HOUSE BILL ANALYSIS

HB 1326

 

 

Brief Description:  Regulating electronic signatures.

 

Sponsors:  Representatives McMorris, Conway, Boldt, Hatfield, Clements, Wood, Lisk, Cole, Wensman, Costa and Dunn; by request of the Secretary of State.

 

 

Hearing:  February 6, 1997

 

BACKGROUND:

 

Digital signature encryption systems are used to both protect the confidentiality of an electronic document and authenticate its source.  These systems operate on the basis of two digital keys, or codes, created by the person desiring to send encrypted messages.  One key is the "private" key, which is known only to the signer of the electronic message, and the other is the signer's "public" key, which is given to individuals with whom the sender wishes to exchange the confidential or authenticated message.  A message encrypted by the private key is "digitally signed" by the sender and the message then can be read only by the person using the corresponding public key.  The public key is used to verify both that the message was signed by the person holding the private key and that the message itself was not altered during its transmission.

To ensure public keys really do belong to the people to whom they appear to belong, each public key is provided with a computer-based certificate of authenticity.  These certificates are created by "certification authorities," which guarantee that the public keys they certify belong to the people possessing the corresponding private keys.  Further, a chain of certification authorities can be created to provide even greater assurance as to the identity of the holder of the private key.  Protections were needed, however, to ensure the reliability of both the certificates and the certificating authorities.  Thus, the Washington Electronic Authentication Act was enacted in 1996 to provide rules with respect to the authentication and reliability of digital signature encryption systems, the issuance, suspension, and revocation of certificates, and the licensing of certification authorities.  This law will take effect on January 1, 1998.
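The signing, certification, chain-of-authorities and suspension flow described above, as an added toy model that is not part of the bill analysis: it uses deliberately tiny constructed RSA primes so it runs on the Python standard library alone and is illustration only, never a usable signature scheme.  The certificate fields, the repository map of suspended or revoked subjects and the reliance-limit check are assumptions modelled on the Act's terms, not the statute's data formats.

```python
import hashlib
from dataclasses import dataclass, replace

def keygen(p, q):
    n, e = p * q, 65537  # toy RSA from two constructed tiny primes: illustration only, not secure
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(private, msg):
    n, d = private  # only the holder of the private key can produce this value
    return pow(_digest(msg, n), d, n)

def verify(public, msg, sig):
    n, e = public  # anyone with the public key can confirm the signer and detect alteration
    return pow(sig, e, n) == _digest(msg, n)

@dataclass(frozen=True)
class Certificate:
    subject: str
    public: tuple        # subscriber's public key (n, e)
    issuer: str          # certification authority vouching for the binding
    repository: str      # where suspension/revocation notices for this certificate are listed
    reliance_limit: int  # recommended reliance limit stated in the certificate
    signature: int = 0   # issuer's signature over the fields above
    def body(self):
        return repr((self.subject, self.public, self.issuer, self.repository, self.reliance_limit)).encode()

def issue(ca_name, ca_private, subject, subject_public, repository, reliance_limit):
    cert = Certificate(subject, subject_public, ca_name, repository, reliance_limit)
    return replace(cert, signature=sign(ca_private, cert.body()))

def rely(message, sig, chain, roots, repositories, amount_at_risk):
    """chain[0]: subscriber cert, chain[i+1]: its issuer's cert; roots: CA name -> public key."""
    for i, cert in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is not None and nxt.subject != cert.issuer:
            return False, f"chain break: {cert.issuer} did not issue {cert.subject}"
        issuer_key = nxt.public if nxt else roots.get(cert.issuer)  # last link must be a trusted root
        if issuer_key is None or not verify(issuer_key, cert.body(), cert.signature):
            return False, f"certificate for {cert.subject} not verifiable to a trusted authority"
        status = repositories.get(cert.repository, {}).get(cert.subject)  # repo: {subject: status}
        if status in ("suspended", "revoked"):
            return False, f"certificate for {cert.subject} is {status}"
    if amount_at_risk > chain[0].reliance_limit:
        return False, "amount at risk exceeds the recommended reliance limit"
    if not verify(chain[0].public, message, sig):
        return False, "message altered or not signed with the certified key"
    return True, "ok"
```

A relying party runs every check the Act describes before trusting a signed message: the chain to a trusted authority, the repositories for a suspension or revocation notice, the reliance limit, and only then the signature itself.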

 

Duties of the Secretary of State:

 

If no certification authority is licensed in the state, then the Secretary of State may issue, suspend, and revoke certificates as a licensed certification authority.  Once another certification authority becomes licensed in the state, the Secretary of State may no longer act as a certification authority.

 

The Department of Information Services:

 


The Washington Electronic Authentication Act does not authorize the Department of Information Services to become a licensed certification authority.

 

State and local government units as subscribers and certification authorities:

 

The Washington Electronic Authentication Act does not specifically authorize state or local government units to become subscribers or licensed certification authorities. 

 

Licensing of certification authorities:

 

There is no limitation on the duration of a license issued to a certification authority. 

 

Performance audits:

 

The Secretary of State may exempt a licensed certification authority from performance audit requirements.

 

Discontinuance of licensed certification authorities:

 

There are no specific actions that licensed certification authorities are required to take when they discontinue providing certification authority services. 

 

Recommended reliance limits and penalties:

 

By specifying a recommended reliance limit in a certificate, both the issuing certification authority and accepting subscriber recommend that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.  A licensed certification authority is not liable for any loss in excess of the certificate's recommended reliance limit that results from (1) the certification authority's failure to comply with the rules for issuing certificates or (2) a misrepresentation in the certificate of a fact that the certification authority is required to confirm.

 

The Secretary of State may impose a maximum civil monetary penalty of five thousand dollars or ninety percent of the recommended reliance limit of a certificate, whichever is less, for a violation of the Washington Electronic Authentication Act. 

 

Revocation and suspension of certificates:

 

A certificate issued by a licensed certification authority need not contain any information with respect to the location or identity of a repository in which notification of the certificate's revocation or suspension will be listed if the certificate is suspended or revoked.

 

The Secretary of State may revoke or suspend a certification authority's license for failure to comply with the Washington Electronic Authentication Act.

 

In an emergency resulting from a licensed certification authority's noncompliance with the rules for issuing certificates, the Secretary of State may suspend a certificate for a period not to exceed forty-eight hours.  The Secretary of State also may suspend a certificate for a period of forty-eight hours upon request.

 

A licensed certification authority upon request or by order of the Secretary of State must suspend a certificate for a period not to exceed forty-eight hours. 

 

The county clerk may suspend certificates by a licensed certification authority. 

 

A person who knowingly or intentionally misrepresents to a certification authority his or her identity or authorization in requesting a suspension of a certificate is guilty of a misdemeanor. 

 

Control of private keys:

 

By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to a person not authorized to create the subscriber's digital signature.  However, there is no statutory provision concerning the duty of the subscriber if the certificate expires or is revoked.  Further, the subscriber has no duty to keep the private key secure while a certificate is suspended.

 

The Washington Electronic Authentication Act does not exempt a private key in the possession of a state or local agency from public inspection and copying under Washington's public record disclosure laws.

 

Satisfaction of signature requirements:

 

Where a signature is required by law, that rule is satisfied by a digital signature if, among other requirements, no party affected by a digital signature objects to the use of digital signatures in lieu of a signature. 

 

No person is obligated to accept a digital signature or to respond to an electronic message containing a digital signature, nor is any person required to honor, accept, or act upon a court order, writ, or warrant if it is electronic in form and signed with a digital signature, including digital signatures that are certified by a licensed certification authority or otherwise issued under court rule.

 

Factors used in evaluating reasonable reliance upon a certificate:

 

No specific factors must be considered in evaluating the reasonableness of a recipient's reliance upon a certificate and its digital signatures.

 

SUMMARY OF BILL:

 

A variety of changes are made to the Washington Electronic Authentication Act. 

 

Duties of the Secretary of State:

 

The Secretary of State is authorized to issue certificates for itself and its employees or agents, and may continue acting as a certification authority, even if another certification authority becomes licensed in the state.  A certificate issued by the Secretary of State has the same effect as a certificate issued by a licensed certification authority.  The Secretary of State is also authorized to license certification authorities. 

 

The Department of Information Services:

 

The Department of Information Services may become a licensed certification authority for the purpose of providing services to state and local government.  The department may only issue certificates in which the subscriber is: (1) the state of Washington or a department, office, or agency of the state; (2) a city, county, district, or other municipal corporation, or a department, office, or agency of the city, county, district, or municipal corporation; or (3) an agent or employee of an entity described in (1) or (2) for purposes of official public business. 

 

State and local government units as subscribers and certification authorities:

 

A state and local government unit, including its appropriate officers or employees, may become a subscriber for the purposes of conducting official business.  The only state government units that may act as certification authorities are the Secretary of State and the Department of Information Services.  A city or county, however, may become a licensed certification authority for the purpose of providing services to local government, but only if authorized by local ordinance. 

 

Licensing of certification authorities:

 

Licenses expire one year after they are issued, except that the Secretary of State may provide by rule for a longer duration.

 

Performance audits:

 

The Secretary of State no longer may exempt a licensed certification authority from performance audit requirements. 

 

Discontinuance of licensed certification authorities:

 

A licensed certification authority that no longer provides certification authority services must: (1) notify all subscribers listed in valid certificates issued by the licensed certification authority; (2) minimize disruption, to the extent commercially reasonable, to subscribers of the valid certificates and parties relying on those certificates; and (3) make reasonable arrangements for the preservation of the licensed certification authority's records.

 

Recommended reliance limits and penalties:

 

By specifying a recommended reliance limit in a certificate, the issuing certification authority only, and not the subscriber, recommends that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.  The licensed certification authority is not liable for any loss in excess of the recommended reliance limit. 

 

The Secretary of State may impose a maximum civil monetary penalty of ten thousand dollars or ninety percent of the recommended reliance limit of a certificate, whichever is greater, for a violation of the Washington Electronic Authentication Act. 

 

Revocation and suspension of certificates:

 

A certificate issued by a licensed certification authority must provide information sufficient to locate or identify one or more repositories in which notification of the certificate's revocation or suspension will be listed if the certificate is suspended or revoked.

 

In addition to having the authority to suspend or revoke a certificate for noncompliance, the Secretary of State may suspend a license pending revocation proceedings or other actions.  The Secretary of State must find the certification authority has used its license to violate a state or federal criminal statute or Washington's consumer protection act or has engaged in conduct giving rise to a serious risk of loss to public or private parties if the license is not immediately suspended.

 

The maximum length of time for which a certificate may be suspended by the Secretary of State in an emergency or upon request is ninety-six hours.

 

The maximum period of time for which a certificate may be suspended by a licensed certification authority is ninety-six hours.  

 

The county clerk may no longer suspend certificates by a licensed certification authority. 

 

A person who knowingly or intentionally misrepresents to a certification authority his or her identity or authorization in requesting suspension of a certificate is guilty of a gross misdemeanor.

 

Control of private keys:

 

The subscriber identified in a certificate issued by a licensed certification authority has no duty to exercise reasonable care to retain control of the private key and prevent its disclosure to a person not authorized to create the subscriber's digital signature if the certificate expires or is revoked.

 

A private key in the possession of a state or local agency is exempt from the public inspection and copying requirements in Washington's public record disclosure laws.

 

Satisfaction of signature requirements:

 

Where a signature is required by law, the absence of any objection to the use of digital signatures in lieu of a signature is no longer required. 

 

No person is obligated to accept a digital signature or to respond to an electronic message containing a digital signature, except that a person may not refuse to honor, accept, or act upon a court order, writ, or warrant upon the basis that it is electronic in form and signed with a digital signature, if the digital signature was certified by a licensed certification authority or otherwise issued under court rule.  The Washington Electronic Authentication Act does not limit the authority of the supreme court, the court of appeals, or superior courts to adopt rules governing the use of electronic messages or documents or the use of digital signatures in judicial proceedings. 

 

Factors used in evaluating reasonable reliance upon a certificate:

 

The following factors are significant in evaluating the reasonableness of a recipient's reliance upon a certificate and the digital signatures it lists: (1) facts which the relying party knows or of which the relying party has notice; (2) the value or importance of the digitally signed message, if known; (3) the course of dealing between the person and subscriber; and (4) usage of trade, particularly trade conducted by trustworthy systems or other computer-based means.

 

RULES AUTHORITY:  The bill does contain provisions addressing the rule-making powers of an agency.

 

FISCAL NOTE:  Not requested.

 

EFFECTIVE DATE:  Ninety days after adjournment of session in which bill is passed.