PRINTER'S NO. 557
No. 519 Session of 1999
INTRODUCED BY MELLOW, MARCH 9, 1999
REFERRED TO COMMUNICATIONS AND HIGH TECHNOLOGY, MARCH 9, 1999
AN ACT

Relating to digital signatures; and imposing penalties.

TABLE OF CONTENTS

Section 1. Short title.
Section 2. Purposes and construction.
Section 3. Definitions.
Section 4. Role of division.
Section 5. Licensure and qualifications of certification authorities.
Section 6. Performance audits and investigations.
Section 7. Enforcement of requirements for licensed certificate authorities.
Section 8. Dangerous activities by any certification authority prohibited.
Section 9. General requirements for certification authorities.
Section 10. Issuance of certificate.
Section 11. Warranties and obligations of certification authority upon issuance of certificate.
Section 12. Representations and duties upon acceptance of certificate.
Section 13. Control of private key.
Section 14. Suspension of certificate.
Section 15. Revocation of certificate.
Section 16. Expiration of certificate.
Section 17. Recommended reliance limits and liability.
Section 18. Collection based on suitable guaranty.
Section 19. Satisfaction of signature requirements.
Section 20. Unreliable digital signatures.
Section 21. Digitally signed document is written.
Section 22. Digitally signed originals.
Section 23. Certificate as acknowledgment.
Section 24. Presumptions in adjudicating disputes.
Section 25. Recognition of repositories.
Section 26. Liability of repositories.
Section 27. Confidential records.
Section 28. Effective date.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

Section 1. Short title.

This act shall be known and may be cited as the Digital Signature Act.

Section 2. Purposes and construction.

This act shall be construed consistent with what is commercially reasonable under the circumstances and to effectuate the following purposes:
    (1) Facilitate commerce by means of reliable electronic messages.
    (2) Minimize the incidence of forged digital signatures and fraud in electronic commerce.
    (3) Implement legally the general import of relevant standards, such as X.509 of the International Telecommunication Union, formerly known as the International Telegraph and Telephone Consultative Committee or as CCITT.
    (4) Establish, in coordination with multiple states, uniform rules regarding the authentication and reliability of electronic messages.

Section 3. Definitions.

The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:

"Accept a certificate." To manifest approval of a certificate, while knowing or having notice of its contents, or to apply to a licensed certification authority for a certificate, without canceling or revoking the application, if the certification authority subsequently issues a certificate based on the application.

"Asymmetric cryptosystem." An algorithm or series of algorithms which provide a secure key pair.

"Certificate." A computer-based record which:
    (1) identifies the certification authority issuing it;
    (2) names or identifies its subscriber;
    (3) contains the subscriber's public key; and
    (4) is digitally signed by the certification authority issuing it.

"Certification authority." A person who issues a certificate.

"Certification authority disclosure record." An on-line, publicly accessible record which concerns a licensed certification authority and is kept by the division. A certification authority disclosure record has the contents specified by rule of the division pursuant to section 4.

"Certification practice statement." A declaration of the practices which a certification authority employs in issuing certificates generally or employs in issuing a material certificate.

"Certify." Declare material facts by the certification authority regarding a certificate.

"Confirm." Ascertain through appropriate inquiry and investigation.

"Correspond." To belong to the same key pair.

"Digital signature." A transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key and whether the message has been altered since the transformation was made.

"Division." The UCC and Certification Division of the Corporation Bureau of the Department of State.

"Forge a digital signature." Either of the following:
    (1) To create a digital signature without the authorization of the rightful holder of the private key; or
    (2) To create a digital signature verifiable by a certificate listing as subscriber a person who does not exist or who does not hold the private key corresponding to the public key listed in the certificate.

"Hold a private key." To be able to utilize a private key.

"Incorporate by reference." To make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated.

"Issue a certificate." The acts of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate.

"Key pair." A private key and its corresponding public key in an asymmetric cryptosystem, keys which have the property that the public key can verify a digital signature that the private key creates.

"Licensed certification authority." A certification authority to whom a license has been issued by the division and whose license is in effect.

"Message." A digital representation of information.

"Notify." To communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person.

"Operative personnel." One or more natural persons acting as a certification authority or its agent, or in the employment of or under contract with a certification authority and who have either of the following:
    (1) managerial or policymaking responsibilities for the certification authority; or
    (2) duties directly involving the issuance of certificates, creation of private keys or administration of a certification authority's computing facilities.

"Person." A human being or any organization capable of signing a document, either legally or as a matter of fact.

"Private key." The key of a key pair used to create a digital signature.

"Public key." The key of a key pair used to verify a digital signature.

"Publish." To record or file in a repository.

"Qualified right to payment." An award of damages against a licensed certification authority by a court having jurisdiction over the certification authority in a civil action for violation of this act.

"Recipient." A person who receives or has a digital signature and is in a position to rely on it.

