PART 3. Duties of certification authority and subscriber
Utah Code §§ 46-3-301 to 46-3-309
46-3-301 Issuing a certificate.
46-3-302 Representations by the subscriber accepting a certificate.
46-3-303 Control of the private key.
46-3-304 Duties of a licensed certification authority in issuing a certificate.
46-3-305 Suspension of a certificate.
46-3-306 Revocation of a certificate.
46-3-307 Expiration of a certificate.
46-3-308 Liability of a licensed certification authority.
46-3-309 Collection based on suitable guaranty.
46-3-301 Issuing a certificate.
(1) (a) A licensed certification authority may issue a
certificate to a subscriber only after all of the following conditions
are satisfied:
(i) the certification authority has received a signed request for
issuance of a certificate by the prospective subscriber;
(ii) the certification authority confirms that:
(A) the prospective subscriber is the person identified in the
request and the person to be identified in the certificate to be
issued;
(B) if the prospective subscriber is acting through an agent, the
subscriber duly authorized the agent to have custody of the
subscriber's private key and to request issuance of a certificate
listing the corresponding public key;
(C) the prospective subscriber bears a distinguished name; and
(D) the prospective subscriber rightfully holds the private key
corresponding to the public key to be listed in the certificate;
(iii) the certification authority confirms that the prospective
subscriber holds a key pair capable of:
(A) affixing a digital signature by the private key corresponding
to the public key to be listed in the certificate; and
(B) verifying that a digital signature has been affixed by the
corresponding private key through the use of the public key.
(b) The requirements of this subsection may not be waived or
disclaimed by the licensed certification authority or the subscriber.
(2) (a) If a certificate is requested by an agent or an apparent
agent of the subscriber, the certification authority may not issue the
certificate until after the certification authority has given ten
days' written notice to the prospective subscriber through all of its
record leaders at its record address.
(b) The notice shall express the certification authority's intent
to issue a certificate for the prospective subscriber to the
requesting agent and the date on which the certificate is to be
issued.
(c) The requirement of notice in this subsection may be waived or
disclaimed only by:
(i) a writing signed by all of the record leaders of the
prospective subscriber; and
(ii) confirmation of the authenticity of the waiver by the
certification authority.
(3) (a) If the subscriber accepts the certificate, the
certification authority shall publish a signed copy of the certificate
in the repository provided by the division or in one or more
recognized repositories agreed upon by the certification authority and
the subscriber named in the certificate.
(b) The contract between the certification authority and the
subscriber may provide that the certificate may not be published.
(c) If the subscriber does not accept the certificate, a licensed
certification authority may not publish the certificate in the
repository provided by the division.
(4) Nothing in this section precludes a licensed certification
authority from conforming to standards, security policies, or
contractual requirements more rigorous than, but consistent with, this
section.
(5) (a) If a licensed certification authority confirms that a
certificate was not issued as required by this section, the
certification authority:
(i) shall immediately revoke the certificate; or
(ii) may suspend the certificate while investigating to confirm
grounds for revocation.
(b) The certification authority shall give notice as soon as
practicable to the subscriber of a certificate revoked or suspended
pursuant to this subsection.
(6) The division may order the licensed certification authority
to suspend or revoke a certificate which the certification authority
issued if, after notice and an opportunity for the certification
authority and subscriber to be heard in accordance with the
Administrative Procedures Act, the division determines that:
(a) a certificate was issued without substantial compliance to
this section; and
(b) the noncompliance poses a significant hazard to parties
relying on the certificate.
46-3-302 Representations by the subscriber accepting a certificate.
(1) By accepting a certificate issued by a licensed certification
authority, the subscriber identified in the certificate certifies to
all who justifiably rely on the information contained in the
certificate that:
(a) each digital signature affixed by means of the private key
corresponding to the public key listed in the certificate is a legally
valid signature of the subscriber, unless the certificate:
(i) is suspended;
(ii) is revoked by the certification authority; or
(iii) has expired;
(b) no unauthorized person has access to the private key
corresponding to the public key listed in the certificate;
(c) all representations made by the subscriber to the
certification authority which are material to information contained in
the certificate are true; and
(d) the information contained in the certificate is true.
