DAR File No. 30642
This filing was published in the 11/15/2007, issue, Vol. 2007, No. 22, of the Utah State Bulletin.
Commerce, Corporations and Commercial Code
R154-10
Utah Digital Signatures Act Rules
NOTICE OF PROPOSED RULE
DAR File No.: 30642
Filed: 11/01/2007, 04:39
Received by: NL
RULE ANALYSIS
Purpose of the rule or reason for the change:
The umbrella statute was repealed (S.B. 20, 2006 General Session) so the rule needs to be repealed as well. (DAR NOTE: S.B. 20 (2006) is found at Chapter 21, Laws of Utah 2006, and was effective 05/01/2006.)
Summary of the rule or change:
This rule is repealed in its entirety.
State statutory or constitutional authorization for this rule:
Title 46, Chapter 2, and Title 46, Chapter 3
Anticipated cost or savings to:
the state budget:
There would be no cost or savings to the state budget because the law has not been used for several years now.
local governments:
There would be no cost or savings to local governments because the law has not been used for several years now.
small businesses and persons other than businesses:
There would be no cost or savings to small businesses or other persons because the law has not been used for several years now.
Compliance costs for affected persons:
There would be no cost or savings to any person because the law has not been used for several years now.
Comments by the department head on the fiscal impact the rule may have on businesses:
No fiscal impact to businesses is anticipated, because the umbrella statute has been repealed and this rule is no longer necessary. Francine Giani, Executive Director
The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:
Commerce, Corporations and Commercial Code
HEBER M WELLS BLDG
160 E 300 S
SALT LAKE CITY UT 84111-2316
Direct questions regarding this rule to:
Kathy Berg at the above address, by phone at 801-530-6216, by FAX at 801-530-6438, or by Internet E-mail at kberg@utah.gov
Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:
12/17/2007
This rule may become effective on:
12/24/2007
Authorized by:
Francine Giani, Executive Director
RULE TEXT
R154. Commerce, Corporations and Commercial Code.
[R154-10. Utah Digital Signature Act Rules.
R154-10-100. Authority and Purpose.
These rules are adopted by the division under the authority of Subsection 46-3-104(3), to enable the division to facilitate the implementation of the Utah Digital Signature Act and Subsections 46-1-3(5)(b), to enable the division to facilitate the implementation of Electronic Communication between a signer and a Notary Public using a Digital Signature.
R154-10-101. Definitions.
For purposes of these rules, in addition to the definitions set forth in Section 46-3-103, the following terms are herein defined:
(1) "Distinguished name" means data unambiguously identifying the person or entity bearing the name.
(2) "ISO" means the International Organization for Standardization.
(3) "Primary certification practice statement" means a certification practice statement which includes references to all other material certification practice statements.
(4) "Utah Act" means the Utah Digital Signature Act as found in Section 46-3-101 et seq.
(5) "Working Capital" means the difference obtained by subtracting current liabilities from current assets.
R154-10-102. Certification Authority Filing Amounts.
A certification authority, upon filing an application for a license or renewal, shall pay the following amounts annually:
(1) a $500.00 filing fee; and
(2) additional costs that reflect expenses incurred to evaluate software and hardware systems if they have not been previously approved by the division. Additional amount(s) shall be paid when the actual cost is incurred by the division to have an information systems consultant evaluate whether the software and hardware systems utilized by the certification authority are trustworthy systems and meet prevailing national and international standards.
R154-10-103. Application or Renewal for Certification Authority License.
