
S.B. 76

             1      AMENDMENTS TO DIGITAL SIGNATURE ACT
             2      2000 GENERAL SESSION
             3      STATE OF UTAH
             4      Sponsor: David H. Steele

             5      AN ACT RELATING TO DIGITAL SIGNATURES; AMENDING PROVISIONS MANDATING
             6      THAT THE DIVISION OF CORPORATIONS AND COMMERCIAL CODE BE A
             7      CERTIFICATION AUTHORITY AND RELATED PROVISIONS; AMENDING THE
             8      EXEMPTION OF A CERTIFICATION AUTHORITY FROM THE AUDIT REQUIREMENT;
             9      AND MAKING CONFORMING AMENDMENTS.
             10      This act affects sections of Utah Code Annotated 1953 as follows:
             11      AMENDS:
             12          46-3-104, as repealed and reenacted by Chapter 205, Laws of Utah 1996
             13          46-3-202, as last amended by Chapter 205, Laws of Utah 1996
             14      Be it enacted by the Legislature of the state of Utah:
             15          Section 1. Section 46-3-104 is amended to read:
             16           46-3-104. Role of the division.
             17          (1) The division [shall] may be a certification authority, and may issue, suspend, and
             18      revoke certificates in the manner prescribed for licensed certification authorities in Part 3 of this
             19      chapter.
             20          (2) The division shall maintain a publicly accessible database containing a certification
             21      authority disclosure record for each licensed certification authority. [The] If the division operates
             22      as a certification authority, the division shall publish the contents of the database in at least one
             23      recognized repository.
             24          (3) In accordance with Title 63, Chapter 46a, Utah Administrative Rulemaking Act, the
             25      division shall make rules as required by this chapter and in furtherance of its purposes, including
             26      rules:
             27          (a) governing licensed certification authorities, their practice, and the termination of a
             28      certification authority's practice;
             29          (b) determining an amount appropriate for a suitable guaranty, in light of:
             30          (i) the burden a suitable guaranty places upon licensed certification authorities; and
             31          (ii) the assurance of financial responsibility it provides to persons who rely on certificates
             32      issued by licensed certification authorities;
             33          (c) for reviewing software for use in creating digital signatures and publish reports
             34      concerning software;
             35          (d) specifying reasonable requirements for the form of certificates issued by licensed
             36      certification authorities, in accordance with generally accepted standards for digital signature
             37      certificates;
             38          (e) specifying reasonable requirements for recordkeeping by licensed certification
             39      authorities;
             40          (f) specifying reasonable requirements for the content, form, and sources of information
             41      in certification authority disclosure records, the updating and timeliness of such information, and
             42      other practices and policies relating to certification authority disclosure records; and
             43          (g) specifying the form of certification practice statements.
             44          Section 2. Section 46-3-202 is amended to read:
             45           46-3-202. Performance audits and investigations.
             46          (1) A certified public accountant having expertise in computer security, or an accredited
             47      computer security professional, shall audit the operations of each licensed certification authority
             48      at least once each year to evaluate compliance with this chapter. The division may specify
             49      qualifications for auditors in greater detail by rule.
             50          (2) (a) Based on information gathered in the audit, the auditor shall categorize the licensed
             51      certification authority's compliance as one of the following:
             52          (i) full compliance, which means the certification authority appears to conform to all
             53      applicable statutory and regulatory requirements;
             54          (ii) substantial compliance, which means the certification authority generally appears to
             55      conform to all applicable statutory and regulatory requirements; however, one or more instances
             56      of noncompliance or inability to demonstrate compliance were found in the audited sample, but
             57      were likely to be inconsequential;
             58          (iii) partial compliance, which means the certification authority appears to comply with
             59      some statutory and regulatory requirements, but was found not to have complied or not to be able
             60      to demonstrate compliance with one or more important safeguards; or
             61          (iv) noncompliance, which means the certification authority complies with few or none
             62      of the statutory and regulatory requirements, fails to keep adequate records to demonstrate
             63      compliance with more than a few requirements, or refused to submit to an audit.
             64          (b) The auditor shall report the date of the audit of the licensed certification authority and
             65      resulting categorization to the division.
             66          (c) The division shall publish in the certification authority disclosure record it maintains
             67      for the certification authority, the date of the audit, and the resulting categorization of the
             68      certification authority.
             69          [(3) (a) The division may exempt a licensed certification authority from the requirements
             70      of Subsection (1) if:]
             71          [(i) the certification authority to be exempted requests exemption in writing;]
             72          [(ii) the most recent performance audit, if any, of the certification authority resulted in a
             73      finding of full or substantial compliance; and]
             74          [(iii) the certification authority declares under oath or affirmation that one or more of the
             75      following is true with respect to the certification authority:]
             76          [(A) the certification authority has issued fewer than six certificates during the past year
             77      and the total of the recommended reliance limits of all such certificates does not exceed $10,000;]
             78          [(B) the aggregate lifetime of all certificates issued by the certification authority during the
             79      past year is less than 30 days and the total of the recommended reliance limits of all such
             80      certificates does not exceed $10,000; or]
             81          [(C) the recommended reliance limits of all certificates outstanding and issued by the
             82      certification authority total less than $1,000.]
             83          [(b) If the certification authority's declaration pursuant to Subsection (3)(a) falsely states
             84      a material fact, the certification authority shall have failed to comply with the performance audit
             85      requirement of this subsection.]
             86          [(c) If a licensed certification authority is exempt under this subsection, the division shall
             87      publish in the certification authority disclosure record it maintains for the certification authority
             88      a statement that the certification authority is exempt from the performance audit requirement.]
Legislative Review Note
    as of 11-17-99 12:51 PM


A limited legal review of this legislation raises no obvious constitutional or statutory concerns.

Office of Legislative Research and General Counsel


Committee Note

The Public Utilities and Technology Interim Committee recommended this bill.