"Recognized repository." A repository recognized by the division pursuant to section 25.

"Recommended reliance limit." The limitation on the monetary amount recommended for reliance on a certificate pursuant to section 17(a).

"Repository." A system for storing and retrieving certificates and other information relevant to digital signatures.

"Revoke a certificate." To make a certificate ineffective permanently from a specified time forward. Revocation is effected by notation or inclusion in a set of revoked certificates and does not imply that a revoked certificate is destroyed or made illegible.

"Rightfully hold a private key." To be able to utilize a private key which the holder or the holder's agents have not disclosed to any person in violation of section 13(a) and which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means.

"Signer." A person who creates a digital signature for a message.

"Subscriber." A person who is the subject listed in a certificate, accepts the certificate and holds a private key which corresponds to a public key listed in that certificate.

"Suitable guaranty." Either a surety bond executed by a surety authorized by the Insurance Department to do business in this Commonwealth or an irrevocable letter of credit issued by a financial institution authorized to do business in this Commonwealth by the Department of Banking, which, in either event, satisfies all of the following requirements:
    (1) It is issued payable to the division for the benefit of persons holding qualified rights of payment against the licensed certification authority named as the principal of the bond or customer of the letter of credit.
    (2) It is in an amount specified by rule of the division pursuant to section 4.
    (3) It states that it is issued for filing pursuant to this act.
    (4) It specifies a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority.
    (5) It is in a form prescribed by rule of the division.
A suitable guaranty may also provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.

"Suspend a certificate." To make a certificate ineffective temporarily from a specified time forward.

"Time stamp." Either of the following:
    (1) To append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date and time the notation was appended or attached and the identity of the person appending or attaching the notation.
    (2) The notation appended or attached as stated in paragraph (1).

"Transactional certificate." A valid certificate incorporating by reference one or more digital signatures.

"Trustworthy system." Computer hardware and software which are reasonably secure from intrusion and misuse, which provide a reasonable level of availability, reliability and correct operation and which are reasonably suited to performing their intended functions.

"Valid certificate." A certificate which a licensed certification authority has issued, which the subscriber listed in it has accepted, which has not been revoked or suspended and which has not expired. A transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference.

"Verify a digital signature." In relation to a given digital signature, message and public key, to determine accurately that:
    (1) The digital signature was created by the private key corresponding to the public key.
    (2) The message has not been altered since its digital signature was created.

Section 4. Role of division.

(a) Certification authority.--The division shall be a certification authority and may issue, suspend and revoke certificates in the manner prescribed for licensed certification authorities in this act.

(b) Data base.--The division shall maintain a publicly accessible data base containing a certification authority disclosure record for each licensed certification authority. The division shall publish the contents of the data base in at least one recognized repository.
(c) Regulations.--The division shall promulgate regulations as required by this act and in furtherance of its purposes, including rules:
    (1) governing licensed certification authorities, their practice and the termination of a certification authority's practice;
    (2) determining an amount appropriate for a suitable guaranty, in light of:
        (i) the burden a suitable guaranty places upon licensed certification authorities; and
        (ii) the assurance of financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;
    (3) for reviewing software for use in creating digital signatures and publishing reports concerning software;
    (4) specifying reasonable requirements for the form of certificates issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;
    (5) specifying reasonable requirements for recordkeeping by licensed certification authorities;
    (6) specifying reasonable requirements for the content, form and sources of information in certification authority disclosure records, the updating and timeliness of such information and other practices and policies relating to certification authority disclosure records; and
    (7) specifying the form of certification practice statements.

Section 5. Licensure and qualifications of certification authorities.

(a) License.--To obtain or retain a license a certification authority shall:
    (1) be the subscriber of a certificate published in a recognized repository;
    (2) employ as operative personnel only persons who have not been convicted of a felony or a crime involving fraud, false statement or deception;
    (3) employ as operative personnel only persons who have demonstrated knowledge and proficiency in following the requirements of this act;
    (4) file with the division a suitable guaranty unless the certification authority is the Governor, a department or division of State government, Attorney General, Auditor General, State Treasurer, a city, a county or the General Assembly or its staff offices provided that:
        (i) each of the entities may act through designated officials authorized by ordinance, regulation or statute to perform certification authority functions; and
        (ii) one of the entities is the subscriber of all certificates issued by the certification authority;
    (5) have the right to use a trustworthy system, including a secure means for controlling usage of its private key;
    (6) present proof to the division of having working capital reasonably sufficient, according to rules of the division, to enable the applicant to conduct business as a certification authority;
    (7) maintain an office in this Commonwealth or have established a registered agent for service of process in this Commonwealth; and
    (8) comply with all other licensing requirements established by the division.

(b) Issuance.--The division shall issue a license to a certification authority which:
    (1) is qualified under subsection (a);
    (2) applies in writing to the division for a license; and
    (3) pays the required filing fee.

