S-0767.3 _______________________________________________
SENATE BILL 5959
_______________________________________________
State of Washington 54th Legislature 1995 Regular Session
By Senator Sutherland
Read first time 02/17/95. Referred to Committee on Energy, Telecommunications & Utilities.
AN ACT Relating to ensuring security of document transmissions using common carrier, broadcast, and computer technologies; reenacting and amending RCW 42.17.310; adding a new chapter to Title 19 RCW; and prescribing penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1. This chapter may be known and cited as the "Washington state digital signature act."
NEW SECTION. Sec. 2. This chapter shall be construed liberally to effectuate the following purposes:
(1) To minimize the incidence of forged digital signatures and enable the reliable authentication of computer-based information;
(2) To enable and foster the verification of digital signatures on computer-based documents;
(3) To facilitate commerce by means of computerized communications; and
(4) To give legal effect to the general import of the following and other similar standards:
(a) Standard X.509 of the international telecommunication union; and
(b) Standard X.9.30 of the American national standards institute.
NEW SECTION. Sec. 3. Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter.
(1) "Accept a certificate" means:
(a) To take physical delivery of a certificate; or
(b) To apply for a certificate without cancelling or revoking the application by delivering notice of the cancellation or revocation to the certification authority, and obtaining a signed, written receipt from the certification authority.
(2) "Asymmetric cryptosystem" means a computer algorithm or series of algorithms that use two different keys with the following characteristics:
(a) One key encrypts a given message;
(b) One key decrypts a given message; and
(c) The keys have the property that, knowing one key, it is computationally infeasible to discover the other key.
(3) "Bit" means a binary digit, or a number, often encoded in a computer-readable form, that has a value of either zero or one.
(4) "Certificate" means:
(a) A computer-based record identifying a subscriber and containing the subscriber's public key; or
(b) If the certificate is issued by a licensed certification authority, a computer-based record identifying a subscriber containing the subscriber's public key, and additional data about the subscriber as specified in section 4 of this act.
(5) "Certification authority" means a person who issues one or more certificates.
(6) "Certification authority disclosure record" means an on-line, publicly accessible computer record concerning a licensed certification authority maintained by the department in accordance with section 7 of this act.
(7) "Certify" means to declare with reference to a certificate, that all material facts in the certificate are true.
(8) "Confirm" means to ascertain through inquiry and investigation carried out with all the effort and resources commercially reasonable under the circumstances.
(9) "Correspond" means, when referring to keys, that one key belongs to the same key pair as the other.
(10) "Department" means the department of licensing.
(11) "Digital signature" means a sequence of bits which a person intending to sign creates in relation to a clearly delimited message by running the message through a one-way function, then encrypting the resulting message digest using an asymmetrical cryptosystem and the person's private key.
(12) "Distinguished name" means a sequence of alphanumeric characters uniquely identifying the person bearing the name.
(13) "Forge a digital signature" means to create an apparent digital signature without the authorization of the rightful holder of the private key.
(14) "Issue a certificate" means to create and digitally sign a certificate and to deliver a copy of the certificate to the subscriber named in the certificate.
(15) "Key pair" means a private key and its corresponding public key which are the keys in an asymmetric cryptosystem having the property that one of the pair will decrypt what the other encrypts.
(16) "Licensed certification authority" means a certification authority to whom a license has been issued by the department.
(17) "Material" means germane to having substantial consequences for an actual transaction involving a digital signature.
(18)(a) "Message" means a writing or recording recorded by means of any medium and intended to be signed.
(b) For the purpose of this subsection, "writings" and "recordings" consist of letters, words, numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation.
(19) "One-way function" means an algorithm mapping or translating one set of bits into another set in such a way that:
(a) A message yields the same result every time it is passed through the one-way function;
(b) It is computationally infeasible that a message passed through the one-way function can be derived or reconstituted from the results of the function; and
(c) There is at most only a negligible probability that two messages passing through the same one-way function will produce the same result.
(20) "Operative personnel" means one or more persons:
(a) Acting as a certification authority or its agent;
(b) Having managerial or policy-making responsibilities for the certification authority; or
(c) Having duties directly involving the issuance of certificates, creation of keys, or administration of computing facilities.
(21) "Person" means a natural person, corporation, partnership, governmental body, or any other entity capable of signing a document.
(22) "Private key" means a sequence of bits in an asymmetric cryptosystem used to affix a digital signature to a message. A private key is intended to be known only by the rightful holder of the key.
(23) "Public key" means a sequence of bits in an asymmetric cryptosystem used to verify a digital signature. A public key may be known and used by anyone in order to verify a signature.
(24) "Publish" means to record or place on file in a repository accessible by multiple persons in the ordinary course of business.
(25) "Recognized repository" means a repository recognized by the department under section 25 of this act.
(26) "Recommended reliance limit" means the limit of an issuing certification authority's liability and financial responsibility specified in a certificate.
(27) "Record address" means:
(a) The address on file with the secretary of state or a foreign corporation authorized to do business in Washington state; or
(b) The principal, official, or record address on file with another governmental entity if no address is on file with the department; or
(c) If no address is reasonably ascertainable with a governmental entity, the last known address of the subscriber ascertained, whenever possible, independently of any representations made in applying for a certificate.
(28) "Record leaders" are:
(a) The officers and directors or trustees listed for a corporation on the most recent report to the department or its counterpart in another state;
(b) The general partners listed for a limited partnership in the records of the department or its counterpart in another state; and
(c) The natural persons having authority to manage or direct the affairs of the subscriber, ascertained whenever possible from information sources other than representations made in applying for a certificate.
(29) "Repository" means a data base of certificates accessible on-line.
(30) "Repository operator" means the person operating and responsible for the repository.
(31)(a) "Revoke a certificate" means to make a certificate ineffective from a specified time and forward perpetually.
(b) Revocation is effected by notation or inclusion in a set of revoked certificates, and does not imply that a revoked certificate is destroyed or made illegible.