Any person applying or renewing to be licensed as a certification authority must file an application pursuant to this chapter demonstrating compliance with the requirements of the Utah Digital Signature Act (U.C.A. Section 46-3-101, et seq.). To apply for a license or renewal, an applicant must submit in writing (in light of the Utah Digital Signature Act, documents submitted electronically and digitally signed are considered written) all of the following to the Utah Digital Signature Program, Division of Corporations and Commercial Code, Utah Department of Commerce, 160 East 300 South, Box 146705, Salt Lake City, Utah 84114-6705, or E-mail: DigSig@state.ut.us:
(1) The name of the applicant;
(2) The distinguished name of the applicant, in accordance with Utah Administrative Code R154-10-101(1);
(3) The mailing and physical business address of the applicant;
(4) The telephone number of the applicant and the facsimile transmission machine;
(5) The electronic mail address of the applicant;
(6) The name and address of the applicant's Utah registered agent for service of process and documentation certifying acceptance as applicant's registered agent;
(7) A certificate issued by a licensed certification authority that shows the applicant as subscriber and is published in a recognized repository, pursuant to U.C.A. Section 46-3-201(1)(a);
(8) A written acknowledgment certifying that all the operative personnel employed by the applicant have undergone a criminal background check demonstrating that they have not been convicted of a felony or a crime involving fraud, false statement, or deception within the past fifteen years, pursuant to U.C.A. Section 46-3-201(1)(b) and Utah Administrative Code R154-10-107;
(9) A written acknowledgment certifying that all the operative personnel employed by the applicant have demonstrated knowledge and proficiency in the requirements of the Utah Digital Signature Act and Administrative Rules, pursuant to U.C.A. Section 46-3-201(1)(c) and Utah Administrative Code R154-10-107;
(10) A filing fee of five hundred dollars ($500.00), pursuant to Utah Administrative Code R154-10-102;
(11) A suitable guarantee in the amount of seventy-five thousand dollars ($75,000.00), pursuant to Utah Administrative Code R154-10-201, unless the applicant is the governor, a department or division of state government, the attorney general, state auditor, state treasurer, the judicial council, a city, a county, or the Legislature or its staff office;
(12) A written acknowledgment certifying that the applicant has working capital reasonably sufficient to conduct business for a period of at least one year and no less than ten thousand dollars ($10,000.00) in working capital, pursuant to Utah Administrative Code R154-10-203;
(13) Documentation in the form of an information systems audit report from a qualified, independent third-party information systems auditor establishing that the applicant has the right to use a trustworthy system as defined by Utah Administrative Code R154-10-106, including a secure means for controlling usage of its private key. The information systems audit report is not required to establish anything more than that the applicant has the use of a trustworthy system and is signed by the information systems auditor;
(14) The applicant's written certification practice statement, its location in the form of a Universal Resource Locator, and method or procedure by which it may be retrieved, in accordance with Utah Administrative Code R154-10-302; and
(15) The current public key(s) of the applicant on a floppy disk, in addition to an electronic document digitally signed by the applicant, by which its digital signature(s) may be verified.
R154-10-104. Issuance of License or Renewal.
(1) The division shall, within a reasonable time, issue or renew a license as a certification authority if the applicant has:
(a) complied with and submitted all documentation and fees required by Utah Administrative Code R154-10-103; and
(b) the division has determined that the applicant meets all requirements for licensure pursuant to U.C.A. Section 46-3-201.
(2) Issuance or renewal of a license shall be valid for a period of one year.
(3) The division shall not provide a notice of expiration of the certification authority license. It is the applicant's responsibility to renew their license within 30 days prior to the expiration of their license.
(4) Failure to receive a notice of the need to renew a license is an insufficient reason for failing to file the required application for renewal.
(5) If any of the information presented on the application changes, the certification authority has ten days to submit information to the division to update its record. There is no fee for the amendment.
R154-10-105. Revocation or Suspension of Certification Authority License.
(1) The division may revoke or suspend a license, pursuant to U.C.A. Section 46-3-201(4)(a), for failure to comply with any requirement of chapter 3, title 46, entitled, Utah Digital Signature Act or this chapter, for failure to remain qualified for a license pursuant to chapter 3, title 46, or this chapter, or for failure to comply with a lawful order of the division pursuant to U.C.A. Section 46-3-203(2).
(2) The division shall inform a licensed certification authority by written order, by mail directed to the mailing address or electronic mail address listed on the licensee's application, of a decision to revoke or suspend the license. The notification shall state when the revocation or suspension shall be effective, which shall not be less than 30 days following the issuance of the order.
R154-10-106. Trustworthy System.