(c) Classification.--
    (1) The division may classify and issue licenses according to specified limitations, such as a maximum number of outstanding certificates, cumulative maximum of recommended reliance limits in certificates issued by the certification authority or issuance only within a single firm or organization.
    (2) A certification authority acts as an unlicensed certification authority when issuing a certificate exceeding the limits of the license.

(d) Revocation.--The division may revoke or suspend a certification authority's license for failure to comply with this act or for failure to remain qualified pursuant to subsection (a). The division's actions under this subsection are subject to the procedures for adjudicative proceedings in 2 Pa.C.S. (relating to administrative law and procedure).

(e) Other states.--The division may recognize by regulation the licensing or authorization of certification authorities by other governmental entities, provided that those licensing or authorization requirements are substantially similar to those of this Commonwealth. If licensing by another governmental entity is recognized, the liability limits of section 17 apply to the certification authorities licensed or authorized by that governmental entity in the same manner as they apply to licensed certification authorities of this Commonwealth.

(f) Exceptions.--
    (1) Unless the parties provide otherwise by contract between themselves, the licensing requirements in this section do not affect the effectiveness, enforceability or validity of any digital signature.
    (2) The liability limits of section 17 do not apply to unlicensed certification authorities.

Section 6. Performance audits and investigations.

(a) Audit.--A certified public accountant having expertise in computer security or an accredited computer security professional shall audit the operations of each licensed certification authority at least once each year to evaluate compliance with this act. The division may specify qualifications for auditors in greater detail by regulation.

(b) Categorization.--
    (1) Based on information gathered in the audit, the auditor shall categorize the licensed certification authority's compliance as one of the following:
        (i) Full compliance, which means the certification authority appears to conform to all applicable statutory and regulatory requirements.
        (ii) Substantial compliance, which means the certification authority generally appears to conform to all applicable statutory and regulatory requirements; however, one or more instances of noncompliance or inability to demonstrate compliance were found in the audited sample, but were likely to be inconsequential.
        (iii) Partial compliance, which means the certification authority appears to comply with some statutory and regulatory requirements, but was found not to have complied or not to be able to demonstrate compliance with one or more important safeguards.
        (iv) Noncompliance, which means the certification authority complies with few or none of the statutory and regulatory requirements, fails to keep adequate records to demonstrate compliance with more than a few requirements or refused to submit to an audit.
    (2) The auditor shall report the date of the audit of the licensed certification authority and resulting categorization to the division.
    (3) The division shall publish in the certification authority disclosure record it maintains for the certification authority the date of the audit and the resulting categorization of the certification authority.

(c) Exemptions.--
    (1) The division may exempt a licensed certification authority from the requirements of subsection (a) if:
        (i) the certification authority to be exempted requests exemption in writing;
        (ii) the most recent performance audit, if any, of the certification authority resulted in a finding of full or substantial compliance; and
        (iii) the certification authority declares under oath or affirmation that one or more of the following is true with respect to the certification authority:
            (A) The certification authority has issued fewer than six certificates during the past year and the total of the recommended reliance limits of all such certificates does not exceed $10,000.
            (B) The aggregate lifetime of all certificates issued by the certification authority during the past year is less than 30 days and the total of the recommended reliance limits of all such certificates does not exceed $10,000.
            (C) The recommended reliance limits of all certificates outstanding and issued by the certification authority total less than $1,000.
    (2) If the certification authority's declaration pursuant to paragraph (1) falsely states a material fact, the certification authority shall have failed to comply with the performance audit requirement of this section.
    (3) If a licensed certification authority is exempt under this section, the division shall publish in the certification authority disclosure record it maintains for the certification authority a statement that the certification authority is exempt from the performance audit requirement.

Section 7. Enforcement of requirements for licensed certificate authorities.

(a) Investigations.--The division may investigate the activities of a licensed certification authority material to its compliance with this act and issue orders to a certification authority to further its investigation and ensure compliance with this act.

(b) Restrictions.--As provided in section 5, the division may restrict a certification authority's license for its failure to comply with an order of the division or may suspend or revoke the license of a certification authority.

(c) Penalties.--Any person who knowingly or intentionally violates an order of the division issued pursuant to this section or section 8 is subject to a civil penalty of not more than $5,000 per violation or 90% of the recommended reliance limit of a material certificate, whichever is less.

(d) Costs.--The division may order a certification authority in violation of this act to pay the costs incurred by the division in prosecuting and adjudicating proceedings relative to and in enforcement of the order.

Section 8. Dangerous activities by any certification authority prohibited.

(a) General rule.--A certification authority, whether licensed or not, may not conduct its business in a manner that creates an unreasonable risk of loss to subscribers of the certification authority, to persons relying on certificates issued by the certification authority or to a repository.