(32) "Rightfully hold a private key" means to know or be able to readily ascertain a private key:
(a) For which a corresponding public key has not been published in a certificate on file in the repository provided by the department or in a recognized repository;
(b) Which the holder or the holder's agent has not revealed to any person in violation of section 14(1) of this act; and
(c) Which the holder has not obtained through theft, deceit, eavesdropping, or other unlawful means.
(33) "Subscriber" means a person holding a private key which corresponds to a public key listed in a certificate identifying the subscriber.
(34)(a) "Suitable guaranty" means either a surety bond executed by a surety firm authorized by the insurance commissioner to do business in this state, or an irrevocable letter of credit issued by a financial institution authorized to do business in this state, which satisfies all of the following requirements:
(i) It is issued for the benefit of claimants under this chapter and is conditioned upon the certification authority conducting business as required by this chapter;
(ii) It is in an amount equal to or exceeding the greater of either:
(A) One hundred percent of the largest recommended reliance limit of a certificate to be issued or published by the filing certification authority during the term of the certification authority's license; or
(B) At least thirty-five percent of the recommended reliance limits of all certificates published by the filing certification authority which have not expired or been revoked;
(iii) It states that it is issued for filing under this chapter;
(iv) It specifies a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority; and
(v) It is in a form approved by department rule.
(b) A suitable guaranty may provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.
(35)(a) "Suspend" means to make the certificate ineffective or void temporarily from a specified time forward.
(b) "Suspend" does not imply that the certificate is destroyed or made illegible.
(36) "Time-stamp" means either:
(a) To append to a message a digitally signed notation indicating the date, time, and identity of the person appending the notation; or
(b) The notation appended according to (a) of this subsection.
(37) "Verify a digital signature" means:
(a) To decrypt a digital signature using the public key listed in a valid certificate;
(b) To pass the message through the one-way function used in affixing the digital signature; and
(c) To then correctly determine that the results of passing the message through the one-way function and the decrypted digital signature are identical.
NEW SECTION. Sec. 4. (1) A certificate issued by a licensed certification authority shall contain:
(a) The name by which the subscriber is generally known;
(b) The distinguished name of the subscriber;
(c) A public key corresponding to a private key held by the subscriber;
(d) A brief description of any algorithms with which the subscriber's public key was intended to be used in a form prescribed by the department;
(e) The serial number of the certificate, which must be unique among the certificates issued by the issuing certification authority;
(f) The date and time on which the certificate was issued and accepted, which is the date on which the certificate takes effect;
(g) The date and time on which the certificate expires;
(h) The distinguished name of the certification authority issuing the certificate;
(i) A brief description of the algorithm used to sign the certificate, in a form prescribed by the department;
(j) The recommended reliance limit for transactions relying on the certificate; and
(k) Other items the department requires by rule.
(2) A certificate issued by a licensed certification authority may, at the option of the subscriber and certification authority, contain any of the following:
(a) A secondary public key and its identifier or usage indicator;
(b) Information material to the certificate's reliability and to any claims based on it;
(c) References incorporating specified and available documents material to the certificate, the issuing certification authority, or the accepting subscriber; and
(d) Other items permitted by rule by the department.
(3)(a) The department may by rule require additional information in a certificate, so long as the certificate conforms to generally accepted standards for digital signature certificates and nothing in the certificate disclaims or limits the representations of the subscriber and the certification authority implied in sections 12 through 20 of this act.
(b) The certificate shall be in a data base form specified by department rule.
(4)(a) The department may, at the joint request of a subscriber and licensed certification authority, create a secret field in its data base. The department may disclose the contents of the secret field in its data base only to:
(i) The licensed certification authority publishing the certificate;
(ii) Authorized personnel of the department; and
(iii) A court clerk or county clerk who has received a request for suspension of the pertinent certificate.
(b) The contents of the secret field should be a password or fact likely to be known only by the subscriber, and may, in the discretion of the entity processing a request for suspension, be used to determine the identity of the requester.
NEW SECTION. Sec. 5. (1) To obtain or retain a license as a certification authority by the department, a certification authority must:
(a) Be either:
(i) An attorney admitted to practice before the courts of this state, that attorney's partnership that engages principally in the practice of law if the attorney is a partner, or a professional corporation in which the attorney named in the license is a shareholder;
(ii) A financial institution, a corporation authorized to conduct a trust business, or an insurance company, if authorized to do business in this state;
(iii) A title insurance or abstract company authorized to do business in this state; or
(iv) The governor, a department or agency of state government, the attorney general, a state court, a city, a code city, a county, or the legislature provided that:
(A) Each of the governmental entities acts through designated officials authorized by ordinance, rule, or statute to perform certification authority functions; and
(B) The state or one of the governmental entities is the subscriber of all certificates issued by the certification authority;
(b) Be the subscriber of a certificate published in the repository provided by the department or in a recognized repository;
(c) Qualify and hold an appointment as a notary public or employ at least one notary public;
(d) Employ as operative personnel only persons who have not been convicted of a felony or a crime involving fraud, false statement, or deception;
(e) Employ as operative personnel only persons who have demonstrated knowledge and proficiency in following the requirements of this chapter;
(f) File with the department a suitable guaranty, unless the certification authority is a governmental entity listed in (a)(iv) of this subsection;
(g) Have access to hardware and software suitable for fulfilling the requirements of this chapter according to department rules;
(h) Maintain an office in Washington or have established a registered agent for service of process in Washington; and
(i) Comply with all licensing requirements established by department rule.
(2) The department shall issue a license to a certification authority that:
(a) Is qualified under subsection (1) of this section;
(b) Applies in writing to the department for a license; and
(c) Pays the required filing fee.
(3)(a) A license may specify that its scope is limited to:
(i) A specified number of certificates; or
(ii) A specified cumulative maximum of recommended reliance limits in certificates issued by the certification authority.
(b) If the scope of a license is limited, a certification authority acts as an unlicensed certification authority when issuing a certificate exceeding the limits of the license.
(4)(a) The department may revoke or suspend a certification authority's license for failure to comply with this chapter, or for failure to remain qualified under subsection (1) of this section.
