                                                       PRINTER'S NO. 557

THE GENERAL ASSEMBLY OF PENNSYLVANIA


SENATE BILL

No. 519 Session of 1999


        INTRODUCED BY MELLOW, MARCH 9, 1999

        REFERRED TO COMMUNICATIONS AND HIGH TECHNOLOGY, MARCH 9, 1999

                                     AN ACT

     1  Relating to digital signatures; and imposing penalties.

     2                         TABLE OF CONTENTS
     3  Section 1.  Short title.
     4  Section 2.  Purposes and construction.
     5  Section 3.  Definitions.
     6  Section 4.  Role of division.
     7  Section 5.  Licensure and qualifications of certification
     8                 authorities.
     9  Section 6.  Performance audits and investigations.
    10  Section 7.  Enforcement of requirements for licensed certificate
    11                 authorities.
    12  Section 8.  Dangerous activities by any certification authority
    13                 prohibited.
    14  Section 9.  General requirements for certification authorities.
    15  Section 10.  Issuance of certificate.
    16  Section 11.  Warranties and obligations of certification
    17                 authority upon issuance of certificate.


     1  Section 12.  Representations and duties upon acceptance of
     2                 certificate.
     3  Section 13.  Control of private key.
     4  Section 14.  Suspension of certificate.
     5  Section 15.  Revocation of certificate.
     6  Section 16.  Expiration of certificate.
     7  Section 17.  Recommended reliance limits and liability.
     8  Section 18.  Collection based on suitable guaranty.
     9  Section 19.  Satisfaction of signature requirements.
    10  Section 20.  Unreliable digital signatures.
    11  Section 21.  Digitally signed document is written.
    12  Section 22.  Digitally signed originals.
    13  Section 23.  Certificate as acknowledgment.
    14  Section 24.  Presumptions in adjudicating disputes.
    15  Section 25.  Recognition of repositories.
    16  Section 26.  Liability of repositories.
    17  Section 27.  Confidential records.
    18  Section 28.  Effective date.
    19     The General Assembly of the Commonwealth of Pennsylvania
    20  hereby enacts as follows:
    21  Section 1.  Short title.
    22     This act shall be known and may be cited as the Digital
    23  Signature Act.
    24  Section 2.  Purposes and construction.
    25     This act shall be construed consistent with what is
    26  commercially reasonable under the circumstances and to
    27  effectuate the following purposes:
    28         (1)  Facilitate commerce by means of reliable electronic
    29     messages.
    30         (2)  Minimize the incidence of forged digital signatures
    19990S0519B0557                  - 2 -

     1     and fraud in electronic commerce.
     2         (3)  Implement legally the general import of relevant
     3     standards, such as X.509 of the International
     4     Telecommunication Union, formerly known as the International
     5     Telegraph and Telephone Consultative Committee or as CCITT.
     6         (4)  Establish, in coordination with multiple states,
     7     uniform rules regarding the authentication and reliability of
     8     electronic messages.
     9  Section 3.  Definitions.
    10     The following words and phrases when used in this act shall
    11  have the meanings given to them in this section unless the
    12  context clearly indicates otherwise:
    13     "Accept a certificate."  To manifest approval of a
    14  certificate, while knowing or having notice of its contents, or
    15  to apply to a licensed certification authority for a certificate,
    16  without canceling or revoking the application, if the
    17  certification authority subsequently issues a certificate based
    18  on the application.
    19     "Asymmetric cryptosystem."  An algorithm or series of
    20  algorithms which provide a secure key pair.
    21     "Certificate."  A computer-based record which:
    22         (1)  identifies the certification authority issuing it;
    23         (2)  names or identifies its subscriber;
    24         (3)  contains the subscriber's public key; and
    25         (4)  is digitally signed by the certification authority
    26     issuing it.
    27     "Certification authority."  A person who issues a
    28  certificate.
    29     "Certification authority disclosure record."  An on-line,
    30  publicly accessible record which concerns a licensed
     1  certification authority and is kept by the division. A
     2  certification authority disclosure record has the contents
     3  specified by rule of the division pursuant to section 4.
     4     "Certification practice statement."  A declaration of the
     5  practices which a certification authority employs in issuing
     6  certificates generally or employs in issuing a material
     7  certificate.
     8     "Certify."  Declare material facts by the certification
     9  authority regarding a certificate.
    10     "Confirm."  Ascertain through appropriate inquiry and
    11  investigation.
    12     "Correspond."  To belong to the same key pair.
    13     "Digital signature."  A transformation of a message using an
    14  asymmetric cryptosystem such that a person having the initial
    15  message and the signer's public key can accurately determine
    16  whether the transformation was created using the private key
    17  that corresponds to the signer's public key and whether the
    18  message has been altered since the transformation was made.
    19     "Division."  The UCC and Certification Division of the
    20  Corporation Bureau of the Department of State.
    21     "Forge a digital signature."  Either of the following:
    22         (1)  To create a digital signature without the
    23     authorization of the rightful holder of the private key; or
    24         (2)  To create a digital signature verifiable by a
    25     certificate listing as subscriber a person who does not exist
    26     or who does not hold the private key corresponding to the
    27     public key listed in the certificate.
    28     "Hold a private key."  To be able to utilize a private key.
    29     "Incorporate by reference."  To make one message a part of
    30  another message by identifying the message to be incorporated
     1  and expressing the intention that it be incorporated.
     2     "Issue a certificate."  The acts of a certification authority
     3  in creating a certificate and notifying the subscriber listed in
     4  the certificate of the contents of the certificate.
     5     "Key pair."  A private key and its corresponding public key
     6  in an asymmetric cryptosystem, keys which have the property that
     7  the public key can verify a digital signature that the private
     8  key creates.
     9     "Licensed certification authority."  A certification
    10  authority to whom a license has been issued by the division and
    11  whose license is in effect.
    12     "Message."  A digital representation of information.
    13     "Notify."  To communicate a fact to another person in a
    14  manner reasonably likely under the circumstances to impart
    15  knowledge of the information to the other person.
    16     "Operative personnel."  One or more natural persons acting as
    17  a certification authority or its agent, or in the employment of
    18  or under contract with a certification authority and who have
    19  either of the following:
    20         (1)  managerial or policymaking responsibilities for the
    21     certification authority; or
    22         (2)  duties directly involving the issuance of
    23     certificates, creation of private keys or administration of a
    24     certification authority's computing facilities.
    25     "Person."  A human being or any organization capable of
    26  signing a document, either legally or as a matter of fact.
    27     "Private key."  The key of a key pair used to create a
    28  digital signature.
    29     "Public key."  The key of a key pair used to verify a digital
    30  signature.
     1     "Publish."  To record or file in a repository.
     2     "Qualified right to payment."  An award of damages against a
     3  licensed certification authority by a court having jurisdiction
     4  over the certification authority in a civil action for violation
     5  of this act.
     6     "Recipient."  A person who receives or has a digital
     7  signature and is in a position to rely on it.
     8     "Recognized repository."  A repository recognized by the
     9  division pursuant to section 25.
    10     "Recommended reliance limit."  The limitation on the monetary
    11  amount recommended for reliance on a certificate pursuant to
    12  section 17(a).
    13     "Repository."  A system for storing and retrieving
    14  certificates and other information relevant to digital
    15  signatures.
    16     "Revoke a certificate."  To make a certificate ineffective
    17  permanently from a specified time forward. Revocation is
    18  effected by notation or inclusion in a set of revoked
    19  certificates and does not imply that a revoked certificate is
    20  destroyed or made illegible.
    21     "Rightfully hold a private key."  To be able to utilize a
    22  private key which the holder or the holder's agents have not
    23  disclosed to any person in violation of section 13(a) and which
    24  the holder has not obtained through theft, deceit, eavesdropping
    25  or other unlawful means.
    26     "Signer."  A person who creates a digital signature for a
    27  message.
    28     "Subscriber."  A person who is the subject listed in a
    29  certificate, accepts the certificate and holds a private key
    30  which corresponds to a public key listed in that certificate.
     1     "Suitable guaranty."  Either a surety bond executed by a
     2  surety authorized by the Insurance Department to do business in
     3  this Commonwealth or an irrevocable letter of credit issued by a
     4  financial institution authorized to do business in this
     5  Commonwealth by the Department of Banking, which, in either
     6  event, satisfies all of the following requirements:
     7         (1)  It is issued payable to the division for the benefit
     8     of persons holding qualified rights of payment against the
     9     licensed certification authority named as the principal of
    10     the bond or customer of the letter of credit.
    11         (2)  It is an amount specified by rule of the division
    12     pursuant to section 4.
    13         (3)  It states that it is issued for filing pursuant to
    14     this act.
    15         (4)  It specifies a term of effectiveness extending at
    16     least as long as the term of the license to be issued to the
    17     certification authority.
    18         (5)  It is in a form prescribed by rule of the division.
    19  A suitable guaranty may also provide that the total annual
    20  liability on the guaranty to all persons making claims based on
    21  it may not exceed the face amount of the guaranty.
    22     "Suspend a certificate."  To make a certificate ineffective
    23  temporarily from a specified time forward.
    24     "Time stamp."  Either of the following:
    25         (1)  To append or attach to a message, digital signature
    26     or certificate a digitally signed notation indicating at
    27     least the date and time the notation was appended or attached
    28     and the identity of the person appending or attaching the
    29     notation.
    30         (2)  The notation appended or attached as stated in
     1     paragraph (1).
     2     "Transactional certificate."  A valid certificate
     3  incorporating by reference one or more digital signatures.
     4     "Trustworthy system."  Computer hardware and software which
     5  are reasonably secure from intrusion and misuse, which provide a
     6  reasonable level of availability, reliability and correct
     7  operation and which are reasonably suited to performing their
     8  intended functions.
     9     "Valid certificate."  A certificate which a licensed
    10  certification authority has issued, which the subscriber listed
    11  in it has accepted, which has not been revoked or suspended and
    12  which has not expired. A transactional certificate is a valid
    13  certificate only in relation to the digital signature
    14  incorporated in it by reference.
    15     "Verify a digital signature."  In relation to a given digital
    16  signature, message and public key, to determine accurately that:
    17         (1)  The digital signature was created by the private key
    18     corresponding to the public key.
    19         (2)  The message has not been altered since its digital
    20     signature was created.
    21  Section 4.  Role of division.
    22     (a)  Certification authority.--The division shall be a
    23  certification authority and may issue, suspend and revoke
    24  certificates in the manner prescribed for licensed certification
    25  authorities in this act.
    26     (b)  Data base.--The division shall maintain a publicly
    27  accessible data base containing a certification authority
    28  disclosure record for each licensed certification authority. The
    29  division shall publish the contents of the data base in at least
    30  one recognized repository.
     1     (c)  Regulations.--The division shall promulgate regulations
     2  as required by this act and in furtherance of its purposes,
     3  including rules:
     4         (1)  governing licensed certification authorities, their
     5     practice and the termination of a certification authority's
     6     practice;
     7         (2)  determining an amount appropriate for a suitable
     8     guaranty, in light of:
     9             (i)  the burden a suitable guaranty places upon
    10         licensed certification authorities; and
    11             (ii)  the assurance of financial responsibility it
    12         provides to persons who rely on certificates issued by
    13         licensed certification authorities;
    14         (3)  for reviewing software for use in creating digital
    15     signatures and publish reports concerning software;
    16         (4)  specifying reasonable requirements for the form of
    17     certificates issued by licensed certification authorities, in
    18     accordance with generally accepted standards for digital
    19     signature certificates;
    20         (5)  specifying reasonable requirements for recordkeeping
    21     by licensed certification authorities;
    22         (6)  specifying reasonable requirements for the content,
    23     form and sources of information in certification authority
    24     disclosure records, the updating and timeliness of such
    25     information and other practices and policies relating to
    26     certification authority disclosure records; and
    27         (7)  specifying the form of certification practice
    28     statements.
    29  Section 5.  Licensure and qualifications of certification
    30                 authorities.
     1     (a)  License.--To obtain or retain a license a certification
     2  authority shall:
     3         (1)  be the subscriber of a certificate published in a
     4     recognized repository;
     5         (2)  employ as operative personnel only persons who have
     6     not been convicted of a felony or a crime involving fraud,
     7     false statement or deception;
     8         (3)  employ as operative personnel only persons who have
     9     demonstrated knowledge and proficiency in following the
    10     requirements of this act;
    11         (4)  file with the division a suitable guaranty unless
    12     the certification authority is the Governor, a department or
    13     division of State government, Attorney General, Auditor
    14     General, State Treasurer, a city, a county or the General
    15     Assembly or its staff offices provided that:
    16             (i)  each of the entities may act through designated
    17         officials authorized by ordinance, regulation or statute
    18         to perform certification authority functions; and
    19             (ii)  one of the entities is the subscriber of all
    20         certificates issued by the certification authority;
    21         (5)  have the right to use a trustworthy system,
    22     including a secure means for controlling usage of its private
    23     key;
    24         (6)  present proof to the division of having working
    25     capital reasonably sufficient, according to rules of the
    26     division, to enable the applicant to conduct business as a
    27     certification authority;
    28         (7)  maintain an office in this Commonwealth or have
    29     established a registered agent for service of process in this
    30     Commonwealth; and
     1         (8)  comply with all other licensing requirements
     2     established by the division.
     3     (b)  Issuance.--The division shall issue a license to a
     4  certification authority which:
     5         (1)  is qualified under subsection (a);
     6         (2)  applies in writing to the division for a license;
     7     and
     8         (3)  pays the required filing fee.
     9     (c)  Classification.--
    10         (1)  The division may classify and issue licenses
    11     according to specified limitations, such as a maximum number
    12     of outstanding certificates, cumulative maximum of
    13     recommended reliance limits in certificates issued by the
    14     certification authority or issuance only within a single firm
    15     or organization.
    16         (2)  A certification authority acts as an unlicensed
    17     certification authority when issuing a certificate exceeding
    18     the limits of the license.
    19     (d)  Revocation.--The division may revoke or suspend a
    20  certification authority's license for failure to comply with
    21  this act or for failure to remain qualified pursuant to
    22  subsection (a). The division's actions under this subsection are
    23  subject to the procedures for adjudicative proceedings in 2
    24  Pa.C.S. (relating to administrative law and procedure).
    25     (e)  Other states.--The division may recognize by regulation
    26  the licensing or authorization of certification authorities by
    27  other governmental entities, provided that those licensing or
    28  authorization requirements are substantially similar to those of
    29  this Commonwealth. If licensing by another governmental entity
    30  is recognized, the liability limits of section 17 apply to the
     1  certification authorities licensed or authorized by that
     2  governmental entity in the same manner as they apply to licensed
     3  certification authorities of this Commonwealth.
     4     (f)  Exceptions.--
     5         (1)  Unless the parties provide otherwise by contract
     6     between themselves, the licensing requirements in this
     7     section do not affect the effectiveness, enforceability or
     8     validity of any digital signature.
     9         (2)  The liability limits of section 17 do not apply to
    10     unlicensed certification authorities.
    11  Section 6.  Performance audits and investigations.
    12     (a)  Audit.--A certified public accountant having expertise
    13  in computer security or an accredited computer security
    14  professional shall audit the operations of each licensed
    15  certification authority at least once each year to evaluate
    16  compliance with this act. The division may specify
    17  qualifications for auditors in greater detail by regulation.
    18     (b)  Categorization.--
    19         (1)  Based on information gathered in the audit, the
    20     auditor shall categorize the licensed certification
    21     authority's compliance as one of the following:
    22             (i)  Full compliance, which means the certification
    23         authority appears to conform to all applicable statutory
    24         and regulatory requirements.
    25             (ii)  Substantial compliance, which means the
    26         certification authority generally appears to conform to
    27         all applicable statutory and regulatory requirements;
    28         however, one or more instances of noncompliance or
    29         inability to demonstrate compliance were found in the
    30         audited sample, but were likely to be inconsequential.
     1             (iii)  Partial compliance, which means the
     2         certification authority appears to comply with some
     3         statutory and regulatory requirements, but was found not
     4         to have complied or not to be able to demonstrate
     5         compliance with one or more important safeguards.
     6             (iv)  Noncompliance, which means the certification
     7         authority complies with few or none of the statutory and
     8         regulatory requirements, fails to keep adequate records
     9         to demonstrate compliance with more than a few
    10         requirements or refused to submit to an audit.
    11         (2)  The auditor shall report the date of the audit of
    12     the licensed certification authority and resulting
    13     categorization to the division.
    14         (3)  The division shall publish in the certification
    15     authority disclosure record it maintains for the
    16     certification authority, the date of the audit and the
    17     resulting categorization of the certification authority.
    18     (c)  Exemptions.--
    19         (1)  The division may exempt a licensed certification
    20     authority from the requirements of subsection (a) if:
    21             (i)  the certification authority to be exempted
    22         requests exemption in writing;
    23             (ii)  the most recent performance audit, if any, of
    24         the certification authority resulted in a finding of full
    25         or substantial compliance; and
    26             (iii)  the certification authority declares under
    27         oath or affirmation that one or more of the following is
    28         true with respect to the certification authority:
    29                 (A)  The certification authority has issued fewer
    30             than six certificates during the past year and the
     1             total of the recommended reliance limits of all such
     2             certificates does not exceed $10,000.
     3                 (B)  The aggregate lifetime of all certificates
     4             issued by the certification authority during the past
     5             year is less than 30 days and the total of the
     6             recommended reliance limits of all such certificates
     7             does not exceed $10,000.
     8                 (C)  The recommended reliance limits of all
     9             certificates outstanding and issued by the
    10             certification authority total less than $1,000.
    11         (2)  If the certification authority's declaration
    12     pursuant to paragraph (1) falsely states a material fact, the
    13     certification authority shall have failed to comply with the
    14     performance audit requirement of this section.
    15         (3)  If a licensed certification authority is exempt
    16     under this section, the division shall publish in the
    17     certification authority disclosure record it maintains for
    18     the certification authority a statement that the
    19     certification authority is exempt from the performance audit
    20     requirement.
    21  Section 7.  Enforcement of requirements for licensed certificate
    22                 authorities.
    23     (a)  Investigations.--The division may investigate the
    24  activities of a licensed certification authority material to its
    25  compliance with this act and issue orders to a certification
    26  authority to further its investigation and insure compliance
    27  with this act.
    28     (b)  Restrictions.--As provided in section 5, the division
    29  may restrict a certification authority's license for its failure
    30  to comply with an order of the division or may suspend or revoke
     1  the license of a certification authority.
     2     (c)  Penalties.--Any person who knowingly or intentionally
     3  violates an order of the division issued pursuant to this
     4  section or section 8 is subject to a civil penalty of not more
     5  than $5,000 per violation or 90% of the recommended reliance
     6  limit of a material certificate, whichever is less.
     7     (d)  Costs.--The division may order a certification authority
     8  in violation of this act to pay the costs incurred by the
     9  division in prosecuting and adjudicating proceedings relative to
    10  and in enforcement of the order.
    11  Section 8.  Dangerous activities by any certification authority
    12                 prohibited.
    13     (a)  General rule.--A certification authority, whether
    14  licensed or not, may not conduct its business in a manner that
    15  creates an unreasonable risk of loss to subscribers of the
    16  certification authority, to persons relying on certificates
    17  issued by the certification authority or to a repository.
    18     (b)  Publication.--
    19         (1)  The division may publish in one or more recognized
    20     repositories brief statements advising subscribers, persons
    21     relying on digital signatures and repositories about any
    22     activities of a licensed or unlicensed certification
    23     authority of which the division has actual knowledge and
    24     which create a risk prohibited by subsection (a).
    25         (2)  The certification authority named in a statement as
    26     creating such a risk may protest the publication of the
    27     statement by filing a brief, written defense. Upon receipt of
    28     such a protest, the division shall:
    29             (i)  Publish the written defense along with the
    30         division's statement.
     1             (ii)  Publish notice that a hearing has been
     2         scheduled to determine the facts and to decide the
     3         matter.
     4             (iii)  Promptly give the protesting certification
     5         authority notice and a hearing.
     6         (3)  Following the hearing, the division shall:
     7             (i)  rescind the advisory statement if its
     8         publication was unwarranted pursuant to this section;
     9             (ii)  cancel the advisory statement if its
    10         publication is no longer warranted;
    11             (iii)  continue or amend the advisory statement if it
    12         remains warranted; or
    13             (iv)  take further legal action to eliminate or
    14         reduce a risk prohibited by subsection (a).
    15         (4)  The division shall publish its decision in one or
    16     more recognized repositories.
    17     (c)  Injunction.--The division may issue orders and obtain
    18  injunctions or other civil relief to prevent or restrain a
    19  certification authority from violating this section, regardless
    20  of whether the certification authority is licensed. This section
    21  does not create a right of action in any person other than the
    22  division.
    23  Section 9.  General requirements for certification authorities.
    24     (a)  Trustworthy system.--A licensed certification authority
    25  or subscriber shall use only a trustworthy system to issue,
    26  suspend or revoke a certificate, to publish or give notice of the
    27  issuance, suspension or revocation of a certificate and to
    28  create a private key.
    29     (b)  Disclosure.--A licensed certification authority shall
    30  disclose any material certification practice statement and any
     1  fact material to either the reliability of a certificate which
     2  it has issued or its ability to perform its services. A
     3  certification authority may require a signed, written and
     4  reasonably specific inquiry from an identified person and
     5  payment of reasonable compensation as conditions precedent to
     6  effecting a disclosure required in this section.
     7  Section 10.  Issuance of certificate.
     8     (a)  Conditions.--A licensed certification authority may
     9  issue a certificate to a subscriber only after all of the
    10  following conditions are satisfied:
    11         (1)  The certification authority has received a request
    12     for issuance signed by the prospective subscriber.
    13         (2)  The certification authority has confirmed that:
    14             (i)  The prospective subscriber is the person to be
    15         listed in the certificate to be issued.
    16             (ii)  If the prospective subscriber is acting through
    17         one or more agents, the subscriber authorized the agent
    18         or agents to have custody of the subscriber's private key
    19         and to request issuance of a certificate listing the
    20         corresponding public key.
    21             (iii)  The information in the certificate to be issued
    22         is accurate after due diligence.
    23             (iv)  The prospective subscriber rightfully holds the
    24         private key corresponding to the public key to be listed
    25         in the certificate.
    26             (v)  The prospective subscriber holds a private key
    27         capable of creating a digital signature.
    28             (vi)  The public key to be listed in the certificate
    29         can be used to verify a digital signature affixed by the
    30         private key held by the prospective subscriber.
     1  The requirements of this subsection may not be waived or
     2  disclaimed by the licensed certification authority or the
     3  subscriber.
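The "certificate" and "verify a digital signature" definitions of section 3, together with the issuance checks of subsection (a) above, rendered as working code. This is an added example, not text or code from the bill; it assumes Ed25519 as the asymmetric cryptosystem, JSON as the certificate encoding, and constructed names and freshly generated keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Certificate carries the four elements the bill's definition of "certificate"
// requires: issuing certification authority, subscriber, the subscriber's public
// key, and the authority's signature over the other three. JSON is an assumed encoding.
type Certificate struct {
	Issuer     string            `json:"issuer"`
	Subscriber string            `json:"subscriber"`
	PublicKey  ed25519.PublicKey `json:"public_key"`
	Signature  []byte            `json:"signature,omitempty"`
}

// tbs ("to be signed") is the message the authority signs: the certificate with
// its signature cleared (value receiver, so the caller's copy is untouched).
func (c Certificate) tbs() []byte {
	c.Signature = nil
	b, _ := json.Marshal(c) // a plain struct of strings and bytes cannot fail here
	return b
}

// VerifyDigitalSignature is the bill's "verify a digital signature": true only if
// the signature was created by the private key corresponding to pub AND the
// message is unaltered. Ed25519 is the assumed asymmetric cryptosystem.
func VerifyDigitalSignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	// ed25519.Verify panics on a malformed key, so check the size first.
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

// IssuanceRequest models section 10(a)(1): a request signed by the prospective
// subscriber with the private key whose public key is to be listed.
type IssuanceRequest struct {
	Subscriber string
	PublicKey  ed25519.PublicKey
	Signature  []byte
}

func requestBytes(subscriber string, pub ed25519.PublicKey) []byte {
	return append([]byte(subscriber+"\x00"), pub...)
}

// NewIssuanceRequest is the subscriber's side of the exchange.
func NewIssuanceRequest(subscriber string, priv ed25519.PrivateKey) IssuanceRequest {
	pub := priv.Public().(ed25519.PublicKey)
	return IssuanceRequest{subscriber, pub, ed25519.Sign(priv, requestBytes(subscriber, pub))}
}

// CertificationAuthority is a hypothetical licensed authority.
type CertificationAuthority struct {
	Name string
	priv ed25519.PrivateKey
}

// Issue applies section 10(a)(2)(v)-(vi) before issuing: the public key to be
// listed must verify a signature made with the subscriber's private key, showing the
// subscriber holds that key and the pair works. Identity confirmation ((i)-(iv)) is out of band.
func (ca CertificationAuthority) Issue(req IssuanceRequest) (Certificate, error) {
	if !VerifyDigitalSignature(req.PublicKey, requestBytes(req.Subscriber, req.PublicKey), req.Signature) {
		return Certificate{}, errors.New("no proof of private key possession, section 10(a)(2)(v)-(vi)")
	}
	cert := Certificate{Issuer: ca.Name, Subscriber: req.Subscriber, PublicKey: req.PublicKey}
	cert.Signature = ed25519.Sign(ca.priv, cert.tbs())
	return cert, nil
}

// CheckCertificate is what a recipient does before relying on a certificate:
// verify the issuing authority's signature over it.
func CheckCertificate(caPub ed25519.PublicKey, cert Certificate) bool {
	return VerifyDigitalSignature(caPub, cert.tbs(), cert.Signature)
}

// DemoResult and Demo run a constructed scenario with freshly generated keys.
type DemoResult struct{ Issued, CertValid, AlteredCertRejected, ForgedRequestRejected bool }
func Demo() (DemoResult, error) {
	var r DemoResult
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	ca := CertificationAuthority{Name: "Example CA (constructed)", priv: caPriv}
	cert, err := ca.Issue(NewIssuanceRequest("A. Subscriber (constructed)", subPriv))
	r.Issued, r.CertValid = err == nil, CheckCertificate(caPub, cert)
	altered := cert // subscriber name changed after signing: the signature no longer verifies
	altered.Subscriber = "Someone Else"
	r.AlteredCertRejected = !CheckCertificate(caPub, altered)
	// A request listing subPub but signed with another key: issuing on it would be the forgery of definition (2).
	forged := NewIssuanceRequest("A. Subscriber (constructed)", otherPriv)
	forged.PublicKey = subPub
	_, err = ca.Issue(forged)
	r.ForgedRequestRejected = err != nil
	return r, nil
}
```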
     4     (b)  Publication.--
     5         (1)  If the subscriber accepts the issued certificate,
     6     the certification authority shall publish a signed copy of
     7     the certificate in a recognized repository agreed upon by the
     8     certification authority and the subscriber named in the
     9     certificate unless the contract between the certification
    10     authority and the subscriber provides otherwise.
    11         (2)  If the subscriber does not accept the certificate, a
    12     licensed certification authority shall not publish the
    13     certificate or shall cancel its publication if the
    14     certificate has already been published.
    15     (c)  Higher standards.--Nothing in this section precludes a
    16  licensed certification authority from conforming to standards,
    17  certification practice statements, security plans or contractual
    18  requirements more rigorous than, but consistent with, this act.
    19     (d)  Revocation.--
    20         (1)  A licensed certification authority which has issued
    21     a certificate:
    22             (i)  shall revoke a certificate immediately upon
    23         confirming that it was not issued as required by this
    24         section; or
    25             (ii)  may suspend, for a reasonable period of time
    26         not to exceed 48 hours, a certificate which it has issued
    27         in order to conduct an investigation to confirm grounds
    28         for revocation under subparagraph (i).
    29         (2)  The certification authority shall give notice of the
    30     revocation or suspension to the subscriber as soon as
    19990S0519B0557                 - 18 -

     1     practicable.
     2         (3)  (i)  The division may order the licensed
     3         certification authority to suspend or revoke a
     4         certificate which the certification authority issued if,
     5         after giving the certification authority and subscriber
     6         any required notice and opportunity for a hearing, the
     7         division determines that the certificate was issued
     8         without substantial compliance with this section and the
     9         noncompliance poses a significant risk to persons
    10         reasonably relying on the certificate.
    11             (ii)  The division may suspend a certificate for a
    12         reasonable period of time not to exceed 48 hours upon
    13         determining that an emergency requires an immediate
    14         remedy.
    15  Section 11.  Warranties and obligations of certification
    16                 authority upon issuance of certificate.
    17     (a)  General rule.--
    18         (1)  By issuing a certificate, a licensed certification
    19     authority warrants to the subscriber named in the certificate
    20     that:
    21             (i)  The certificate contains no information known to
    22         the certification authority to be false.
    23             (ii)  The certificate satisfies all material
    24         requirements of this act.
    25             (iii)  The certification authority has not exceeded
    26         any limits of its license in issuing the certificate.
    27         (2)  The certification authority may not disclaim or
    28     limit the warranties of this subsection.
    29     (b)  Revocation.--Unless the subscriber and certification
    30  authority otherwise agree, a certification authority, by issuing
    19990S0519B0557                 - 19 -

     1  a certificate, shall:
     2         (1)  act promptly to suspend or revoke a certificate in
     3     accordance with sections 14 and 15; and
     4         (2)  notify the subscriber within a reasonable time of
     5     any facts known to the certification authority which
     6     significantly affect the validity or reliability of the
     7     certificate once it is issued.
     8     (c)  Reasonable reliance.--By issuing a certificate, a
     9  licensed certification authority certifies to all who reasonably
    10  rely on the information contained in the certificate that:
    11         (1)  The information in the certificate and listed as
    12     confirmed by the certification authority is accurate.
    13         (2)  All foreseeable information material to the
    14     reliability of the certificate is stated or incorporated by
    15     reference within the certificate.
    16         (3)  The subscriber has accepted the certificate.
    17         (4)  The licensed certification authority has complied
    18     with all applicable laws of this Commonwealth governing
    19     issuance of the certificate.
    20     (d)  Publication.--By publishing a certificate, a licensed
    21  certification authority certifies to the repository in which the
    22  certificate is published and to all who reasonably rely on the
    23  information contained in the certificate that the certification
    24  authority has issued the certificate to the subscriber.
    25  Section 12.  Representations and duties upon acceptance of
    26                 certificate.
    27     (a)  General rule.--By accepting a certificate issued by a
    28  licensed certification authority, the subscriber listed in the
    29  certificate certifies to all who reasonably rely on the
    30  information contained in the certificate that:
    19990S0519B0557                 - 20 -

     1         (1)  The subscriber rightfully holds the private key
     2     corresponding to the public key listed in the certificate.
     3         (2)  All representations made by the subscriber to the
     4     certification authority and material to information listed in
     5     the certificate are true.
     6         (3)  All material representations made by the subscriber
     7     to a certification authority or made in the certificate and
     8     not confirmed by the certification authority in issuing the
     9     certificate are true.
    10     (b)  Agents.--An agent requesting on behalf of a principal
    11  that a certificate be issued naming the principal as subscriber
    12  certifies that the agent:
    13         (1)  Holds all authority legally required to apply for
    14     issuance of a certificate naming the principal as subscriber.
    15         (2)  Has authority to sign digitally on behalf of the
    16     principal and, if that authority is limited in any way, that
    17     adequate safeguards exist to prevent a digital signature
    18     exceeding the bounds of the person's authority.
    19     (c)  Disclaimer.--A person may not disclaim or contractually
    20  limit the application of this section nor obtain indemnity for
    21  its effects if the disclaimer, limitation or indemnity restricts
    22  liability for misrepresentation as against persons reasonably
    23  relying on the certificate.
    24     (d)  Acceptance of certificate.--
    25         (1)  By accepting a certificate, a subscriber undertakes
    26     to indemnify the issuing certification authority for any loss
    27     or damage caused by issuance or publication of a certificate
    28     in reliance on a false and material representation of fact by
    29     the subscriber or the failure by the subscriber to disclose a
    30     material fact if the representation or failure to disclose
    19990S0519B0557                 - 21 -

     1     was made either with intent to deceive the certification
     2     authority or a person relying on the certificate or was made
     3     with negligence.
     4         (2)  If the certification authority issued the
     5     certificate at the request of an agent of the subscriber, the
     6     agent personally undertakes to indemnify the certification
     7     authority pursuant to paragraph (1) as if the agent was an
     8     accepting subscriber in his own right. The indemnity provided
     9     in paragraph (1) may not be disclaimed or contractually
    10     limited in scope; however, a contract may provide consistent,
    11     additional terms regarding the indemnification.
    12     (e)  Certification.--In obtaining information of the
    13  subscriber material to issuance of a certificate, the
    14  certification authority may require the subscriber to certify
    15  the accuracy of relevant information under oath or affirmation
    16  of truthfulness and under penalty of criminal prohibitions
    17  against false, sworn statements.
    18  Section 13.  Control of private key.
    19     (a)  Duty.--By accepting a certificate issued by a licensed
    20  certification authority, the subscriber identified in the
    21  certificate assumes a duty to exercise reasonable care to retain
    22  control of the private key and prevent its disclosure to any
    23  person not authorized to create the subscriber's digital
    24  signature.
    25     (b)  Personal property.--A private key is the personal
    26  property of the subscriber who rightfully holds it.
    27     (c)  Public key.--If a certification authority holds the
    28  private key corresponding to a public key listed in a
    29  certificate which it has issued, the certification authority
    30  holds the private key as a fiduciary of the subscriber named in
    19990S0519B0557                 - 22 -

     1  the certificate and may use that private key only with the
     2  subscriber's prior, written approval unless the subscriber
     3  expressly grants the private key to the certification authority
     4  and expressly permits the certification authority to hold the
     5  private key according to other terms.
     6  Section 14.  Suspension of certificate.
     7     (a)  General rule.--
     8         (1)  Unless the certification authority and the
     9     subscriber agree otherwise, the licensed certification
    10     authority which issued a certificate which is not a
    11     transactional certificate shall suspend the certificate for a
    12     period not exceeding 48 hours:
    13             (i)  upon request by a person identifying himself as
    14         the subscriber named in the certificate or as a person in
    15         a position likely to know of a compromise of the security
    16         of a subscriber's private key, such as an agent, business
    17         associate, employee or member of the immediate family of
    18         the subscriber; or
    19             (ii)  by order of the division pursuant to section
    20         10(d).
    21         (2)  The certification authority need not confirm the
    22     identity or agency of the person requesting suspension under
    23     subsection (a)(1)(i).
    24     (b)  Additional grounds.--
    25         (1)  Unless the certificate provides otherwise or the
    26     certificate is a transactional certificate, the division, a
    27     court clerk or a county clerk may suspend a certificate
    28     issued by a licensed certification authority for a period of
    29     48 hours if:
    30             (i)  a person requests suspension and identifies
    19990S0519B0557                 - 23 -

     1         himself as the subscriber named in the certificate or as
     2         an agent, business associate, employee or member of the
     3         immediate family of the subscriber; and
     4             (ii)  the requester represents that the certification
     5         authority which issued the certificate is unavailable.
     6         (2)  The division, court clerk or county clerk may:
     7             (i)  require the person requesting suspension under
     8         paragraph (1) to provide evidence, including a statement
     9         under oath or affirmation, regarding any information
    10         described in paragraph (1); and
    11             (ii)  suspend or decline to suspend the certificate
    12         in its discretion.
    13         (3)  The division, Attorney General or county attorney
    14     may investigate suspensions by the division, a court clerk or
    15     a county clerk for possible wrongdoing by persons requesting
    16     suspension under paragraph (1).
    17     (c)  Notice of suspension.--
    18         (1)  Immediately upon suspension of a certificate by a
    19     licensed certification authority, the licensed certification
    20     authority shall publish notice, signed by the licensed
    21     certification authority, of the suspension in any
    22     repositories specified in the certificate for publication of
    23     notice of suspension. If any repository specified in the
    24     certificate no longer exists or refuses to accept publication
    25     or is no longer recognized pursuant to section 25, the
    26     licensed certification authority shall publish the notice in
    27     any recognized repository.
    28         (2)  If a certificate is suspended by the division, a
    29     court clerk or a county clerk, the division or clerk shall
    30     give notice as required in paragraph (1) for a licensed
    19990S0519B0557                 - 24 -

     1     certification authority, provided that the person requesting
     2     suspension pays in advance any fee required by a repository
     3     for publication of the notice of suspension.
     4     (d)  Termination.--A certification authority shall terminate
     5  a suspension initiated by request only:
     6         (1)  if the subscriber named in the suspended certificate
     7     requests termination of the suspension and the certification
     8     authority has confirmed that the person requesting suspension
     9     is the subscriber or an agent of the subscriber authorized to
    10     terminate the suspension; or
    11         (2)  when the certification authority discovers and
    12     confirms that the request for the suspension was made without
    13     authorization by the subscriber, provided that this
    14     subsection does not require the certification authority to
    15     confirm a request for suspension.
    16     (e)  Limits on suspension authority.--The contract between a
    17  subscriber and a licensed certification authority may limit or
    18  preclude requested suspension by the certification authority or
    19  may provide otherwise for termination of a requested suspension.
    20  However, if the contract limits or precludes suspension by the
    21  division, a court clerk or a county clerk when the issuing
    22  certification authority is unavailable, the limitation or
    23  preclusion shall be effective only if notice of the limitation
    24  or preclusion is published in the certificate.
    25     (f)  Misrepresentation.--A person may not knowingly or
    26  intentionally misrepresent to a certification authority his
    27  identity or authorization in requesting suspension of a
    28  certificate. Violation of this subsection is a misdemeanor of
    29  the second degree.
    30     (g)  Effect of suspension.--While the certificate is
    19990S0519B0557                 - 25 -

     1  suspended, the subscriber is released from the duty to keep the
     2  private key secure pursuant to section 13(a).
     3  Section 15.  Revocation of certificate.
     4     (a)  General rule.--A licensed certification authority shall
     5  revoke a certificate which it issued, but which is not a
     6  transactional certificate, after:
     7         (1)  receiving a request for revocation by the subscriber
     8     named in the certificate; and
     9         (2)  confirming that the person requesting revocation is
    10     that subscriber or is an agent of that subscriber with
    11     authority to request the revocation.
    12     (b)  Confirmation.--A licensed certification authority shall
    13  confirm a request for revocation and revoke a certificate within
    14  one business day after receiving both a subscriber's written
    15  request and evidence reasonably sufficient to confirm the
    16  identity and any agency of the person requesting the suspension.
    17     (c)  Death or dissolution.--A licensed certification
    18  authority shall revoke a certificate which it issued:
    19         (1)  upon receiving a certified copy of the subscriber's
    20     death certificate or upon confirming by other evidence that
    21     the subscriber is dead; or
    22         (2)  upon presentation of documents effecting a
    23     dissolution of the subscriber or upon confirming by other
    24     evidence that the subscriber has been dissolved or has ceased
    25     to exist.
    26     (d)  Unreliability.--A licensed certification authority may
    27  revoke one or more certificates which it issued if the
    28  certificates are or become unreliable, regardless of whether the
    29  subscriber consents to the revocation.
    30     (e)  Publication.--Immediately upon revocation of a
    19990S0519B0557                 - 26 -

     1  certificate by a licensed certification authority, the licensed
     2  certification authority shall publish signed notice of the
     3  revocation in any repository specified in the certificate for
     4  publication of notice of revocation. If any repository specified
     5  in the certificate no longer exists or refuses to accept
     6  publication or is no longer recognized pursuant to section 25,
     7  the licensed certification authority shall publish the notice in
     8  any recognized repository.
     9     (f)  Release from duty.--A subscriber ceases to certify the
    10  information, as provided in section 12, and has no further duty
    11  to keep the private key secure, as required by section 13, in
    12  relation to a certificate whose revocation the subscriber has
    13  requested, beginning with the earlier of either:
    14         (1)  when notice of the revocation is published as
    15     required in subsection (e); or
    16         (2)  two business days after the subscriber requests
    17     revocation in writing, supplies to the issuing certification
    18     authority information reasonably sufficient to confirm the
    19     request and pays any contractually required fee.
    20     (g)  Discharge of warranty.--Upon notification as required by
    21  subsection (e), a licensed certification authority is discharged
    22  of its warranties based on issuance of the revoked certificate
    23  and ceases to certify the information, as provided in section
    24  11, in relation to the revoked certificate.
    25  Section 16.  Expiration of certificate.
    26     A certificate shall indicate the date on which it expires.
    27  When a certificate expires, the subscriber and certification
    28  authority cease to certify the information in the certificate as
    29  provided in this act and the certification authority is
    30  discharged of its duties based on issuance of that certificate.
    19990S0519B0557                 - 27 -

     1  Section 17.  Recommended reliance limits and liability.
     2     (a)  Reliance limit.--By specifying a recommended reliance
     3  limit in a certificate, the issuing certification authority and
     4  the accepting subscriber recommend that persons rely on the
     5  certificate only to the extent that the total amount at risk
     6  does not exceed the recommended reliance limit.
     7     (b)  Liability.--Unless a licensed certification authority
     8  waives application of this subsection, a licensed certification
     9  authority is:
    10         (1)  not liable for any loss caused by reliance on a
    11     false or forged digital signature of a subscriber if, with
    12     respect to the false or forged digital signature, the
    13     certification authority complied with all material
    14     requirements of this act.
    15         (2)  not liable in excess of the amount specified in the
    16     certificate as its recommended reliance limit for either:
    17             (i)  a loss caused by reliance on a misrepresentation
    18         in the certificate of any fact that the licensed
    19         certification authority is required to confirm; or
    20             (ii)  failure to comply with section 10 in issuing
    21         the certificate;
    22         (3)  liable only for direct compensatory damages in any
    23     action to recover a loss due to reliance on the certificate,
    24     which damages do not include:
    25             (i)  punitive or exemplary damages;
    26             (ii)  damages for lost profits, savings, or
    27         opportunity; or
    28             (iii)  damages for pain or suffering.
    29  Section 18.  Collection based on suitable guaranty.
    30     (a)  General rule.--
    19990S0519B0557                 - 28 -

     1         (1)  Notwithstanding any provision in the suitable
     2     guaranty to the contrary:
     3             (i)  if the suitable guaranty is a surety bond, a
     4         person may recover from the surety the full amount of a
     5         qualified right to payment against the principal named in
     6         the bond or, if there is more than one such qualified
     7         right to payment during the term of the bond, a ratable
     8         share up to a maximum total liability of the surety equal
     9         to the amount of the bond; or
    10             (ii)  if the suitable guaranty is a letter of
    11         credit, a person may recover from the issuing financial
    12         institution the full amount of a qualified right to
    13         payment against the customer named in the letter of
    14         credit or, if there is more than one qualified right to
    15         payment during the term of the letter of credit, a
    16         ratable share up to a maximum total liability of the
    17         issuer equal to the amount of the credit.
    18         (2)  Claimants may recover successively on the same
    19     suitable guaranty, provided that the total liability on the
    20     suitable guaranty to all persons making claims based upon
    21     qualified rights of payment during its term may not exceed
    22     the amount of the suitable guaranty.
    23     (b)  Attorney fees.--In addition to recovering the amount of
    24  a qualified right to payment, a claimant may recover from the
    25  proceeds of the guaranty, until depleted, reasonable attorney
    26  fees and court costs incurred by the claimant in collecting the
    27  claim, provided that the total liability on the suitable
    28  guaranty to all persons making claims based upon qualified
    29  rights of payment or recovering attorney fees and court costs
    30  during its term may not exceed the amount of the suitable
    19990S0519B0557                 - 29 -

     1  guaranty.
     2     (c)  Right to payment.--To recover a qualified right to
     3  payment against a surety or issuer of a suitable guaranty, the
     4  claimant shall file written notice of the claim with the
     5  division stating the name and address of the claimant, the
     6  amount claimed, the grounds for the qualified right to payment
     7  and any other information required by regulation.
     8     (d)  Recovery barred.--Recovery of a qualified right to
     9  payment from the proceeds of the suitable guaranty shall be
    10  forever barred unless the claimant substantially complies with
    11  subsection (c) and notice of the claim is filed within two years
    12  after the occurrence of the violation of this act which is the
    13  basis for the claim.
    14  Section 19.  Satisfaction of signature requirements.
    15     (a)  General rule.--Where a rule of law requires a signature
    16  or provides for certain consequences in the absence of a
    17  signature, that rule is satisfied by a digital signature if:
    18         (1)  that digital signature is verified by reference to
    19     the public key listed in a valid certificate issued by a
    20     licensed certification authority;
    21         (2)  that digital signature was affixed by the signer
    22     with the intention of signing the message; and
    23         (3)  the recipient has no knowledge or notice that the
    24     signer either:
    25             (i)  breached a duty as a subscriber; or
    26             (ii)  does not rightfully hold the private key used
    27         to affix the digital signature.
    28     (b)  Other law.--Nothing in this act precludes any symbol
    29  from being valid as a signature under other applicable law.
    30  Section 20.  Unreliable digital signatures.
    19990S0519B0557                 - 30 -

     1     Unless otherwise provided by law or contract, the recipient
     2  of a digital signature assumes the risk that a digital signature
     3  is forged if reliance on the digital signature is not reasonable
     4  under the circumstances. If the recipient determines not to rely
     5  on a digital signature pursuant to this section, the recipient
     6  shall promptly notify the signer of its determination not to
     7  rely on the digital signature.
     8  Section 21.  Digitally signed document is written.
     9     (a)  General rule.--A message is as valid, enforceable and
    10  effective as if it had been written on paper if it:
    11         (1)  bears in its entirety a digital signature; and
    12         (2)  that digital signature is verified by the public key
    13     listed in a certificate which was issued by a licensed
    14     certification authority and was valid at the time the digital
    15     signature was created.
    16     (b)  Other law.--Nothing in this act precludes any message,
    17  document or record from being considered written or in writing
    18  under other applicable law.
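As an added example that is not part of the bill, the following Python models the recipient's decision that sections 19 and 21 describe: the signature must verify against the public key listed in a certificate that was issued by a licensed certification authority and was valid when the signature was created, read together with the expiry rule of section 16, the published suspension and revocation notices of sections 14 and 15 (a requested suspension runs at most 48 hours) and the recommended reliance limit of section 17. A textbook RSA toy stands in for the signature scheme, and every certificate, key, time and message is constructed for the demonstration.

```python
"""Recipient-side reliance check modelled on this bill (added example; not the bill's own text).
Sections applied: 19(a)/21(a) (signature verified by the public key in a certificate issued by a
licensed CA and valid when the signature was created), 16 (expiry), 14/15 (published suspension and
revocation notices, requested suspensions running at most 48 hours) and 17(a) (recommended reliance
limit). Textbook RSA on two small primes stands in for a real signature scheme; all names, keys,
times and messages are constructed for the demonstration."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2000, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed signing time used by demo()

def toy_keypair(p: int = 999983, q: int = 1000003, e: int = 65537):
    """Textbook RSA on two small primes: demonstration only, far too small for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # (public key, private key); pow(e, -1, m) needs Python 3.8+

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def toy_sign(private_key: tuple[int, int], message: bytes) -> int:
    d, n = private_key
    return pow(_digest(message, n), d, n)

def toy_verify(public_key: tuple[int, int], message: bytes, signature: int) -> bool:
    """Verification 'by reference to the public key listed in' the certificate (s.19(a)(1))."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)

@dataclass(frozen=True)
class Certificate:
    serial: str
    subscriber: str
    issuer_licensed: bool        # s.19(a)(1), s.21(a)(2): issuer must be a licensed CA
    public_key: tuple[int, int]
    not_before: datetime
    expires: datetime            # s.16: a certificate shall indicate the date on which it expires
    reliance_limit: int          # s.17(a): recommended reliance limit

@dataclass
class Repository:
    """Recognized repository (s.25) holding published notices of suspension and revocation."""
    suspensions: dict[str, list[tuple[datetime, datetime]]] = field(default_factory=dict)
    revocations: dict[str, datetime] = field(default_factory=dict)

    def publish_suspension(self, serial: str, at: datetime, hours: int = 48) -> None:
        # s.14(a)(1): a requested suspension runs for a period not exceeding 48 hours
        self.suspensions.setdefault(serial, []).append((at, at + timedelta(hours=min(hours, 48))))

    def publish_revocation(self, serial: str, at: datetime) -> None:
        self.revocations[serial] = at  # s.15(e): signed notice of revocation

    def status_at(self, serial: str, when: datetime) -> str:
        if (revoked_at := self.revocations.get(serial)) is not None and when >= revoked_at:
            return "revoked"
        if any(start <= when < end for start, end in self.suspensions.get(serial, [])):
            return "suspended"
        return "active"

@dataclass
class Decision:
    satisfied: bool              # s.19(a)/s.21(a): does the signature satisfy a signature requirement?
    within_reliance_limit: bool  # s.17(a): is the amount at risk within the recommended limit?
    reasons: list[str]           # empty when satisfied

def check_reliance(message: bytes, signature: int, cert: Certificate, repo: Repository,
                   signed_at: datetime, amount_at_risk: int, recipient_has_notice: bool = False) -> Decision:
    """Apply the bill's conditions as of the time the signature was created."""
    reasons = []
    if not cert.issuer_licensed:
        reasons.append("issuer is not a licensed certification authority (s.19(a)(1))")
    if not toy_verify(cert.public_key, message, signature):
        reasons.append("signature does not verify against the listed public key (s.19(a)(1))")
    if not (cert.not_before <= signed_at < cert.expires):
        reasons.append("certificate outside its validity period at signing time (s.16, s.21(a)(2))")
    status = repo.status_at(cert.serial, signed_at)
    if status != "active":
        reasons.append(f"certificate was {status} at signing time (s.14, s.15, s.21(a)(2))")
    if recipient_has_notice:  # s.19(a)(3): notice that the signer breached a duty or lacks the key
        reasons.append("recipient has notice of the signer's breach or lack of the private key (s.19(a)(3))")
    # s.17(a) is a recommendation, not a validity condition, so it is reported separately
    return Decision(not reasons, amount_at_risk <= cert.reliance_limit, reasons)

def demo() -> dict[str, Decision]:
    """Constructed scenarios: one good signature, then the ways reliance can fail."""
    public_key, private_key = toy_keypair()
    cert = Certificate("SN-0001", "constructed subscriber", True, public_key,
                       T0 - timedelta(days=30), T0 + timedelta(days=335), reliance_limit=10_000)
    repo, message = Repository(), b"constructed message: pay 500 to account 12-34"
    signature = toy_sign(private_key, message)
    out = {"valid": check_reliance(message, signature, cert, repo, T0, 500),
           "tampered": check_reliance(message + b".", signature, cert, repo, T0, 500),
           "over_limit": check_reliance(message, signature, cert, repo, T0, 50_000)}
    repo.publish_suspension(cert.serial, T0 - timedelta(hours=1))  # window ends at T0 + 47h
    out["suspended"] = check_reliance(message, signature, cert, repo, T0, 500)
    out["after_suspension"] = check_reliance(message, signature, cert, repo, T0 + timedelta(hours=48), 500)
    repo.publish_revocation(cert.serial, T0 + timedelta(days=2))
    out["after_revocation"] = check_reliance(message, signature, cert, repo, T0 + timedelta(days=3), 500)
    out["expired"] = check_reliance(message, signature, cert, repo, T0 + timedelta(days=400), 500)
    return out

if __name__ == "__main__": print({name: d.satisfied for name, d in demo().items()})
```

Note that a suspension or revocation published after the signing time does not defeat a signature created while the certificate was still valid; section 21 fixes the test at the time the signature was created.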
    19  Section 22.  Digitally signed originals.
    20     A copy of a digitally signed message is as effective, valid
    21  and enforceable as the original of the message unless it is
    22  evident that the signer designated an instance of the digitally
    23  signed message to be a unique original, in which case only that
    24  instance constitutes the valid, effective and enforceable
    25  message.
    26  Section 23.  Certificate as acknowledgment.
    27     Unless otherwise provided by law or contract, a certificate
    28  issued by a licensed certification authority is an
    29  acknowledgment of a digital signature verified by reference to
    30  the public key listed in the certificate, regardless of whether
    19990S0519B0557                 - 31 -

     1  words of an express acknowledgment appear with the digital
     2  signature or whether the signer physically appeared before the
     3  certification authority when the digital signature was created,
     4  if that digital signature is verifiable by that certificate and
     5  affixed when that certificate was valid.
     6  Section 24.  Presumptions in adjudicating disputes.
     7     In adjudicating a dispute involving a digital signature, a
     8  court shall presume that:
     9         (1)  a certificate digitally signed by a licensed
    10     certification authority and either published in a recognized
    11     repository or made available by the issuing certification
    12     authority or by the subscriber listed in the certificate is
    13     issued by the certification authority which digitally signed
    14     it and is accepted by the subscriber listed in it;
    15         (2)  the information listed in a valid certificate, as
    16     defined in section 3, and confirmed by a licensed
    17     certification authority issuing the certificate is accurate;
    18         (3)  if a digital signature is verified by the public key
    19     listed in a valid certificate issued by a licensed
    20     certification authority:
    21             (i)  that the digital signature is the digital
    22         signature of the subscriber listed in that certificate;
    23             (ii)  that the digital signature was affixed by the
    24         signer with the intention of signing the message; and
    25             (iii)  that the recipient of that digital signature
    26         has no knowledge or notice that the signer breached a
    27         duty as a subscriber or does not rightfully hold the
    28         private key used to affix the digital signature; and
    29         (4)  a digital signature was created before it was time
    30     stamped by a disinterested person utilizing a trustworthy
    19990S0519B0557                 - 32 -

     1     system.
     2  Section 25.  Recognition of repositories.
     3     (a)  Application for recognition.--A repository may apply to
     4  the division for recognition by filing a written request and
     5  providing evidence to the division that the repository meets the
     6  requirements of subsection (b). The division shall determine
     7  whether to grant or deny the request.
     8     (b)  Grounds for recognition.--The division shall recognize a
     9  repository, after finding that the repository:
    10         (1)  is operated under the direction of a licensed
    11     certification authority;
    12         (2)  includes a data base containing:
    13             (i)  Certificates published in the repository.
    14             (ii)  Notices of suspended or revoked certificates
    15         published by licensed certification authorities or other
    16         persons suspending or revoking certificates as provided
    17         in sections 14 and 15.
    18             (iii)  Certification authority disclosure records for
    19         licensed certification authorities.
    20             (iv)  All orders or advisory statements published by
    21         the division in regulating certification authorities.
    22             (v)  Other information as determined by regulations.
    23         (3)  operates by means of a trustworthy system;
    24         (4)  contains no significant amount of information which
    25     the division finds is known or likely to be untrue,
    26     inaccurate or not reasonably reliable;
    27         (5)  contains certificates published by certification
    28     authorities required to conform to rules of practice which
    29     the division finds to be substantially similar to or more
    30     stringent toward the certification authorities than those of
    19990S0519B0557                 - 33 -

     1     this Commonwealth;
     2         (6)  keeps an archive of certificates that have been
     3     suspended or revoked or that have expired within at least the
     4     past three years; and
     5         (7)  complies with other requirements prescribed by
     6     regulation.
     7     (c)  Request for discontinuance.--The division's recognition
     8  of a repository may be discontinued upon the repository's
     9  written request for discontinuance filed with the division at
    10  least 30 days before discontinuance.
    11     (d)  Grounds for discontinuance.--The division may
    12  discontinue recognition of a repository:
    13         (1)  upon passage of an expiration date specified by the
    14     division in granting recognition; or
    15         (2)  if after a hearing the division concludes that the
    16     repository no longer satisfies the conditions for recognition
    17     listed in this section or in the regulations.
    18  Section 26.  Liability of repositories.
    19     (a)  General rule.--Notwithstanding any disclaimer by the
    20  repository or any contract to the contrary between the
    21  repository, a certification authority or a subscriber, a
    22  repository is liable for a loss incurred by a person reasonably
    23  relying on a digital signature verified by the public key listed
    24  in a suspended or revoked certificate if:
    25         (1)  the loss was incurred more than one business day
    26     after receipt by the repository of a request to publish
    27     notice of the suspension or revocation; and
    28         (2)  the repository had failed to publish the notice of
    29     suspension or revocation when the person relied on the
    30     digital signature.
    19990S0519B0557                 - 34 -

     1     (b)  Recognized repositories.--Unless waived, a recognized
     2  repository or the owner or operator of a recognized repository
     3  is:
     4         (1)  not liable:
     5             (i)  for failure to publish notice of a suspension or
     6         revocation unless the repository has received notice of
     7         publication and one business day has elapsed since the
     8         notice was received;
     9             (ii)  for any damages pursuant to subsection (a) in
    10         excess of the amount specified in the certificate as the
    11         recommended reliance limit;
    12             (iii)  for misrepresentation in a certificate
    13         published by a licensed certification authority;
    14             (iv)  for accurately recording or reporting
    15         information which a licensed certification authority, the
    16         division, a county clerk or court clerk has published as
    17         provided in this act including information about
    18         suspension or revocation of a certificate; or
    19             (v)  for reporting information about a certification
    20         authority, a certificate or a subscriber if such
    21         information is published as provided in this act or a
    22         regulation or is published by order of the division in
    23         the performance of its licensing and regulatory duties
    24         pursuant to this act; and
    25         (2)  liable pursuant to subsection (a) only for direct
    26     compensatory damages, which do not include:
    27             (i)  punitive or exemplary damages;
    28             (ii)  damages for lost profits, savings or
    29         opportunity; or
    30             (iii)  damages for pain or suffering.
    19990S0519B0557                 - 35 -

     1  Section 27.  Confidential records.
     2     The following governmental entity records shall be
     3  confidential:
     4         (1)  records containing information that would disclose
     5     or might lead to the disclosure of private keys, asymmetric
     6     cryptosystems or algorithms; and
     7         (2)  records which, if they are disclosed, might
     8     jeopardize the security of an issued certificate or a
     9     certificate to be issued.
    10  Section 28.  Effective date.
    11     This act shall take effect in 180 days.
    B11L12RLE/19990S0519B0557       - 36 -