WSR 97-24-053

PERMANENT RULES

SECRETARY OF STATE

(Corporations Division)

[Filed November 26, 1997, 3:30 p.m.]

Date of Adoption: November 14, 1997.

Purpose: To provide administrative guidelines for the use of electronic authentication in the state of Washington.

Statutory Authority for Adoption: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111, 19.34.400.

Adopted under notice filed as WSR 97-20-151 on October 1, 1997.

Changes Other than Editing from Proposed to Adopted Version: We received written and oral comments on the proposed rule and made the following substantive changes to the WAC.

WAC 434-180-120(4), we struck the words "or higher" after X.509. The language as proposed implied that any version of X.509 after Version 3 would be automatically adopted. We did not intend automatic adoption and therefore struck the two words.

WAC 434-180-215 (2)(b), we added some language to this section [that] allows other agencies to conduct background checks in the event the employees reside or work outside the state.

WAC 434-180-360, we struck the words "most current adopted version of" after satisfies the . . . This could be construed as automatically adopting future versions of the standard. We did not intend automatic adoption and therefore struck the five words.

WAC 434-180-430, we added an exclusion for the Washington State Department of Information Services. This department will be acting in a contracting capacity with the Office of the Secretary of State. Both of these agencies were included as the only agencies allowed to act in the capacity of certification authority for the state agencies in the legislation.

The WAC citation was changed from chapter 434-200 WAC to chapter 434-180 WAC for consistency with other agency program citations.

Number of Sections Adopted in Order to Comply with Federal Statute: New 0, amended 0, repealed 0; Federal Rules or Standards: New 0, amended 0, repealed 0; or Recently Enacted State Statutes: New 37, amended 0, repealed 0.

Number of Sections Adopted at Request of a Nongovernmental Entity: New 0, amended 0, repealed 0.

Number of Sections Adopted on the Agency's own Initiative: New 37, amended 0, repealed 0.

Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, amended 0, repealed 0.

Number of Sections Adopted using Negotiated Rule Making: New 0, amended 0, repealed 0; Pilot Rule Making: New 0, amended 0, repealed 0; or Other Alternative Rule Making: New 37, amended 0, repealed 0.

Effective Date of Rule: Thirty-one days after filing.

November 26, 1997

Tracy Guerin

Deputy Secretary of State

Chapter 434-180 WAC


ELECTRONIC AUTHENTICATION

PART 1

GENERAL PRINCIPLES

NEW SECTION

WAC 434-180-100 Scope and purpose of chapter. This chapter implements the Washington Electronic Authentication Act, codified as chapter 19.34 RCW.

[]

NEW SECTION

WAC 434-180-110 Office address, hours, and telephone number. All services of the office of the secretary of state related to the Washington Electronic Authentication Act shall be provided through the corporations division.

(1) The mailing address of the division is: Corporations Division, Office of the Secretary of State, Post Office Box 40234, Olympia, Washington 98504-0234.

(2) The offices of the division are located in the Republic Building at 505 E. Union Avenue, Olympia, Washington.

(3) The office hours are from 8:00 a.m. to 5:00 p.m. daily, Monday through Friday, except for state holidays.

(4) The telephone number for the corporations division is (360) 753-7115.

[]

NEW SECTION

WAC 434-180-120 Definitions. For purposes of this chapter, all terms defined in RCW 19.34.020 have the meanings set forth in statute. Additionally, the following terms shall have the following meanings:

(1) "Operative personnel" means one or more natural persons acting as an agent of a licensed certification authority, or in the employment of, or under contract with, a licensed certification authority, and who have:

(a) Managerial or policy making responsibilities for such licensed certification authority; or

(b) Duties directly involving the issuance of certificates (including the identification of persons requesting a certificate from a certification authority), creation of private keys, or administration of a licensed certification authority's computing facilities.

(2) "Managerial or policy making responsibilities" means direct responsibility for the day-to-day operations, security and performance of those business activities that are regulated under chapter 19.34 of the Revised Code of Washington. If a licensed certification authority is a corporation, then it is presumed that the members of the board of directors, among others, exercise managerial or policy making responsibilities, unless the board delegates those duties in writing to one or more officers or employees of the corporation.

(3) "Presiding officer" means the secretary or an administrative law judge assigned to preside over an adjudicative hearing pursuant to this chapter.

(4) "X.509" means the specific set of technical standards identified by that name which were adopted by the international telecommunication union, formerly known as the international telegraph and telephone consultation committee. For purposes of these rules, all references to X.509 shall be construed as referring to version 3. Compliance with only versions 1 or 2 shall not be construed as compliance with X.509.

[]

NEW SECTION

WAC 434-180-130 Fees. Fees for services performed by the secretary of state are established in the following amounts:

(1) For application for a license as a certification authority:

(a) For the applicant's first year doing business as a licensed certification authority in this state: One thousand four hundred dollars;

(b) For the applicant's second year doing business as a licensed certification authority in this state: One thousand eight hundred dollars; and

(c) For the applicant's third or subsequent year doing business as a licensed certification authority in this state: Two thousand eight hundred dollars.