(b) The department's actions under (a) of this subsection are subject to the administrative procedure act, chapter 34.05 RCW.
(5) Unless the parties provide otherwise by contract between themselves, the licensing requirements in this section do not affect the validity of a certificate or digital signature issued by an unlicensed certification authority, except that:
(a) The presumptions created in sections 21 through 27 of this act do not apply to a certificate issued by an unlicensed certification authority; and
(b) The limitation of liability created in section 19 of this act does not apply to a certificate issued by an unlicensed certification authority.
NEW SECTION. Sec. 6. (1) A certified public accountant approved by rule by the department shall audit the operations of each licensed certification authority at least once each year to evaluate compliance with this chapter.
(2)(a) Based on information gathered in the audit, the auditor shall categorize the licensed certification authority's compliance as one of the following:
(i) Full compliance: The certification authority appears to conform to all applicable statutory and regulatory requirements;
(ii) Substantial compliance: The certification authority generally appears to comply with all applicable statutory and regulatory requirements. However, some instances of noncompliance or inability to demonstrate compliance were found in the audited sample which were likely to be inconsequential;
(iii) Partial compliance: The certification authority appears to comply with some statutory and regulatory requirements, but was found not to have complied or not able to demonstrate compliance with one or more statutory or regulatory requirements; or
(iv) Noncompliance: The certification authority complies with few or none of the statutory and regulatory requirements, or fails to keep adequate records to demonstrate compliance with more than a few requirements, or refused to submit to an audit.
(b) The department shall publish in the certification authority disclosure record the date of the audit and the resulting categorization of the certification authority.
(3)(a) A licensed certification authority is exempt from the requirements of subsection (1) of this section if:
(i) The certification authority requests exemption in writing;
(ii) The most recent audit, if any, of the certification authority resulted in a finding of full or substantial compliance; and
(iii) The certification authority states under oath or affirmation that one or more of the following is true with respect to the certification authority:
(A) The certification authority has issued fewer than six certificates during the past year and the recommended reliance limits of all of the certificates do not exceed ten thousand dollars;
(B) The aggregate lifetime of all certificates issued by the certification authority during the past year is less than thirty days and the recommended reliance limits of all of the certificates do not exceed ten thousand dollars; or
(C) The recommended reliance limits of all certificates outstanding and issued by the certification authority total less than one thousand dollars.
(b) If a licensed certification authority is exempt under this subsection (3), the department shall publish in the certification authority disclosure record that the certification authority is exempt from the audit requirement.
NEW SECTION. Sec. 7. (1) A certification authority disclosure record shall contain:
(a) The name, address, and telephone number of the certification authority;
(b) The distinguished name of the certification authority;
(c) The current public key of the certification authority;
(d) The categorization of the certification authority based on the most recent performance audit of the certification authority's activities, and the date of the most recent performance audit;
(e) If the certification authority's certificate has been revoked since licensure, the public key contained in the revoked certificate, date of revocation, and grounds for revocation;
(f) The amount of the certification authority's suitable guaranty;
(g) If the certification authority's license has been revoked or is currently suspended, the date of revocation or suspension, and the grounds for revocation or suspension;
(h) The limits, if any, placed on the certification authority's license;
(i) Any event or activity that substantially affects the certification authority's ability to conduct its business, or the validity of more than ten of the certificates listed in the repository provided by the department or in a recognized repository;
(j) If the certificate containing the public key required to verify one or more certificates issued by the certification authority has been revoked or is currently suspended, the date of its revocation or suspension;
(k) A statement dated within one year of the current date, containing additional rules or policies, and not exceeding two kilobytes in length, if the certification authority submits such a statement in a form prescribed by rule by the department; and
(l) Other information required by rule by the department.
(2) The department shall maintain an electronic data base in its repository containing the disclosure record described in this section for each licensed certification authority.
NEW SECTION. Sec. 8. (1) Department actions under this section must be made in accordance with the administrative procedure act, chapter 34.05 RCW.
(2) The department may:
(a) Investigate the activities of a licensed certification authority that are material to the requirements of this chapter; and
(b) Issue orders to a certification authority to secure compliance with this chapter.
(3) The department may suspend or revoke the license of a certification authority for serious noncompliance with an order of the department.
(4) A person may obtain punitive damages against a certification authority in a civil action against the certification authority if:
(a) The department has issued an order in accordance with subsection (2) of this section expressly permitting punitive damages to be assessed against the certification authority;
(b) The certification authority has not complied with the order;
(c) The person has suffered a loss caused by noncompliance with the order; and
(d) The department has granted permission for punitive damages.
(5) The department may order a certification authority that it has found to have violated a requirement of this chapter to pay the costs incurred by the department in prosecuting and adjudicating proceedings related to the enforcement of the order.
(6)(a) A licensed certification authority may obtain judicial review of the department's actions.
(b) The department may seek an injunction to compel compliance with any of its orders.
(7) Nothing in this section restricts local law enforcement authorities from investigating and prosecuting violations of criminal laws.
NEW SECTION. Sec. 9. (1) A licensed certification authority shall maintain detailed records documenting compliance with this chapter and all actions taken with respect to each certificate issued by the certification authority. The records shall include evidence supporting the identification of the person named in a certificate with the distinguished name and public key set forth in the certificate. Except for requests for suspension of a certificate, the licensed certification authority may require a subscriber or agent of a subscriber to submit reasonable documentation sufficient to enable the certification authority to comply with this chapter.
(2)(a) A licensed certification authority shall retain its records of the issuance, and any suspension or revocation of a certificate, for a period of not less than forty years after the certificate is issued.
(b) The licensed certification authority may:
(i) Contract with another licensed certification authority for the record retention required by this section; or
(ii) Place the records required by this section into the custody of the department of licensing upon ceasing to act as a certification authority.
(c) A licensed certification authority shall secure its records in a manner that is commercially reasonable in light of the recommended reliance limits of the certificates.