(b) Publication.--
    (1) The division may publish in one or more recognized repositories brief statements advising subscribers, persons relying on digital signatures and repositories about any activities of a licensed or unlicensed certification authority of which the division has actual knowledge and which create a risk prohibited by subsection (a).
    (2) The certification authority named in a statement as creating such a risk may protest the publication of the statement by filing a brief, written defense. Upon receipt of such a protest, the division shall:
        (i) Publish the written defense along with the division's statement.
        (ii) Publish notice that a hearing has been scheduled to determine the facts and to decide the matter.
        (iii) Promptly give the protesting certification authority notice and a hearing.
    (3) Following the hearing, the division shall:
        (i) rescind the advisory statement if its publication was unwarranted pursuant to this section;
        (ii) cancel the advisory statement if its publication is no longer warranted;
        (iii) continue or amend the advisory statement if it remains warranted; or
        (iv) take further legal action to eliminate or reduce a risk prohibited by subsection (a).
    (4) The division shall publish its decision in one or more recognized repositories.

(c) Injunction.--The division may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this section, regardless of whether the certification authority is licensed. This section does not create a right of action in any person other than the division.

Section 9. General requirements for certification authorities.

(a) Trustworthy system.--A licensed certification authority or subscriber shall use only a trustworthy system to issue, suspend or revoke a certificate, to publish or give notice of the issuance, suspension or revocation of a certificate and to create a private key.

(b) Disclosure.--A licensed certification authority shall disclose any material certification practice statement and any fact material to either the reliability of a certificate which it has issued or its ability to perform its services. A certification authority may require a signed, written and reasonably specific inquiry from an identified person and payment of reasonable compensation as conditions precedent to effecting a disclosure required in this section.

Section 10. Issuance of certificate.

(a) Conditions.--A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
    (1) The certification authority has received a request for issuance signed by the prospective subscriber.
    (2) The certification authority has confirmed that:
        (i) The prospective subscriber is the person to be listed in the certificate to be issued.
        (ii) If the prospective subscriber is acting through one or more agents, the subscriber authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key.
        (iii) The information in the certificate to be issued is accurate after due diligence.
        (iv) The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate.
        (v) The prospective subscriber holds a private key capable of creating a digital signature.
        (vi) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
The requirements of this subsection may not be waived or disclaimed by the licensed certification authority or the subscriber.

(b) Publication.--
    (1) If the subscriber accepts the issued certificate, the certification authority shall publish a signed copy of the certificate in a recognized repository agreed upon by the certification authority and the subscriber named in the certificate unless the contract between the certification authority and the subscriber provides otherwise.
    (2) If the subscriber does not accept the certificate, a licensed certification authority shall not publish the certificate or shall cancel its publication if the certificate has already been published.

(c) Higher standards.--Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but consistent with, this act.

(d) Revocation.--
    (1) A licensed certification authority which has issued a certificate:
        (i) shall revoke a certificate immediately upon confirming that it was not issued as required by this section; or
        (ii) may suspend, for a reasonable period of time not to exceed 48 hours, a certificate which it has issued in order to conduct an investigation to confirm grounds for revocation under subparagraph (i).
    (2) The certification authority shall give notice of the revocation or suspension to the subscriber as soon as practicable.
    (3) (i) The division may order the licensed certification authority to suspend or revoke a certificate which the certification authority issued if, after giving the certification authority and subscriber any required notice and opportunity for a hearing, the division determines that the certificate was issued without substantial compliance with this section and the noncompliance poses a significant risk to persons reasonably relying on the certificate.
        (ii) The division may suspend a certificate for a reasonable period of time not to exceed 48 hours upon determining that an emergency requires an immediate remedy.

Section 11. Warranties and obligations of certification authority upon issuance of certificate.

(a) General rule.--
    (1) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that:
        (i) The certificate contains no information known to the certification authority to be false.
        (ii) The certificate satisfies all material requirements of this act.
        (iii) The certification authority has not exceeded any limits of its license in issuing the certificate.
    (2) The certification authority may not disclaim or limit the warranties of this subsection.

(b) Revocation.--Unless the subscriber and certification authority otherwise agree, a certification authority, by issuing a certificate, shall:
    (1) act promptly to suspend or revoke a certificate in accordance with sections 14 and 15; and
    (2) notify the subscriber within a reasonable time of any facts known to the certification authority which significantly affect the validity or reliability of the certificate once it is issued.

(c) Reasonable reliance.--By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that:
    (1) The information in the certificate and listed as confirmed by the certification authority is accurate.
    (2) All foreseeable information material to the reliability of the certificate is stated or incorporated by reference within the certificate.
    (3) The subscriber has accepted the certificate.
    (4) The licensed certification authority has complied with all applicable laws of this Commonwealth governing issuance of the certificate.

(d) Publication.--By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the certification authority has issued the certificate to the subscriber.

Section 12. Representations and duties upon acceptance of certificate.

