WSR 97-20-151
PROPOSED RULES
SECRETARY OF STATE
(Corporations Division)
[Filed October 1, 1997, 11:28 a.m.]
Original Notice.
Preproposal statement of inquiry was filed as WSR 97-13-060.
Title of Rule: Electronic authentication.
Purpose: To provide administrative guidelines for the use of electronic authentication in the state of Washington.
Statutory Authority for Adoption: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111, 19.34.400.
Statute Being Implemented: Chapter 19.34 RCW.
Summary: Provides definition, establishes fees, licensing procedures and requirements for Certification Authorities and Repositories, and certification of operative personnel. Defines revocation and suspension processes of licensees.
Name of Agency Personnel Responsible for Drafting, Implementation and Enforcement: Hans Dettling, 505 East Union, Olympia, WA 98504, 586-0393.
Name of Proponent: Office of the Secretary of State, governmental.
Rule is not necessitated by federal law, federal or state court decision.
Explanation of Rule, its Purpose, and Anticipated Effects: To permit the use of digital signature technology in electronic transactions and to create a process for licensing the certification authorities which will issue certificates for digital signatures.
Proposal does not change existing rules.
A small business economic impact statement has been prepared under
chapter 19.85 RCW.
Summary: It is indeterminate whether the proposed regulation will have an economic impact on any one industry.
Background: The proposed regulation would establish specific administrative guidelines for the use of electronic authentication in the state of Washington. It also provides definition, establishes fees, licensing procedures and requirements for certification authorities and repositories, and certification of operative personnel. It further defines the revocation and suspension processes of licensees.
Impact Analysis: As the result of this proposed regulation, it would not have an impact on sales or revenues for small businesses.
The licensing of certification authorities to permit the use of digital signature technology in electronic transactions is a new activity, therefore, at this point, it cannot be measured if and what the impact on small businesses would be.
Along with the requirements to apply for a license, some cost would be associated with the certification of operative personnel (background check) as outlined in RCW 19.34.100 (1)(b), (c) and WAC 434-200-215 (2)(a), (b). The precise measurement of this cost could not be determined, but the secretary concludes it is likely to have less impact on small businesses with fewer employees who must comply with the requirement.
It is also required that the certification authority and/or repository has:
(a) A trustworthy data system if it materially satisfies as per WAC 434-200-360 by adopting national standards;
(b) A suitable guaranty as per RCW 19.34.100 (1)(d) (WAC 434-200-225) either in the form of a bond or an irrevocable letter of credit;
(c) Sufficient working capital as per WAC 434-200-235;
(d) A compliance audit at least once every year as per WAC 434-200-240; and
(e) Recordkeeping (WAC 434-200-310). To allow minimal impact, the form of recordkeeping is based on chapter 40.10 RCW to adopt new technologies in the future.
Recordkeeping: The records are generally necessary to establish compliance with statutory requirements, and so presumably a certification authority would be required to keep them by virtue of the statute even without the rule. It is to the discretion of the licensed certification authority what medium they use for recordkeeping. This allows to keep the cost on a minimum basis as long as these records can be reproduced and are accessible to an auditor (chapter 40.10 RCW).
Description of How the Agency Involved Small Businesses in Development of Rule: The office has established an open task force with representatives of private industry, state and local agencies. Meetings were conducted since 1996 on the draft of the rule. Drafts have been circulated for comment and were also posted on the Secretary of State's Internet home page.
Lists of Industries Required to Comply: All businesses that wish
to become either a certification authority or act as a repository must
comply with the rule. They could include, but are not limited to:
There is no established SIC code for certification authorities or repositories. Therefore, the current small business economic impact statement requirement would not apply to these rules. The secretary supplies this analysis, however to recognize that in the future there could be impact upon small business in this state.
Conclusion: The Secretary of State finds that, given the measures incorporated within the rule, adoption of the proposed rule will not have an adverse economic impact on small businesses. Rules for a trustworthy system are nationally adopted rules suggested by the National Institute of Standards and Technology (CC Common Criteria, CS2 Protection Profile) and the International Telecommunication Union (X.509).
Since digital signature is new technology, there is no established industry to comply with the rule or make an accurate assessment of the costs. They have to comply with national standards and state requirements set by chapter 434-200 WAC. Security measurements like the required background check for operative personnel and suitable guarantee should ensure the qualification and consistency of operations within the field of digital signature.
A copy of the statement may be obtained by writing to Office of the Secretary of State, Corporations Division, P.O. Box 40234, Olympia, WA 98504, phone (360) 586-0393, or FAX (360) 664-8781.
Section 201, chapter 403, Laws of 1995, does not apply to this rule adoption.
Hearing Location: John L. O'Brien Building (Capitol Campus), Hearing Room "C", 504 15th Avenue, Olympia, WA 98504, on November 4, 1997, at 9:00 a.m.
Assistance for Persons with Disabilities: Contact Hans Dettling by November 3, 1997, TDD (360) 753-1485.
Submit Written Comments to: Office of the Secretary of State, Corporations Division, 505 East Union, 2nd Floor, P.O. Box 40234, Olympia, WA 98504-0234, FAX (360) 664-8781, by November 4, 1997.
Date of Intended Adoption: November 6, 1997.
Tracy Guerin
Assistant Secretary of State
ELECTRONIC AUTHENTICATION
PART 1
GENERAL PRINCIPLES
NEW SECTION
WAC 434-200-100 Scope and purpose of chapter. This chapter
implements the Washington Electronic Authentication Act, codified as
chapter 19.34 RCW.