(2) For recognition as a repository, in addition to the license issuance or renewal fee paid pursuant to this section:

(a) For the applicant's first year doing business as a recognized repository in this state: One thousand four hundred dollars;

(b) For the applicant's second year doing business as a recognized repository in this state: One thousand eight hundred dollars; and

(c) For the applicant's third or subsequent year doing business as a recognized repository in this state: Two thousand eight hundred dollars.

(3) For recognition of a foreign license, either:

(a) Two thousand eight hundred dollars; or

(b) Upon certification by the issuer of the foreign license that the applicant has been licensed as a certification authority in that jurisdiction for less than three years, the fee that would be due under subsection (1) of this section for a Washington license under the same circumstances. No applicant may file under this subsection (b) more than two times.

(4) For qualification of operative personnel:

(a) For administering and scoring the examination required by WAC 434-180-215(3), fifty dollars per individual; and

(b) For qualifying operative personnel pursuant to WAC 434-180-215 and 434-180-220, other than (or in addition to) administering and scoring the examination, twenty-five dollars per individual.

[]

PART 2

CERTIFICATION AUTHORITY LICENSE APPLICATION, SUSPENSION, REVOCATION

NEW SECTION

WAC 434-180-200 Application for license as a certification authority. Any person desiring to be licensed as a certification authority must file an application pursuant to this chapter demonstrating compliance with the requirements of RCW 19.34.100. To apply for a license, an applicant must submit all of the following:

(1) A completed application form as prescribed by WAC 434-180-210;

(2) The fee or fees provided by WAC 434-180-130;

(3) A certificate that shows the applicant as subscriber and is published in a recognized repository;

(4) A suitable guaranty, described by WAC 434-180-225, unless the applicant is a self-insured city, a self-insured county, or the department of information services of the state of Washington;

(5) Demonstration of sufficient working capital, pursuant to WAC 434-180-235;

(6) Documentation, in the form of an information systems audit report, establishing that the applicant has the use of a trustworthy system as defined by WAC 434-180-360. The audit required by this subsection shall be performed pursuant to WAC 434-180-240, except that it is not required to establish anything more than that the applicant has the use of a trustworthy system;

(7) Materials establishing, to the satisfaction of the secretary that each person listed as operative personnel has qualified to act as operative personnel pursuant to WAC 434-180-215; and

(8) A written certification practice statement as described in WAC 434-180-330.

[]

NEW SECTION

WAC 434-180-205 Issuance of license or renewal. The secretary shall, within a reasonable time, issue or renew a license as a certification authority if the applicant has:

(1) Submitted all documentation required by WAC 434-180-200 and 434-180-210; and

(2) The secretary has determined that the applicant meets all requirements for licensure.

(3) Issuance or renewal of a license shall be valid for a period of one year. Failure to receive a notice of the need to renew a license is an insufficient reason for failing to file the required application for renewal.

[]

NEW SECTION

WAC 434-180-210 Form. Each application for a license, or renewal of a license, as a certification authority shall be submitted on a form prescribed by the secretary. The completed form shall contain the following:

(1) The name of the applicant;

(2) The applicant's uniform business identifier number, if any;

(3) The mailing address of the applicant, and a physical address if different;

(4) The telephone number of the applicant;

(5) The electronic mail address of the applicant;

(6) The name and address of the applicant's registered agent for service of process, other than the secretary. Address information shall include a physical address, but may additionally provide a mailing address if different;

(7) The names of all operative personnel; and

(8) The appointment of the secretary of state as the applicant's agent for service of process.

[]

NEW SECTION

WAC 434-180-215 Certification of operative personnel. The secretary shall not issue or renew a license as a certification authority unless the licensee documents that every individual employed or acting as operative personnel qualifies to act as operative personnel. This documentation shall include:

(1) Receipt of a completed form, signed by the individual under penalty of perjury, stating:

(a) The name (including all other names used in the past), date of birth, and business address of the individual;

(b) That the individual has not been convicted within the past fifteen years of a felony and has never been convicted of a crime involving fraud, false statement, or deception in any jurisdiction; and

(c) If the individual has resided in any nation other than the United States during the previous five years, the name of that nation and the period of residency.

(2) A criminal background check supporting the declaration required by subsection (1) of this section. This requirement is excused as to any individual for whom documentation satisfying this paragraph was submitted within the previous two years, even if the individual has changed employment. This check must include both of the following:

(a) A criminal background check compiled by a private sector provider, documenting a background check reasonably sufficient to disclose any criminal convictions within the previous seven years in any state or federal jurisdiction in the United States, its territories, or possessions, and any other jurisdiction specified pursuant to subsection (1)(c) of this section. This background check must contain information that is current to within thirty days of its date of submission; and

(b) The certified results of a criminal background check performed by the Washington state patrol or law enforcement agency where the operative personnel reside and are employed for the previous fifteen years, dated not more than thirty days prior to submission or such other jurisdictions as the secretary may reasonably request.

(3) Satisfactory completion by the individual of a written examination demonstrating knowledge and proficiency in following the requirements of the Washington Electronic Authentication Act and these rules. The secretary shall develop an open book written test covering the subject matter of the act, and provide it upon request, which may include electronic access. The secretary may update or modify the test from time to time. The secretary shall indicate at the top of the test the percentage or number of questions that must be answered correctly in order to constitute satisfactory completion. No individual may take the examination more than once within a period of thirty days. A certification by the secretary that an individual has successfully completed this examination shall be valid for two years, and shall continue to satisfy the requirements of this subsection even if the individual changes employment.