(a) General rule.--By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that:
    (1) The subscriber rightfully holds the private key corresponding to the public key listed in the certificate.
    (2) All representations made by the subscriber to the certification authority and material to information listed in the certificate are true.
    (3) All material representations made by the subscriber to a certification authority or made in the certificate and not confirmed by the certification authority in issuing the certificate are true.

(b) Agents.--An agent requesting on behalf of a principal that a certificate be issued naming the principal as subscriber certifies that the agent:
    (1) Holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber.
    (2) Has authority to sign digitally on behalf of the principal and, if that authority is limited in any way, that adequate safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.

(c) Disclaimer.--A person may not disclaim or contractually limit the application of this section nor obtain indemnity for its effects if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.

(d) Acceptance of certificate.--
    (1) By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for any loss or damage caused by issuance or publication of a certificate in reliance on a false and material representation of fact by the subscriber or the failure by the subscriber to disclose a material fact if the representation or failure to disclose was made either with intent to deceive the certification authority or a person relying on the certificate or was made with negligence.
    (2) If the certification authority issued the certificate at the request of an agent of the subscriber, the agent personally undertakes to indemnify the certification authority pursuant to paragraph (1) as if the agent was an accepting subscriber in his own right. The indemnity provided in paragraph (1) may not be disclaimed or contractually limited in scope; however, a contract may provide consistent, additional terms regarding the indemnification.

(e) Certification.--In obtaining information of the subscriber material to issuance of a certificate, the certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation of truthfulness and under penalty of criminal prohibitions against false, sworn statements.

Section 13. Control of private key.

(a) Duty.--By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature.

(b) Personal property.--A private key is the personal property of the subscriber who rightfully holds it.

(c) Public key.--If a certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the certification authority holds the private key as a fiduciary of the subscriber named in the certificate and may use that private key only with the subscriber's prior, written approval unless the subscriber expressly grants the private key to the certification authority and expressly permits the certification authority to hold the private key according to other terms.

Section 14. Suspension of certificate.

(a) General rule.--
    (1) Unless the certification authority and the subscriber agree otherwise, the licensed certification authority which issued a certificate which is not a transactional certificate shall suspend the certificate for a period not exceeding 48 hours:
        (i) upon request by a person identifying himself as the subscriber named in the certificate or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee or member of the immediate family of the subscriber; or
        (ii) by order of the division pursuant to subsection 10(d).
    (2) The certification authority need not confirm the identity or agency of the person requesting suspension under subsection (a)(1)(i).