[]
NEW SECTION
WAC 434-200-110 Office address, hours, and telephone number. All services of the office of the secretary of state related to the Washington Electronic Authentication Act shall be provided through the corporations division.
(1) The mailing address of the division is: Corporations Division, Office of the Secretary of State, Post Office Box 40234, Olympia, Washington 98504-0234.
(2) The offices of the division are located in the Republic Building at 505 E. Union Avenue, Olympia, Washington.
(3) The office hours are from 8:00 a.m. to 5:00 p.m. daily, Monday through Friday, except for state holidays.
(4) The telephone number for the corporations division is (360) 753-7115.
[]
NEW SECTION
WAC 434-200-120 Definitions. For purposes of this chapter, all terms defined in RCW 19.34.020 have the meanings set forth in statute. Additionally, the following terms shall have the following meanings:
(1) "Operative personnel" means one or more natural persons acting as an agent of a licensed certification authority, or in the employment of, or under contract with, a licensed certification authority, and who have:
(a) Managerial or policy making responsibilities for such licensed certification authority; or
(b) Duties directly involving the issuance of certificates (including the identification of persons requesting a certificate from a certification authority), creation of private keys, or administration of a licensed certification authority's computing facilities.
(2) "Managerial or policy making responsibilities" means direct responsibility for the day-to-day operations, security and performance of those business activities that are regulated under chapter 19.34 of the Revised Code of Washington. If a licensed certification authority is a corporation, then it is presumed that the members of the board of directors, among others, exercise managerial or policy making responsibilities, unless the board delegates those duties in writing to one or more officers or employees of the corporation.
(3) "Presiding officer" means the secretary or an administrative law judge assigned to preside over an adjudicative hearing pursuant to this chapter.
(4) "X.509" means the specific set of technical standards identified
by that name which were adopted by the international telecommunication
union, formerly known as the international telegraph and telephone
consultation committee. For purposes of these rules, all references to
X.509 shall be construed as referring to version 3, or higher.
Compliance with only versions 1 or 2 shall not be construed as compliance
with X.509.
[]
NEW SECTION
WAC 434-200-130 Fees. Fees for services performed by the secretary of state are established in the following amounts:
(1) For application for a license as a certification authority:
(a) For the applicant's first year doing business as a licensed certification authority in this state: One thousand four hundred dollars;
(b) For the applicant's second year doing business as a licensed certification authority in this state: One thousand eight hundred dollars; and
(c) For the applicant's third or subsequent year doing business as a licensed certification authority in this state: Two thousand eight hundred dollars.
(2) For recognition as a repository, in addition to the license issuance or renewal fee paid pursuant to this section:
(a) For the applicant's first year doing business as a recognized repository in this state: One thousand four hundred dollars;
(b) For the applicant's second year doing business as a recognized repository in this state: One thousand eight hundred dollars; and
(c) For the applicant's third or subsequent year doing business as a recognized repository in this state: Two thousand eight hundred dollars.
(3) For recognition of a foreign license, either:
(a) Two thousand eight hundred dollars; or
(b) Upon certification by the issuer of the foreign license that the applicant has been licensed as a certification authority in that jurisdiction for less than three years, the fee that would be due under subsection (1) of this section for a Washington license under the same circumstances. No applicant may file under this subsection (b) more than two times.
(4) For qualification of operative personnel:
(a) For administering and scoring the examination required by WAC 434-200-215(3), fifty dollars per individual; and
(b) For qualifying operative personnel pursuant to WAC 434-200-215
and 434-200-220, other than (or in addition to) administering and scoring
the examination, twenty-five dollars per individual.
[]
PART 2
CERTIFICATION AUTHORITY LICENSE APPLICATION, SUSPENSION, REVOCATION
NEW SECTION
WAC 434-200-200 Application for license as a certification authority. Any person desiring to be licensed as a certification authority must file an application pursuant to this chapter demonstrating compliance with the requirements of RCW 19.34.100. To apply for a license, an applicant must submit all of the following:
(1) A completed application form as prescribed by WAC 434-200-210;
(2) The fee or fees provided by WAC 434-200-130;
(3) A certificate that shows the applicant as subscriber and is published in a recognized repository;
(4) A suitable guaranty, described by WAC 434-200-225, unless the applicant is a self-insured city, a self-insured county, or the department of information services of the state of Washington;
(5) Demonstration of sufficient working capital, pursuant to WAC 434-200-235;
(6) Documentation, in the form of an information systems audit, establishing that the applicant has the use of a trustworthy system as defined by WAC 434-200-360. The audit required by this subsection shall be performed pursuant to WAC 434-200-240, except that it is not required to establish anything more than that the applicant has the use of a trustworthy system;
(7) Materials establishing, to the satisfaction of the secretary that each person listed as operative personnel has qualified to act as operative personnel pursuant to WAC 434-200-215; and
(8) A written certification practice statement as described in WAC
434-200-330.
[]
NEW SECTION
WAC 434-200-205 Issuance of license or renewal. The secretary shall, within a reasonable time, issue or renew a license as a certification authority if the applicant has:
(1) Submitted all documentation required by WAC 434-200-200 and 434-200-210; and
(2) The secretary has determined that the applicant meets all requirements for licensure.
(3) Issuance or renewal of a license shall be valid for a period of
one year. Failure to receive a notice of the need to renew a license is
an insufficient reason for failing to file the required application for
renewal.
[]
NEW SECTION
WAC 434-200-210 Form. Each application for a license, or renewal of a license, as a certification authority shall be submitted on a form prescribed by the secretary. The completed form shall contain the following:
(1) The name of the applicant;
(2) The applicant's uniform business identifier number;
(3) The mailing address of the applicant, and a physical address if different;
(4) The telephone number of the applicant;
(5) The electronic mail address of the applicant;
(6) The name and address of the applicant's registered agent for service of process, other than the secretary. Address information shall include a physical address, but may additionally provide a mailing address if different;
(7) The names of all operative personnel; and
(8) The appointment of the secretary of state as the applicant's
agent for service of process.
