Unless the certification authority and the subscriber agree otherwise, the licensed certification authority that issued a certificate that is not a transactional certificate must suspend the certificate for a period not to exceed 96 hours:
(1) upon request by a person identifying himself or herself as the subscriber named in the certificate, or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee, or member of the immediate family of the subscriber; or
(2) by order of the secretary under section 325K.10.
The certification authority need not confirm the identity or agency of the person requesting suspension.
(a) The secretary may suspend a certificate issued by a licensed certification authority for a period of 96 hours, if:
(1) a person identifying himself or herself as the subscriber named in the certificate or as an agent, business associate, employee, or member of the immediate family of the subscriber requests suspension; and
(2) the requester represents that the certification authority that issued the certificate is unavailable.
(b) The secretary may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding the requester's identity, authorization, or the unavailability of the issuing certification authority, and may decline to suspend the certificate in its discretion. The secretary or law enforcement agencies may investigate suspensions by the secretary for possible wrongdoing by persons requesting suspension.
Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority shall give notice of the suspension according to the specification in the certificate. If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the suspension in all the repositories. If a repository no longer exists or refuses to accept publication, or if no repository is recognized under section 325K.25, the licensed certification authority must also publish the notice in a recognized repository. If a certificate is suspended by the secretary, the secretary must give notice as required in this subdivision for a licensed certification authority, provided that the person requesting suspension pays in advance any fee required by a repository for publication of the notice of suspension.
A certification authority must terminate a suspension initiated by request only:
(1) if the subscriber named in the suspended certificate requests termination of the suspension and the certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or
(2) when the certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber. However, this clause does not require the certification authority to confirm a request for suspension.
The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the certification authority, or may provide otherwise for termination of a requested suspension. However, if the contract limits or precludes suspension by the secretary when the issuing certification authority is unavailable, the limitation or preclusion is effective only if notice of it is published in the certificate.
No person may knowingly or intentionally misrepresent to a certification authority the person's identity or authorization in requesting suspension of a certificate. Violation of this subdivision is a misdemeanor.
A suspension under this section must be completed within 24 hours of receipt of all of the information required in this section.
For purposes of this section, the provisions of chapter 14 do not apply when the secretary acts as a licensed certification authority for governmental entities.
Official Publication of the State of Minnesota
Revisor of Statutes