CERTIFICATION OF ENROLLMENT

 

                   ENGROSSED SENATE BILL 5962

 

 

                   Chapter 287, Laws of 1999

 

 

                        56th Legislature

                      1999 Regular Session

 

 

DIGITAL SIGNATURES--CERTIFICATION AUTHORITY

 

 

 

                    EFFECTIVE DATE:  5/13/99

Passed by the Senate April 22, 1999

  YEAS 42   NAYS 3

 

 

               BRAD OWEN

President of the Senate

 

Passed by the House April 15, 1999

  YEAS 94   NAYS 0

             CERTIFICATE

 

I, Tony M. Cook, Secretary of the Senate of the State of Washington, do hereby certify that the attached is  ENGROSSED SENATE BILL 5962 as passed by the Senate and the House of Representatives on the dates hereon set forth.

 

 

             CLYDE BALLARD

Speaker of the

      House of Representatives

            TONY M. COOK

                            Secretary

 

 

 

              FRANK CHOPP

Speaker of the

      House of Representatives

 

 

Approved May 13, 1999

                                FILED          

 

 

             May 13, 1999 - 3:21 p.m.

 

 

 

              GARY LOCKE

Governor of the State of Washington

                 Secretary of State

                 State of Washington


          _______________________________________________

 

                    ENGROSSED SENATE BILL 5962

          _______________________________________________

 

                      AS AMENDED BY THE HOUSE

 

             Passed Legislature - 1999 Regular Session

 

State of Washington      56th Legislature     1999 Regular Session

 

By Senators Brown, Horn and Finkbeiner; by request of Secretary of State and Governor Locke

 

Read first time 02/18/1999.  Referred to Committee on Energy, Technology & Telecommunications.

Promoting electronic commerce through digital signatures.  


    AN ACT Relating to the promotion of electronic commerce through digital signatures; amending RCW 19.34.010, 19.34.020, 19.34.030, 19.34.100, 19.34.110, 19.34.111, 19.34.120, 19.34.130, 19.34.200, 19.34.210, 19.34.231, 19.34.250, 19.34.280, 19.34.330, 19.34.400, 19.34.410, and 43.105.320; adding a new section to chapter 19.34 RCW; creating a new section; providing an expiration date; and declaring an emergency.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

 

    Sec. 1.  RCW 19.34.010 and 1996 c 250 s 102 are each amended to read as follows:

    This chapter shall be construed consistently with what is commercially reasonable under the circumstances and to effectuate the following purposes:

    (1) To facilitate commerce by means of reliable electronic messages;

    (2) To ensure that electronic signatures are not denied legal recognition solely because they are in electronic form;

    (3) To provide a voluntary licensing mechanism for digital signature certification authorities by which businesses, consumers, courts, government agencies, and other entities can reasonably be assured as to the integrity, authenticity, and nonrepudiation of a digitally signed electronic communication;

    (4) To establish procedures governing the use of digital signatures for official public business to provide reasonable assurance of the integrity, authenticity, and nonrepudiation of an electronic communication;

    (5) To minimize the incidence of forged digital signatures and fraud in electronic commerce;

    (((3))) (6) To implement legally the general import of relevant standards((, such as X.509 of the international telecommunication union, formerly known as the international telegraph and telephone consultative committee)); and

    (((4))) (7) To establish, in coordination with ((multiple)) states and other jurisdictions, uniform rules regarding the authentication and reliability of electronic messages.

 

    Sec. 2.  RCW 19.34.020 and 1997 c 27 s 30 are each amended to read as follows:

    Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter:

    (1) "Accept a certificate" means ((either:

    (a))) to manifest approval of a certificate, while knowing or having notice of its contents((; or

    (b) To apply to a licensed certification authority for a certificate, without canceling or revoking the application by delivering notice of the cancellation or revocation to the certification authority and obtaining a signed, written receipt from the certification authority, if the certification authority subsequently issues a certificate based on the application)).  Such approval may be manifested by the use of the certificate.

    (2) "Accept a digital signature" means to verify a digital signature or take an action in reliance on a digital signature.

    (3) "Asymmetric cryptosystem" means an algorithm or series of algorithms that provide a secure key pair.

    (4) "Certificate" means a computer-based record that:

    (a) Identifies the certification authority issuing it;

    (b) Names or identifies its subscriber;

    (c) Contains the subscriber's public key; and


    (d) Is digitally signed by the certification authority issuing it.

    (5) "Certification authority" means a person who issues a certificate.

    (6) "Certification authority disclosure record" means an on-line, publicly accessible record that concerns a licensed certification authority and is kept by the secretary.  ((A certification authority disclosure record has the contents specified by rule by the secretary under RCW 19.34.030.))

    (7) "Certification practice statement" means a declaration of the practices that a certification authority employs in issuing certificates ((generally, or employed in issuing a material certificate)).

    (8) "Certify" means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts.

    (9) "Confirm" means to ascertain through appropriate inquiry and investigation.

    (10) "Correspond," with reference to keys, means to belong to the same key pair.

    (11) "Digital signature" means an electronic signature that is a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine:

    (a) Whether the transformation was created using the private key that corresponds to the signer's public key; and

    (b) Whether the initial message has been altered since the transformation was made.

    (12) "Electronic" means electrical, digital, magnetic, optical, electromagnetic, or any other form of technology that entails capabilities similar to these technologies.

    (13) "Electronic record" means a record generated, communicated, received, or stored by electronic means for use in an information system or for transmission from one information system to another.

    (14) "Electronic signature" means a signature in electronic form attached to or logically associated with an electronic record, including but not limited to a digital signature.

    (15) "Financial institution" means a national or state-chartered commercial bank or trust company, savings bank, savings association, or credit union authorized to do business in the state of Washington and the deposits of which are federally insured.

    (((13))) (16) "Forge a digital signature" means either:

    (a) To create a digital signature without the authorization of the rightful holder of the private key; or

    (b) To create a digital signature verifiable by a certificate listing as subscriber a person who either:

    (i) Does not exist; or

    (ii) Does not hold the private key corresponding to the public key listed in the certificate.

    (((14))) (17) "Hold a private key" means to be authorized to utilize a private key.

    (((15))) (18) "Incorporate by reference" means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated.

    (((16))) (19) "Issue a certificate" means the acts of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate.

    (((17))) (20) "Key pair" means a private key and its corresponding public key in an asymmetric cryptosystem, keys which have the property that the public key can verify a digital signature that the private key creates.

    (((18))) (21) "Licensed certification authority" means a certification authority to whom a license has been issued by the secretary and whose license is in effect.

    (((19))) (22) "Message" means a digital representation of information.

    (((20))) (23) "Notify" means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person.

    (((21))) (24) "Official public business" means any legally authorized transaction or communication among state agencies, tribes, and local governments, or between a state agency, tribe, or local government and a private person or entity.

    (25) "Operative personnel" means one or more natural persons acting as a certification authority or its agent, or in the employment of, or under contract with, a certification authority, and who have:

    (a) ((Managerial or policymaking responsibilities for the certification authority; or

    (b))) Duties directly involving the issuance of certificates, creation of private keys((, or administration of a certification authority's computing facilities));

    (b) Responsibility for the secure operation of the trustworthy system used by the certification authority or any recognized repository;

    (c) Direct responsibility, beyond general supervisory authority, for establishing or adopting policies regarding the operation and security of the certification authority; or

    (d) Such other responsibilities or duties as the secretary may establish by rule.

    (((22))) (26) "Person" means a human being or an organization capable of signing a document, either legally or as a matter of fact.

    (((23))) (27) "Private key" means the key of a key pair used to create a digital signature.

    (((24))) (28) "Public key" means the key of a key pair used to verify a digital signature.

    (((25))) (29) "Publish" means to ((record or file in a repository)) make information publicly available.

    (((26))) (30) "Qualified right to payment" means an award of damages against a licensed certification authority by a court having jurisdiction over the certification authority in a civil action for violation of this chapter.

    (((27))) (31) "Recipient" means a person who has received a certificate and a digital signature verifiable with reference to a public key listed in the certificate and is in a position to rely on it.

    (((28))) (32) "Recognized repository" means a repository recognized by the secretary under RCW 19.34.400.

    (((29))) (33) "Recommended reliance limit" means the monetary amount recommended for reliance on a certificate under RCW 19.34.280(1).

    (((30))) (34) "Repository" means a system for storing and retrieving certificates and other information relevant to digital signatures.

    (((31))) (35) "Revoke a certificate" means to make a certificate ineffective permanently from a specified time forward.  Revocation is effected by notation or inclusion in a set of revoked certificates, and does not imply that a revoked certificate is destroyed or made illegible.

    (((32))) (36) "Rightfully hold a private key" means the authority to utilize a private key:

    (a) That the holder or the holder's agents have not disclosed to a person in violation of RCW 19.34.240(1); and

    (b) That the holder has not obtained through theft, deceit, eavesdropping, or other unlawful means.

    (((33))) (37) "Secretary" means the secretary of state.

    (((34))) (38) "Subscriber" means a person who:

    (a) Is the subject listed in a certificate;

    (b) Applies for or accepts the certificate; and

    (c) Holds a private key that corresponds to a public key listed in that certificate.

    (((35))) (39) "Suitable guaranty" means either a surety bond executed by a surety authorized by the insurance commissioner to do business in this state, or an irrevocable letter of credit issued by a financial institution authorized to do business in this state, which, in either event, satisfies all of the following requirements:

    (a) It is issued payable to the secretary for the benefit of persons holding qualified rights of payment against the licensed certification authority named as the principal of the bond or customer of the letter of credit;

    (b) It is in an amount specified by rule by the secretary under RCW 19.34.030;

    (c) It states that it is issued for filing under this chapter;

    (d) It specifies a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority; and

    (e) It is in a form prescribed or approved by rule by the secretary.

    A suitable guaranty may also provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.

    (((36))) (40) "Suspend a certificate" means to make a certificate ineffective temporarily for a specified time forward.

    (((37))) (41) "Time stamp" means either:

    (a) To append or attach ((to a message, digital signature, or certificate)) a digitally signed notation indicating at least the date, time, and identity of the person appending or attaching the notation to a message, digital signature, or certificate; or

    (b) The notation thus appended or attached.

    (((38))) (42) "Transactional certificate" means a valid certificate incorporating by reference one or more digital signatures.

    (((39))) (43) "Trustworthy system" means computer hardware and software that:

    (a) Are reasonably secure from intrusion and misuse; and

    (b) ((Provide a reasonable level of availability, reliability, and correct operation; and

    (c) Are reasonably suited to performing their intended functions)) Conform with the requirements established by the secretary by rule.

    (((40))) (44) "Valid certificate" means a certificate that:

    (a) A licensed certification authority has issued;

    (b) The subscriber listed in it has accepted;

    (c) Has not been revoked or suspended; and

    (d) Has not expired.

    However, a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference.

    (((41))) (45) "Verify a digital signature" means, in relation to a given digital signature, message, and public key, to determine accurately that:

    (a) The digital signature was created by the private key corresponding to the public key; and

    (b) The message has not been altered since its digital signature was created.
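Definitions (4), (11), (16), (20), (35), (44), and (45) above describe mechanics that a certification authority and a recipient actually implement: a key pair, the signing transformation, the two facts that verification establishes, a signed certificate record, revocation by notation in a repository, and the validity tests. The following is an added worked example and is not part of this bill, of chapter 19.34 RCW, or of any rule of the secretary. It uses the Ed25519 signatures in Go's standard library; the certificate encoding, the proof-of-possession step at issuance, the fingerprint, and the repository are constructed for illustration only and are not the X.509 format the chapter references.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Certificate carries the four elements the chapter's definition requires:
// issuer, subscriber, subscriber's public key, issuer's digital signature.
// Toy encoding constructed for this example; not X.509.
type Certificate struct {
	Issuer     string
	Subscriber string
	PublicKey  ed25519.PublicKey
	NotAfter   time.Time
	Signature  []byte // issuer's signature over tbs()
}

// tbs is the to-be-signed encoding: every field except the signature.
func (c Certificate) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%d", c.Issuer, c.Subscriber, []byte(c.PublicKey), c.NotAfter.Unix()))
}

// Fingerprint names one certificate in a set of revoked certificates (constructed).
func (c Certificate) Fingerprint() string { return fmt.Sprintf("%x", c.Signature) }

// NewKeyPair: the private key creates signatures, the public key verifies them.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the transformation of a message using the signer's private key.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// VerifyDigitalSignature settles both questions in the definition: was the
// signature made with the private key corresponding to pub, and is msg
// unaltered since. A different key or a changed message fails the check;
// the length guard keeps ed25519.Verify from panicking on a malformed key.
func VerifyDigitalSignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

// IssueCertificate also takes a proof: the prospective subscriber's signature
// over the public key, made with the private key. If it does not verify under
// that public key, the keys have not been shown to correspond and nothing is
// issued. Otherwise the record is created and signed with the authority's key.
func IssueCertificate(caPriv ed25519.PrivateKey, issuer, subscriber string, subPub ed25519.PublicKey, proof []byte, notAfter time.Time) (Certificate, error) {
	if !VerifyDigitalSignature(subPub, subPub, proof) {
		return Certificate{}, errors.New("proof not made with the private key corresponding to the listed public key")
	}
	c := Certificate{Issuer: issuer, Subscriber: subscriber, PublicKey: subPub, NotAfter: notAfter}
	c.Signature = Sign(caPriv, c.tbs())
	return c, nil
}

// Repository holds the set of revoked certificates: a notation effective from
// a stated time; the revoked certificate itself is not destroyed.
type Repository struct{ revoked map[string]time.Time }

func NewRepository() *Repository { return &Repository{revoked: map[string]time.Time{}} }
func (r *Repository) Revoke(fingerprint string, from time.Time) { r.revoked[fingerprint] = from }

// CheckValid applies the tests for a valid certificate that a recipient can
// evaluate from the record and the repository: issuer's signature verifies,
// not revoked as of now, not expired. Acceptance by the subscriber is not a
// fact in the record and is not checked here.
func CheckValid(c Certificate, caPub ed25519.PublicKey, repo *Repository, now time.Time) error {
	if !VerifyDigitalSignature(caPub, c.tbs(), c.Signature) {
		return errors.New("certificate not signed by the issuer, or altered since issuance")
	}
	if from, ok := repo.revoked[c.Fingerprint()]; ok && !now.Before(from) {
		return errors.New("certificate revoked")
	}
	if now.After(c.NotAfter) {
		return errors.New("certificate expired")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := NewKeyPair()
	subPub, subPriv, _ := NewKeyPair()
	now := time.Date(1999, 5, 13, 15, 21, 0, 0, time.UTC)
	cert, err := IssueCertificate(caPriv, "Example CA", "Alice", subPub, Sign(subPriv, subPub), now.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	repo := NewRepository()
	msg := []byte("constructed sample message") // sample input for this example
	sig := Sign(subPriv, msg)
	altered := append([]byte(nil), msg...)
	altered[0] ^= 1
	fmt.Println("valid:", CheckValid(cert, caPub, repo, now) == nil,
		"verifies:", VerifyDigitalSignature(cert.PublicKey, msg, sig),
		"altered verifies:", VerifyDigitalSignature(cert.PublicKey, altered, sig))
	repo.Revoke(cert.Fingerprint(), now)
	fmt.Println("after revocation:", CheckValid(cert, caPub, repo, now))
}
```

Two points of the definitions show up directly in the code. A forged signature in the sense of definition (16)(a), one made without the rightful holder's private key, fails VerifyDigitalSignature under the subscriber's public key exactly as an altered message does, because the check answers both questions at once. And revocation under definition (35) is a dated notation looked up at verification time: the same certificate checks as valid for an instant before the revocation time and as invalid from that time forward, without the record itself changing.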

 

    NEW SECTION.  Sec. 3.  A new section is added to chapter 19.34 RCW to read as follows:

    The presumptions of validity and reasonableness of conduct, and the limitations on liability in this chapter do not apply to electronic records or electronic signatures except for digital signatures created in conformance with all of the requirements of this chapter and rules adopted under this chapter.

 

    Sec. 4.  RCW 19.34.030 and 1997 c 27 s 1 are each amended to read as follows:

    (1) The secretary must ((maintain a publicly accessible data base containing)) publish a certification authority disclosure record for each licensed certification authority, and a list of all judgments filed with the secretary, within the previous five years, under RCW 19.34.290.  ((The secretary must publish the contents of the data base in at least one recognized repository.))

    (2) The secretary may adopt rules consistent with this chapter and in furtherance of its purposes:

    (a) To ((govern licensed)) license certification authorities ((and)), ((recognized)) recognize repositories,((their practice, and the termination of a licensed certification authority's or recognized repository's practice)) certify operative personnel, and govern the practices of each;

    (b) To determine ((an)) the form and amount reasonably appropriate for a suitable guaranty, in light of the burden a suitable guaranty places upon licensed certification authorities and the assurance of quality and financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;

    (c) To specify reasonable requirements for information to be contained in or the form of certificates, including transactional certificates, issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;

    (d) To specify reasonable requirements for recordkeeping by licensed certification authorities;

    (e) To specify reasonable requirements for the content, form, and sources of information in certification authority disclosure records, the updating and timeliness of the information, and other practices and policies relating to certification authority disclosure records;

    (f) To specify the form of and information required in certification practice statements, as well as requirements regarding the publication of certification practice statements;

    (g) To specify the procedure and manner in which a certificate may be suspended or revoked, as consistent with this chapter; ((and))

    (h) To specify the procedure and manner by which the laws of other jurisdictions may be recognized, in order to further uniform rules regarding the authentication and reliability of electronic messages; and

    (i) Otherwise to give effect to and implement this chapter.

    (3) The secretary may act as a certification authority, and the certificates issued by the secretary shall be treated as having been issued by a licensed certification authority.

 

    Sec. 5.  RCW 19.34.100 and 1998 c 33 s 1 are each amended to read as follows:

    (1) To obtain or retain a license, a certification authority must:

    (a) ((Be the subscriber of a certificate published in a recognized repository, which may include any repository maintained by the secretary;

    (b) Knowingly employ as operative personnel only persons who have not been convicted within the past seven years of a felony and have never been convicted of a crime involving fraud, false statement, or deception.  The secretary may provide by rule for the manner in which criminal background information is provided as part of the licensing process.  For purposes of this provision, a certification authority knowingly employs such a person if the certification authority knew of a conviction, or should have known based upon the background information required by rule of the secretary;

    (c) Employ as operative personnel only persons who have demonstrated knowledge and proficiency in following the requirements of this chapter;

    (d))) Provide proof of identity to the secretary;

    (b) Employ only certified operative personnel in appropriate positions;

    (c) File with the secretary ((a)) an appropriate, suitable guaranty, unless the certification authority is a city or county that is self-insured or the department of information services;

    (((e))) (d) Use a trustworthy system((, including a secure means for limiting access to its private key));

    (((f))) (e) Maintain an office in this state or have established a registered agent for service of process in this state; and

    (((g))) (f) Comply with all further licensing and practice requirements established by rule by the secretary.

    (2) ((The secretary must issue a license to a certification authority that:

    (a) Is qualified under subsection (1) of this section;

    (b) Applies in writing to the secretary for a license; and

    (c) Pays a filing fee adopted by rule by the secretary.

    (3))) The secretary may by rule ((classify licenses)) create license classifications according to specified limitations, ((such as a maximum number of outstanding certificates, cumulative maximum of recommended reliance limits in certificates issued by the certification authority, or issuance only within a single firm or organization,)) and the secretary may issue licenses restricted according to the limits of each classification.  ((The liability limits of RCW 19.34.280 do not apply to a certificate issued by a certification authority that exceeds the restrictions of the certification authority's license.))

    (3) The secretary may impose license restrictions specific to the practices of an individual certification authority.  The secretary shall set forth in writing and maintain as part of the certification authority's license application file the basis for such license restrictions.

    (4) The secretary may revoke or suspend a certification authority's license, in accordance with the administrative procedure act, chapter 34.05 RCW, for failure to comply with this chapter or for failure to remain qualified under subsection (1) of this section.  The secretary may order the summary suspension of a license pending proceedings for revocation or other action, which must be promptly instituted and determined, if the secretary includes within a written order a finding that the certification authority has either:

    (a) Utilized its license in the commission of a violation of a state or federal criminal statute or of chapter 19.86 RCW; or

    (b) Engaged in conduct giving rise to a serious risk of loss to public or private parties if the license is not immediately suspended.

    (5) The secretary may recognize by rule the licensing or authorization of certification authorities by other governmental entities, in whole or in part, provided that those licensing or authorization requirements are substantially similar to those of this state.  If licensing by another government is so recognized:

    (a) RCW 19.34.300 through 19.34.350 apply to certificates issued by the certification authorities licensed or authorized by that government in the same manner as it applies to licensed certification authorities of this state; and

    (b) The liability limits of RCW 19.34.280 apply to the certification authorities licensed or authorized by that government in the same manner as they apply to licensed certification authorities of this state.

    (6) ((Unless the parties provide otherwise by contract between themselves, the licensing requirements in this section do not affect the effectiveness, enforceability, or validity of any digital signature, except that RCW 19.34.300 through 19.34.350 do not apply to a certificate, and associated digital signature, issued by an unlicensed certification authority.

    (7))) A certification authority that has not obtained a license is not subject to the provisions of this chapter, except as specifically provided.

 

    Sec. 6.  RCW 19.34.110 and 1997 c 27 s 5 are each amended to read as follows:

    (1) A licensed certification authority shall obtain a compliance audit((, as may be more fully defined by rule of the secretary, at least once every year.  The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and the administrative rules adopted by)) at such times and in such manner as directed by rule of the secretary.  If the certification authority is also a recognized repository, the audit must include the repository.

    (2) The certification authority shall file a copy of the audit report with the secretary.  The secretary may provide by rule for filing of the report in an electronic format((.  The secretary shall)) and may publish the report in the certification authority disclosure record it maintains for the certification authority.

 

    Sec. 7.  RCW 19.34.111 and 1997 c 27 s 6 are each amended to read as follows:

    (1)(((a))) An auditor signing a report of opinion as to a compliance audit required by RCW 19.34.110 must:

    (((i))) (a) Be a certified public accountant, licensed under chapter 18.04 RCW or equivalent licensing statute of another jurisdiction; ((or)) and

    (((ii))) (b) Meet such other qualifications as the secretary may establish by rule.

    (((b) Auditors must either possess such computer security qualifications as are necessary to conduct the audit or employ, contract, or associate with firms or individuals who do.  The secretary may adopt rules establishing qualifications as to expertise or experience in computer security.))

    (2) The compliance audits of state agencies and local governments who are licensed certification authorities, and the secretary, must be performed under the authority of the state auditor.  The state auditor may contract with private entities as needed to comply with this chapter.

 

    Sec. 8.  RCW 19.34.120 and 1997 c 27 s 7 are each amended to read as follows:

    (1) The secretary may investigate the activities of a licensed certification authority material to its compliance with this chapter and issue orders to a certification authority to further its investigation and secure compliance with this chapter.

    (2) The secretary may suspend or revoke the license of a certification authority for its failure to comply with an order of the secretary.

    (3) The secretary may by order impose and collect a civil ((monetary)) penalty against a licensed certification authority for a violation of this chapter ((in an amount)).  The penalty shall not ((to)) exceed ten thousand dollars per incident, or ninety percent of the recommended reliance limit of a material certificate, whichever is less.  In case of a violation continuing for more than one day, each day is considered a separate incident.  The secretary may adopt rules setting forth the standards governing the exercise of the secretary's discretion as to penalty amounts.  In the case of a state agency authorized by law to be a licensed certification authority, the sole penalty imposed under this subsection shall consist of specific findings of noncompliance and an order requiring compliance with this chapter and the rules of the secretary.  Any penalty imposed under this chapter and chapter 34.05 RCW shall be enforceable in any court of competent jurisdiction.

    (4) The secretary may order a certification authority, which it has found to be in violation of this chapter, to pay the costs incurred by the secretary in prosecuting and adjudicating proceedings relative to the order, and enforcing it.

    (5) The secretary must exercise authority under this section in accordance with the administrative procedure act, chapter 34.05 RCW, and a licensed certification authority may obtain judicial review of the secretary's actions as prescribed by chapter 34.05 RCW.  The secretary may also seek injunctive relief to compel compliance with an order.

 

    Sec. 9.  RCW 19.34.130 and 1996 c 250 s 204 are each amended to read as follows:

    (1) No certification authority, whether licensed or not, may conduct its business in a manner that creates an unreasonable risk of loss to subscribers of the certification authority, to persons relying on certificates issued by the certification authority, or to a repository.

    (2) The secretary may publish ((in the repository it provides, or elsewhere,)) brief statements advising subscribers, persons relying on digital signatures, or other repositories about activities of a certification authority, whether licensed or not, that create a risk prohibited by subsection (1) of this section.  The certification authority named in a statement as creating or causing such a risk may protest the publication of the statement by filing a written defense of ten thousand bytes or less.  Upon receipt of such a protest, the secretary must publish the protest along with the secretary's statement, and must promptly give the protesting certification authority notice and an opportunity to be heard.  Following the hearing, the secretary must rescind the advisory statement if its publication was unwarranted under this section, cancel it if its publication is no longer warranted, continue or amend it if it remains warranted, or take further legal action to eliminate or reduce a risk prohibited by subsection (1) of this section.  The secretary must publish its decision in the repository it provides.

    (3) In the manner provided by the administrative procedure act, chapter 34.05 RCW, the secretary may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this section, regardless of whether the certification authority is licensed.  This section does not create a right of action in a person other than the secretary.

 

    Sec. 10.  RCW 19.34.200 and 1997 c 27 s 8 are each amended to read as follows:

    (1) A licensed certification authority ((or subscriber)) shall use only a trustworthy system((:

    (a))) to issue, suspend, or revoke ((a certificate;

    (b))) certificates.  A licensed certification authority shall use a recognized repository to publish or give notice of the issuance, suspension, or revocation of a certificate((; or

    (c) To create a private key)).

    (2) A licensed certification authority ((must disclose any material certification practice statement, and any fact material to either the reliability of a certificate that it has issued or its ability to perform its services.  A certification authority may require a signed, written, and reasonably specific inquiry from an identified person, and payment of reasonable compensation, as conditions precedent to effecting a disclosure required in this subsection.)) shall publish a certification practice statement in accordance with the rules established by the secretary.  The secretary shall publish the certification practice statements of licensed certification authorities submitted as part of the licensing process in a manner similar to the publication of the certification authority disclosure record.

    (3) A licensed certification authority shall knowingly employ as operative personnel only persons who have not been convicted within the past seven years of a felony and have never been convicted of a crime involving fraud, false statement, or deception.  For purposes of this subsection, a certification authority knowingly employs such a person if the certification authority knew of a conviction, or should have known based on information required by rule of the secretary.  Operative personnel employed by a licensed certification authority must also be persons who have demonstrated knowledge and proficiency in following the requirements of this chapter.  The secretary may provide by rule for the certification of operative personnel, and provide by rule for the manner in which criminal background information is provided as part of the certification process, as well as the manner in which knowledge and proficiency in following the requirements of this chapter may be demonstrated.

 

    Sec. 11.  RCW 19.34.210 and 1997 c 27 s 9 are each amended to read as follows:

    (1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:

    (a) The certification authority has received a request for issuance signed by the prospective subscriber; and

    (b) The certification authority has confirmed that:

    (i) The prospective subscriber is the person to be listed in the certificate to be issued;

    (ii) If the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;

    (iii) The information in the certificate to be issued is accurate;

    (iv) The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;

    (v) The prospective subscriber holds a private key capable of creating a digital signature;

    (vi) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber; and

    (vii) The certificate provides information sufficient to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate will be listed if the certificate is suspended or revoked.

    (c) The requirements of this subsection may not be waived or disclaimed by either the licensed certification authority, the subscriber, or both.

    (2) ((If the subscriber accepts the issued certificate, the certification authority must publish a signed copy of the certificate in a recognized repository, as the certification authority and the subscriber named in the certificate may agree, unless a contract)) In confirming that the prospective subscriber is the person to be listed in the certificate to be issued, a licensed certification authority shall make a reasonable inquiry into the subscriber's identity in light of:

    (a) Any statements made by the certification authority regarding the reliability of the certificate;

    (b) The reliance limit of the certificate;

    (c) Any recommended uses or applications for the certificate; and

    (d) Whether the certificate is a transactional certificate or not.

    (3) A certification authority shall be presumed to have confirmed that the prospective subscriber is the person to be listed in a certificate where:

    (a) The subscriber appears before the certification authority and presents identification documents consisting of at least one of the following:

    (i) A current identification document issued by or under the authority of the United States, or such similar identification document issued under the authority of another country;

    (ii) A current driver's license issued by a state of the United States; or

    (iii) A current personal identification card issued by a state of the United States; and

    (b) Operative personnel certified according to law or a notary has reviewed and accepted the identification information of the subscriber.

    (4) The certification authority may establish policies regarding the publication of certificates in its certification practice statement, which must be adhered to unless an agreement between the certification authority and the subscriber provides otherwise.  If the ((subscriber does not accept the certificate, a licensed certification authority must not publish it, or must cancel its publication if the certificate has already been published)) certification authority does not establish such a policy, the certification authority must publish a signed copy of the certificate in a recognized repository.

    (((3))) (5) Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but nevertheless consistent with, this chapter.

    (((4))) (6) After issuing a certificate, a licensed certification authority must revoke it immediately upon confirming that it was not issued as required by this section.  A licensed certification authority may also suspend a certificate that it has issued for a ((reasonable)) period not exceeding ((ninety-six hours)) five business days as needed for an investigation to confirm grounds for revocation under this subsection.  The certification authority must give notice to the subscriber as soon as practicable after a decision to revoke or suspend under this subsection.

    (((5))) (7) The secretary may order the licensed certification authority to suspend or revoke a certificate that the certification authority issued, if, after giving any required notice and opportunity for the certification authority and subscriber to be heard in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary determines that:

    (a) The certificate was issued without substantial compliance with this section; and

    (b) The noncompliance poses a significant risk to persons ((reasonably)) relying on the certificate.

    Upon determining that an emergency requires an immediate remedy, and in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary may issue an order suspending a certificate for a period not to exceed ((ninety-six hours)) five business days.

 

    Sec. 12.  RCW 19.34.231 and 1997 c 27 s 10 are each amended to read as follows:

    (1) If a signature of a unit of state or local government, including its appropriate officers or employees, ((may)) is required by statute, administrative rule, court rule, or requirement of the office of financial management, that unit of state or local government shall become a subscriber to a certificate issued by a licensed certification authority for purposes of conducting official public business((, but only if the certificate is issued by a licensed certification authority.  A unit of state government, except the secretary and the department of information services, may not act as a certification authority)) with electronic records.

    (2) A city or county may become a licensed certification authority under RCW 19.34.100 for purposes of providing services to local government, if authorized by ordinance adopted by the city or county legislative authority.

    (3) ((The limitation to licensed certification authorities in subsection (1) of this section does not apply to uses of digital signatures or key pairs limited to internal agency procedures, as to which the signature is not required by statute, administrative rule, court rule, or requirement of the office of financial management.)) A unit of state government, except the secretary and the department of information services, may not act as a certification authority.

 

    Sec. 13.  RCW 19.34.250 and 1997 c 27 s 12 are each amended to read as follows:

    (1) Unless the certification authority ((and the subscriber agree)) provides otherwise in the certificate or its certification practice statement, the licensed certification authority that issued a certificate that is not a transactional certificate must suspend the certificate for a period not to exceed ((ninety-six hours)) five business days:

    (a) Upon request by a person whom the certification authority reasonably believes to be:  (i) The subscriber named in the certificate; (ii) a person duly authorized to act for that subscriber; or (iii) a person acting on behalf of the unavailable subscriber; or

    (b) By order of the secretary under RCW 19.34.210(5).

    The certification authority need not confirm the identity or agency of the person requesting suspension.  The certification authority may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding the requestor's identity, authorization, or the unavailability of the subscriber.  Law enforcement agencies may investigate suspensions for possible wrongdoing by persons requesting suspension.

    (2) Unless the ((certificate)) certification authority provides otherwise ((or)) in the certificate ((is a transactional certificate)) or its certification practice statement, the secretary may suspend a certificate issued by a licensed certification authority for a period not to exceed ((ninety-six hours)) five business days, if:

    (a) A person identifying himself or herself as the subscriber named in the certificate, a person authorized to act for that subscriber, or a person acting on behalf of that unavailable subscriber [requests suspension]; and

    (b) The requester represents that the certification authority that issued the certificate is unavailable.

    The secretary may require the person requesting suspension to provide evidence, including a statement under oath or affirmation, regarding his or her identity, authorization, or the unavailability of the issuing certification authority, and may decline to suspend the certificate in its discretion.  Law enforcement agencies may investigate suspensions by the secretary for possible wrongdoing by persons requesting suspension.

    (3) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority must give notice of the suspension according to the specification in the certificate.  If one or more repositories are specified, then the licensed certification authority must publish a signed notice of the suspension in all the repositories.  If a repository no longer exists or refuses to accept publication, or if no repository is recognized under RCW 19.34.400, the licensed certification authority must also publish the notice in a recognized repository.  If a certificate is suspended by the secretary, the secretary must give notice as required in this subsection for a licensed certification authority, provided that the person requesting suspension pays in advance any fee required by a repository for publication of the notice of suspension.

    (4) A certification authority must terminate a suspension initiated by request only:

    (a) If the subscriber named in the suspended certificate requests termination of the suspension, the certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or

    (b) When the certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber.  However, this subsection (4)(b) does not require the certification authority to confirm a request for suspension.

    (5) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the certification authority, or may provide otherwise for termination of a requested suspension.  However, if the contract limits or precludes suspension by the secretary when the issuing certification authority is unavailable, the limitation or preclusion is effective only if notice of it is published in the certificate.

    (6) No person may knowingly or intentionally misrepresent to a certification authority his or her identity or authorization in requesting suspension of a certificate.  Violation of this subsection is a gross misdemeanor.

    (7) The secretary may authorize other state or local governmental agencies to perform any of the functions of the secretary under this section upon a regional basis.  The authorization must be formalized by an agreement under chapter 39.34 RCW.  The secretary may provide by rule the terms and conditions of the regional services.

    (8) A suspension under this section must be completed within twenty-four hours of receipt of all information required in this section.

 

    Sec. 14.  RCW 19.34.280 and 1997 c 27 s 14 are each amended to read as follows:

    (1) By clearly specifying a recommended reliance limit in a certificate and in the certification practice statement, the issuing certification authority recommends that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.

    (2) Subject to subsection (3) of this section, unless a licensed certification authority waives application of this subsection, a licensed certification authority is:

    (a) Not liable for a loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the certification authority complied with all material requirements of this chapter;

    (b) Not liable in excess of the amount specified in the certificate as its recommended reliance limit for either:

    (i) A loss caused by reliance on a misrepresentation in the certificate of a fact that the licensed certification authority is required to confirm; or

    (ii) Failure to comply with RCW 19.34.210 in issuing the certificate;

    (c) Not liable for:

    (i) Punitive or exemplary damages.  Nothing in this chapter may be interpreted to permit punitive or exemplary damages that would not otherwise be permitted by the law of this state; or

    (ii) Damages for pain or suffering.

    (3) Nothing in subsection (2)(a) of this section relieves a licensed certification authority of its liability for breach of any of the warranties or certifications it gives under RCW 19.34.220 or for its lack of good faith, which warranties and obligation of good faith may not be disclaimed.  However, the standards by which the performance of a licensed certification authority's obligation of good faith is to be measured may be determined by agreement or notification complying with subsection (4) of this section if the standards are not manifestly unreasonable.  The liability of a licensed certification authority under this subsection is subject to the limitations in subsection (2)(b) and (c) of this section unless the limits are waived by the licensed certification authority.

    (4) Consequential or incidental damages may be liquidated, or may otherwise be limited, altered, or excluded unless the limitation, alteration, or exclusion is unconscionable.  A licensed certification authority may liquidate, limit, alter, or exclude consequential or incidental damages as provided in this subsection by agreement or by notifying any person who will rely on a certificate of the liquidation, limitation, alteration, or exclusion before the person relies on the certificate.

 

    Sec. 15.  RCW 19.34.330 and 1996 c 250 s 404 are each amended to read as follows:

    A ((copy of a)) digitally signed message ((is as effective, valid, and enforceable as the original of the message, unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, effective, and enforceable)) shall be deemed to be an original of the message.

 

    Sec. 16.  RCW 19.34.400 and 1997 c 27 s 23 are each amended to read as follows:

    (1) The secretary must recognize one or more repositories, after finding that a repository to be recognized:

    (a) Is a licensed certification authority;

    (b) Includes, or will include, a data base containing:

    (i) Certificates published in the repository;

    (ii) Notices of suspended or revoked certificates published by licensed certification authorities or other persons suspending or revoking certificates; and

    (iii) ((Certification authority disclosure records for licensed certification authorities;

    (iv) All orders or advisory statements published by the secretary in regulating certification authorities; and

    (v))) Other information adopted by rule by the secretary;

    (c) Operates by means of a trustworthy system, that may, under administrative rule of the secretary, include additional or different attributes than those applicable to a certification authority that does not operate as a recognized repository;

    (d) Contains no significant amount of information that is known or likely to be untrue, inaccurate, or not reasonably reliable;

    (e) ((Contains certificates published by certification authorities that conform to legally binding requirements that the secretary finds to be substantially similar to, or more stringent toward the certification authorities, than those of this state;

    (f))) Keeps ((an archive)) a record of certificates that have been suspended or revoked, or that have expired, ((within at least the past three years)) in accordance with requirements adopted by rule by the secretary; and

    (g) Complies with other reasonable requirements adopted by rule by the secretary.

    (2) A repository may apply to the secretary for recognition by filing a written request and providing evidence to the secretary sufficient for the secretary to find that the conditions for recognition are satisfied, in accordance with requirements adopted by rule by the secretary.

    (3) A repository may discontinue its recognition by filing thirty days' written notice with the secretary, upon meeting any conditions for discontinuance adopted by rule by the secretary.  In addition the secretary may discontinue recognition of a repository in accordance with the administrative procedure act, chapter 34.05 RCW, if the secretary concludes that the repository no longer satisfies the conditions for recognition listed in this section or in rules adopted by the secretary.

 

    Sec. 17.  RCW 19.34.410 and 1997 c 27 s 33 are each amended to read as follows:

    (1) Notwithstanding a disclaimer by the repository or a contract to the contrary between the repository, a certification authority, or a subscriber, a repository is liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a certificate that has been suspended or revoked by the licensed certification authority that issued the certificate, if loss was incurred more than one business day after receipt by the repository of a request from the issuing licensed certification authority to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.

    (2) Unless waived, a recognized repository or the owner or operator of a recognized repository is:

    (a) Not liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;

    (b) Not liable under subsection (1) of this section in excess of the amount specified in the certificate as the recommended reliance limit;

    (c) Not liable under subsection (1) of this section for:

    (i) Punitive or exemplary damages; or

    (ii) Damages for pain or suffering;

    (d) Not liable for misrepresentation in a certificate published by a licensed certification authority;

    (e) Not liable for accurately recording or reporting information that a licensed certification authority, or court clerk, or the secretary has published as required or permitted in this chapter, including information about suspension or revocation of a certificate;

    (f) Not liable for reporting information about a certification authority, a certificate, or a subscriber, if the information is published as required or permitted in this chapter or a rule adopted by the secretary, or is published by order of the secretary in the performance of the licensing and regulatory duties of that office under this chapter.

    (3) Consequential or incidental damages may be liquidated, or may otherwise be limited, altered, or excluded unless the limitation, alteration, or exclusion is unconscionable.  A recognized repository may liquidate, limit, alter, or exclude damages as provided in this subsection by agreement, or by notifying any person who will rely on a digital signature verified by the public key listed in a suspended or revoked certificate of the liquidation, limitation, alteration, or exclusion before the person relies on the certificate.

 

    Sec. 18.  RCW 43.105.320 and 1997 c 27 s 29 are each amended to read as follows:

    The department of information services may become a licensed certification authority, under chapter 19.34 RCW, for the purpose of providing services to ((state and local government)) agencies, local governments, and other entities and persons for purposes of official state business.  The department is not subject to RCW 19.34.100(1)(a).  The department shall only issue certificates, as defined in RCW 19.34.020, in which the subscriber is:

    (1) The state of Washington or a department, office, or agency of the state;

    (2) A city, county, district, or other municipal corporation, or a department, office, or agency of the city, county, district, or municipal corporation;

    (3) An agent or employee of an entity described by subsection (1) or (2) of this section, for purposes of official public business; ((or))

    (4) Any other person or entity engaged in matters of official public business, however, such certificates shall be limited only to matters of official public business.  The department may issue certificates to such persons or entities only if, after issuing a request for proposals from certification authorities licensed under chapter 19.34 RCW and review of the submitted proposals, it makes a determination that such private services are not sufficient to meet the department's published requirements.  The department must set forth in writing the basis of any such determination and provide procedures for challenge of the determination as provided by the state procurement requirements; or

    (5) An applicant for a license as a certification authority for the purpose of compliance with RCW 19.34.100(1)(a).

 

    NEW SECTION.  Sec. 19.   (1) If the department of information services issues certificates to nongovernmental entities or individuals pursuant to section 18(4) of this act, the office of financial management shall convene a task force, which shall include both governmental and nongovernmental representatives, to review the practice of the state issuing certificates to nongovernmental entities or individuals for the purpose of conducting official public business.  The task force shall prepare and submit its findings to the appropriate legislative committees by December 31, 2000.

    (2) This section expires June 30, 2001.

 

    NEW SECTION.  Sec. 20.  This act is necessary for the immediate preservation of the public peace, health, or safety, or support of the state government and its existing public institutions, and takes effect immediately.


    Passed the Senate April 22, 1999.

    Passed the House April 15, 1999.

Approved by the Governor May 13, 1999.

    Filed in Office of Secretary of State May 13, 1999.