[]
NEW SECTION
WAC 434-200-215 Certification of operative personnel. The secretary shall not issue or renew a license as a certification authority unless the licensee documents that every individual employed or acting as operative personnel qualifies to act as operative personnel. This documentation shall include:
(1) Receipt of a completed form, signed by the individual under penalty of perjury, stating:
(a) The name (including all other names used in the past), date of birth, and business address of the individual;
(b) That the individual has not been convicted within the past fifteen years of a felony and has never been convicted of a crime involving fraud, false statement, or deception in any jurisdiction; and
(c) If the individual has resided in any nation other than the United States during the previous five years, the name of that nation and the period of residency.
(2) A criminal background check supporting the declaration required by subsection (1) of this section. This requirement is excused as to any individual for whom documentation satisfying this paragraph was submitted within the previous two years, even if the individual has changed employment. This check must include both of the following:
(a) A criminal background check compiled by a private sector provider, documenting a background check reasonably sufficient to disclose any criminal convictions within the previous seven years in any state or federal jurisdiction in the United States, its territories, or possessions, and any other jurisdiction specified pursuant to subsection (1)(c) of this section. This background check must contain information that is current to within thirty days of its date of submission; and
(b) The certified results of a criminal background check performed by the Washington state patrol for the previous fifteen years, dated not more than thirty days prior to submission.
(3) Satisfactory completion by the individual of a written examination demonstrating knowledge and proficiency in following the requirements of the Washington Electronic Authentication Act and these rules. The secretary shall develop an open book written test covering the subject matter of the act, and provide it upon request, which may include electronic access. The secretary may update or modify the test from time to time. The secretary shall indicate at the top of the test the percentage or number of questions that must be answered correctly in order to constitute satisfactory completion. No individual may take the examination more than once within a period of thirty days. A certification by the secretary that an individual has successfully completed this examination shall be valid for two years, and shall continue to satisfy the requirements of this subsection even if the individual changes employment.
(4) A licensed certification authority must remove a person from
performing the functions of operative personnel immediately upon learning
that the person has been convicted within the past fifteen years of a
felony or has ever been convicted of a crime involving fraud, false
statement, or deception, and must notify the secretary of this action
within three business days.
[]
NEW SECTION
WAC 434-200-220 Qualification of newly designated operative
personnel. No licensed certification authority may assign any individual
to perform the functions of operative personnel if that individual has
not been certified by the secretary pursuant to WAC 434-200-215. Such
certification may be obtained by application to the secretary at any
time, without regard to the time at which the certification authority's
license is subject to renewal.
[]
NEW SECTION
WAC 434-200-225 Suitable guaranty. (1) The suitable guaranty required for licensure as a certification authority may be in the form of either a surety bond executed by an insurer lawfully operating in this state, or an irrevocable letter of credit issued by a financial institution authorized to do business in this state.
(2) The suitable guaranty must be in an amount of at least fifty thousand dollars.
(3) As to form, the suitable guaranty must:
(a) Identify the insurer or financial institution upon which it is drawn, including name, mailing address, and physical address, and identify by number or copy its licensure or approval as an insurer or financial institution in this state;
(b) Identify the certification authority on behalf of which it is issued;
(c) Be issued payable to the secretary for the benefit of persons holding qualified rights of payment against the licensed certification authority named as principal of the bond or customer of the letter of credit;
(d) State that it is issued for filing under the Washington Electronic Authentication Act; and
(e) Specify a term of effectiveness extending at least as long as
the term of the license to be issued to the certification authority.
[]
NEW SECTION
WAC 434-200-235 Sufficient working capital. (1) A certification authority's working capital is sufficient for licensing purposes if, at the time it applies for a license or renewal, its current assets minus current liabilities exceeds twenty-five thousand dollars.
(2) A certification authority may demonstrate the sufficiency of its
working capital only through a financial statement signed by a licensed
certified public accountant, dated no more than sixty days prior to the
date received by the secretary. A state agency shall be deemed to have
sufficient working capital without documentation.
[]
NEW SECTION
WAC 434-200-240 Compliance audits. (1) A licensed certification authority shall obtain a compliance audit at least once every year. The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and of chapter 19.34 RCW. If the certification authority is also a recognized repository, the audit must include the repository.
(2) For purposes of the opinion required by this section, the auditor shall exercise reasonable professional judgment as to whether a condition that does not strictly comply with legal requirements is or is not material, taking into consideration the circumstances and context. Noncompliance as to any of the following shall be deemed material, in addition to any others the auditor may judge to be material:
(a) Any condition of noncompliance with statute or rule that relates to the validity of a certificate;
(b) Any employee performing the functions of operative personnel who has not qualified pursuant to WAC 434-200-215;
(c) Any material indication that the certification authority has used any system other than a trustworthy system.
(3) An audit may be performed by any licensed certified public accountant, or, in the case of a public agency, by the Washington state auditor. Any auditor, or group of auditors, performing an audit pursuant to this section shall include at least one individual who has been issued a current and valid certificate as either a certified information systems auditor, by the information systems audit and control foundation, or as a certified information systems security professional, by the International Information Systems Security Certification Consortium. The names of all individuals possessing such certificates shall be disclosed in the audit report, or in a cover letter accompanying that report.