A system shall be regarded as trustworthy if it materially satisfies the most current adopted version of:
106.1 Common Criteria (CC) Protection Profile (PP) for Commercial Security 2 (CS2), (CCPPCS), developed by the National Institute of Standards and Technology (NIST); or
106.2 Web Trust Program for Certification Authorities, version 1.0, as approved by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.
106.3 The determination of whether a departure from CCPPCS is material shall be governed by Utah Administrative Code R154-10-403.
R154-10-107. Certification of Operative Personnel.
The certification authority shall be responsible for determining whether an individual employed or acting as operative personnel qualifies to act as operative personnel. The determination must be made after a criminal background check of the individual and based on the individual's knowledge of chapter 3, title 46, entitled, Utah Digital Signature Act, this chapter and other information pertinent to asymmetric cryptosystems. The steps that a certification authority takes to assess an individual's qualification to be employed as operative personnel must be disclosed in the certification practice statement.
R154-10-201. Amount and Form of Suitable Guaranty.
(1) A suitable guaranty shall be in an amount of seventy-five thousand dollars ($75,000.00);
(2) The suitable guaranty shall specify a term of one (1) year commencing on the effective date of the certification authority license and terminating upon the expiration, revocation or termination of the license; and
(3) The suitable guaranty shall provide coverage for a claim made against a certification authority where:
(a) the claimed violation occurred within the period that the certification authority license was in effect; and
(b) the claimant filed a written notice of the claim with the division within two (2) years following the occurrence of the incident that gave rise to the claim.
R154-10-202. Certification Authority Disclosure Records.
(1) A certification authority disclosure record shall contain:
(a) an indication that the certification authority disclosure record is provided and maintained by this state;
(b) the name, street address, and voice telephone number of the certification authority;
(c) the telephone number of the certification authority's facsimile transmission machine, if the certification authority has such a machine;
(d) the electronic mail or other address by which the certification authority may be contacted electronically;
(e) the distinguished name of the certification authority;
(f) the current public key or keys of the certification authority by which its digital signatures on published certificates may be verified;
(g) the restrictions, if any, placed on the certification authority's license pursuant to Subsection 46-3-201(3);
(h) if the certification authority's license has been revoked or is currently suspended, the date of revocation or suspension, and the grounds for revocation or suspension;
(i) the amount of the certification authority's suitable guaranty, to be updated periodically, as specified by the Division;
(j) the total amount of all claims filed with the Division for payment from the suitable guaranty filed by the certification authority, to be updated periodically, as specified by the Division;
(k) a brief description of any limit known to the Division and applicable to the certification authority's liability or legal capacity to pay damages in tort, or for breach of a duty prescribed in this chapter, unless the limitation is specified in this chapter;
(l) the categorization pursuant to Subsection 46-3-202(2) of the certification authority's compliance with this chapter and resulting from the most recent performance audit of the certification authority's activities, and the date of the most recent performance audit;
(m) any event which substantially affects the certification authority's ability to conduct its business or the validity of a certificate published in the repository provided by the Division or in a recognized repository;
(n) if a certificate containing the public key required to verify one or more certificates issued by the certification authority has been revoked or is currently suspended, the date of its revocation or suspension; and
(o) if the certification authority has a material, primary certification practice statement, indications of its location, the method or procedure by which it may be retrieved, its form and structure, its authorship, and its date, as prescribed in rule 302.
(2) A certification authority disclosure record shall be digitally signed by the Division in its official capacity.
(3) Certification authority disclosure records are public records of the state of Utah pursuant to the Utah Government Records Access and Management Act, Chapter 2 of Title 63.
(4) The contents of the certification disclosure record shall be in a form and method specified by the Division.
R154-10-203. Certification Authority Proof of Sufficient Working Capital.
A certification authority, upon filing an application for a license or renewal, shall provide the division with a written acknowledgment stating the following:
(1) that the certification authority has working capital reasonably sufficient to conduct business as a certification authority for a period of one year; and
(2) that the certification authority has no less than $10,000.00 in working capital.
R154-10-204. Recovery Against Suitable Guaranty.