(4) A licensed certification authority must remove a person from performing the functions of operative personnel immediately upon learning that the person has been convicted within the past fifteen years of a felony or has ever been convicted of a crime involving fraud, false statement, or deception, and must notify the secretary of this action within three business days.

[]

NEW SECTION

WAC 434-180-220 Qualification of newly designated operative personnel. No licensed certification authority may assign any individual to perform the functions of operative personnel if that individual has not been certified by the secretary pursuant to WAC 434-180-215. Such certification may be obtained by application to the secretary at any time, without regard to the time at which the certification authority's license is subject to renewal.

[]

NEW SECTION

WAC 434-180-225 Suitable guaranty. (1) The suitable guaranty required for licensure as a certification authority may be in the form of either a surety bond executed by an insurer lawfully operating in this state, or an irrevocable letter of credit issued by a financial institution authorized to do business in this state.

(2) The suitable guaranty must be in an amount of at least fifty thousand dollars.

(3) As to form, the suitable guaranty must:

(a) Identify the insurer issuing the suitable guaranty or financial institution upon which it is drawn, including name, mailing address, and physical address, and identify by number or copy its licensure or approval as a financial institution, or in the case of an insurer, as an insurer in this state;

(b) Identify the certification authority on behalf of which it is issued;

(c) Be issued payable to the secretary for the benefit of persons holding qualified rights of payment against the licensed certification authority named as principal of the bond or customer of the letter of credit;

(d) State that it is issued for filing under the Washington Electronic Authentication Act; and

(e) Specify a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority.

[]

NEW SECTION

WAC 434-180-235 Sufficient working capital. (1) A certification authority's working capital is sufficient for licensing purposes if, at the time it applies for a license or renewal, its current assets minus current liabilities exceeds twenty-five thousand dollars.

(2) A certification authority may demonstrate the sufficiency of its working capital only through a financial statement signed by a licensed certified public accountant, dated no more than sixty days prior to the date received by the secretary. A state agency shall be deemed to have sufficient working capital without documentation.

[]

NEW SECTION

WAC 434-180-240 Compliance audits. (1) A licensed certification authority shall obtain a compliance audit at least once every year. The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and of chapter 19.34 RCW. If the certification authority is also a recognized repository, the audit must include the repository.

(2) For purposes of the opinion required by this section, the auditor shall exercise reasonable professional judgment as to whether a condition that does not strictly comply with legal requirements is or is not material, taking into consideration the circumstances and context. Noncompliance as to any of the following shall be deemed material, in addition to any others the auditor may judge to be material:

(a) Any condition of noncompliance with statute or rule that relates to the validity of a certificate;

(b) Any employee performing the functions of operative personnel who has not qualified pursuant to WAC 434-180-215;

(c) Any material indication that the certification authority has used any system other than a trustworthy system.

(3) An audit may be performed by any licensed certified public accountant, or, in the case of a public agency, by the Washington state auditor. Any auditor, or group of auditors, performing an audit pursuant to this section shall include at least one individual who has been issued a current and valid certificate as either a certified information systems auditor, by the information systems audit and control foundation, or as a certified information systems security professional, by the International Information Systems Security Certification Consortium. The names of all individuals possessing such certificates shall be disclosed in the audit report, or in a cover letter accompanying that report.

(4) The certification authority shall file a copy of the audit report with the secretary, prior to the date the certification authority must renew its license pursuant to WAC 434-180-205. At the certification authority's option, it shall be sufficient to file a portion of the report if that report summarizes all audit exceptions and conditions of noncompliance (including, but not limited to, those stated in subsection (2) of this section) stated in the full report, and bears the auditor's signature. The report may be filed electronically, if it is validly digitally signed by the auditor, using a licensed certification authority. The secretary shall publish the report, or summary, in the certification authority disclosure record it maintains for the certification authority.

[]

NEW SECTION

WAC 434-180-245 Recognition of foreign licenses. (1) A certification authority licensed as such by a governmental entity other than the state of Washington, may act as a licensed certification authority in Washington only if, in addition to meeting any other requirements established by law for the transaction of business, it either:

(a) Obtains a license as a certification authority from the secretary; or

(b) Provides to the secretary a certified copy of a license issued by a governmental entity whose licensing or authorization requirements the secretary has found to be substantially similar to those of Washington, together with the fee required by WAC 434-180-130. A license recognized under this subsection shall be valid in Washington only during the time it is valid in the issuing jurisdiction.

(2) The secretary may certify that the requirements of another jurisdiction are substantially similar to those of Washington if, in order to obtain a license, the controlling law of the other jurisdiction requires that a licensed certification authority:

(a) Issue certificates based upon a system of public key cryptography using a trustworthy system;

(b) Provide a suitable guaranty in an amount of at least twenty-five thousand dollars;

(c) Employ as operative personnel only individuals who have demonstrated knowledge and proficiency in the requirements of the law regarding digital signatures, and who are free of felony criminal conviction for a minimum of seven years;

(d) Be subject to a legally established system of enforcement of licensure requirements.