(4) The certification authority shall file a copy of the audit
report with the secretary, prior to the date the certification authority
must renew its license pursuant to WAC 434-200-205. At the certification
authority's option, it shall be sufficient to file a portion of the
report if that report summarizes all audit exceptions and conditions of
noncompliance (including, but not limited to, those stated in subsection
(2) of this section) stated in the full report, and bears the auditor's
signature. The report may be filed electronically, if it is validly
digitally signed by the auditor, using a licensed certification
authority. The secretary shall publish the report, or summary, in the
certification authority disclosure record it maintains for the
certification authority.
[]
NEW SECTION
WAC 434-200-245 Recognition of foreign licenses. (1) A certification authority licensed as such by a governmental entity other than the state of Washington, may act as a licensed certification authority in Washington only if, in addition to meeting any other requirements established by law for the transaction of business, it either:
(a) Obtains a license as a certification authority from the secretary; or
(b) Provides to the secretary a certified copy of a license issued by a governmental entity whose licensing or authorization requirements the secretary has found to be substantially similar to those of Washington, together with the fee required by WAC 434-200-130. A license recognized under this subsection shall be valid in Washington only during the time it is valid in the issuing jurisdiction.
(2) The secretary may certify that the requirements of another jurisdiction are substantially similar to those of Washington if, in order to obtain a license, the controlling law of the other jurisdiction requires that a licensed certification authority:
(a) Issue certificates based upon a system of public key cryptography using a trustworthy system;
(b) Provide a suitable guaranty in an amount of at least twenty-five thousand dollars;
(c) Employ as operative personnel only individuals who have demonstrated knowledge and proficiency in the requirements of the law regarding digital signatures, and who are free of felony criminal conviction for a minimum of seven years;
(d) Be subject to a legally established system of enforcement of licensure requirements.
(3) The secretary shall publish in the State Register, and make
available upon request, a list of those jurisdictions which the secretary
has certified pursuant to subsection (2) of this section. If a
jurisdiction is not included in the list most recently published in the
State Register, the secretary shall consider whether certification of
such jurisdiction should be added, upon request of either the
jurisdiction or a certification authority licensed by that jurisdiction
and upon receipt of an English language copy of the applicable laws and
regulations of that jurisdiction.
[]
NEW SECTION
WAC 434-200-250 Revocation or suspension of license. (1) The secretary may revoke or suspend a license, pursuant to chapter 34.05 RCW, for failure to comply with any requirement of chapter 19.34 RCW or this chapter, for failure to remain qualified for a license pursuant to chapter 19.34 RCW or this chapter, or for failure to comply with a lawful order of the secretary.
(2) The secretary shall inform a licensed certification authority by written order, by mail directed to the mailing address or electronic mail address listed on the licensee's application, of a decision to revoke or suspend the license. The notification shall state when the revocation or suspension shall be effective, which shall not be less than thirty days following the issuance of the order except in the case of a summary suspension pursuant to WAC 434-200-255.
(3) If the licensee files an application for an adjudicative
hearing, pursuant to WAC 434-200-500, prior to the effective date of
revocation or suspension, the suspension or revocation shall not take
effect until so ordered by the presiding officer, except in the case of
a summary suspension pursuant to WAC 434-200-255.
[]
NEW SECTION
WAC 434-200-255 Summary suspension of license. The secretary may
order the summary suspension of a license pending proceedings for
revocation or other action, as described in RCW 19.34.100(4). A summary
suspension of a license is effective immediately upon issuance.
[]
NEW SECTION
WAC 434-200-260 Technical assistance program. (1) This section describes the secretary's technical assistance program for licensed certification authorities, including recognized repositories. This section implements RCW 43.05.020, by providing for the dissemination of information to licensed certification authorities regarding the requirements of the Washington Electronic Authentication Act and this chapter. It is not intended as a method of providing general business advice to certification authorities, or technical information to the general public, although any member of the public may receive written materials described in this section upon request.
(2) The technical assistance program shall consist of the following:
(a) Technical assistance visits: The secretary, in his or her discretion, may conduct a technical assistance visit, as described by RCW 43.05.030, either by the request or the consent of a licensed certification authority. The secretary is not required to conduct a technical assistance visit.
(b) Printed information: The secretary shall develop, and make available upon request, printed information outlining the requirements of chapter 19.34 RCW and this chapter. This information should not be regarded as a comprehensive guide to conducting business as a certification authority.
(c) Information and assistance by telephone: A licensed certification authority or applicant for licensing or recognition, may contact the secretary's office by telephone during normal business hours at the number listed in WAC 434-200-110. The secretary's office shall provide information regarding the licensing and recognition requirements of chapter 19.34 RCW, and this chapter, but no representation or conclusion offered shall be binding upon the secretary.
(d) Training meetings: The secretary may, in his or her discretion, conduct meetings for the purpose of providing training regarding requirements for licensure or recognition.
(e) List of organizations providing technical assistance: The secretary shall compile, and make available upon request, a list of organizations, including private companies, that provide technical assistance to certification authorities. The secretary shall compile this list from information submitted by the organizations and shall not constitute an endorsement by the secretary of any organization.
(3) If the secretary determines, during or within a reasonable time
after a technical assistance visit, that the licensed certification
authority has violated any statute or rule, the secretary shall notify
the certification authority in writing and specify a reasonable period
of time to correct the violation before any civil penalty may be imposed.
The notification shall include a copy of the specific statute or rule
violated. After the expiration of a reasonable time period conveyed to
the certification authority, the secretary may revisit the certification
authority and issue civil penalties with regard to any uncorrected
violations, for which notice was provided.
