judgment on which the qualified right to payment is based.

(b) Recovery of a qualified right to payment from the proceeds of the suitable guaranty is barred unless the claimant substantially complies with this subdivision.

Subd. 4.Statute of limitations.

Recovery of a qualified right to payment from the proceeds of a suitable guaranty are forever barred unless notice of the claim is filed as required in subdivision 3, paragraph (a), clause (1), within three years after the occurrence of the violation of this chapter that is the basis for the claim. Notice under this subdivision need not include the requirement imposed by subdivision 3, paragraph (a), clause (2).

325K.19 SATISFACTION OF SIGNATURE REQUIREMENTS.

(a) Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature, if:

(1)(i) the digital signature is that of a public or local official as defined in section 10A.01, subdivisions 22 and 35, on government records described in section 15.17; or

(ii) no party affected by a digital signature objects to the use of digital signatures in lieu of a signature, and the objection may be evidenced by refusal to provide or accept a digital signature;

(2) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;

(3) that digital signature was affixed by the signer with the intention of signing the message and after the signer has had an opportunity to review items being signed; and

(4) the recipient has no knowledge or notice that the signer either:

(i) breached a duty as a subscriber; or

(ii) does not rightfully hold the private key used to affix the digital signature.

(b) However, nothing in this chapter precludes a mark from being valid as a signature under other applicable law.

325K.20 UNRELIABLE DIGITAL SIGNATURES.

Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances. If the recipient determines not to rely on a digital signature under this section, the recipient must promptly notify the signer of any determination not to rely on a digital signature and the grounds for that determination. Nothing in this chapter shall be construed to obligate a person to accept a digital signature or to respond to an electronic message containing a digital signature.

History:

1997 c 178 s 21

325K.21 DIGITALLY SIGNED DOCUMENT IS WRITTEN.

(a) A message is as valid, enforceable, and effective as if it had been written on paper, if it:

(1) bears in its entirety a digital signature; and

(2) that digital signature is verified by the public key listed in a certificate that:

(i) was issued by a licensed certification authority; and

(ii) was valid at the time the digital signature was created.

(b) Nothing in this chapter shall be construed to eliminate, modify, or condition any other requirements for a contract to be valid, enforceable, and effective. No digital message shall be deemed to be an instrument under the provisions of section 336.3-104 unless all parties to the transaction agree.

History:

1997 c 178 s 22

325K.22 DIGITALLY SIGNED ORIGINALS.

A copy of a digitally signed message is as effective, valid, and enforceable as the original of the message, unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, effective, and enforceable message.

History:

1997 c 178 s 23

325K.23 ACKNOWLEDGMENTS.

Subdivision 1.Certificates.

Unless otherwise provided by law or contract, a certificate issued by a licensed certification authority satisfies the requirement for an acknowledgment pursuant to section 358.41 of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgment appear with the digital signature and regardless of whether the signer physically appeared before the certification authority when the digital signature was created, if that digital signature is:

(1) verifiable by that certificate; and

(2) affixed when that certificate was valid.

Subd. 2.Digital signatures.

If the digital signature is used as an acknowledgment, then the certification authority is responsible to the same extent as a notary up to any limit on liability stated in the certification authority's certification practice statement for failure to satisfy the requirements for an acknowledgment. The certification authority may not disclaim or limit, other than as provided in section 325K.17, the effect of this section.

325K.24 PRESUMPTIONS IN ADJUDICATING DISPUTES; LIABILITY ALLOCATION.

Subdivision 1.Presumptions.

In adjudicating a dispute involving a digital signature, a court of this state presumes that:

(a) A certificate digitally signed by a licensed certification authority and either published in a recognized repository, or made available by the issuing certification authority or by the subscriber listed in the certificate is issued by the certification authority that digitally signed it and is accepted by the subscriber listed in it.

(b) The information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate.

(c) If a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority:

(1) that digital signature is the digital signature of the subscriber listed in that certificate;

(2) that digital signature was affixed by that subscriber with the intention of signing the message; and

(3) the recipient of that digital signature has no knowledge or notice that the signer:

(i) breached a duty as a subscriber; or

(ii) does not rightfully hold the private key used to affix the digital signature.

(d) A digital signature was created before it was time stamped by a disinterested person utilizing a trustworthy system.

Subd. 2.Liability allocation.

A court of this state shall give effect to liability allocations between the parties provided by contract to the extent not inconsistent with the requirements of this chapter.

History:

1997 c 178 s 25

325K.25 RECOGNITION OF REPOSITORIES.

Subdivision 1.Conditions.

The secretary must recognize one or more repositories, after finding that a repository to be recognized:

(1) is operated under the direction of a licensed certification authority;

(2) includes a database containing:

(i) certificates published in the repository;

(ii) notices of suspended or revoked certificates published by licensed certification authorities or other persons suspending or revoking certificates;

(iii) certification authority disclosure records for licensed certification authorities;

(iv) all orders published by the secretary in regulating certification authorities; and

(v) other information adopted by rule by the secretary;

(3) operates by means of a trustworthy system;

(4) contains no significant amount of information that is known or likely to be untrue, inaccurate, or not reasonably reliable;

(5) contains certificates published by certification authorities that conform to legally binding requirements that the secretary finds to be substantially similar to, or more stringent toward the certification authorities, than those of this state; and

(6) keeps an archive of certificates that have been suspended or revoked, or that have expired, within at least the past three years.

Subd. 2.Application.

A repository may apply to the secretary for recognition by filing a written request and providing evidence to the secretary sufficient for the secretary to find that the conditions for recognition are satisfied.

Subd. 3.Recognition discontinued.

A repository may discontinue its recognition by filing 30 days' written notice with the secretary. In addition, the secretary may discontinue recognition of a repository in accordance with the Administrative Procedure Act, chapter 14, if it concludes that the repository no longer satisfies the conditions for recognition listed in this section or in rules adopted by the secretary.

325K.26 RULEMAKING.

The secretary may adopt rules effective July 1, 1998, to implement this chapter.

History:

1997 c 178 s 27

325K.27 COURT RULES.

Nothing in this chapter shall be construed to limit the authority of the Supreme Court to adopt rules of pleading, practice or procedure, or of the court of appeals or district courts to adopt supplementary local rules, governing the use of electronic messages and documents, including, but not limited to, rules governing the use of digital signatures in judicial proceedings.

History:

1998 c 321 s 30