(3) The secretary shall publish in the State Register, and make available upon request, a list of those jurisdictions which the secretary has certified pursuant to subsection (2) of this section. If a jurisdiction is not included in the list most recently published in the State Register, the secretary shall consider whether certification of such jurisdiction should be added, upon request of either the jurisdiction or a certification authority licensed by that jurisdiction and upon receipt of an English language copy of the applicable laws and regulations of that jurisdiction.

[]

NEW SECTION

WAC 434-180-250 Revocation or suspension of license. (1) The secretary may revoke or suspend a license, pursuant to chapter 34.05 RCW, for failure to comply with any requirement of chapter 19.34 RCW or this chapter, for failure to remain qualified for a license pursuant to chapter 19.34 RCW or this chapter, or for failure to comply with a lawful order of the secretary.

(2) The secretary shall inform a licensed certification authority by written order, by mail directed to the mailing address or electronic mail address listed on the licensee's application, of a decision to revoke or suspend the license. The notification shall state when the revocation or suspension shall be effective, which shall not be less than thirty days following the issuance of the order except in the case of a summary suspension pursuant to WAC 434-180-255.

(3) If the licensee files an application for an adjudicative hearing, pursuant to WAC 434-180-500, prior to the effective date of revocation or suspension, the suspension or revocation shall not take effect until so ordered by the presiding officer, except in the case of a summary suspension pursuant to WAC 434-180-255.

[]

NEW SECTION

WAC 434-180-255 Summary suspension of license. The secretary may order the summary suspension of a license pending proceedings for revocation or other action, as described in RCW 19.34.100(4). A summary suspension of a license is effective immediately upon issuance.

[]

NEW SECTION

WAC 434-180-260 Technical assistance program. (1) This section describes the secretary's technical assistance program for licensed certification authorities, including recognized repositories. This section implements RCW 43.05.020, by providing for the dissemination of information to licensed certification authorities regarding the requirements of the Washington Electronic Authentication Act and this chapter. It is not intended as a method of providing general business advice to certification authorities, or technical information to the general public, although any member of the public may receive written materials described in this section upon request.

(2) The technical assistance program shall consist of the following:

(a) Technical assistance visits: The secretary, in his or her discretion, may conduct a technical assistance visit, as described by RCW 43.05.030, either by the request or the consent of a licensed certification authority. The secretary is not required to conduct a technical assistance visit.

(b) Printed information: The secretary shall develop, and make available upon request, printed information outlining the requirements of chapter 19.34 RCW and this chapter. This information should not be regarded as a comprehensive guide to conducting business as a certification authority.

(c) Information and assistance by telephone: A licensed certification authority or applicant for licensing or recognition, may contact the secretary's office by telephone during normal business hours at the number listed in WAC 434-180-110. The secretary's office shall provide information regarding the licensing and recognition requirements of chapter 19.34 RCW, and this chapter, but no representation or conclusion offered shall be binding upon the secretary.

(d) Training meetings: The secretary may, in his or her discretion, conduct meetings for the purpose of providing training regarding requirements for licensure or recognition.

(e) List of organizations providing technical assistance: The secretary shall compile, and make available upon request, a list of organizations, including private companies, that provide technical assistance to certification authorities. The secretary shall compile this list from information submitted by the organizations and shall not constitute an endorsement by the secretary of any organization.

(3) If the secretary determines, during or within a reasonable time after a technical assistance visit, that the licensed certification authority has violated any statute or rule, the secretary shall notify the certification authority in writing and specify a reasonable period of time to correct the violation before any civil penalty may be imposed. The notification shall include a copy of the specific statute or rule violated. After the expiration of a reasonable time period conveyed to the certification authority, the secretary may revisit the certification authority and issue civil penalties with regard to any uncorrected violations, for which notice was provided.

[]

NEW SECTION

WAC 434-180-265 Civil penalties. The secretary may, by order, impose and collect a civil monetary penalty against a licensed certification authority for a violation of chapter 19.34 RCW as provided by RCW 19.34.120.

[]

NEW SECTION

WAC 434-180-270 Criteria for determining penalty amounts. In determining the appropriate penalty amount against a licensed certification authority for violation of chapter 19.34 RCW or this chapter, the secretary may consider the nature of the violation and the extent or magnitude of the severity of the violation, including:

(1) The damages arising from the violation including:

(a) The financial impact of the violation to any subscriber, relying party, or any other person;

(b) The amount of money obtained, or profit derived, by the certification authority as a result of the violation;

(c) The costs incurred by the state in enforcement, including reasonable investigative costs;

(d) The nonfinancial consequences of the violation, including harm to any subscriber, relying party, or other person;

(2) The nature of the violation, including whether it was continuing in nature, involved criminal conduct, or tended to significantly impair the reliability of any certificate or key pair;

(3) The presence of any aggravating circumstances, including whether the violator:

(a) Intentionally committed the violation with knowledge that the conduct constituted a violation;

(b) Attempted to conceal the violation;

(c) Was untruthful or uncooperative in dealing with the secretary or the secretary's staff;

(d) Had committed prior violations found by the secretary;

(e) Incurred no other sanction as a result of the violation;

(4) The presence of any mitigating circumstances, including whether the violator:

(a) Had taken any prior action to correct the violation or mitigate its consequences;

(b) Had previously paid any damages to any party resulting from the violation;

(c) Acted without intention to commit a violation; or

(d) Acted reasonably in light of any other mitigating factors deemed relevant by the secretary.