[]
NEW SECTION
WAC 434-200-265 Civil penalties. The secretary may, by order,
impose and collect a civil monetary penalty against a licensed
certification authority for a violation of chapter 19.34 RCW as provided
by RCW 19.34.120.
[]
NEW SECTION
WAC 434-200-270 Criteria for determining penalty amounts. In determining the appropriate penalty amount against a licensed certification authority for violation of chapter 19.34 RCW or this chapter, the secretary may consider the nature of the violation and the extent or magnitude of the severity of the violation, including:
(1) The damages arising from the violation including:
(a) The financial impact of the violation to any subscriber, relying party, or any other person;
(b) The amount of money obtained, or profit derived, by the certification authority as a result of the violation;
(c) The costs incurred by the state in enforcement, including reasonable investigative costs;
(d) The nonfinancial consequences of the violation, including harm to any subscriber, relying party, or other person;
(2) The nature of the violation, including whether it was continuing in nature, involved criminal conduct, or tended to significantly impair the reliability of any certificate or key pair;
(3) The presence of any aggravating circumstances, including whether the violator:
(a) Intentionally committed the violation with knowledge that the conduct constituted a violation;
(b) Attempted to conceal the violation;
(c) Was untruthful or uncooperative in dealing with the secretary or the secretary's staff;
(d) Had committed prior violations found by the secretary;
(e) Incurred no other sanction as a result of the violation;
(4) The presence of any mitigating circumstances, including whether the violator:
(a) Had taken any prior action to correct the violation or mitigate its consequences;
(b) Had previously paid any damages to any party resulting from the violation;
(c) Acted without intention to commit a violation; or
(d) Acted reasonably in light of any other mitigating factors deemed
relevant by the secretary.
[]
NEW SECTION
WAC 434-200-275 Recovery against suitable guaranty. (1) To recover a qualified right to payment against a surety or issuer of a suitable guaranty, pursuant to RCW 34.10.290, the claimant must:
(a) File a signed notice of the claim with the secretary stating the name and address of the claimant, the amount claimed, the grounds for the qualified right to payment, the date of the occurrence of the violation forming the basis of the claim; and
(b) Append to the notice a certified copy of the judgment on which the qualified right to payment is based, except as provided in subsection (2) of this section.
(2) If the notice pursuant to subsection (1)(a) of this section is filed prior to entry of judgment, the secretary shall hold such notice on file, without further action, until the claimant files a copy of the judgment. If the secretary determines that the litigation identified in the notice has been finally resolved without a judgment providing the claimant with a qualified right to payment, the secretary may expunge the notice from his or her records. The secretary shall not expunge a notice until three years have elapsed since it was first filed.
(3) The secretary shall reject a notice for filing if the date of the occurrence of the violation is more than three years prior to the filing of the notice.
(4) If a notice and judgment are filed pursuant to subsection (1)
of this section, the secretary shall provide the notice and judgment to
the surety or issuer.
[]
PART 3
CERTIFICATION AUTHORITY STANDARDS AND PRACTICES
NEW SECTION
WAC 434-200-300 Form of certificates. (1) Certificates issued by licensed certification authorities shall follow the Basic Certificate Field Standards specified in standard X.509, part one, section 4.1. Certificate data extension fields are optional. If certificate extension fields are used, usage must conform to the required guidelines referenced in X.509 section 4.1.2.1, section 4.2, and may be displayed on the certificate.
(2) Any certificate issued by a licensed certification authority
that is to be used as an acknowledgment, as provided in RCW 19.34.340,
shall include a certificate data extension field that specifies the
reliance limit, if any, and a certificate data extension field that
states that the certificate may be used as an acknowledgment.
[]
NEW SECTION
WAC 434-200-310 Recordkeeping and retention. (1) Every licensed certification authority shall make, keep, and preserve the following records:
(a) Such records as are necessary to demonstrate compliance with RCW 19.34.100 (1)(b), (c), (e), (f), and (g);
(b) Such records as are necessary to demonstrate compliance with RCW 19.34.210 (1)(a), (b), and (2);
(c) All notices of suspension of certificates pursuant to RCW 19.34.210(4), together with such other documents as required to demonstrate compliance with RCW 19.34.210;
(d) Such records as are necessary to demonstrate compliance with RCW 19.34.250(1);
(e) Such records as are necessary to demonstrate compliance with RCW 19.34.260 (1), (2), (3), (4), and (5); and
(f) Such records as are necessary to demonstrate compliance with RCW 19.34.290(1).
(2) Every licensed certification authority shall maintain a data base file which shall contain records of the identity of the subscriber named in each certificate issued by the certification authority, which identity is to include all the facts represented in the certificate, the date of issuance of the certificate, and number of the certificate.
(3) Every licensed certification authority shall maintain a date base file of every time-stamp issued by the certification authority, to include sufficient information so that the identity of the subscriber and the item being time stamped can be identified.
(4) Every licensed certification authority shall retain in a trustworthy fashion the following records for the following periods:
(a) All records identified in subsections (2) and (3) of this section for a period of at least ten years after the date a certificate is revoked or expired, or after a time-stamp is affixed; and
(b) All other records required to be retained under this section shall be retained for at least five years.
(5) Records may be kept in the form of paper-based documents,
retrievable computer-based documents, or any form of reproduction
approved by the state archivist for essential records pursuant to chapter
40.10 RCW. Such records shall be indexed, stored, preserved and
reproduced so as to be accurate, complete, and accessible to an auditor.
Certificate extension data, referenced in X.509 section 4.2, is not
required to be part of any publicly accessible record.
