S.B. 76
5 AN ACT RELATING TO DIGITAL SIGNATURES; AMENDING PROVISIONS MANDATING
6 THAT THE DIVISION OF CORPORATIONS AND COMMERCIAL CODE BE A
7 CERTIFICATION AUTHORITY AND RELATED PROVISIONS; AMENDING THE
8 EXEMPTION OF A CERTIFICATION AUTHORITY FROM THE AUDIT REQUIREMENT;
9 AND MAKING CONFORMING AMENDMENTS.
10 This act affects sections of Utah Code Annotated 1953 as follows:
11 AMENDS:
12 46-3-104, as repealed and reenacted by Chapter 205, Laws of Utah 1996
13 46-3-202, as last amended by Chapter 205, Laws of Utah 1996
14 Be it enacted by the Legislature of the state of Utah:
15 Section 1. Section 46-3-104 is amended to read:
16 46-3-104. Role of the division.
17 (1) The division [
18 revoke certificates in the manner prescribed for licensed certification authorities in Part 3 of this
19 chapter.
20 (2) The division shall maintain a publicly accessible database containing a certification
21 authority disclosure record for each licensed certification authority. [
22 as a certification authority, the division shall publish the contents of the database in at least one
23 recognized repository.
24 (3) In accordance with Title 63, Chapter 46a, Utah Administrative Rulemaking Act, the
25 division shall make rules as required by this chapter and in furtherance of its purposes, including
26 rules:
27 (a) governing licensed certification authorities, their practice, and the termination of a
28 certification authority's practice;
29 (b) determining an amount appropriate for a suitable guaranty, in light of:
30 (i) the burden a suitable guaranty places upon licensed certification authorities; and
31 (ii) the assurance of financial responsibility it provides to persons who rely on certificates
32 issued by licensed certification authorities;
33 (c) for reviewing software for use in creating digital signatures and publish reports
34 concerning software;
35 (d) specifying reasonable requirements for the form of certificates issued by licensed
36 certification authorities, in accordance with generally accepted standards for digital signature
37 certificates;
38 (e) specifying reasonable requirements for recordkeeping by licensed certification
39 authorities;
40 (f) specifying reasonable requirements for the content, form, and sources of information
41 in certification authority disclosure records, the updating and timeliness of such information, and
42 other practices and policies relating to certification authority disclosure records; and
43 (g) specifying the form of certification practice statements.
44 Section 2. Section 46-3-202 is amended to read:
45 46-3-202. Performance audits and investigations.
46 (1) A certified public accountant having expertise in computer security, or an accredited
47 computer security professional, shall audit the operations of each licensed certification authority
48 at least once each year to evaluate compliance with this chapter. The division may specify
49 qualifications for auditors in greater detail by rule.
50 (2) (a) Based on information gathered in the audit, the auditor shall categorize the licensed
51 certification authority's compliance as one of the following:
52 (i) full compliance, which means the certification authority appears to conform to all
53 applicable statutory and regulatory requirements;
54 (ii) substantial compliance, which means the certification authority generally appears to
55 conform to all applicable statutory and regulatory requirements; however, one or more instances
56 of noncompliance or inability to demonstrate compliance were found in the audited sample, but
57 were likely to be inconsequential;
58 (iii) partial compliance, which means the certification authority appears to comply with
59 some statutory and regulatory requirements, but was found not to have complied or not to be able
60 to demonstrate compliance with one or more important safeguards; or
61 (iv) noncompliance, which means the certification authority complies with few or none
62 of the statutory and regulatory requirements, fails to keep adequate records to demonstrate
63 compliance with more than a few requirements, or refused to submit to an audit.
64 (b) The auditor shall report the date of the audit of the licensed certification authority and
65 resulting categorization to the division.
66 (c) The division shall publish in the certification authority disclosure record it maintains
67 for the certification authority, the date of the audit, and the resulting categorization of the
68 certification authority.
Legislative Review Note
as of 11-17-99 12:51 PM
A limited legal review of this legislation raises no obvious constitutional or statutory concerns.
Office of Legislative Research and General Counsel
Committee Note
The Public Utilities and Technology Interim Committee recommended this bill.