[]

NEW SECTION

WAC 434-180-275 Recovery against suitable guaranty. (1) To recover a qualified right to payment against a surety or issuer of a suitable guaranty, pursuant to RCW 34.10.290, the claimant must:

(a) File a signed notice of the claim with the secretary stating the name and address of the claimant, the amount claimed, the grounds for the qualified right to payment, the date of the occurrence of the violation forming the basis of the claim; and

(b) Append to the notice a certified copy of the judgment on which the qualified right to payment is based, except as provided in subsection (2) of this section.

(2) If the notice pursuant to subsection (1)(a) of this section is filed prior to entry of judgment, the secretary shall hold such notice on file, without further action, until the claimant files a copy of the judgment. If the secretary determines that the litigation identified in the notice has been finally resolved without a judgment providing the claimant with a qualified right to payment, the secretary may expunge the notice from his or her records. The secretary shall not expunge a notice until three years have elapsed since it was first filed.

(3) The secretary shall reject a notice for filing if the date of the occurrence of the violation is more than three years prior to the filing of the notice.

(4) If a notice and judgment are filed pursuant to subsection (1) of this section, the secretary shall provide the notice and judgment to the surety or issuer.

[]

PART 3

CERTIFICATION AUTHORITY STANDARDS AND PRACTICES

NEW SECTION

WAC 434-180-300 Form of certificates. (1) Certificates issued by licensed certification authorities shall follow the Basic Certificate Field Standards specified in standard X.509, part one, section 4.1. Certificate data extension fields are optional. If certificate extension fields are used, usage must conform to the required guidelines referenced in X.509 section 4.1.2.1, section 4.2, and may be displayed on the certificate.

(2) Any certificate issued by a licensed certification authority that is to be used as an acknowledgment, as provided in RCW 19.34.340, shall include a certificate data extension field that specifies the reliance limit, if any, and a certificate data extension field that states that the certificate may be used as an acknowledgment.

[]

NEW SECTION

WAC 434-180-310 Recordkeeping and retention. (1) Every licensed certification authority shall make, keep, and preserve the following records:

(a) Such records as are necessary to demonstrate compliance with RCW 19.34.100 (1)(b), (c), (e), (f), and (g);

(b) Such records as are necessary to demonstrate compliance with RCW 19.34.210 (1)(a), (b), and (2);

(c) All notices of suspension of certificates pursuant to RCW 19.34.210(4), together with such other documents as required to demonstrate compliance with RCW 19.34.210;

(d) Such records as are necessary to demonstrate compliance with RCW 19.34.250(1);

(e) Such records as are necessary to demonstrate compliance with RCW 19.34.260 (1), (2), (3), (4), and (5); and

(f) Such records as are necessary to demonstrate compliance with RCW 19.34.290(1).

(2) Every licensed certification authority shall maintain a data base file which shall contain records of the identity of the subscriber named in each certificate issued by the certification authority, which identity is to include all the facts represented in the certificate, the date of issuance of the certificate, and number of the certificate.

(3) Every licensed certification authority shall maintain a date base file of every time-stamp issued by the certification authority, to include sufficient information so that the identity of the subscriber and the item being time stamped can be identified.

(4) Every licensed certification authority shall retain in a trustworthy fashion the following records for the following periods:

(a) All records identified in subsections (2) and (3) of this section for a period of at least ten years after the date a certificate is revoked or expired, or after a time-stamp is affixed; and

(b) All other records required to be retained under this section shall be retained for at least five years.

(5) Records may be kept in the form of paper-based documents, retrievable computer-based documents, or any form of reproduction approved by the state archivist for essential records pursuant to chapter 40.10 RCW. Such records shall be indexed, stored, preserved and reproduced so as to be accurate, complete, and accessible to an auditor. Certificate extension data, referenced in X.509 section 4.2, is not required to be part of any publicly accessible record.

[]

NEW SECTION

WAC 434-180-320 Certification authority disclosure records. (1) The secretary shall compile and maintain certification authority disclosure records for each certification authority that has been issued a current and valid Washington certification authority license. The secretary shall publish them in the secretary's repository and any other recognized repository the secretary deems appropriate. Each certification authority disclosure record shall include, at a minimum, the following:

(a) The information specified in WAC 434-180-210 (1), (2), (3), and (4);

(b) The name, mailing address, telephone number, and electronic mail address of the issuer or surety of the certification authority's suitable guaranty, and the expiration date of the guaranty;

(c) A copy of the certification practice statement filed with the secretary pursuant to WAC 434-180-330;

(d) A copy of the most recent audit report, or summary thereof, filed with the secretary pursuant to WAC 434-180-240;

(e) Information as to the current status of the certification authority's Washington license, including disclosure of any license revocation or suspension. If a suspension or revocation is currently subject to a pending administrative or judicial review, the record shall so note;

(f) Whether the certification authority operates a recognized repository, and, information sufficient to locate or identify any repository it either operates or utilizes;

(g) A list of all judgments filed with the secretary pursuant to WAC 434-180-275, within the previous five years; and

(h) Any other information specified by statute.

