S.206
Introduced by Senator Hallowell of Chittenden County and Senator Illuzzi of Essex-Orleans County
Referred to Committee on
Date:
Subject: Commerce and trade; digital signatures
Statement of purpose: This bill proposes a digital mechanism to authorize the signing and authentication of documents.
AN ACT RELATING TO DIGITAL SIGNATURES
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 9 V.S.A. chapter 145 is added to read:
CHAPTER 145. DIGITAL SIGNATURES
§ 4621. PURPOSES AND CONSTRUCTION
This chapter shall be construed consistent with what is commercially reasonable under the circumstances and to effectuate the following purposes:
(1) to facilitate commerce by means of reliable electronic messages;
(2) to minimize the incidence of forged digital signatures and fraud in electronic commerce;
(3) to implement legally the general import of relevant standards, such as X.509 of the International Telecommunication Union (formerly International Telegraph and Telephone Consultative Committee or CCITT); and
(4) to establish, in coordination with multiple states, uniform rules regarding the authentication and reliability of electronic messages.
§ 4622. DEFINITIONS
For purposes of this chapter:
(1) "Accept a certificate" means:
(A) to manifest approval of a certificate, while knowing or having notice of its contents; or
(B) to apply to a licensed certification authority for a certificate, without canceling or revoking the application, if the certification authority subsequently issues a certificate based on the application.
(2) "Asymmetric cryptosystem" means an algorithm or series of algorithms which provide a secure key pair.
(3) "Certificate" means a computer-based record which:
(A) identifies the certification authority issuing it;
(B) names or identifies its subscriber;
(C) contains the subscriber's public key; and
(D) is digitally signed by the certification authority issuing it.
(4) "Certification authority" means a person who issues a certificate.
(5) "Certification authority disclosure record" means an on-line, publicly accessible record which concerns a licensed certification authority and is kept by the secretary of state. A certification authority disclosure record has the contents specified by rule of the secretary of state pursuant to section 4623 of this title.
(6) "Certification practice statement" means a declaration of the practices which a certification authority employs in issuing certificates generally, or employs in issuing a material certificate.
(7) "Certify" means the declaration of material facts by the certification authority regarding a certificate.
(8) "Confirm" means to ascertain through appropriate inquiry and investigation.
(9) "Correspond," with reference to keys, means to belong to the same key pair.
(10) "Digital signature" means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether:
(A) the transformation was created using the private key that corresponds to the signer's public key; and
(B) the message has been altered since the transformation was made.
(11) "Forge a digital signature" means either:
(A) to create a digital signature without the authorization of the rightful holder of the private key; or
(B) to create a digital signature verifiable by a certificate listing as subscriber a person who either:
(i) does not exist; or
(ii) does not hold the private key corresponding to the public key listed in the certificate.
(12) "Hold a private key" means to be able to utilize a private key.
(13) "Incorporate by reference" means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated.
(14) "Issue a certificate" means the acts of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate.
(15) "Key pair" means a private key and its corresponding public key in an asymmetric cryptosystem, keys which have the property that the public key can verify a digital signature that the private key creates.
(16) "Licensed certification authority" means a certification authority to whom a license has been issued by the secretary of state and whose license is in effect.
(17) "Message" means a digital representation of information.
(18) "Notify" means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person.
(19) "Operative personnel" means one or more natural persons acting as a certification authority or its agent, or in the employment of or under contract with a certification authority, and who have:
(A) managerial or policy-making responsibilities for the certification authority; or
(B) duties directly involving the issuance of certificates, creation of private keys, or administration of a certification authority's computing facilities.
(20) "Person" means a human being or any organization capable of signing a document, either legally or as a matter of fact.
(21) "Private key" means the key of a key pair used to create a digital signature.
(22) "Public key" means the key of a key pair used to verify a digital signature.
(23) "Publish" means to record or file in a repository.
(24) "Qualified right to payment" means an award of damages against a licensed certification authority by a court having jurisdiction over the certification authority in a civil action for violation of this chapter.
(25) "Recipient" means a person who receives or has a digital signature and is in a position to rely on it.
(26) "Recognized repository" means a repository recognized by the secretary of state pursuant to section 4642 of this title.
(27) "Recommended reliance limit" means the limitation on the monetary amount recommended for reliance on a certificate pursuant to section 4635 of this title.
(28) "Repository" means a system for storing and retrieving certificates and other information relevant to digital signatures.
(29) "Revoke a certificate" means to make a certificate ineffective permanently from a specified time forward. Revocation is effected by notation or inclusion in a set of revoked certificates, and does not imply that a revoked certificate is destroyed or made illegible.
(30) "Rightfully hold a private key" means to be able to utilize a private key:
(A) which the holder or the holder's agents have not disclosed to any person in violation of section 4631 of this title; and
(B) which the holder has not obtained through theft, deceit, eavesdropping, or other unlawful means.
(31) "Signer" means a person who creates a digital signature for a message.
(32) "Subscriber" means a person who:
(A) is the subject listed in a certificate;
(B) accepts the certificate; and
(C) holds a private key which corresponds to a public key listed in that certificate.
(33)(A) "Suitable guaranty" means either a surety bond executed by a surety authorized by the department of banking, insurance, securities, and health care administration to do business in this state, or an irrevocable letter of credit issued by a financial institution authorized to do business in this state by the department, which, in either event, satisfies all of the following requirements, that it:
(i) is issued payable to the secretary of state for the benefit of persons holding qualified rights of payment against the licensed certification authority named as the principal of the bond or customer of the letter of credit;
(ii) is in an amount specified by rule of the secretary of state pursuant to section 4623 of this title;
(iii) states that it is issued for filing pursuant to this chapter;
(iv) specifies a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority; and
(v) is in a form prescribed by rule of the secretary of state.
(B) A suitable guaranty may also provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.
(C) A financial institution acting as a certification authority may satisfy the requirements of this subdivision from its assets or capital, to the extent of its lending limit.
(34) "Suspend a certificate" means to make a certificate ineffective temporarily from a specified time forward.
(35) "Time-stamp" means either:
(A) to append or attach to a message, digital signature, or certificate a digitally signed notation indicating at least the date and time the notation was appended or attached, and the identity of the person appending or attaching the notation; or
(B) the notation thus appended or attached.
(36) "Transactional certificate" means a valid certificate incorporating by reference one or more digital signatures.
(37) "Trustworthy system" means computer hardware and software which:
(A) are reasonably secure from intrusion and misuse;
(B) provide a reasonable level of availability, reliability, and correct operation; and
(C) are reasonably suited to performing their intended functions.
(38)(A) "Valid certificate" means a certificate which:
(i) a licensed certification authority has issued;
(ii) the subscriber listed in it has accepted;
(iii) has not been revoked or suspended; and
(iv) has not expired.
(B) A transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference.
(39) "Verify a digital signature" means, in relation to a given digital signature, message, and public key, to determine accurately that:
(A) the digital signature was created by the private key corresponding to the public key; and
(B) the message has not been altered since its digital signature was created.
§ 4623. ROLE OF THE SECRETARY OF STATE
(a) The secretary of state shall be a certification authority, and may issue, suspend, and revoke certificates in the manner prescribed for licensed certification authorities in Part 3 of this chapter. The secretary may delegate the powers and duties granted under this chapter to officers and employees of the corporations division.
(b) The secretary shall maintain a publicly accessible database containing a certification authority disclosure record for each licensed certification authority. The secretary shall publish the contents of the database in at least one recognized repository.
(c) The secretary shall adopt rules as required by this chapter and in furtherance of its purposes, including rules:
(1) governing licensed certification authorities, their practice, and the termination of a certification authority's practice;
(2) determining an amount appropriate for a suitable guaranty, in light of:
(A) the burden a suitable guaranty places upon licensed certification authorities; and
(B) the assurance of financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities;
(3) for reviewing software for use in creating digital signatures and publishing reports concerning such software;
(4) specifying reasonable requirements for the form of certificates issued by licensed certification authorities, in accordance with generally accepted standards for digital signature certificates;
(5) specifying reasonable requirements for record keeping by licensed certification authorities;
(6) specifying reasonable requirements for the content, form, and sources of information in certification authority disclosure records, the updating and timeliness of such information, and other practices and policies relating to certification authority disclosure records; and
(7) specifying the form of certification practice statements.
§ 4624. LICENSURE AND QUALIFICATIONS OF CERTIFICATION AUTHORITIES
(a) To obtain or retain a license a certification authority shall:
(1) be the subscriber of a certificate published in a recognized repository;
(2) employ as operative personnel only persons who have not been convicted of a felony or a crime involving fraud, false statement, or deception;
(3) employ as operative personnel only persons who have demonstrated knowledge and proficiency in following the requirements of this chapter;
(4) file with the secretary of state a suitable guaranty, unless the certification authority is the governor, an agency of state government, the attorney general, state auditor, state treasurer, the supreme court, a municipality, a county, or the general assembly or its staff offices provided that:
(A) each of the above-named governmental entities may act through designated officials authorized by ordinance, rule, or statute to perform certification authority functions; and
(B) one of the above-named governmental entities is the subscriber of all certificates issued by the certification authority;
(5) have the right to use a trustworthy system, including a secure means for controlling usage of its private key;
(6) present proof to the secretary of state of having working capital reasonably sufficient, according to rules of the secretary of state, to enable the applicant to conduct business as a certification authority;
(7) maintain an office in this state or have established a registered agent for service of process in this state; and
(8) comply with all other licensing requirements established by rule of the secretary of state.
(b) The secretary of state shall issue a license to a certification authority which:
(1) is qualified under subsection (a) of this section;
(2) applies in writing to the secretary of state for a license; and
(3) pays the required filing fee.
(c)(1) The secretary of state may classify and issue licenses according to specified limitations, such as a maximum number of outstanding certificates, cumulative maximum of recommended reliance limits in certificates issued by the certification authority, or issuance only within a single firm or organization.
(2) A certification authority acts as an unlicensed certification authority when issuing a certificate exceeding the limits of the license.
(d)(1) The secretary of state may revoke or suspend a certification authority's license for failure to comply with this chapter, or for failure to remain qualified pursuant to subsection (a) of this section.
(2) The secretary of state's actions under this subsection are subject to the procedures for adjudicative proceedings under 3 V.S.A. chapter 25.
(e) The secretary of state may recognize by rule the licensing or authorization of certification authorities by other governmental entities, provided that those licensing or authorization requirements are substantially similar to those of this state. If licensing by another governmental entity is so recognized:
(1) Sections 4637 through 4641 of this title, relating to presumptions and legal effects, apply to certificates issued by the certification authorities licensed or authorized by that governmental entity in the same manner as they apply to licensed certification authorities of this state; and
(2) The liability limits of section 4635 of this title apply to the certification authorities licensed or authorized by that governmental entity in the same manner as they apply to licensed certification authorities of this state.
(f) Unless the parties provide otherwise by contract between themselves, the licensing requirements in this section do not affect the effectiveness, enforceability, or validity of any digital signature except that sections 4637 through 4641 of this title do not apply to a digital signature which cannot be verified by a certificate issued by a licensed certification authority. Further, the liability limits of section 4635 of this title do not apply to unlicensed certification authorities.
§ 4625. ENFORCEMENT OF REQUIREMENTS FOR LICENSED CERTIFICATION AUTHORITIES
(a) The secretary of state may investigate the activities of a licensed certification authority material to its compliance with this chapter and issue orders to a certification authority to further its investigation and ensure compliance with this chapter.
(b) As provided in section 4623 of this title, the secretary of state may restrict a certification authority's license for its failure to comply with an order of the secretary, or may suspend or revoke the license of a certification authority.
(c) Any person who knowingly or intentionally violates an order of the secretary of state issued pursuant to this section or section 4626 of this title is subject to a civil penalty of not more than $5,000.00 per violation or 90 percent of the recommended reliance limit of a material certificate, whichever is less.
(d) The secretary of state may order a certification authority in violation of this chapter to pay the costs incurred by the secretary of state in prosecuting and adjudicating proceedings relative to, and in enforcement of, the order.
(e) Pursuant to 3 V.S.A. chapter 25 (Administrative Procedure Act):
(1) the secretary of state shall exercise his or her authority under this section in accordance with procedures for adjudicative proceedings;
(2) a licensed certification authority may obtain judicial review of the secretary's actions under this section; and
(3) if the secretary seeks injunctive relief, as provided in section 4626 of this title, to compel compliance with any of its orders, the secretary may collect the cost of enforcement.
§ 4626. DANGEROUS ACTIVITIES BY ANY CERTIFICATION AUTHORITY PROHIBITED
(a) A certification authority, whether licensed or not, may not conduct its business in a manner that creates an unreasonable risk of loss to subscribers of the certification authority, to persons relying on certificates issued by the certification authority, or to a repository.
(b)(1) The secretary of state may publish in one or more recognized repositories brief statements advising subscribers, persons relying on digital signatures, and repositories about any activities of a licensed or unlicensed certification authority, of which the secretary has actual knowledge, which create a risk prohibited by subsection (a) of this section.
(2) The certification authority named in a statement as creating such a risk may protest the publication of the statement by filing a brief, written defense. Upon receipt of such a protest, the secretary of state shall:
(A) publish the written defense along with the secretary's statement;
(B) publish notice that a hearing has been scheduled to determine the facts and to decide the matter; and
(C) promptly give the protesting certification authority notice and a hearing as provided in 3 V.S.A. chapter 25 (Administrative Procedure Act).
(3)(A) Following the hearing, the secretary shall:
(i) rescind the advisory statement if its publication was unwarranted pursuant to this section;
(ii) cancel the advisory statement if its publication is no longer warranted;
(iii) continue or amend the advisory statement if it remains warranted; or
(iv) take further legal action to eliminate or reduce a risk prohibited by subsection (a) of this section.
(B) The secretary shall publish its decision in one or more recognized repositories.
(c) The secretary of state may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this section, regardless of whether the certification authority is licensed. This section does not create a right of action in any person other than the secretary of state.
§ 4627. GENERAL REQUIREMENTS FOR CERTIFICATION AUTHORITIES
(a) A licensed certification authority or subscriber shall use only a trustworthy system:
(1) to issue, suspend, or revoke a certificate;
(2) to publish or give notice of the issuance, suspension, or revocation of a certificate; and
(3) to create a private key.
(b) A licensed certification authority shall disclose any material certification practice statement, and any fact material to either the reliability of a certificate which it has issued or its ability to perform its services. A certification authority may require a signed, written, and reasonably specific inquiry from an identified person, and payment of reasonable compensation, as conditions precedent to effecting a disclosure required in this subsection.
§ 4628. ISSUANCE OF A CERTIFICATE
(a) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(1) The certification authority has received a request for issuance signed by the prospective subscriber.
(2) The certification authority has confirmed that:
(A) the prospective subscriber is the person to be listed in the certificate to be issued;
(B) if the prospective subscriber is acting through one or more agents, the subscriber authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(C) the information in the certificate to be issued is accurate after due diligence;
(D) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(E) the prospective subscriber holds a private key capable of creating a digital signature; and
(F) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
(3) The requirements of this subsection may not be waived or disclaimed by the licensed certification authority or the subscriber.
(b)(1) If the subscriber accepts the issued certificate, the certification authority shall publish a signed copy of the certificate in a recognized repository agreed upon by the certification authority and the subscriber named in the certificate, unless the contract between the certification authority and the subscriber provides otherwise.
(2) If the subscriber does not accept the certificate, a licensed certification authority shall not publish the certificate or shall cancel its publication if the certificate has already been published.
(c) Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but consistent with, this chapter.
(d)(1) A licensed certification authority which has issued a certificate:
(A) shall revoke a certificate immediately upon confirming that it was not issued as required by this section; or
(B) may suspend, for a reasonable period of time not to exceed 48 hours, a certificate which it has issued in order to conduct an investigation to confirm grounds for revocation under subdivision (A) of this subsection.
(2) The certification authority shall give notice of the revocation or suspension to the subscriber as soon as practicable.
(e)(1) The secretary of state may order the licensed certification authority to suspend or revoke a certificate which the certification authority issued if, after giving the certification authority and subscriber any required notice and opportunity for a hearing, the secretary of state determines that:
(A) the certificate was issued without substantial compliance with this section; and
(B) the noncompliance poses a significant risk to persons reasonably relying on the certificate.
(2) The secretary of state may suspend a certificate for a reasonable period of time not to exceed 48 hours upon determining that an emergency requires an immediate remedy and in accordance with 3 V.S.A. chapter 25.
§ 4629. WARRANTIES AND OBLIGATIONS OF CERTIFICATION AUTHORITY UPON ISSUANCE OF A CERTIFICATE
(a)(1) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that:
(A) the certificate contains no information known to the certification authority to be false;
(B) the certificate satisfies all material requirements of this chapter; and
(C) the certification authority has not exceeded any limits of its license in issuing the certificate.
(2) The certification authority may not disclaim or limit the warranties of this subsection.
(b) Unless the subscriber and certification authority otherwise agree, a certification authority, by issuing a certificate, shall:
(1) act promptly to suspend or revoke a certificate in accordance with sections 4632 and 4633 of this title; and
(2) notify the subscriber within a reasonable time of any facts known to the certification authority which significantly affect the validity or reliability of the certificate once it is issued.
(c) By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that:
(1) the information in the certificate and listed as confirmed by the certification authority is accurate;
(2) all foreseeable information material to the reliability of the certificate is stated or incorporated by reference within the certificate;
(3) the subscriber has accepted the certificate; and
(4) the licensed certification authority has complied with all applicable laws of this state governing issuance of the certificate.
(d) By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the certification authority has issued the certificate to the subscriber.
§ 4630. REPRESENTATIONS AND DUTIES UPON ACCEPTANCE OF A CERTIFICATE
(a) By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that:
(1) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
(2) all representations made by the subscriber to the certification authority and material to information listed in the certificate are true; and
(3) all material representations made by the subscriber to a certification authority or made in the certificate and not confirmed by the certification authority in issuing the certificate are true.
(b) An agent, requesting on behalf of a principal that a certificate be issued naming the principal as subscriber, certifies that the agent:
(1) holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and
(2) has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, that adequate safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.
(c) A person may not disclaim or contractually limit the application of this section, nor obtain indemnity for its effects, if the disclaimer, limitation, or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.
(d)(1) By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for any loss or damage caused by issuance or publication of a certificate in reliance on a false and material representation of fact by the subscriber, or the failure by the subscriber to disclose a material fact if the representation or failure to disclose was made either with intent to deceive the certification authority or a person relying on the certificate or was made with negligence.
(2) If the certification authority issued the certificate at the request of an agent of the subscriber, the agent personally undertakes to indemnify the certification authority pursuant to subdivision (1) of this subsection as if the agent were an accepting subscriber in his own right. The indemnity provided in subdivision (1) of this subsection may not be disclaimed or contractually limited in scope; however, a contract may provide consistent, additional terms regarding the indemnification.
(e) In obtaining information of the subscriber material to issuance of a certificate, the certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation of truthfulness and under penalty of criminal prohibitions against false, sworn statements.
§ 4631. CONTROL OF THE PRIVATE KEY
(a) By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber's digital signature.
(b) A private key is the personal property of the subscriber who rightfully holds it.
(c) If a certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the certification authority holds the private key as a fiduciary of the subscriber named in the certificate, and may use that private key only with the subscriber's prior, written approval, unless the subscriber expressly grants the private key to the certification authority and expressly permits the certification authority to hold the private key according to other terms.
§ 4632. SUSPENSION OF A CERTIFICATE -- CRIMINAL PENALTY
(a)(1) Unless the certification authority and the subscriber agree otherwise, the licensed certification authority which issued a certificate which is not a transactional certificate shall suspend the certificate for a period not exceeding 48 hours:
(A) upon request by a person identifying himself or herself as the subscriber named in the certificate, or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee, or member of the immediate family of the subscriber; or
(B) by order of the secretary of state pursuant to subsection 4628(e) of this title.
(2) The certification authority need not confirm the identity or agency of the person requesting suspension under subdivision (1)(A) of this subsection.
(b)(1) Unless the certificate provides otherwise or the certificate is a transactional certificate, the secretary of state, or a superior court clerk may suspend a certificate issued by a licensed certification authority for a period of 48 hours, if:
(A) a person requests suspension and identifies himself or herself as the subscriber named in the certificate or as an agent, business associate, employee, or member of the immediate family of the subscriber; and
(B) the requester represents that the certification authority which issued the certificate is unavailable.
(2) The secretary of state, or superior court clerk may:
(A) require the person requesting suspension under subdivision (1) of this subsection to provide evidence, including a statement under oath or affirmation, regarding any information described in subdivision (1); and
(B) suspend or decline to suspend the certificate in its discretion.
(3) The secretary of state, attorney general, or state's attorney may investigate suspensions by the secretary, or a superior court clerk for possible wrongdoing by persons requesting suspension under subdivision (1) of this subsection.
(c)(1) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority shall publish notice, signed by the licensed certification authority, of the suspension in any repositories specified in the certificate for publication of notice of suspension. If any repository specified in the certificate no longer exists or refuses to accept publication, or is no longer recognized pursuant to section 4642 of this title, the licensed certification authority shall publish the notice in any recognized repository.
(2) If a certificate is suspended by the secretary, or a superior court clerk, the secretary of state or clerk shall give notice as required in subdivision (1) of this subsection for a licensed certification authority, provided that the person requesting suspension pays in advance any fee required by a repository for publication of the notice of suspension.
(d) A certification authority shall terminate a suspension initiated by request only:
(1) if the subscriber named in the suspended certificate requests termination of the suspension and the certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorized to terminate the suspension; or
(2) when the certification authority discovers and confirms that the request for the suspension was made without authorization by the subscriber, provided that this subsection does not require the certification authority to confirm a request for suspension.
(e) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the certification authority, or may provide otherwise for termination of a requested suspension. However, if the contract limits or precludes suspension by the secretary of state, or a superior court clerk when the issuing certification authority is unavailable, the limitation or preclusion shall be effective only if notice of the limitation or preclusion is published in the certificate.
(f) A person may not knowingly or intentionally misrepresent to a certification authority his or her identity or authorization in requesting suspension of a certificate. A person who violates the provisions of this subsection shall be fined not more than $500.00 or imprisoned not more than 10 years, or both.
(g) While the certificate is suspended, the subscriber is released from the duty to keep the private key secure pursuant to section 4631 of this title.
§ 4633. REVOCATION OF A CERTIFICATE
(a) A licensed certification authority shall revoke a certificate which it issued, but which is not a transactional certificate, after:
(1) receiving a request for revocation by the subscriber named in the certificate; and
(2) confirming that the person requesting revocation is that subscriber, or is an agent of that subscriber with authority to request the revocation.
(b) A licensed certification authority shall confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber's written request and evidence reasonably sufficient to confirm the identity and any agency of the person requesting the revocation.
(c) A licensed certification authority shall revoke a certificate which it issued:
(1) upon receiving a certified copy of the subscriber's death certificate, or upon confirming by other evidence that the subscriber is dead; or
(2) upon presentation of documents effecting a dissolution of the subscriber, or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.
(d) A licensed certification authority may revoke one or more certificates which it issued if the certificates are or become unreliable, regardless of whether the subscriber consents to the revocation.
(e) Immediately upon revocation of a certificate by a licensed certification authority, the licensed certification authority shall publish signed notice of the revocation in any repository specified in the certificate for publication of notice of revocation. If any repository specified in the certificate no longer exists or refuses to accept publication, or is no longer recognized pursuant to section 4642 of this title, the licensed certification authority shall publish the notice in any recognized repository.
(f) A subscriber ceases to certify the information, as provided in section 4630 of this title, and has no further duty to keep the private key secure, as required by section 4631 of this title, in relation to a certificate whose revocation the subscriber has requested, beginning with the earlier of either:
(1) when notice of the revocation is published as required in subsection (e) of this section; or
(2) two business days after the subscriber requests revocation in writing, supplies to the issuing certification authority information reasonably sufficient to confirm the request, and pays any contractually required fee.
(g) Upon notification as required by subsection (e) of this section, a licensed certification authority is discharged of its warranties based on issuance of the revoked certificate and ceases to certify the information, as provided in section 4629 of this title, in relation to the revoked certificate.
§ 4634. EXPIRATION OF A CERTIFICATE
A certificate shall indicate the date on which it expires. When a certificate expires, the subscriber and certification authority cease to certify the information in the certificate as provided in this chapter and the certification authority is discharged of its duties based on issuance of that certificate.
§ 4635. RECOMMENDED RELIANCE LIMITS AND LIABILITY
(a) By specifying a recommended reliance limit in a certificate, the issuing certification authority and the accepting subscriber recommend that persons rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.
(b) Unless a licensed certification authority waives application of this subsection, a licensed certification authority is:
(1) not liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the certification authority complied with all material requirements of this chapter;
(2) not liable in excess of the amount specified in the certificate as its recommended reliance limit for either:
(A) a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification authority is required to confirm; or
(B) failure to comply with section 4628 of this title in issuing the certificate;
(3) liable only for direct, compensatory damages in any action to recover a loss due to reliance on the certificate, which damages do not include:
(A) punitive or exemplary damages;
(B) damages for lost profits, savings, or opportunity; or
(C) damages for pain or suffering.
§ 4636. COLLECTION BASED ON SUITABLE GUARANTY
(a)(1) Notwithstanding any provision in the suitable guaranty to the contrary:
(A) if the suitable guaranty is a surety bond, a person may recover from the surety the full amount of a qualified right to payment against the principal named in the bond, or, if there is more than one such qualified right to payment during the term of the bond, a ratable share, up to a maximum total liability of the surety equal to the amount of the bond; or
(B) if the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution the full amount of a qualified right to payment against the customer named in the letter of credit, or, if there is more than one qualified right to payment during the term of the letter of credit, a ratable share, up to a maximum total liability of the issuer equal to the amount of the credit.
(2) Claimants may recover successively on the same suitable guaranty, provided that the total liability on the suitable guaranty to all persons making claims based upon qualified rights of payment during its term may not exceed the amount of the suitable guaranty.
(b) In addition to recovering the amount of a qualified right to payment, a claimant may recover from the proceeds of the guaranty, until depleted, reasonable attorney fees and court costs incurred by the claimant in collecting the claim, provided that the total liability on the suitable guaranty to all persons making claims based upon qualified rights of payment or recovering attorney fees and court costs during its term may not exceed the amount of the suitable guaranty.
(c) To recover a qualified right to payment against a surety or issuer of a suitable guaranty, the claimant shall file written notice of the claim with the secretary of state stating the name and address of the claimant, the amount claimed, and the grounds for the qualified right to payment, and any other information required by rule of the secretary of state.
(d) Recovery of a qualified right to payment from the proceeds of the suitable guaranty shall be forever barred unless:
(1) the claimant substantially complies with subsection (c) of this section; and
(2) notice of the claim is filed within two years after the occurrence of the violation of this chapter which is the basis for the claim.
§ 4637. SATISFACTION OF SIGNATURE REQUIREMENTS
(a) Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature if:
(1) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
(2) that digital signature was affixed by the signer with the intention of signing the message; and
(3) the recipient has no knowledge or notice that the signer either:
(A) breached a duty as a subscriber; or
(B) does not rightfully hold the private key used to affix the digital signature.
(b) Nothing in this chapter precludes any symbol from being valid as a signature under other applicable law, including Uniform Commercial Code, section 1-201(39) of Title 9A.
(c) This section does not limit the authority of the commissioner of taxes to prescribe the form of tax returns or other documents filed with the department of taxes.
§ 4638. UNRELIABLE DIGITAL SIGNATURES
Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances. If the recipient determines not to rely on a digital signature pursuant to this section, the recipient shall promptly notify the signer of its determination not to rely on the digital signature.
§ 4639. DIGITALLY SIGNED DOCUMENT IS WRITTEN
(a) A message is as valid, enforceable, and effective as if it had been written on paper, if:
(1) it bears in its entirety a digital signature; and
(2) that digital signature is verified by the public key listed in a certificate which:
(A) was issued by a licensed certification authority; and
(B) was valid at the time the digital signature was created.
(b) Nothing in this chapter precludes any message, document, or record from being considered written or in writing under other applicable state law.
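The conditions that §§ 4637(a)(1) and 4639(a) place on a relying party can be stated as a verification routine: the signature must verify under the public key listed in the certificate, the certificate must chain to a licensed certification authority, and the certificate must have been valid when the signature was created, which means within its dates and with no notice of suspension or revocation (§§ 4632 and 4633) yet published in the repository. The following Go program is an added example and is not part of the bill; it assumes ECDSA P-256 with SHA-256 as the asymmetric cryptosystem (the chapter prescribes none), models the licensed certification authority as a constructed self-signed root, and models the recognized repository as an in-memory table of notice publication times. The Repository, Scenario and VerifyDigitalSignature names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Repository stands in for a recognized repository (§ 4642): it records when a
// signed notice of suspension or revocation was published for each serial number.
type Repository struct{ notices map[string]time.Time }

func (r *Repository) Publish(serial *big.Int, at time.Time) { r.notices[serial.String()] = at }

// NoticeBefore reports whether a suspension or revocation notice for the
// certificate had been published at or before time t.
func (r *Repository) NoticeBefore(serial *big.Int, t time.Time) bool {
	at, ok := r.notices[serial.String()]
	return ok && !at.After(t)
}

// VerifyDigitalSignature applies §§ 4637(a)(1) and 4639(a): the certificate must
// chain to the licensed CA and have been valid when the signature was created
// (inside its dates, no notice yet published), and the signature must verify
// under the public key the certificate lists.
func VerifyDigitalSignature(msg, sig, certDER []byte, roots *x509.CertPool, repo *Repository, signedAt time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	// Validity is judged at signing time, not verification time, so the caller
	// needs a trustworthy signing time (for example from a timestamp token).
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid at signing time: %w", err)
	}
	if repo.NoticeBefore(cert.SerialNumber, signedAt) {
		return fmt.Errorf("certificate %s suspended or revoked before the signature was created", cert.SerialNumber)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not list an ECDSA public key")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate's public key")
	}
	return nil
}

// Scenario is the constructed test bed: a root standing in for a licensed CA,
// one subscriber certificate valid for a year from Issued, and an empty repository.
type Scenario struct {
	Roots   *x509.CertPool
	CertDER []byte
	Serial  *big.Int
	Key     *ecdsa.PrivateKey
	Repo    *Repository
	Issued  time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or certificate creation failed; nothing to recover here
	}
	return v
}

func NewScenario() *Scenario {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issuance date
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Licensed CA"},
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := big.NewInt(4242)
	subTmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: "Example Subscriber"},
		NotBefore: issued, NotAfter: issued.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	subDER := must(x509.CreateCertificate(rand.Reader, subTmpl, caCert, &subKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Scenario{Roots: roots, CertDER: subDER, Serial: serial, Key: subKey,
		Repo: &Repository{notices: map[string]time.Time{}}, Issued: issued}
}

// Sign affixes the subscriber's digital signature (SHA-256 digest, ECDSA) to msg.
func (s *Scenario) Sign(msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, s.Key, digest[:]))
}
```

Two points the code makes concrete. First, § 4639(a)(2)(B) turns on validity at the time the signature was created, so a signature made on day 9 still verifies after a revocation notice is published on day 10, while one made on day 11 does not; the verifier therefore needs a signing time it can trust, not the clock at verification. Second, under § 4633(e) the notice, not the revocation request, is what the relying party can see, which is why the check consults the repository's publication time.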
§ 4640. DIGITALLY SIGNED ORIGINALS
A copy of a digitally signed message is as effective, valid, and enforceable as the original of the message, unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, effective, and enforceable message.
§ 4641. CERTIFICATE AS AN ACKNOWLEDGMENT
Unless otherwise provided by law or contract, a certificate issued by a licensed certification authority is an acknowledgment of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgment appear with the digital signature or whether the signer physically appeared before the certification authority when the digital signature was created, if that digital signature is:
(1) verifiable by that certificate; and
(2) affixed when that certificate was valid.
§ 4642. RECOGNITION OF REPOSITORIES
(a) A repository may apply to the secretary of state for recognition by filing a written request and providing evidence to the secretary of state that the repository meets the requirements of subsection (b) of this section. The secretary of state shall determine whether to grant or deny the request after notice and an opportunity to be heard.
(b) The secretary of state shall recognize a repository, after finding that the repository:
(1) is operated under the direction of a licensed certification authority;
(2) includes a database containing:
(A) certificates published in the repository;
(B) notices of suspended or revoked certificates published by licensed certification authorities or other persons suspending or revoking certificates as provided in sections 4632 and 4633 of this title;
(C) certification authority disclosure records for licensed certification authorities;
(D) all orders or advisory statements published by the secretary of state in regulating certification authorities; and
(E) other information as determined by rule of the secretary of state;
(3) operates by means of a trustworthy system;
(4) contains no significant amount of information which the secretary of state finds is known or likely to be untrue, inaccurate, or not reasonably reliable;
(5) contains certificates published by certification authorities required to conform to rules of practice which the secretary of state finds to be substantially similar to, or more stringent toward the certification authorities, than those of this state;
(6) keeps an archive of certificates that have been suspended or revoked, or that have expired within at least the past three years; and
(7) complies with other requirements prescribed by rule of the secretary of state.
(c) The secretary of state's recognition of a repository may be discontinued upon the repository's written request for discontinuance filed with the secretary at least 30 days before discontinuance.
(d) The secretary of state may discontinue recognition of a repository:
(1) upon passage of an expiration date specified by the secretary in granting recognition; or
(2) after notice and an opportunity to be heard, if the secretary of state concludes that the repository no longer satisfies the conditions for recognition listed in this section or in rules of the secretary.
§ 4643. LIABILITY OF REPOSITORIES
(a) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository, a certification authority, or a subscriber, a repository is liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate if:
(1) the loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation; and
(2) the repository had failed to publish the notice of suspension or revocation when the person relied on the digital signature.
(b) Unless waived, a recognized repository or the owner or operator of a recognized repository is:
(1) not liable:
(A) for failure to publish notice of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;
(B) for any damages pursuant to subsection (a) of this section in excess of the amount specified in the certificate as the recommended reliance limit;
(C) for misrepresentation in a certificate published by a licensed certification authority;
(D) for accurately recording or reporting information which a licensed certification authority, the secretary of state, or superior court clerk has published as provided in this chapter, including information about suspension or revocation of a certificate; or
(E) for reporting information about a certification authority, a certificate, or a subscriber, if such information is published as provided in this chapter or a rule of the secretary of state, or is published by order of the secretary of state in the performance of its licensing and regulatory duties pursuant to this chapter; and
(2) liable pursuant to subsection (a) of this section only for direct compensatory damages, which do not include:
(A) punitive or exemplary damages;
(B) damages for lost profits, savings, or opportunity; or
(C) damages for pain or suffering.
§ 4644. EXEMPTIONS
(a) The following governmental entity records are exempt from 1 V.S.A. chapter 5, subchapter 3 (access to public records):
(1) records containing information that would disclose, or might lead to the disclosure of private keys, asymmetric cryptosystems, or algorithms; or
(2) records, the disclosure of which might jeopardize the security of an issued certificate or a certificate to be issued.
(b) For purposes of this section, "record" has the meaning described in 1 V.S.A. § 317(b).