(b) Additional grounds.--
    (1) Unless the certificate provides otherwise or the certificate is a transactional certificate, the division, a court clerk or a county clerk may suspend a certificate issued by a licensed certification authority for a period of 48 hours if:
        (i) a person requests suspension and identifies
1 himself as the subscriber named in the certificate or as 2 an agent, business associate, employee or member of the 3 immediate family of the subscriber; and 4 (ii) the requester represents that the certification 5 authority which issued the certificate is unavailable. 6 (2) The division, court clerk or county clerk may: 7 (i) require the person requesting suspension under 8 paragraph (1) to provide evidence, including a statement 9 under oath or affirmation, regarding any information 10 described in paragraph (1); and 11 (ii) suspend or decline to suspend the certificate 12 in its discretion. 13 (3) The division, Attorney General or county attorney 14 may investigate suspensions by the division, a court clerk or 15 a county clerk for possible wrongdoing by persons requesting 16 suspension under paragraph (1). 17 (c) Notice of suspension.-- 18 (1) Immediately upon suspension of a certificate by a 19 licensed certification authority, the licensed certification 20 authority shall publish notice, signed by the licensed 21 certification authority, of the suspension in any 22 repositories specified in the certificate for publication of 23 notice of suspension. If any repository specified in the 24 certificate no longer exists or refuses to accept publication 25 or is no longer recognized pursuant to section 25, the 26 licensed certification authority shall publish the notice in 27 any recognized repository. 28 (2) If a certificate is suspended by the division, a 29 court clerk or a county clerk, the division or clerk shall 30 give notice as required in paragraph (1) for a licensed 19990S0519B0557 - 24 -
1 certification authority, provided that the person requesting 2 suspension pays in advance any fee required by a repository 3 for publication of the notice of suspension. 4 (d) Termination.--A certification authority shall terminate 5 a suspension initiated by request only: 6 (1) if the subscriber named in the suspended certificate 7 requests termination of the suspension and the certification 8 authority has conformed that the person requesting suspension 9 is the subscriber or an agent of the subscriber authorized to 10 terminate the suspension; or 11 (2) when the certification authority discovers and 12 confirms that the request for the suspension was made without 13 authorization by the subscriber, provided that this 14 subsection does not require the certification authority to 15 confirm a request for suspension. 16 (e) Limits on suspension authority.--The contract between a 17 subscriber and a licensed certification authority may limit or 18 preclude requested suspension by the certification authority or 19 may provide otherwise for termination of a requested suspension. 20 However, if the contract limits or precludes suspension by the 21 division, a court clerk or a county clerk when the issuing 22 certification authority is unavailable, the limitation or 23 preclusion shall be effective only if notice of the limitation 24 or preclusion is published in the certificate. 25 (f) Misrepresentation.--A person may not knowingly or 26 intentionally misrepresent to a certification authority his 27 identity or authorization in requesting suspension of a 28 certificate. Violation of this subsection is a misdemeanor of 29 the second degree. 30 (g) Effect of suspension.--While the certificate is 19990S0519B0557 - 25 -
1 suspended, the subscriber is released from the duty to keep the 2 private key secure pursuant to section 13(a). 3 Section 15. Revocation of certificate. 4 (a) General rule.--A licensed certification authority shall 5 revoke a certificate which it issued, but which is not a 6 transactional certificate, after: 7 (1) receiving a request for revocation by the subscriber 8 named in the certificate; and 9 (2) confirming that the person requesting revocation is 10 that subscriber or is an agent of that subscriber with 11 authority to request the revocation. 12 (b) Confirmation.--A licensed certification authority shall 13 confirm a request for revocation and revoke a certificate within 14 one business day after receiving both a subscriber's written 15 request and evidence reasonably sufficient to confirm the 16 identity and any agency of the person requesting the suspension. 17 (c) Death or dissolution.--A licensed certification 18 authority shall revoke a certificate which it issued: 19 (1) upon receiving a certified copy of the subscriber's 20 death certificate or upon confirming by other evidence that 21 the subscriber is dead; or 22 (2) upon presentation of documents effecting a 23 dissolution of the subscriber or upon confirming by other 24 evidence that the subscriber has been dissolved or has ceased 25 to exist. 26 (d) Unreliability.--A licensed certification authority may 27 revoke one or more certificates which it issued if the 28 certificates are or become unreliable, regardless of whether the 29 subscriber consents to the revocation. 30 (e) Publication.--Immediately upon revocation of a 19990S0519B0557 - 26 -
1 certificate by a licensed certification authority, the licensed 2 certification authority shall publish signed notice of the 3 revocation in any repository specified in the certificate for 4 publication of notice of revocation. If any repository specified 5 in the certificate no longer exists or refuses to accept 6 publication or is no longer recognized pursuant to section 25, 7 the licensed certification authority shall publish the notice in 8 any recognized repository. 9 (f) Release from duty.--A subscriber ceases to certify the 10 information, as provided in section 12, and has no further duty 11 to keep the private key secure, as required by section 13, in 12 relation to a certificate whose revocation the subscriber has 13 requested, beginning with the earlier of either: 14 (1) when notice of the revocation is published as 15 required in subsection (e); or 16 (2) two business days after the subscriber requests 17 revocation in writing, supplies to the issuing certification 18 authority information reasonably sufficient to confirm the 19 request and pays any contractually required fee. 20 (g) Discharge of warranty.--Upon notification as required by 21 subsection (e), a licensed certification authority is discharged 22 of its warranties based on issuance of the revoked certificate 23 and ceases to certify the information, as provided in section 24 11, in relation to the revoked certificate. 25 Section 16. Expiration of certificate. 26 A certificate shall indicate the date on which it expires. 27 When a certificate expires, the subscriber and certification 28 authority cease to certify the information in the certificate as 29 provided in this act and the certification authority is 30 discharged of its duties based on issuance of that certificate. 19990S0519B0557 - 27 -