(2) The secretary shall update a certification authority disclosure record upon becoming aware that any item of information contained within it has changed or is not accurate.

(3) In compiling and maintaining certification authority disclosure records, the secretary shall utilize the records of the secretary's office, and is not obligated to conduct any affirmative investigation or review beyond the face of those records.

[]

NEW SECTION

WAC 434-180-330 Certification practice statements. Each licensed certification authority must file with the secretary a certification practice statement. This statement must declare the practices the certification authority uses in issuing, suspending, and revoking certificates. Additionally, it must set forth the following:

(1) If certificates are issued by class, the necessary criteria for each class of certificate, including the methods of subscriber identification applicable to each class;

(2) Disclosure of any warnings, liability limitations, warranty disclaimers, and indemnity and hold harmless provisions, if any, upon which the certification authority intends to rely;

(3) Disclosure of any and all disclaimers and limitations on obligations, losses, or damages, if any, to be asserted by the certification authority;

(4) A written description of all representations required by the certification authority of the subscriber for the subscriber's responsibility to protect the private key; and

(5) Disclosure of any mandatory dispute resolution process, if any, including any choice of forum and choice of law provisions.

[]

NEW SECTION

WAC 434-180-340 Suspension or revocation of a certificate by the secretary. (1) The secretary may order a licensed certification authority to suspend or revoke a certificate that the certification authority issued, if, after giving any required notice and opportunity for the certification authority and the subscriber to be heard in accordance with chapter 34.05 RCW, the secretary determines that:

(a) The certificate was issued without substantial compliance with RCW 19.34.210; and

(b) The noncompliance poses a significant risk to persons reasonably relying on the certificate.

(2) The secretary may issue an order, pursuant to RCW 19.34.210(5), suspending a certificate for a period not to exceed ninety-six hours upon determining that an emergency requires an immediate remedy. The secretary shall issue an order including such a finding, and mail it to the licensed certification authority at the mailing address listed in its application.

(3) The secretary may issue an order, pursuant to RCW 19.34.250(2), suspending a certificate for a period not to exceed ninety-six hours, unless the certificate provides otherwise or the certificate is a transactional certificate, under circumstances described by RCW 19.34.250 (2)(a) and (b). If, upon request by the secretary, the person requesting suspension fails to provide a statement under oath or affirmation regarding his or her identity or authorization to request suspension, the secretary shall not issue an order suspending the certificate unless he or she is satisfied that discretion to enter the order should be exercised because the circumstances provide a sufficient basis for confidence of the person's identity and authority.

[]

NEW SECTION

WAC 434-180-350 Regional services for certificate suspension. The secretary may enter into an agreement, pursuant to RCW 19.35.250(7) and chapter 39.34 RCW, authorizing a state or local agency to perform any of the functions of the secretary under RCW 19.34.250 or WAC 434-180-350 (2) or (3) upon a regional basis. The terms and conditions of such an agreement shall include, at a minimum:

(1) The identity of contracting parties;

(2) The region of the state for which the contract is effective;

(3) The duration of the agreement;

(4) The method by which the contracting agency shall inform the secretary of all actions taken pursuant to the agreement;

(5) The method by which any suspension pursuant to the agreement shall be made effective;

(6) The method by which the secretary shall reimburse the agency for its costs of performance under the agreement;

(7) A provision under which each party agrees to indemnify the other, to the extent permitted by law;

(8) The method by which the contract may be terminated prior to expiration, which shall include the right of either party to terminate the agreement immediately in the event of a loss or withdrawal of funding; and

(9) A method of resolving disputes under the agreement.

[]

NEW SECTION

WAC 434-180-360 Trustworthy system. A system shall be regarded as trustworthy if it materially satisfies the Common Criteria (CC) Protection Profile (PP) for Commercial Security 2 (CS2), (CCPPCS), developed by the National Institute of Standards and Technology (NIST). The determination whether a departure from CCPPCS is material shall be governed by WAC 434-180-240(2). For purposes of this chapter, CCPPCS shall be interpreted in a manner that is reasonable in the context in which a system is used and is consistent with other state and federal laws. Until such time as the referenced standard is adopted by NIST, the standard applicable for purposes of this chapter shall be the draft of CCPPCS dated May 23, 1997.

[]

NEW SECTION

WAC 434-180-370 Procedure upon discontinuance of business. A licensed certification authority that discontinues providing certification authority services without making other arrangements for preservation of the certification authority's records shall either:

(1) Revoke all valid certificates and return all records concerning them to the appropriate subscriber; or

(2) Submit such records to another licensed certification authority or authorities designated by the secretary.

[]

PART 4

RECOGNITION OF REPOSITORIES

NEW SECTION

WAC 434-180-400 Recognition of repositories. The secretary shall recognize a repository upon determining that it satisfies all requirements set forth in RCW 19.34.400, and upon payment of the required fee and upon receipt and review of a completed form, provided by the secretary, containing the following:

(1) The name of the licensed certification authority, or applicant for licensure as a certification authority, requesting recognition of a repository;

(2) The applicant's uniform business identifier number, if any;

(3) The mailing address of the applicant, and a physical address if different;

(4) The telephone number of the applicant;

(5) The electronic mail address of the applicant; and

(6) A description of the data base and system architecture demonstrating that it satisfies the requirements of RCW 19.34.400(1) and WAC 434-180-420.