[]
NEW SECTION
WAC 434-200-320 Certification authority disclosure records. (1) The secretary shall compile and maintain certification authority disclosure records for each certification authority that has been issued a current and valid Washington certification authority license. The secretary shall publish them in the secretary's repository and any other recognized repository the secretary deems appropriate. Each certification authority disclosure record shall include, at a minimum, the following:
(a) The information specified in WAC 434-200-210 (1), (2), (3), and (4);
(b) The name, mailing address, telephone number, and electronic mail address of the issuer or surety of the certification authority's suitable guaranty;
(c) A copy of the certification practice statement filed with the secretary pursuant to WAC 434-200-330;
(d) A copy of the most recent audit report, or summary thereof, filed with the secretary pursuant to WAC 434-200-240;
(e) Information as to the current status of the certification authority's Washington license, including disclosure of any license revocation or suspension. If a suspension or revocation is currently subject to a pending administrative or judicial review, the record shall so note;
(f) Whether the certification authority operates a recognized repository, and, information sufficient to locate or identify any repository it either operates or utilizes;
(g) A list of all judgments filed with the secretary pursuant to WAC 434-200-275, within the previous five years; and
(h) Any other information specified by statute.
(2) The secretary shall update a certification authority disclosure record upon becoming aware that any item of information contained within it has changed or is not accurate.
(3) In compiling and maintaining certification authority disclosure
records, the secretary shall utilize the records of the secretary's
office, and is not obligated to conduct any affirmative investigation or
review beyond the face of those records.
[]
NEW SECTION
WAC 434-200-330 Certification practice statements. Each licensed certification authority must file with the secretary a certification practice statement. This statement must declare the practices the certification authority uses in issuing, suspending, and revoking certificates. Additionally, it must set forth the following:
(1) If certificates are issued by class, the necessary criteria for each class of certificate, including the methods of subscriber identification applicable to each class;
(2) Disclosure of any warnings, liability limitations, warranty disclaimers, and indemnity and hold harmless provisions, if any, upon which the certification authority intends to rely;
(3) Disclosure of any and all disclaimers and limitations on obligations, losses, or damages, if any, to be asserted by the certification authority;
(4) A written description of all representations required by the certification authority of the subscriber for the subscriber's responsibility to protect the private key; and
(5) Disclosure of any mandatory dispute resolution process, if any,
to include choice of forum and choice of law provisions.
[]
NEW SECTION
WAC 434-200-340 Suspension or revocation of a certificate by the secretary. (1) The secretary may order a licensed certification authority to suspend or revoke a certificate that the certification authority issued, if, after giving any required notice and opportunity for the certification authority and the subscriber to be heard in accordance with chapter 34.05 RCW, the secretary determines that:
(a) The certificate was issued without substantial compliance with RCW 19.34.210; and
(b) The noncompliance poses a significant risk to persons reasonably relying on the certificate.
(2) The secretary may issue an order, pursuant to RCW 19.34.210(5), suspending a certificate for a period not to exceed ninety-six hours upon determining that an emergency requires an immediate remedy. The secretary shall issue an order including such a finding, and mail it to the licensed certification authority at the mailing address listed in its application.
(3) The secretary may issue an order, pursuant to RCW 19.34.250(2),
suspending a certificate for a period not to exceed ninety-six hours,
unless the certificate provides otherwise or the certificate is a
transactional certificate, under circumstances described by RCW 19.34.250
(2)(a) and (b). If, upon request by the secretary, the person requesting
suspension fails to provide a statement under oath or affirmation
regarding his or her identity or authorization to request suspension, the
secretary shall not issue an order suspending the certificate unless he
or she is satisfied that discretion to enter the order should be
exercised because the circumstances provide a sufficient basis for
confidence of the person's identity and authority.
[]
NEW SECTION
WAC 434-200-350 Regional services for certificate suspension. The secretary may enter into an agreement, pursuant to RCW 19.35.250(7) and chapter 39.34 RCW, authorizing a state or local agency to perform any of the functions of the secretary under RCW 19.34.250 or WAC 434-200-350 (2) or (3) upon a regional basis. The terms and conditions of such an agreement shall include, at a minimum:
(1) The identity of contracting parties;
(2) The region of the state for which the contract is effective;
(3) The duration of the agreement;
(4) The method by which the contracting agency shall inform the secretary of all actions taken pursuant to the agreement;
(5) The method by which any suspension pursuant to the agreement shall be made effective;
(6) The method by which the secretary shall reimburse the agency for its costs of performance under the agreement;
(7) A provision under which each party agrees to indemnify the other, to the extent permitted by law;
(8) The method by which the contract may be terminated prior to expiration, which shall include the right of either party to terminate the agreement immediately in the event of a loss or withdrawal of funding; and
(9) A method of resolving disputes under the agreement.
[]
NEW SECTION
WAC 434-200-360 Trustworthy system. A system shall be regarded as
trustworthy if it materially satisfies the most current adopted version
of Common Criteria (CC) Protection Profile (PP) for Commercial Security
2 (CS2), (CCPPCS), developed by the National Institute of Standards and
Technology (NIST). The determination whether a departure from CCPPCS is
material shall be governed by WAC 434-200-240(2). For purposes of this
chapter, CCPPCS shall be interpreted in a manner that is reasonable in
the context in which a system is used and is consistent with other state
and federal laws. Until such time as the referenced standard is adopted
by NIST, the standard applicable for purposes of this chapter shall be
the draft of CCPPCS dated May 23, 1997.
[]
NEW SECTION
WAC 434-200-370 Procedure upon discontinuance of business. A licensed certification authority that discontinues providing certification authority services without making other arrangements for preservation of the certification authority's records shall either:
(1) Revoke all valid certificates and return all records concerning them to the appropriate subscriber; or
(2) Submit such records to another licensed certification authority
or authorities designated by the secretary.