(1) To recover a qualified right to payment against a surety or issuer of a suitable guaranty, pursuant to U.C.A. Section 46-3-310, the claimant must:
(a) File a signed notice of the claim with the division stating the name and address of the claimant, the amount claimed, the grounds for the qualified right to payment, the date of the occurrence of the violation forming the basis of the claim; and
(b) Append to the notice a certified copy of the judgment on which the qualified right to payment is based, except as provided in paragraph (2) of this section.
(2) If the notice pursuant to paragraph (1)(a) of this section is filed prior to entry of judgment, the division shall hold such notice on file, without further action, until the claimant files a copy of the judgment. If the division determines that the litigation identified in the notice has been finally resolved without a judgment providing the claimant with a qualified right to payment, the division may expunge the notice from their records. The division shall not expunge a notice until two years have elapsed since it was first filed.
(3) The division shall reject a notice for filing if the date of the occurrence of the violation is more than two years prior to the filing of the notice.
(4) If a notice and judgment are filed pursuant to paragraph (1) of this section, the division shall provide the notice and judgment to the surety or issuer.
R154-10-301. Certificate Content and Form.
(1) A certificate issued by a licensed certification authority shall contain or incorporate by reference:
(a) an indication that the form and type of the certificate is in accordance with this rule;
(b) an indication that the certification authority issuing the certificate is licensed by this state;
(c) the serial number of the certificate, which must be unique among the certificates issued by the certification authority;
(d) the name by which the subscriber is generally known;
(e) the distinguished name of the subscriber;
(f) a public key corresponding to a private key held by the subscriber;
(g) an identifier of the algorithms with which the subscriber's public key was intended to be used;
(h) the date and time on which the certificate was both issued and accepted;
(i) the date and time on which the certificate expires;
(j) the distinguished name of the certification authority issuing the certificate;
(k) an identifier of the algorithm(s) used to sign the certificate, in the form generally accepted in the subscriber's industry;
(l) the recommended reliance limit for the certificate;
(m) either the distinguished name of one or more repositories designated for publication of notice of revocation or suspension, or a specification of the method by which notice of revocation or suspension is to be given pursuant to Subsections 46-3-306(3) and 46-3-307(5);
(n) if a primary certification practice statement applies to the certificate, an indication of its location, the method or procedure by which it may be retrieved, its form and structure, its authorship, and its date as prescribed in Section R154-10-302.
(2) A transactional certificate shall substantially comply with these requirements, and may include additional data.
(3) A certificate issued by a licensed certification authority may, at the option of the subscriber and certification authority, contain or incorporate by reference additional information as determined by the licensed certification authority.
(4) The data in a certificate shall be specified in the form generally accepted for the transactions for which the subscriber expects that the certificate will be used. Further, unless another form is generally accepted for such transactions:
(a) the certificate shall be in the form specified by standard X.509v.3 of the International Telecommunication Union.
(5) The contents of the certificate shall be in a form and method specified by the Division.
R154-10-302. Form of Certification Practice Statement.
(1) If a certificate indicates or incorporates a certification practice statement by reference, or if a certification authority disclosure record refers to a primary certification practice statement, the certificate or certification authority disclosure record shall provide the following information in the form prescribed in Sections R154-10-301 and R154-10-302, and Section R154-10-202:
(a) the location of the certification practice statement, in the form of a Universal Resource Locator or by another form generally accepted for the transactions in which the subscriber expects the certificate to be used;
(b) the method or procedure by which the certification practice statement may be retrieved or by another form generally accepted for the transactions in which the subscriber expects the certificate to be used;
(c) the form and structure of the certification practice statement, which shall be either the form recommended in subsection (2) of this rule, in the Hypertext Markup Language version 2.0, or in the form generally accepted for the transactions in which the subscriber expects the certificate to be used;
(d) the authorship of the certification practice statement, either in the form recommended in subsection (2) of this rule, or in a form generally accepted in the transactions for which the subscriber expects that the certificate will be used; and
(e) its date, either in the form recommended in subsection (2) of this rule or in a form generally accepted in the transactions for which the subscriber expects that the certificate will be used.
(2) Unless the certificate or certification authority disclosure record clearly indicates otherwise and another form is generally accepted in the transactions for which the subscriber expects that the certificate will be used, a certification practice statement shall be in the form of a document marked in accordance with the Standard Generalized Markup Language, ISO standard 8879 (1986, as amended 1988), or in a form and method specified by the Division.