[]

NEW SECTION

WAC 434-180-410 Revocation of recognition of a repository. (1) This rule describes the secretary's procedure for revoking the recognition of a repository, without also revoking the license of the certification authority that operates the repository. Because a valid license as a certification authority is a statutory requirement for recognition of a repository, the secretary shall automatically revoke the recognition of any repository operated by a certification authority whose license is revoked, expired, or otherwise inoperative.

(2) The secretary may revoke recognition of a repository, pursuant to chapter 34.05 RCW, for failure to comply with any requirement of RCW 19.34.400 or this chapter, or for failure to comply with a lawful order of the secretary.

(3) The secretary shall inform a licensed certification authority that operates a recognized repository by written order, by mail directed to the mailing address listed on the licensee's application, of a decision to revoke recognition of the repository. The notification shall state when the revocation shall be effective, which shall not be less than thirty days following the issuance of the order.

(4) If the certification authority files an application for an adjudicative hearing, pursuant to WAC 434-180-500, prior to the effective date of revocation, the revocation shall not take effect until so ordered by the presiding officer.

[]

NEW SECTION

WAC 434-180-420 Trustworthy system for recognized repositories. A system shall be regarded as trustworthy for purposes of operating a recognized repository if it satisfies the requirements of WAC 434-180-360, and additionally it:

(1) Provides on-line access to the repository upon a continuous basis, with reasonable allowance for scheduled maintenance;

(2) Possesses the capacity to process transactions in a manner reasonably adequate for anticipated volume; and

(3) Provides for the periodic storage of data at a location other than the principal system utilized for the repository.

[]

NEW SECTION

WAC 434-180-430 Contract for secretary of state repository publication. The secretary may either directly operate, or contract for the operation of, a repository described in WAC 434-180-440. If the secretary contracts for the operation of the repository, with other than DIS, the contractor must be a licensed certification authority and must agree to operate the repository according to all requirements of chapter 19.34 RCW, including RCW 19.34.400. The contract may be rescinded for any reason that would form a basis for revoking recognition of a repository or for failure to meet the requirements of WAC 434-180-440.

[]

NEW SECTION

WAC 434-180-440 Publication in the secretary of state repository. The secretary shall maintain, either directly or under contract, a repository for the purpose of publishing any information required by chapter 19.34 RCW. Information published in the secretary's repository shall include:

(1) The certification authority disclosure record for each certification authority licensed in Washington;

(2) A list of all judgments filed with the secretary within the previous five years pursuant to RCW 19.34.290;

(3) Any advisory statements published by the secretary regarding the activities of a licensed or unlicensed certification authority, together with any protest filed by the certification authority named in the statement and any final decision of the secretary regarding the issues raised in the statement, all as provided by RCW 19.34.130(2);

(4) Any information published in the secretary's repository pursuant to WAC 434-180-450; and

(5) Any other information necessary or appropriate for publication in the secretary's repository pursuant to chapter 19.34 RCW or this chapter.

[]

NEW SECTION

WAC 434-180-450 Procedure upon discontinuance of business as repository. A licensed certification authority that discontinues providing services as a recognized repository shall republish the records published in the repository in another recognized repository. If no other repository is available or willing to republish that information, the certification authority shall publish it in the secretary's repository.

[]

PART 5

PROCEEDINGS BEFORE THE SECRETARY

NEW SECTION

WAC 434-180-500 Application for adjudicative proceedings. Decisions and actions of the secretary pursuant to chapter 19.34 RCW and this chapter may be reviewed by filing an application of an adjudicative proceeding. An adjudicative proceeding shall be commenced when required by chapter 34.05 RCW, and may be commenced in the secretary's discretion upon such other occasions as may be permitted by statute. An application for an adjudicative proceeding may be on a form provided by the secretary for that purpose or in another paper or electronic writing signed by the applicant or the applicant's representative. The application for an adjudicative proceeding should specify the issue to be adjudicated in the proceeding.

[]

NEW SECTION

WAC 434-180-510 Appointment of administrative law judge--Designation of procedural rules. (1) The secretary hereby appoints the office of administrative hearings and the administrative law judges employed by that office to preside at all hearings that result from the commencement of adjudicative proceedings unless the secretary, by his or her own order, declares his or her intent to preside at a specific proceeding or the proceeding is an appeal of an initial order issued by an administrative law judge.

(2) All hearings shall be conducted in compliance with these rules, and with chapter 34.05 RCW. The secretary adopts chapter 10-08 WAC as the applicable rules of procedure, except where this chapter provides different, additional or conflicting procedures.

[]

NEW SECTION

WAC 434-180-520 Pleadings in digital form. (1) Unless the presiding officer directs otherwise, any party may file any pleading or other document in an adjudicative proceeding under this chapter in electronic form. If a pleading or document filed electronically requires a signature, that pleading or document shall be signed digitally, pursuant to a valid certificate issued by a licensed certification authority. The certification authority that issued the certificate shall not be a party to the adjudicative proceeding.

(2) Service of electronic pleadings or documents by electronic transmission is effective upon receipt, except that if sent after 5:00 p.m. on a business day or at any time on a weekend or state holiday, service is effective as of 8:00 a.m. on the following business day.