NEW SECTION. Sec. 10. (1) Before ceasing to act as a certification authority, a licensed certification authority shall:
(a) Give to the subscriber of each unrevoked or unexpired certificate ninety days' written notice of the certification authority's intention to discontinue acting as a certification authority;
(b) Ninety days after the notice required in (a) of this subsection, revoke all certificates that then remain unrevoked or unexpired, regardless of whether the subscriber has requested revocation;
(c) Give written notice of revocation to the subscriber of each certificate revoked pursuant to (b) of this subsection;
(d) Unless the contract between the certification authority and the subscriber provides otherwise, pay reasonable restitution to the subscriber for revoking the certificate before its expiration date.
(2)(a) To provide uninterrupted certification authority services, the discontinuing certification authority may arrange with another certification authority, including the department, for reissuance of the remaining certificates under the succeeding certification authority's digital signature for the unexpired term of the remaining certificates or one year, whichever is less.
(b) In reissuing a certificate under this subsection, the succeeding certification authority becomes subrogated to the rights and defenses of the discontinuing certification authority.
(3) The requirements of this section may be varied by contract, except that the contract may not permit the licensed certification authority to discontinue its use certification authority activities without first:
(a) Giving each subscriber of an unexpired or unrevoked certificate at least ten days' written notice; and
(b) Revoking all outstanding certificates upon cessation of certification authority activities.
(4)(a) A licensed certification authority shall notify the department of its intention to terminate acting as a certification authority.
(b) The notice shall be in a form specified by rule by the department and shall be submitted to the department at least two months, but not more than six months, before the date of termination.
(c) The department may by rule, or by order in a specific case, require additional statements to be filed in order to track compliance with this section.
(5)(a) If a certification authority dies while licensed, the estate of the certification authority shall comply with the procedures of this section for termination of the deceased certification authority's activities.
(b) If a certification authority becomes incapacitated, meaning a physical or mental inability to perform the duties of a certification authority as set out in this chapter, a court may either appoint a guardian as provided in chapter 11.88 RCW, or, on the petition of an interested party, appoint a receiver to terminate the incapacitated certification authority's business as provided in this section.
(c) The department may adopt rules to facilitate termination of certification authority activities or to protect subscribers and others in cases where the certification authority dies or becomes incapacitated.
NEW SECTION. Sec. 11. (1) A certification authority, whether licensed or not, may not conduct its business in a manner that creates a commercially unreasonable risk of loss to:
(a) Subscribers of the certification authority;
(b) Persons relying on certificates issued by certification authority; or
(c) A repository recognized under section 25 of this act.
(2)(a) The department may publish in the repository it provides, or elsewhere, statements advising subscribers, persons relying on digital signatures, or public repositories about activities of a certification authority, whether licensed or not, that create a risk prohibited by subsection (1) of this section.
(b) The certification authority named in a statement as creating or causing a risk may protest the publication of the statement.
(c) Upon receipt of a protest, the department shall:
(i) Include with its statement a comment that a protest has been received; and
(ii) Promptly give the protesting certification authority notice and an opportunity to be heard.
(d) Following the hearing, the department shall:
(i) Rescind the advisory statement if its publication was unwarranted;
(ii) Cancel it if its publication is no longer warranted;
(iii) Continue or amend it if it remains warranted; or
(iv) Take further legal action to eliminate or reduce a risk prohibited by subsection (1) of this section.
(e) The department shall publish its decision in the repository it provides.
(3) In the manner provided by the administrative procedure act, chapter 34.05 RCW, the department may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this section, regardless of whether the certification authority is licensed. This section does not create a right of action in any person other than the department.
NEW SECTION. Sec. 12. (1)(a) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(i) The certification authority has received a signed request for issuance of a certificate by the prospective subscriber;
(ii) The certification authority confirms that:
(A) The prospective subscriber is the person identified in the request and the person to be identified in the certificate to be issued;
(B) If the prospective subscriber is acting through an agent, the subscriber duly authorized the agent to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(C) The prospective subscriber bears a distinguished name; and
(D) The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(iii) The certification authority confirms that the prospective subscriber holds a key pair capable of:
(A) Affixing a digital signature by the private key corresponding to the public key to be listed in the certificate; and
(B) Verifying that a digital signature has been affixed by the corresponding private key through the use of the public key.
(b) The requirements of this subsection may not be waived or disclaimed by the licensed certification authority or the subscriber.
(2)(a) If a certificate is requested by an agent or an apparent agent of the subscriber, the certification authority may not issue the certificate until after the certification authority has given ten days' written notice to the prospective subscriber through all of its record leaders at its record address.
(b) The notice shall express the certification authority's intent to issue a certificate for the prospective subscriber to the requesting agent and the date on which the certificate is to be issued.
(c) The requirement of notice in this subsection may be waived or disclaimed only by:
(i) A writing signed by all of the record leaders of the prospective subscriber; and
(ii) Confirmation of the authenticity of the waiver by the certification authority.
(3)(a) If the subscriber accepts the certificate, the certification authority shall publish a signed copy of the certificate in the repository provided by the department or in one or more recognized repositories agreed upon by the certification authority and the subscriber named in the certificate.
(b) The contract between the certification authority and the subscriber may provide that the certificate may not be published.
(c) If the subscriber does not accept the certificate a license certification authority may not publish the certificate in the repository provided by the department.
(4) Nothing in this section precludes a licensed certification authority from conforming to standards, security policies, or contractual requirements more rigorous than, but consistent with, this section.
(5)(a) If a licensed certification authority confirms that a certificate was not issued as required by this section, the certification authority:
(i) Shall immediately revoke the certificate; or
(ii) May suspend the certificate while investigating to confirm grounds for revocation.
(b) The certification authority shall give notice as soon as practicable to the subscriber of a certificate revoked or suspended pursuant to this subsection.
(6) The department may order the licensed certification authority to suspend or revoke a certificate that the certification authority issued if, after notice and an opportunity for the certification authority and subscriber to be heard in accordance with the administrative procedure act, chapter 34.05 RCW, the department determines that:
(a) A certificate was issued without substantial compliance to this section; and
(b) The noncompliance poses a significant hazard to parties relying on the certificate.