[]
PART 4
RECOGNITION OF REPOSITORIES
NEW SECTION
WAC 434-200-400 Recognition of repositories. The secretary shall recognize a repository upon determining that it satisfies all requirements set forth in RCW 19.34.400, and upon payment of the required fee and upon receipt and review of a completed form, provided by the secretary, containing the following:
(1) The name of the licensed certification authority, or applicant for licensure as a certification authority, requesting recognition of a repository;
(2) The applicant's uniform business identifier number;
(3) The mailing address of the applicant, and a physical address if different;
(4) The telephone number of the applicant;
(5) The electronic mail address of the applicant; and
(6) A description of the data base and system architecture
demonstrating that it satisfies the requirements of RCW 19.34.400(1) and
WAC 434-200-420.
[]
NEW SECTION
WAC 434-200-410 Revocation of recognition of a repository. (1) This rule describes the secretary's procedure for revoking the recognition of a repository, without also revoking the license of the certification authority that operates the repository. Because a valid license as a certification authority is a statutory requirement for recognition of a repository, the secretary shall automatically revoke the recognition of any repository operated by a certification authority whose license is revoked, expired, or otherwise inoperative.
(2) The secretary may revoke recognition of a repository, pursuant to chapter 34.05 RCW, for failure to comply with any requirement of RCW 19.34.400 or this chapter, or for failure to comply with a lawful order of the secretary.
(3) The secretary shall inform a licensed certification authority that operates a recognized repository by written order, by mail directed to the mailing address listed on the licensee's application, of a decision to revoke recognition of the repository. The notification shall state when the revocation shall be effective, which shall not be less than thirty days following the issuance of the order.
(4) If the certification authority files an application for an
adjudicative hearing, pursuant to WAC 434-200-500, prior to the effective
date of revocation, the revocation shall not take effect until so ordered
by the presiding officer.
[]
NEW SECTION
WAC 434-200-420 Trustworthy system for recognized repositories. A system shall be regarded as trustworthy for purposes of operating a recognized repository if it satisfies the requirements of WAC 434-200-360, and additionally it:
(1) Provides on-line access to the repository upon a continuous basis, with reasonable allowance for scheduled maintenance;
(2) Possesses the capacity to process transactions in a manner reasonably adequate for anticipated volume; and
(3) Provides for the periodic storage of data at a location other
than the principal system utilized for the repository.
[]
NEW SECTION
WAC 434-200-430 Contract for secretary of state repository
publication. The secretary may either directly operate, or contract for
the operation of, a repository described in WAC 434-200-440. If the
secretary contracts for the operation of the repository, the contractor
must be a licensed certification authority and must agree to operate the
repository according to all requirements of chapter 19.34 RCW, including
RCW 19.34.400. The contract may be rescinded for any reason that would
form a basis for revoking recognition of a repository or for failure to
meet the requirements of WAC 434-200-440.
[]
NEW SECTION
WAC 434-200-440 Publication in the secretary of state repository. The secretary shall maintain, either directly or under contract, a repository for the purpose of publishing any information required by chapter 19.34 RCW. Information published in the secretary's repository shall include:
(1) The certification authority disclosure record for each certification authority licensed in Washington;
(2) A list of all judgments filed with the secretary within the previous five years pursuant to RCW 19.34.290;
(3) Any advisory statements published by the secretary regarding the activities of a licensed or unlicensed certification authority, together with any protest filed by the certification authority named in the statement and any final decision of the secretary regarding the issues raised in the statement, all as provided by RCW 19.34.130(2);
(4) Any information published in the secretary's repository pursuant to WAC 434-200-450; and
(5) Any other information necessary or appropriate for publication
in the secretary's repository pursuant to chapter 19.34 RCW or this
chapter.
[]
NEW SECTION
WAC 434-200-450 Procedure upon discontinuance of business as
repository. A licensed certification authority that discontinues
providing services as a recognized repository shall republish the records
published in the repository in another recognized repository. If no
other repository is available or willing to republish that information,
the certification authority shall publish it in the secretary's
repository.
[]
PART 5
PROCEEDINGS BEFORE THE SECRETARY
NEW SECTION
WAC 434-200-500 Application for adjudicative proceedings.
Decisions and actions of the secretary pursuant to chapter 19.34 RCW and
this chapter may be reviewed by filing an application of an adjudicative
proceeding. An adjudicative proceeding shall be commenced when required
by chapter 34.05 RCW, and may be commenced in the secretary's discretion
upon such other occasions as may be permitted by statute. An application
for an adjudicative proceeding may be on a form provided by the secretary
for that purpose or in another paper or electronic writing signed by the
applicant or the applicant's representative. The application for an
adjudicative proceeding should specify the issue to be adjudicated in the
proceeding.
[]
NEW SECTION
WAC 434-200-510 Appointment of administrative law judge--Designation of procedural rules. (1) The secretary hereby appoints the office of administrative hearings and the administrative law judges employed by that office to preside at all hearings that result from the commencement of adjudicative proceedings unless the secretary, by his or her own order, declares his or her intent to preside at a specific proceeding or the proceeding is an appeal of an initial order issued by an administrative law judge.
(2) All hearings shall be conducted in compliance with these rules,
and with chapter 34.05 RCW. The secretary adopts chapter 10-08 WAC as
the applicable rules of procedure, except where this chapter provides
different, additional or conflicting procedures.