R154-10-303. Record-keeping by Certification Authorities.
(1) A licensed certification authority shall maintain documentation of compliance with the Utah Act. The documentation shall include evidence demonstrating that the certification authority has:
(a) accepted as evidence of identity such identification documents or other evidence presented by the person or entity named in a certificate that the certification authority has issued;
(b) accepted as evidence of identity such identification documents or other evidence presented by the person or entity requesting revocation of each certificate that the certification authority has revoked;
(c) evidence collected by the certification authority pertaining to the validity of all other facts listed in a certificate which the certification authority has issued; and
(d) complied with the Utah Act in issuing, publishing, suspending, and revoking a certificate.
(2) Identification of the person or entity named in a certificate shall be presumed to be established where a licensed certification authority has been presented identification documents consisting of at least one of the following:
(a) an identification document issued by or under the authority of the United States, or such similar identification document issued under the authority of another country;
(b) a birth certificate issued in the United States;
(c) a driver's license issued by a State of the United States; or
(d) a personal identification card issued by a State of the United States.
(3) Other forms of identification documents may be substituted for those listed in paragraph (2) above upon written approval of the division prior to the issuance of the certificate or class of certificates.
(4) Except for requests for suspension of a certificate, the licensed certification authority may require a subscriber or agent of a subscriber to submit documentation and other evidence reasonably sufficient to enable the certification authority to comply with this section.
(5) A licensed certification authority shall retain its records of the issuance, acceptance, and any suspension or revocation of a certificate for a period of not less than ten years after the certificate is revoked or expires. The licensed certification authority shall itself retain custody of such records unless the licensed certification authority turns over its records to the Division or another licensed certification authority upon ceasing to act as a certification authority.
(6) A licensed certification authority shall keep its records under circumstances of safekeeping and security which are commercially reasonable in light of the recommended reliance limits of the certificates.
(7) The contents of the records shall be in a form and method specified by the Division.
(8) All required information filed with the Division by the certification authority shall be in the English language.
(9) Documentation of all evidence and records required to be maintained by a licensed certification authority may be maintained in an electronic format approved by the Division.
R154-10-304. Cessation of Certification Authority Activities.
(1) Before ceasing to act as a certification authority, a licensed certification authority shall:
(a) give to the subscriber of each unrevoked or unexpired certificate issued by the certification authority at least 90 days written notice of the certification authority's intention to discontinue acting as a certification authority;
(b) 90 days or more after the notice required in Subsection (1)(a) of this section, revoke all certificates which then remain unrevoked or unexpired, regardless of whether the subscriber has requested revocation;
(c) give written notice of revocation to the subscriber of each certificate revoked pursuant to subsection (1)(b) of this section; and
(d) unless a contract between the certification authority and the subscriber provides otherwise, pay reasonable restitution to the subscriber for revoking the certificate before its expiration date.
(2) To provide uninterrupted certification authority services, the discontinuing certification authority may arrange with another certification authority for reissuance of the remaining certificates without charge, except as provided below for certification practice statements, or unless the subscriber of a certificate agrees to a charge. The succeeding certification authority shall create its own digital signature on all reissued certificates. In reissuing a certificate pursuant to this subsection:
(a) the succeeding certification authority becomes subrogated to the rights and defenses of the discontinuing certification authority; and
(b) unless the contract between the discontinuing certification authority and the subscriber provides otherwise, all certification practice statements of the discontinuing certification authority continue in effect under the new certification authority, unless the new certification authority gives sixty days' notice of the changes to be made in the applicable certification practice statements.
(3) The requirements of this section may be varied by contract, except that the contract shall not permit the licensed certification authority to discontinue its certification authority activities without first giving each subscriber of an unexpired or unrevoked certificate at least ten days written notice, or without revoking all outstanding certificates upon cessation of certification authority activities.