[]

NEW SECTION

WAC 434-180-530 Service of process on the secretary. Service of pleadings or documents upon the secretary or the presiding officer does not constitute service upon the attorney general as counsel to the secretary.

[]

NEW SECTION

WAC 434-180-540 Stay of summary suspension. (1) Upon summary suspension of a license by the secretary pursuant to this chapter and chapter 19.34 RCW, an affected certification authority may petition the secretary for a stay of suspension pursuant to RCW 34.05.467 and 34.05.550(1). Such petition must be received by the secretary within the time specified in RCW 34.05.467.

(2) Within seven days of receipt of a petition for stay, a hearing shall be held before an administrative law judge, or if an administrative law judge is not available during this period, before an individual designated by the secretary. The hearing shall be limited to consideration of whether a stay should be granted, or whether the terms of the suspension may be modified to allow the conduct of limited activities under current licenses.

(3) Any hearing conducted pursuant to subsection (2) of this section shall be conducted under RCW 34.05.485, brief adjudicative proceedings. The agency record for the hearing shall consist of the information upon which the summary suspension was based and may be supplemented by any information obtained by the secretary subsequent to the date of the suspension order. The certification authority shall have the burden of demonstrating by a preponderance of the evidence that:

(a) The certification authority is likely to prevail upon the merits at hearing;

(b) Without relief, the certification authority will suffer irreparable injury. For purposes of this section, elimination of income from licensed activities shall not be deemed irreparable injury;

(c) The grant of relief will not substantially harm other

parties to the proceedings; and

(d) The threat to the public safety or welfare is not sufficiently serious to justify continuation of the suspension, or that modification of the terms of the suspension will adequately protect the public interest.

(4) The initial order granting or denying a stay shall be effective immediately upon service unless another date is specified in the order.

[]

NEW SECTION

WAC 434-180-550 Review of orders regarding stay. (1) Any party may petition the secretary for review of an initial order granting or denying a motion for a stay of suspension. A petition for review must be in writing and received by the secretary within twenty-one days of service of the initial order. If neither party has requested review within twenty-one days of service, the initial order shall be deemed the final order of the secretary for purposes of RCW 34.05.467.

(2) If the secretary receives a timely petition for review, he or she shall consider the petition promptly. Consideration on review shall be limited to the record of the hearing on stay.

(3) The secretary's order on the petition for review shall be effective upon service unless another date is specified in the order and is final pursuant to RCW 34.05.467. Final disposition of the petition for stay shall not affect subsequent administrative proceedings for suspension or revocation of a license.

[]

NEW SECTION

WAC 434-180-560 Adjudicative proceedings--Appearance and practice before the secretary--Who may appear. No person may appear in a representative capacity before the secretary or the designated administrative law judge other than the following:

(1) Attorneys at law duly qualified and entitled to practice before the supreme court of the state of Washington.

(2) A bona fide officer, authorized manager, partner, or full-time employee of a firm, association, partnership, LLC, or corporation who appears for such firm, association, partnership, corporation, or company.

(3) An individual appearing pro se.

(4) Such interpreters for persons with a limited understanding of the English language or hearing impaired persons as provided for in WAC 10-08-150.

(5) Such other persons as may be permitted by the secretary upon a showing by a party to the hearing of such a necessity or such a hardship as would make it unduly burdensome upon him to have a representative as set forth under subsections (1) and (2) of this section.

[]

NEW SECTION

WAC 434-180-590 Brief adjudicative proceeding regarding certificate suspension. (1) Pursuant to RCW 34.05.482, the secretary may use brief adjudicative proceedings where not violative of law, where in the judgment of the secretary protection of the public interest does not require the secretary to give notice and an opportunity to participate to persons other than the parties, and the issue and interests involved in the controversy do not warrant the use of the procedures of RCW 34.05.413 through 34.05.479.

(2) The secretary finds that prompt review of the suspension of a certificate pursuant to RCW 19.34.210(5), 19.34.250(2), or WAC 434-180-350 by the secretary or a state or local agency under contract with the secretary is appropriate for a brief adjudicative proceeding. The secretary adopts the provisions of RCW 34.05.482 through 34.05.494 for purposes of this category of proceedings.

(3) If any person affected by the suspension requests administrative review, the secretary shall immediately notify, by the most rapid means reasonably calculated to inform the recipient of the proceeding, the subscriber, the certification authority, and any other affected party who has requested notification or has requested the review, of the intent to conduct a proceeding pursuant to this section. Conduct of that review shall be in accordance with RCW 34.05.485 through 34.05.494.

(4) The suspension of a certificate by order of the secretary pursuant to RCW 19.34.210(5) and 19.34.250(2) shall lapse ninety-six hours after the suspension.

(5) The secretary may, in his or her discretion, conduct a full adjudicative proceeding if any affected party requests a full review of the suspension of a certificate pursuant to RCW 19.34.250(2). If a full adjudicative proceeding is held, the suspension lapses ninety-six hours after the suspension, but the review need not be completed within that time.

(6) If, by final order, the secretary determines that the suspension was in error, the certificate shall be deemed valid retroactively to the time of suspension.

[]

Legislature Code Reviser

Register

Washington State Code Reviser's Office