[]
NEW SECTION
WAC 434-200-520 Pleadings in digital form. (1) Unless the presiding officer directs otherwise, any party may file any pleading or other document in an adjudicative proceeding under this chapter in electronic form. If a pleading or document filed electronically requires a signature, that pleading or document shall be signed digitally, pursuant to a valid certificate issued by a licensed certification authority. The certification authority that issued the certificate shall not be a party to the adjudicative proceeding.
(2) Service of electronic pleadings or documents by electronic
transmission is effective upon receipt, except that if sent after 5:00
p.m. on a business day or at any time on a weekend or state holiday,
service is effective as of 8:00 a.m. on the following business day.
[]
NEW SECTION
WAC 434-200-530 Service of process on the secretary. Service of
pleadings or documents upon the secretary or the presiding officer does
not constitute service upon the attorney general as counsel to the
secretary.
[]
NEW SECTION
WAC 434-200-540 Stay of summary suspension. (1) Upon summary suspension of a license by the secretary pursuant to this chapter and chapter 19.34 RCW, an affected certification authority may petition the secretary for a stay of suspension pursuant to RCW 34.05.467 and 34.05.550(1). Such petition must be received by the secretary within the time specified in RCW 34.05.467.
(2) Within seven days of receipt of a petition for stay, a hearing shall be held before an administrative law judge, or if an administrative law judge is not available during this period, before an individual designated by the secretary. The hearing shall be limited to consideration of whether a stay should be granted, or whether the terms of the suspension may be modified to allow the conduct of limited activities under current licenses.
(3) Any hearing conducted pursuant to subsection (2) of this section shall be conducted under RCW 34.05.485, brief adjudicative proceedings. The agency record for the hearing shall consist of the information upon which the summary suspension was based and may be supplemented by any information obtained by the secretary subsequent to the date of the suspension order. The certification authority shall have the burden of demonstrating by a preponderance of the evidence that:
(a) The certification authority is likely to prevail upon the merits at hearing;
(b) Without relief, the certification authority will suffer irreparable injury. For purposes of this section, elimination of income from licensed activities shall not be deemed irreparable injury;
(c) The grant of relief will not substantially harm other
parties to the proceedings; and
(d) The threat to the public safety or welfare is not sufficiently serious to justify continuation of the suspension, or that modification of the terms of the suspension will adequately protect the public interest.
(4) The initial order granting or denying a stay shall be effective
immediately upon service unless another date is specified in the order.
[]
NEW SECTION
WAC 434-200-550 Review of orders regarding stay. (1) Any party may petition the secretary for review of an initial order granting or denying a motion for a stay of suspension. A petition for review must be in writing and received by the secretary within twenty-one days of service of the initial order. If neither party has requested review within twenty-one days of service, the initial order shall be deemed the final order of the secretary for purposes of RCW 34.05.467.
(2) If the secretary receives a timely petition for review, he or she shall consider the petition promptly. Consideration on review shall be limited to the record of the hearing on stay.
(3) The secretary's order on the petition for review shall be
effective upon service unless another date is specified in the order and
is final pursuant to RCW 34.05.467. Final disposition of the petition
for stay shall not affect subsequent administrative proceedings for
suspension or revocation of a license.
[]
NEW SECTION
WAC 434-200-560 Adjudicative proceedings--Appearance and practice before the secretary--Who may appear. No person may appear in a representative capacity before the secretary or the designated administrative law judge other than the following:
(1) Attorneys at law duly qualified and entitled to practice before the supreme court of the state of Washington.
(2) A bona fide officer, authorized manager, partner, or full-time employee of a firm, association, partnership, or corporation who appears for such firm, association, partnership or corporation.
(3) An individual appearing pro se.
(4) Such interpreters for persons with a limited understanding of the English language or hearing impaired persons as provided for in WAC 10-08-150.
(5) Such other persons as may be permitted by the secretary upon a
showing by a party to the hearing of such a necessity or such a hardship
as would make it unduly burdensome upon him to have a representative as
set forth under subsections (1) and (2) of this section.
[]
NEW SECTION
WAC 434-200-590 Brief adjudicative proceeding regarding certificate suspension. (1) Pursuant to RCW 34.05.482, the secretary may use brief adjudicative proceedings where not violative of law, where in the judgment of the secretary protection of the public interest does not require the secretary to give notice and an opportunity to participate to persons other than the parties, and the issue and interests involved in the controversy do not warrant the use of the procedures of RCW 34.05.413 through 34.05.479.
(2) The secretary finds that prompt review of the suspension of a certificate pursuant to RCW 19.34.210(5), 19.34.250(2), or WAC 434-200-350 by the secretary or a state or local agency under contract with the secretary is appropriate for a brief adjudicative proceeding. The secretary adopts the provisions of RCW 34.05.482 through 34.05.494 for purposes of this category of proceedings.
(3) If any person affected by the suspension requests administrative review, the secretary shall immediately notify, by the most rapid means reasonably calculated to inform the recipient of the proceeding, the subscriber, the certification authority, and any other affected party who has requested notification or has requested the review, of the intent to conduct a proceeding pursuant to this section. Conduct of that review shall be in accordance with RCW 34.05.485 through 34.05.494.
(4) The suspension of a certificate by order of the secretary pursuant to RCW 19.34.210(5) and 19.34.250(2) shall lapse ninety-six hours after the suspension.
(5) The secretary may, in his or her discretion, conduct a full adjudicative proceeding if any affected party requests a full review of the suspension of a certificate pursuant to RCW 19.34.250(2). If a full adjudicative proceeding is held, the suspension lapses ninety-six hours after the suspension, but the review need not be completed within that time.
(6) If, by final order, the secretary determines that the suspension
was in error, the certificate shall be deemed valid retroactively to the
time of suspension.
[]