(4) Before ceasing to act as a certification authority, a licensed certification authority shall notify the Division of its intention to cease acting as a certification authority. The written notice shall be filed with the Division at least two months, but not more than six months, before the certification authority ceases to act as a certification authority. Further, the written notice shall be entitled "Notice of Intention to Discontinue Certification Authority Business" and include the following information:
(a) name of certification authority;
(b) distinguished name of withdrawing certification authority;
(c) number of certificates issued and currently valid;
(d) date on which the certification authority intends to discontinue business;
(e) date on which notice will be given to subscribers of issued and valid certificates (append copy of notice to subscribers);
(f) indicate whether the withdrawing certification authority will be succeeded by another licensed certification authority;
(g) name of succeeding certification authority, if any;
(h) distinguished name of succeeding certification authority, if any;
(5) If a certification authority dies while licensed, the estate of the certification authority shall comply with the procedures of this section or any applicable contract for termination of the deceased certification authority's activities. If a certification authority becomes incapacitated within the meaning of Subsection 75-1-201(18), a court may either appoint a guardian as provided in the Utah Uniform Probate Code article 5, part 3, or, on the petition of an interested party, appoint a receiver to terminate the incapacitated certification authority's business as required by this section.
R154-10-401. Recognition of Repositories.
(1) For a repository to be recognized as provided in Section 46-3-501, the licensed certification authority operating the repository shall file with the Division a request which:
(a) states the full name, postal mailing address, address for service of process, physical location of hardware containing the repository, telephone number, electronic mail address, and distinguished name of the person or entity filing the application;
(b) states the full name, address, telephone number, electronic mail address, and distinguished name of the licensed certification authority under whose direction the repository is operated;
(c) describes in detail, noting compliance with any applicable technical standards:
(i) the design and implementation of the repository's trustworthy system;
(ii) the contents of the repository;
(iii) all form requirements applicable to contents of the repository;
(iv) the criteria for determining who may publish information in the repository;
(v) procedures for processing newly published certificates and notices of suspension and revocation;
(vi) processes to account for usage of the repository and access to the information published in it; and
(vii) fees to be charged, if any, for access to certification authority disclosure records and orders or advisory statements issued by the Division, if recognition is granted.
(d) promises, if recognition is granted, to effect prompt publication of:
(i) all certification authority disclosure records published in the repository by the Division;
(ii) all updates or cancellations of existing certification authority disclosure records published in the repository by the Division;
(iii) all orders or advisory statements published in the repository by the Division.
(e) includes a copy of all applicable certification practice statements of the repository and the repository's archival policy. However, nothing in this section requires a repository to disclose trade secrets or information that could adversely affect the security of the trustworthy system;
(f) acknowledges that the licensed certification authority operating the repository has and will continuously maintain in this state:
(i) an office or a registered agent who is either an individual resident in this state, a domestic corporation, or a foreign corporation authorized to transact business in this state; and
(ii) a custodian of the data and records of the repository (regardless of whether the hardware containing the repository is located outside of the State of Utah), upon whom any process, notice, or demand required or permitted by law may be served. The custodian of the records may be the same person or entity as the registered agent.
(g) states the full name, address, telephone number, electronic mail address and address for service of process of the agent and the custodian referred to in the preceding subsection;
(h) acknowledges that the licensed certification authority operating the repository submits the repository data to all lawful process, notice, demand, and orders issued by the State of Utah and its political subdivisions;
(i) the licensed certification authority operating the repository shall promptly notify the Division of any changes in the information required by this rule; and
(j) includes an annual filing fee of $250.00.
(2) The Division will proceed in the manner provided for formal adjudicative proceedings in the Utah Administrative Procedures Act, title 63, chapter 46b, to review the request for recognition and the evidence supporting it, unless:
(a) the request is to renew recognition;
(b) the request is filed within three months of the date on which recognition is scheduled to expire; and
(c) the Division determines in light of the repository's prior record of service and performance that a hearing is not necessary.
(3) The Division hereby delegates to each recognized repository all privileges held by the Division at common law with respect to the publication of certification authority disclosure records and the orders or advisory statements of the Division.
R154-10-402. Qualification of Auditors.