NEW SECTION. Sec. 13. (1) By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate certifies to all who justifiably rely on the information contained in the certificate that:
(a) Each digital signature affixed by means of the private key corresponding to the public key listed in the certificate is a legally valid signature of the subscriber, unless the certificate:
(i) Is suspended;
(ii) Is revoked by the certification authority; or
(iii) Has expired;
(b) No unauthorized person has access to the private key corresponding to the public key listed in the certificate;
(c) All representations made by the subscriber to the certification authority that are material to information contained in the certificate are true; and
(d) The information contained in the certificate is true.
(2) By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, a person certifies to all who justifiably rely on the information contained in the certificate that:
(a) The person holds all authority legally required for issuance of a certificate naming the principal as subscriber; and
(b) The person has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.
(3) A person may not disclaim or rebut the representations implied in this section or obtain indemnity for them, if the effect of the disclaimer or indemnity is to limit liability for wrongful issuance of a certificate as against persons justifiably relying on the certificate.
(4)(a) If a subscriber makes a false, material, and written representation of fact, or fails to disclose a material fact, with either the intent to deceive the certification authority or a person relying on the certificate, or with negligence, the subscriber, by accepting a certificate, becomes obligated to indemnify the issuing certification authority for any loss or damage caused by the misrepresentation or negligence.
(b) If the certification authority issued the certificate at the request of agents of the subscriber, both the agents and the subscriber shall indemnify the certification authority in accordance with this subsection.
(c) The indemnity provided in this subsection may not be disclaimed or superseded by contract between the certification authority and the subscriber.
(5) To obtain information required for issuance of a certificate, the certification authority may require a subscriber to testify under oath or an affirmation of truthfulness.
NEW SECTION. Sec. 14. (1) By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care in retaining control of the private key and keeping it confidential.
(2) A private key is the property of the subscriber who rightfully holds it.
(3)(a) If a certification authority holds the private key corresponding to a public key listed in a certificate which it issued, it holds the private key as a fiduciary of the subscriber named in the certificate, regardless of any provision to the contrary in a contract between the subscriber and the certification authority.
(b) A certification authority holding the subscriber's private key may use it only upon the prior written consent of the subscriber.
NEW SECTION. Sec. 15. (1)(a) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that:
(i) The certificate contains no information known to the certification authority to be false;
(ii) The certificate satisfies the requirements of this chapter and does not exceed any limitations of the certification authority's license; and
(iii) The certification authority has not exceeded any limitation of its license in issuing the certificate.
(b) The warranties described in this subsection (1) may not be limited or disclaimed by contract.
(2) Unless the parties otherwise agree, a certification authority, by issuing a certificate, promises to the subscriber;
(a) To notify the subscriber within a reasonable time of facts known to the certification authority that affect the validity or reliability of the certificate once it is issued; and
(b) To act promptly to suspend or revoke a certificate in accordance with section 16 of this act.
(3) By issuing a certificate, a licensed certification authority certifies to all who justifiably rely on the information contained in the certificate that the certification authority has complied with all applicable requirements for issuance of the certificate.
(4) By publishing a certificate, a licensed certification authority certifies to the repository and to all who justifiably rely on the information contained in the certificate that the certification authority has issued the certificate to the subscriber.
NEW SECTION. Sec. 16. (1)(a) Unless the certification authority and the subscriber otherwise agree, the licensed certification authority that issued a certificate shall suspend the certificate for a period of twenty-four hours;
(a) Upon request by a person identifying him or herself as;
(A) The subscriber named in the certificate;
(B) An agent of the subscriber;
(C) A business associate of the subscriber;
(D) An employee of the subscriber; or
(E) A member of the immediate family of the subscriber; or
(ii) Upon order of the department under section 11(b) of this act.
(b) The certification authority need not confirm the identity or department of the person requesting suspension.
(2)(a) Unless the certificate or other records in the repository indicate otherwise, the department or a court clerk may suspend a certificate issued by a licensed certification authority for a period of forty-eight hours, if:
(i) A person identifying him or herself as the subscriber named in the certificate, or as an agent, business associate, employee, or member of the immediate family of the subscriber requests suspension; and
(ii) The requester represents that the certification authority that issues the certificate is unavailable.
(b) The department or clerk may:
(i) Require the requester to provide evidence of his or her identity, authorization, and the unavailability of the issuing certification authority;
(ii) Inquire of the contents of the certificate and the secret field described in section 4(4) of this act; and
(iii) Decline to suspend the certificate with or without cause.
(c) The department or law enforcement agencies may investigate multiple suspensions by the department or court clerk for possible wrongdoing.
(3)(a) Immediately upon suspension of a certificate, the suspending certification authority or court clerk shall publish a signed notice of the suspension in all repositories in which the certificate was published.
(b) If the repository described in (a) of this subsection no longer exists, or if the person suspending the certificate does not know all the repositories in which the certificate was published, the certification authority shall publish the notice of suspension in the repository provided by the department.
(4)(a) A certification authority shall terminate the suspension of a certificate that was suspended by request if:
(i) The subscriber named in the suspended certificate requests that the suspension be terminated and, the certification authority confirms the identity of the person making the request, and when the requester is acting as agent, the agent's authorization by the subscriber; or
(ii) The certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber.
(b) This subsection does not obligate the certification authority to confirm a request for suspension.
(5) The contract between a subscriber and a licensed certification authority may:
(a) Limit or eliminate suspension by the certification authority upon request; or
(b) Provide for termination of a suspension or disclosure of information about a suspension that varies from the requirements of this subsection and subsections (1), (2), and (4) of this section, except that if the contract varies from the requirements of this section, the certificate must indicate the differences for the contractual variation to be valid.
(6)(a) No person may knowingly or intentionally misrepresent to a certification authority his or her identity, name, distinguished name, or authorization when requesting suspension of a certificate.
(b) Violation of this subsection is a gross misdemeanor as set out under RCW 9A.20.010.
(7) The subscriber is released from the duty to keep the private key secure under section 14 of this act during the period the certificate is suspended.