1 Section 17. Recommended reliance limits and liability. 2 (a) Reliance limit.--By specifying a recommended reliance 3 limit in a certificate, the issuing certification authority and 4 the accepting subscriber recommend that persons rely on the 5 certificate only to the extent that the total amount at risk 6 does not exceed the recommended reliance limit. 7 (b) Liability.--Unless a licensed certification authority 8 waives application of this subsection, a licensed certification 9 authority is: 10 (1) not liable for any loss caused by reliance on a 11 false or forged digital signature of a subscriber if, with 12 respect to the false or forged digital signature, the 13 certification authority complied with all material 14 requirements of this act. 15 (2) not liable in excess of the amount specified in the 16 certificate as its recommended reliance limit for either: 17 (i) a loss caused by reliance on a misrepresentation 18 in the certificate of any fact that the licensed 19 certification authority is required to confirm; or 20 (ii) failure to comply with section 10 in issuing 21 the certificate; 22 (3) liable only for direct compensatory damages in any 23 action to recover a loss due to reliance on the certificate, 24 which damages do not include: 25 (i) punitive or exemplary damages; 26 (ii) damages for lost profits, savings, or 27 opportunity; or 28 (iii) damages for pain or suffering. 29 Section 18. Collection based on suitable guaranty. 30 (a) General rule.-- 19990S0519B0557 - 28 -
1 (1) Notwithstanding any provision in the suitable 2 guaranty to the contrary: 3 (i) if the suitable guaranty is a surety bond, a 4 person may recover from the surety the full amount of a 5 qualified right to payment against the principal named in 6 the bond or, if there is more than one such qualified 7 right to payment during the term of the bond, a ratable 8 share up to a maximum total liability of the surety equal 9 to the amount of the bond; or 10 (ii) if the suitable guaranty is a letter of a 11 credit, a person may recover from the issuing financial 12 institution the full amount of a qualified right to 13 payment against the customer named in the letter of 14 credit or, if there is more than one qualified right to 15 payment during the term of the letter of credit, a 16 ratable share up to a maximum total liability of the 17 issuer equal to the amount of the credit. 18 (2) Claimants may recover successively on the same 19 suitable guaranty, provided that the total liability on the 20 suitable guaranty to all persons making claims based upon 21 qualified rights of payment during its term may not exceed 22 the amount of the suitable guaranty. 23 (b) Attorney fees.--In addition to recovering the amount of 24 a qualified right to payment, a claimant may recover from the 25 proceeds of the guaranty, until depleted, reasonable attorney 26 fees and court costs incurred by the claimant in collecting the 27 claim, provided that the total liability on the suitable 28 guaranty to all persons making claims based upon qualified 29 rights of payment or recovering attorney fees and court costs 30 during its term may not exceed the amount of the suitable 19990S0519B0557 - 29 -
1 guaranty. 2 (c) Right to payment.--To recover a qualified right to 3 payment against a surety or issuer of a suitable guaranty, the 4 claimant shall file written notice of the claim with the 5 division stating the name and address of the claimant, the 6 amount claimed, the grounds for the qualified right to payment 7 and any other information required by regulation. 8 (d) Recovery barred.--Recovery of a qualified right to 9 payment from the proceeds of the suitable guaranty shall be 10 forever barred unless the claimant substantially complies with 11 subsection (c) and notice of the claim is filed within two years 12 after the occurrence of the violation of this act which is the 13 basis for the claim. 14 Section 19. Satisfaction of signature requirements. 15 (a) General rule.--Where a rule of law requires a signature 16 or provides for certain consequences in the absence of a 17 signature, that rule is satisfied by a digital signature if: 18 (1) that digital signature is verified by reference to 19 the public key listed in a valid certificate issued by a 20 licensed certification authority; 21 (2) that digital signature was affixed by the signer 22 with the intention of signing the message; and 23 (3) the recipient has no knowledge or notice that the 24 signer either: 25 (i) breached a duty as a subscriber; or 26 (ii) does not rightfully hold the private key used 27 to affix the digital signature. 28 (b) Other law.--Nothing in this act precludes any symbol 29 from being valid as a signature under other applicable law. 30 Section 20. Unreliable digital signatures. 19990S0519B0557 - 30 -
1 Unless otherwise provided by law or contract, the recipient 2 of a digital signature assumes the risk that a digital signature 3 is forged if reliance on the digital signature is not reasonable 4 under the circumstances. If the recipient determines not to rely 5 on a digital signature pursuant to this section, the recipient 6 shall promptly notify the signer of its determination not to 7 rely on the digital signature. 8 Section 21. Digitally signed document is written. 9 (a) General rule.--A message is as valid, enforceable and 10 effective as if it had been written on paper if it: 11 (1) bears in its entirety a digital signature; and 12 (2) that digital signature is verified by the public key 13 listed in a certificate which was issued by a licensed 14 certification authority and was valid at the time the digital 15 signature was created. 16 (b) Other law.--Nothing in this act precludes any message, 17 document or record from being considered written or in writing 18 under other applicable law. 19 Section 22. Digitally signed originals. 20 A copy of a digitally signed message is as effective, valid 21 and enforceable as the original of the message unless it is 22 evident that the signer designated an instance of the digitally 23 signed message to be a unique original, in which case only that 24 instance constitutes the valid, effective and enforceable 25 message. 26 Section 23. Certificate as acknowledgment. 27 Unless otherwise provided by law or contract, a certificate 28 issued by a licensed certification authority is an 29 acknowledgment of a digital signature verified by reference to 30 the public key listed in the certificate, regardless of whether 19990S0519B0557 - 31 -