(1) An Auditor performing an audit of a licensed
certification authority, as provided in Subsection 46-3-202(1), shall have the
following qualifications:
(a) be a licensed certified public accountant
(CPA) in good standing;
(b) have knowledge of trusted computer
information systems, trusted telecommunications networking environments, and
the professional audit techniques to test these systems; and
(c) have knowledge of digital signature
technology, standards and practices.
(2) The Auditor performing an audit of a
licensed certification authority, upon the filing of audit results, shall
provide the Division with an affirmative statement that the auditor meets the
foregoing requirements.
R154-10-403. Performance Audit.
(1) A licensed certification authority shall
obtain a performance audit at least once every year pursuant to U.C.A. Section
46-3-202. The qualified auditor shall
issue an opinion evaluating the degree to which the certification authority
conforms to the requirements of this chapter and of chapter 3, title 46,
entitled, Utah Digital Signature Act.
If the certification authority is also a recognized repository, the
audit must include the repository.
(2) For purposes of the opinion required by this
section, the qualified auditor shall exercise reasonable professional judgment
as to whether a condition that does not strictly comply with legal requirements
is or is not material, taking into consideration the circumstances and
context. Noncompliance as to any of the
following shall be deemed material, in addition to any others the qualified
auditor may judge to be material:
(a) any condition of noncompliance with statute
or rule that relates to the validity of a certificate;
(b) any employee performing the functions of
operative personnel who has not qualified pursuant to U.C.A. section
46-3-201(1)(c); or
(c) any material indication that the
certification authority has used any system other than a trustworthy system.
(3) An audit may be performed by a qualified
auditor pursuant to Utah Administrative Code R154-10-402. Any qualified auditor, or group of qualified
auditors, performing an audit pursuant to this section shall include at least
one individual who has been issued a current and valid certificate as either a
Certified Information Systems Auditor, by the Information Systems Audit and
Control Foundation, or as a Certified Information Systems Security
Professional, by the International Information Systems Security Certification
Consortium. The names of all
individuals possessing such certificates shall be disclosed in the audit
report, or in a cover letter accompanying that report.
(4) The certification authority shall file a
copy of the performance audit report with the Division, 30 days prior to the
date the certification authority must renew its license pursuant to Utah
Administrative Code R154-10-104. At the
certification authority's option, it shall be sufficient to file a portion of
the report if that report summarizes all audit exceptions and conditions of
noncompliance (including those stated in paragraph (2) of this section) stated
in the full report, and bears the auditor's signature. The report may be filed electronically, if
it is validly digitally signed by the auditor, using a licensed certification
authority. The Division shall publish
the report, or summary, in the certification authority disclosure record it maintains
for the certification authority.
R154-10-404. Recognition of Foreign Licenses.
(1) A certification authority licensed as such
by a governmental entity other than the State of Utah, may act as a licensed
certification authority in Utah only if, in addition to meeting any other
requirements established by law for the transaction of business, it either:
(a) obtains a license as a certification
authority from the Division; or
(b) provides to the Division a certified copy of
a license issued by a governmental entity whose licensing or authorization
requirements the Division has found to be substantially similar to those of
Utah, together with the fee required by Utah Administrative Code
R154-10-102. A license recognized under
this subsection shall be valid in Utah only during the time it is valid in the
issuing jurisdiction.
(2) The Division may certify that the
requirements of another jurisdiction are substantially similar to those of Utah
if, in order to obtain a license, the controlling law of the other jurisdiction
requires that a licensed certification authority:
(a) issues certificates based upon a system of
public key cryptography using a trustworthy system;
(b) provides for a suitable guaranty in an
amount of at least $25,000;
(c) employs as operative personnel only individuals
who have demonstrated knowledge and proficiency in the requirements of the law
regarding digital signatures, and who are free of felony criminal conviction
for a minimum of fifteen years; and
(d) is subject to a legally established system
of enforcement of licensure requirements.
(3) The Division shall make available upon
request, a list of those jurisdictions which the Division has certified
pursuant to paragraph (2) of this section.
If a jurisdiction is not included in the list, the Division shall
consider whether certification of such jurisdiction should be added, upon
request of either the jurisdiction or a certification authority licensed by
that jurisdiction and upon receipt of an English language copy of the
applicable laws and regulations of that jurisdiction.