NEW SECTION. Sec. 17. (1)(a) A licensed certification authority shall revoke a certificate that it issued after receiving and confirming a request for revocation by the subscriber named in the certificate in accordance with (b) of this subsection.
(b) A licensed certification authority shall confirm a request for revocation and revoke a certificate within one business day after:
(i) Receiving a subscriber's written request accompanied by evidence reasonably sufficient to confirm the request; and
(ii) Receiving any required fee.
(2) A licensed certification authority shall revoke a certificate that it issued upon receiving a certified copy of the subscriber's death certificate or upon confirming by other evidence that the subscriber is dead.
(3)(a) A licensed certification authority may revoke one or more certificates that it issued if the certificates are or become unreliable regardless of whether the subscriber consents to the revocation.
(b) Unless the contract between the certification authority and the subscriber provides otherwise, the certification authority shall pay reasonable restitution to the subscriber and compensate the subscriber for any interruption to the subscriber's business due to the revocation of the certificate under the circumstances described in (a) of this subsection.
(4)(a) Immediately upon revocation of a certificate, the revoking certification authority shall publish a signed notice of the revocation in all repositories in which the certification authority published the certificate.
(b) If the repositories described in (a) of this subsection no longer exist, or if all are unrecognized repositories, the certification authority shall publish the notice in the repository provided by the department.
(5) A subscriber ceases to certify, as provided in section 13 of this act, and has no further duty to keep the private key secure as required by section 14 of this act when either:
(a) Notice of the revocation is published as required in subsection (4) of this section; or
(b) The certification authority is required to revoke under subsection (1) of this section.
(6) Upon publication as required by section 16(3) of this act, a licensed certification authority is:
(a) Discharged of its warranties based on issuance of the revoked certificate; and
(b) Ceases to certify as provided in section 15 (2) and (3) of this act in relation to the revoked certificate.
NEW SECTION. Sec. 18. (1)(a) A certificate shall indicate the date it expires.
(b) A certificate's expiration date may be no later than three years after its issuance.
(2) When a certificate expires:
(a) The subscriber and certification authority cease as provided in sections 13 and 14 of this act; and
(b) The certification authority is discharged of its duties based on issuance, in relation to the expired certificate.
NEW SECTION. Sec. 19. (1) By specifying a recommended reliance limit in a certificate, the issuing certification authority and accepting subscriber recommend that persons rely on the certificate only in transactions in which the total amount at risk does not exceed the recommended reliance limit.
(2) Except as designated in section 5(6) of this act;
(a) A licensed certification authority is not liable for a loss caused by a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the certification authority complied with the requirements of this chapter;
(b) A licensed certification authority is not liable for a misrepresentation in the certificate, or for error in issuing the certificate in excess of the amount specified in the certificate as the recommended reliance limit; and
(c) A licensed certification authority is not liable for punitive or exemplary damages, except as provided in section 8 of this act.
NEW SECTION. Sec. 20. (1)(a) Notwithstanding any provision in the suitable guaranty to the contrary:
(i) If the suitable guaranty is a surety bond, a person may recover from the bond surety the full amount of a claim against the bond principal or, if there is more than one claim during the term of the bond, a ratable share, up to a maximum total liability of the surety equal to the face amount of the bond; or
(ii) If the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution a claim against the customer named in the credit, or, if there is more than one claim during the term of the letter of credit, a ratable share, up to a maximum total liability of the issuer equal to the face amount of the credit.
(b) Claimants may recover successively on the same suitable guaranty, provided that the total liability on the guaranty to all persons making claims during its term may not exceed the face amount of the guaranty.
(2) In addition to the actual damages suffered by the claimant, the claimant may recover from the proceeds of a suitable guaranty, until depleted, reasonable attorneys' fees and court costs incurred by the claimant in collecting the claim.
(3)(a) A claim against a surety or issuer of a suitable guaranty must be filed in writing with the department and the surety or issuer within one year after the claim arose.
(b) A claim must include a statement of the amount claimed and the basis for the claim.
(c) An action or suit against the surety or issuer of the suitable guaranty must be filed with the court within one year after the claim is filed with the department.
(d) Except as prohibited by rule by the department, a suitable guaranty may, by contract, alter the obligations under this subsection.
NEW SECTION. Sec. 21. (1) The presumptions established in this section and sections 22 and 23 of this act do not apply to a certificate issued by an unlicensed certification authority.
(2) A certificate is presumed to be an acknowledgment of any digital signature verified using the public key listed in the certificate, regardless of whether words of an express acknowledgment appear with the digital signature in any document, or in relation to the message if:
(a) The certificate is in the repository provided by the department or in a recognized repository; and
(b) The certificate was not revoked, suspended, or expired at the time of signature.
(3) A digital signature verified using a public key is presumed to have been affixed with the intention of the subscriber to authenticate the message and to be bound by the contents of the message if:
(a) The public key is listed in a certificate that is in the repository provided by the department or a recognized repository; and
(b) The certificate was not revoked, suspended, or expired at the time of signature.
(4)(a) If a signature is time-stamped by the department or a recognized repository, and unless the message otherwise provides, the time-stamp is prima facie evidence that the time-stamped signature took effect as of the date and time indicated in the time-stamp.
(b) This subsection does not preclude a finder of fact from concluding, based on other evidence, that the date and time of signature are other than as shown in a time-stamp of the department or a recognized repository.
(5) The presumptions established in this section may be rebutted:
(a) By evidence indicating that a digital signature cannot be verified by a reference to a certificate issued by a licensed certification authority;
(b) By evidence that the rightful holder of the private key by which the digital signature was affixed had lost exclusive control of the private key, without violating any duty imposed by this chapter, at the time when the digital signature was affixed;
(c) By evidence showing a lack of a signature at common law; or
(d) By a showing that reliance on the presumption was not commercially reasonable under the circumstances.
NEW SECTION. Sec. 22. (1) A digitally signed document is as valid as if it had been written on paper.
(2) This section does not limit the authority of the department of revenue to prescribe the form of tax returns or other documents filed with the department of revenue.