1 words of an express acknowledgment appear with the digital 2 signature or whether the signer physically appeared before the 3 certification authority when the digital signature was created, 4 if that digital signature is verifiable by that certificate and 5 affixed when that certificate was valid. 6 Section 24. Presumptions in adjudicating disputes. 7 In adjudicating a dispute involving a digital signature, a 8 court shall presume that: 9 (1) a certificate digitally signed by a licensed 10 certification authority and either published in a recognized 11 repository or made available by the issuing certification 12 authority or by the subscriber listed in the certificate is 13 issued by the certification authority which digitally signed 14 it and is accepted by the subscriber listed in it; 15 (2) the information listed in a valid certificate, as 16 defined in section 3, and confirmed by a licensed 17 certification authority issuing the certificate is accurate; 18 (3) if a digital signature is verified by the public key 19 listed in a valid certificate issued by a licensed 20 certification authority: 21 (i) that the digital signature is the digital 22 signature of the subscriber listed in that certificate; 23 (ii) that the digital signature was affixed by the 24 signer with the intention of signing the message; and 25 (iii) that the recipient of that digital signature 26 has no knowledge or notice that the signer breached a 27 duty as a subscriber or does not rightfully hold the 28 private key used to affix the digital signature; and 29 (4) a digital signature was created before it was time 30 stamped by a disinterested person utilizing a trustworthy 19990S0519B0557 - 32 -
1 system. 2 Section 25. Recognition of repositories. 3 (a) Application for recognition.--A repository may apply to 4 the division for recognition by filing a written request and 5 providing evidence to the division that the repository meets the 6 requirements of subsection (b). The division shall determine 7 whether to grant or deny the request. 8 (b) Grounds for recognition.--The division shall recognize a 9 repository, after finding that the repository: 10 (1) is operated under the direction of a licensed 11 certification authority; 12 (2) includes a data base containing: 13 (i) Certificates published in the repository. 14 (ii) Notices of suspended or revoked certificates 15 published by licensed certification authorities or other 16 persons suspending or revoking certificates as provided 17 in sections 14 and 15. 18 (iii) Certification authority disclosure records for 19 licensed certification authorities. 20 (iv) All orders or advisory statements published by 21 the division in regulating certification authorities. 22 (v) Other information as determined by regulations. 23 (3) operates by means of a trustworthy system; 24 (4) contains no significant amount of information which 25 the division finds is known or likely to be untrue, 26 inaccurate or not reasonably reliable; 27 (5) contains certificates published by certification 28 authorities required to conform to rules of practice which 29 the division finds to be substantially similar to or more 30 stringent toward the certification authorities than those of 19990S0519B0557 - 33 -
1 this Commonwealth; 2 (6) keeps an archive of certificates that have been 3 suspended or revoked or that have expired within at least the 4 past three years; and 5 (7) complies with other requirements prescribed by 6 regulation. 7 (c) Request for discontinuance.--The division's recognition 8 of a repository may be discontinued upon the repository's 9 written request for discontinuance filed with the division at 10 least 30 days before discontinuance. 11 (d) Grounds for discontinuance.--The division may 12 discontinue recognition of a repository: 13 (1) upon passage of an expiration date specified by the 14 division in granting recognition; or 15 (2) if after a hearing the division concludes that the 16 repository no longer satisfies the conditions for recognition 17 listed in this section or in the regulations. 18 Section 26. Liability of repositories. 19 (a) General rule.--Notwithstanding any disclaimer by the 20 repository or any contract to the contrary between the 21 repository, a certification authority or a subscriber, a 22 repository is liable for a loss incurred by a person reasonably 23 relying on a digital signature verified by the public key listed 24 in a suspended or revoked certificate if: 25 (1) the loss was incurred more than one business day 26 after receipt by the repository of a request to publish 27 notice of the suspension or revocation; and 28 (2) the repository had failed to publish the notice of 29 suspension or revocation when the person relied on the 30 digital signature. 19990S0519B0557 - 34 -
1 (b) Recognized repositories.--Unless waived, a recognized 2 repository or the owner or operator of a recognized repository 3 is: 4 (1) not liable: 5 (i) for failure to publish notice of a suspension or 6 revocation unless the repository has received notice of 7 publication and one business day has elapsed since the 8 notice was received; 9 (ii) for any damages pursuant to subsection (a) in 10 excess of the amount specified in the certificate as the 11 recommended reliance limit; 12 (iii) for misrepresentation in a certificate 13 published by a licensed certification authority; 14 (iv) for accurately recording or reporting 15 information which a licensed certification authority, the 16 division, a county clerk or court clerk has published as 17 provided in this act including information about 18 suspension or revocation of a certificate; or 19 (v) for reporting information about a certification 20 authority, a certificate or a subscriber if such 21 information is published as provided in this act or a 22 regulation or is published by order of the division in 23 the performance of its licensing and regulatory duties 24 pursuant to this act; and 25 (2) liable pursuant to subsection (a) only for direct 26 compensatory damages, which do not include: 27 (i) punitive or exemplary damages; 28 (ii) damages for lost profits, savings or 29 opportunity; or 30 (iii) damages for pain or suffering. 19990S0519B0557 - 35 -
1 Section 27. Confidential records. 2 The following governmental entity records shall be 3 confidential: 4 (1) records containing information that would disclose 5 or might lead to the disclosure of private keys, asymmetric 6 cryptosystems or algorithms; and 7 (2) records which, if they are disclosed, might 8 jeopardize the security of an issued certificate or a 9 certificate to be issued. 10 Section 28. Effective date. 11 This act shall take effect in 180 days. B11L12RLE/19990S0519B0557 - 36 -