R154-10-405. Revocation of Recognition of a Repository.
(1) This rule describes the Division's procedure
for revoking the recognition of a repository, without also revoking the license
of the certification authority that operates the repository. Because a valid license as a certification
authority is a statutory requirement for recognition of a repository, the
Division shall automatically revoke the recognition of any repository operated
by a certification authority whose license is revoked, expired, or otherwise
inoperative.
(2) The Division may revoke recognition of a
repository, pursuant to U.C.A. Section 46-3-501(4), for failure to comply with
any requirement for recognition of a repository pursuant to Utah Administrative
Code R154-10-401, or for failure to comply with a lawful order of the Division.
(3) The Division shall inform a licensed
certification authority that operates a recognized repository by written order,
by mail directed to the mailing address listed on the licensee's application,
of a decision to revoke recognition of the repository. The notification shall state when the
revocation shall be effective, which shall not be less than 30 days following
the issuance of the order.
(4) If the certification authority files an
application for an adjudicative hearing, pursuant to Title 63, Chapter 46b,
entitled Administrative Procedures Act, prior to the effective date of
revocation, the revocation shall not take effect until so ordered by the
presiding officer.
R154-10-406. Procedure upon Discontinuance of Business as a Recognized Repository.
A licensed certification authority that discontinues providing services as a
recognized repository shall notify the Division of its discontinuance at least
30 days before discontinuance pursuant to U.C.A. Section 46-3-501(3), and
republish the records published in their repository into another recognized
repository.
R154-10-407. Renewal of Recognition of a Repository.
(1) The Division shall, within a reasonable
time, renew a request for recognition of a repository from a licensed
certification authority if the applicant has:
(a) complied with and submitted all
documentation and fees required by Utah Administrative Code R154-10-401; and
(b) the Division has determined that the
applicant meets all requirements for recognition pursuant to U.C.A. Section
46-3-501.
(2) Renewal for recognition of a repository
shall be valid for a period of one year.
(3) The Division shall not provide a notice of
expiration of recognition as a repository.
It is the applicant's responsibility to renew their recognition as a
repository within 30 days prior to the expiration of the recognition.
(4) Failure to receive a notice of the need to
renew a recognition of a repository is an insufficient reason for failing to
file the required application for renewal.
(5) If any of the information presented on the
application changes, the certification authority has ten days to submit
information to the Division to update its record. There is no fee for the amendment.
R154-10-501. Waiver of Requirements.
(1) The Division will duly consider requests to
waive any requirement of this rule if conflicts arise in implementation of
these standards and procedures.
R154-10-502. Notary Acknowledgment by Electronic Communication.
Any person(s) executing a notarization using their digital signature and
electronic communication requires live audio and visual communication,
demonstrating compliance with U.C.A. Section 46-1-2(1) and 46-1-2(11)(c). The
following minimum specifications must be met:
1. Constant video frame rate of 15 frames per second or more.
2. Minimum video resolution of 320 x 240 picture elements (pixels).
3. Complies with desktop conferencing industry standard H.323 for
communication via data networks and the Internet.
4. Full-duplex audio (this means audio in both directions at the same time).
KEY: commerce, electronic commerce, digital signature, electronic communication
Date of Enactment or Last Substantive Amendment: March 14, 2003
Notice of Continuation: October 8, 2003
Authorizing, and Implemented or Interpreted Law: 46-3-102(4); 46-1-2(1); 46-1-2(11)(c)]
ADDITIONAL INFORMATION
Text to be deleted is struck through and surrounded by brackets (e.g., [example]). Text to be added is underlined (e.g., example). Older browsers may not depict some or any of these attributes on the screen or when the document is printed.
For questions regarding the content or application of this rule, please contact Kathy Berg at the above address, by phone at 801-530-6216, by FAX at 801-530-6438, or by Internet E-mail at kberg@utah.gov
For questions about the rulemaking process, please contact the Division of Administrative Rules (801-538-3764). Please Note: The Division of Administrative Rules is NOT able to answer questions about the content or application of these administrative rules.
Last modified: 11/13/2007 5:08 PM