NEW SECTION. Sec. 23. Notwithstanding any other provisions of this chapter, a digital signature that would make a negotiable instrument payable to bearer is void, unless the digital signature effectuates either a funds transfer, as defined under RCW 62A.4A-104 or a transaction between banks or other financial institutions.
NEW SECTION. Sec. 24. (1)(a) The department shall be a certification authority, and may issue, suspend, and revoke certificates in the manner prescribed for licensed certification authorities.
(b) The provisions of sections 21 through 23 of this act apply to the department with respect to the certificates it issues.
(2) The department shall provide for an on-line, publicly accessible data base as a repository containing:
(a) Certificates published in the repository by licensed certification authorities;
(b) All orders and advisory statements designated for publication by the department;
(c) Certification authority disclosure records for all currently or formerly licensed certification authorities;
(d) Notices of suspended or revoked certificates published by licensed certification authorities;
(e) References to recognized repositories;
(f) Information required to be kept by a recognized repository; and
(g) Other information as determined by rule by the department.
(3) In conjunction with the repository it provides, the department shall make available a system for reliably time-stamping digital signatures.
(4) The department may adopt rules consistent with this chapter in order to:
(a) Govern licensed certification authorities and their licensure;
(b) Approve asymmetric cryptosystems for use in signing certificates issued by licensed certification authorities; and
(c) Maintain the data base required by section 7 of this act.
(5) The department's rules shall, at a minimum, address the following:
(a) Design and implementation requirements limiting the equipment and software to fulfill the requirements of this chapter;
(b) Validating that the hardware and software to be used are limited to those determined to meet the design and implementation requirements;
(c) Suitability of algorithms for use in fulfilling the requirements of this chapter;
(d) The form of suitable guarantees in accordance with section 3(36) of this act;
(e) Items included in certificates issued by licensed certification authorities in accordance with section 4(2) of this act;
(f) Approval of persons authorized to audit licensed certification authorities under section 6 of this act;
(g) The contents of a certification authority disclosure record required in section 7 of this act;
(h) The termination of certification authority activities under section 10 of this act, including the form of notice and required statements; and
(i) Prohibitions against altering obligations under section 20(3) of this act.
(6) The department may establish fees for the use of the repository provided for in subsection (2) of this section, for licensing certification authorities, for publishing certificates and other records, and for its other activities required by this chapter.
NEW SECTION. Sec. 25. (1) The department shall recognize a repository kept by a licensed certification authority, if the department concludes that:
(a) The repository includes a data base of certificates substantially similar in content and operation to the repository kept by the department;
(b) The information in the repository appears to be true, accurate, and reasonably reliable;
(c) The repository, its operator, and the certification authorities issuing the certificates in the repository conform to legally binding rules that the department finds to be substantially similar to, or more stringent toward, the certificate authorities than those of Washington state;
(d) The repository provides a time-stamping service that the department finds to be reasonably trustworthy;
(e) The repository keeps an archive of suspended, revoked, or expired certificates; and
(f) The repository has expressed in writing its intention to continue acting as a repository for the foreseeable future and is able to do so as indicated from its managerial and financial capabilities.
(2) A repository may apply to the department for recognition by filing a written request and providing evidence to the department that the conditions for recognition are satisfied.
(3) The department may withdraw or discontinue recognition of repository in accordance with the procedures for the administrative procedure act, chapter 34.05 RCW, if it concludes that the repository no longer satisfies the conditions for recognition listed in this section.
(4) The department shall publish in its repository the names, addresses, and public keys of all recognized repositories.
NEW SECTION. Sec. 26. A recognized repository, the department in providing for a repository, or the department's repository operator is not liable for a loss arising from:
(1) Misrepresentation in a certificate published by a licensed certification authority;
(2) Accurately recording or reporting information that a licensed certification authority, a county or court clerk, or the department has published as required by this chapter, including information about suspension or revocation of a certificate;
(3) Reporting information about a certification authority, a certificate, or a subscriber, if the information is published as required by this chapter or by rule by the department, or is published by order of the department in the performance of its licensing and regulatory duties under this chapter; and
(4) Failure to record publication of a certificate, suspension, or revocation, unless the repository has received notice of publication and a commercially reasonable time of not more than one business day has elapsed for processing of the publication.
Sec. 27. RCW 42.17.310 and 1994 c 233 s 2 and 1994 c 182 s 1 are each reenacted and amended to read as follows:
(1) The following are exempt from public inspection and copying:
(a) Personal information in any files maintained for students in public schools, patients or clients of public institutions or public health agencies, or welfare recipients.
(b) Personal information in files maintained for employees, appointees, or elected officials of any public agency to the extent that disclosure would violate their right to privacy.
(c) Information required of any taxpayer in connection with the assessment or collection of any tax if the disclosure of the information to other persons would (i) be prohibited to such persons by RCW 82.32.330 or (ii) violate the taxpayer's right to privacy or result in unfair competitive disadvantage to the taxpayer.
(d) Specific intelligence information and specific investigative records compiled by investigative, law enforcement, and penology agencies, and state agencies vested with the responsibility to discipline members of any profession, the nondisclosure of which is essential to effective law enforcement or for the protection of any person's right to privacy.
(e) Information revealing the identity of persons who are witnesses to or victims of crime or who file complaints with investigative, law enforcement, or penology agencies, other than the public disclosure commission, if disclosure would endanger any person's life, physical safety, or property. If at the time a complaint is filed the complainant, victim or witness indicates a desire for disclosure or nondisclosure, such desire shall govern. However, all complaints filed with the public disclosure commission about any elected official or candidate for public office must be made in writing and signed by the complainant under oath.
(f) Test questions, scoring keys, and other examination data used to administer a license, employment, or academic examination.
(g) Except as provided by chapter 8.26 RCW, the contents of real estate appraisals, made for or by any agency relative to the acquisition or sale of property, until the project or prospective sale is abandoned or until such time as all of the property has been acquired or the property to which the sale appraisal relates is sold, but in no event shall disclosure be denied for more than three years after the appraisal.
(h) Valuable formulae, designs, drawings, and research data obtained by any agency within five years of the request for disclosure when disclosure would produce private gain and public loss.
(i) Preliminary drafts, notes, recommendations, and intra-agency memorandums in which opinions are expressed or policies formulated or recommended except that a specific record shall not be exempt when publicly cited by an agency in connection with any agency action.
(j) Records which are relevant to a controversy to which an agency is a party but which records would not be available to another party under the rules of pretrial discovery for causes pending in the superior courts.
(k) Records, maps, or other information identifying the location of archaeological sites in order to avoid the looting or depredation of such sites.
(l) Any library record, the primary purpose of which is to maintain control of library materials, or to gain access to information, which discloses or could be used to disclose the identity of a library user.
(m) Financial information supplied by or on behalf of a person, firm, or corporation for the purpose of qualifying to submit a bid or proposal for (i) a ferry system construction or repair contract as required by RCW 47.60.680 through 47.60.750 or (ii) highway construction or improvement as required by RCW 47.28.070.
(n) Railroad company contracts filed prior to July 28, 1991, with the utilities and transportation commission under RCW 81.34.070, except that the summaries of the contracts are open to public inspection and copying as otherwise provided by this chapter.
(o) Financial and commercial information and records supplied by private persons pertaining to export services provided pursuant to chapter 43.163 RCW and chapter 53.31 RCW.
(p) Financial disclosures filed by private vocational schools under chapter 28C.10 RCW.
(q) Records filed with the utilities and transportation commission or attorney general under RCW 80.04.095 that a court has determined are confidential under RCW 80.04.095.
(r) Financial and commercial information and records supplied by businesses or individuals during application for loans or program services provided by chapters 43.163, 43.160, 43.330, and 43.168 RCW, or during application for economic development loans or program services provided by any local agency.
(s) Membership lists or lists of members or owners of interests of units in timeshare projects, subdivisions, camping resorts, condominiums, land developments, or common-interest communities affiliated with such projects, regulated by the department of licensing, in the files or possession of the department.
(t) All applications for public employment, including the names of applicants, resumes, and other related materials submitted with respect to an applicant.
(u) The residential addresses and residential telephone numbers of employees or volunteers of a public agency which are held by the agency in personnel records, employment or volunteer rosters, or mailing lists of employees or volunteers.
(v) The residential addresses and residential telephone numbers of the customers of a public utility contained in the records or lists held by the public utility of which they are customers.
(w)(i) The federal social security number of individuals governed under chapter 18.130 RCW maintained in the files of the department of health, except this exemption does not apply to requests made directly to the department from federal, state, and local agencies of government, and national and state licensing, credentialing, investigatory, disciplinary, and examination organizations; (ii) the current residential address and current residential telephone number of a health care provider governed under chapter 18.130 RCW maintained in the files of the department, if the provider requests that this information be withheld from public inspection and copying, and provides to the department an accurate alternate or business address and business telephone number. On or after January 1, 1995, the current residential address and residential telephone number of a health care provider governed under RCW 18.130.140 maintained in the files of the department shall automatically be withheld from public inspection and copying if the provider has provided the department with an accurate alternative or business address and telephone number.
(x) Information obtained by the board of pharmacy as provided in RCW 69.45.090.
(y) Information obtained by the board of pharmacy or the department of health and its representatives as provided in RCW 69.41.044, 69.41.280, and 18.64.420.
(z) Financial information, business plans, examination reports, and any information produced or obtained in evaluating or examining a business and industrial development corporation organized or seeking certification under chapter 31.24 RCW.
(aa) Financial and commercial information supplied to the state investment board by any person when the information relates to the investment of public trust or retirement funds and when disclosure would result in loss to such funds or in private loss to the providers of this information.
(bb) Financial and valuable trade information under RCW 51.36.120.
(cc) Client records maintained by an agency that is a domestic violence program as defined in RCW 70.123.020 or 70.123.075 or a rape crisis center as defined in RCW 70.125.030.
(dd) Information that identifies a person who, while an agency employee: (i) Seeks advice, under an informal process established by the employing agency, in order to ascertain his or her rights in connection with a possible unfair practice under chapter 49.60 RCW against the person; and (ii) requests his or her identity or any identifying information not be disclosed.
(ee) Investigative records compiled by an employing agency conducting a current investigation of a possible unfair practice under chapter 49.60 RCW or of a possible violation of other federal, state, or local laws prohibiting discrimination in employment.
(ff) Business related information protected from public inspection and copying under RCW 15.86.110.
(gg) Financial, commercial, operations, and technical and research information and data submitted to or obtained by the clean Washington center in applications for, or delivery of, program services under chapter 70.95H RCW.
(hh) Records containing information that would disclose, or might lead to the disclosure of private keys, asymmetric cryptosystems, or algorithms as defined under chapter 19.-- RCW (sections 1 through 26 of this act).
(ii) Records, the disclosure of which might jeopardize the security of an issued certificate or a certificate to be issued as defined under chapter 19.-- RCW (sections 1 through 26 of this act).
(2) Except for information described in subsection (1)(c)(i) of this section and confidential income data exempted from public inspection pursuant to RCW 84.40.020, the exemptions of this section are inapplicable to the extent that information, the disclosure of which would violate personal privacy or vital governmental interests, can be deleted from the specific records sought. No exemption may be construed to permit the nondisclosure of statistical information not descriptive of any readily identifiable person or persons.
(3) Inspection or copying of any specific records exempt under the provisions of this section may be permitted if the superior court in the county in which the record is maintained finds, after a hearing with notice thereof to every person in interest and the agency, that the exemption of such records is clearly unnecessary to protect any individual's right of privacy or any vital governmental function.
(4) Agency responses refusing, in whole or in part, inspection of any public record shall include a statement of the specific exemption authorizing the withholding of the record (or part) and a brief explanation of how the exemption applies to the record withheld.
NEW SECTION. Sec. 28. Sections 1 through 26 of this act shall constitute a new chapter in Title 19 RCW.
--- END ---