(2) By requesting on behalf of a principal the issuance of a
certificate naming the principal as subscriber, a person certifies to
all who justifiably rely on the information contained in the
certificate that:
(a) the person holds all authority legally required for issuance
of a certificate naming the principal as subscriber; and
(b) the person has authority to sign digitally on behalf of the
principal, and, if that authority is limited in any way, safeguards
exist to prevent a digital signature exceeding the bounds of the
person's authority.
(3) A person may not disclaim or rebut the representations
implied in this section or obtain indemnity for them, if the effect of
the disclaimer or indemnity is to limit liability for wrongful
issuance of a certificate as against persons justifiably relying on
the certificate.
(4) (a) If a subscriber makes a false, material and written
representation of fact, or fails to disclose a material fact, with
either the intent to deceive the certification authority or a person
relying on the certificate, or with negligence, the subscriber, by
accepting a certificate, becomes obligated to indemnify the issuing
certification authority for any loss or damage caused by the
misrepresentation or negligence.
(b) If the certification authority issued the certificate at the
request of agents of the subscriber, both the agents and the
subscriber shall indemnify the certification authority in accordance
with this subsection.
(c) The indemnity provided in this subsection may not be
disclaimed or superseded by contract between the certification
authority and the subscriber.
(5) To obtain information required for issuance of a certificate,
the certification authority may require a subscriber to testify under
oath or an affirmation of truthfulness.
46-3-303 Control of the private key.
(1) By accepting a certificate issued by a licensed certification
authority, the subscriber identified in the certificate assumes a duty
to exercise reasonable care in retaining control of the private key
and keeping it confidential.
(2) A private key is the property of the subscriber who
rightfully holds it.
(3) (a) If a certification authority holds the private key
corresponding to a public key listed in a certificate which it issued,
it holds the private key as a fiduciary of the subscriber named in the
certificate, regardless of any provision to the contrary in a contract
between the subscriber and the certification authority.
(b) A certification authority holding the subscriber's private
key may use it only upon the prior written consent of the subscriber.
46-3-304 Duties of a licensed certification authority in issuing a certificate.
(1) (a) By issuing a certificate, a licensed certification
authority warrants to the subscriber named in the certificate that:
(i) the certificate contains no information known to the
certification authority to be false;
(ii) the certificate satisfies the requirements of this chapter
and does not exceed any limitations of the certification authority's
license; and
(iii) the certification authority has not exceeded any limitation
of its license in issuing the certificate.
(b) The warranties described in this subsection may not be
limited or disclaimed by contract.
(2) Unless the parties otherwise agree, a certification
authority, by issuing a certificate, promises to the subscriber:
(a) to notify the subscriber within a reasonable time of any
facts known to the certification authority which affect the validity
or reliability of the certificate once it is issued; and
(b) to act promptly to suspend or revoke a certificate in
accordance with Section 46-3-305.
(3) By issuing a certificate, a licensed certification authority
certifies to all who justifiably rely on the information contained in
the certificate that the certification authority has complied with all
applicable requirements for issuance of the certificate.
(4) By publishing a certificate, a licensed certification
authority certifies to the repository and to all who justifiably rely
on the information contained in the certificate that the certification
authority has issued the certificate to the subscriber.
46-3-305 Suspension of a certificate.
(1) (a) Unless the certification authority and the subscriber
otherwise agree, the licensed certification authority which issued a
certificate shall suspend the certificate for a period of 48 hours:
(i) upon request by a person identifying himself as:
(A) the subscriber named in the certificate;
(B) an agent of the subscriber;
(C) a business associate of the subscriber;
(D) an employee of the subscriber; or
(E) a member of the immediate family of the subscriber; or
(ii) upon order of the division pursuant to Subsection
46-3-301(6).
(b) The certification authority need not confirm the identity or
division of the person requesting suspension.
(2) (a) Unless the certificate or other records in the repository
indicate otherwise, the division, a court clerk, or a county clerk may
suspend a certificate issued by a licensed certification authority for
a period of 48 hours, if:
(i) a person identifying himself as the subscriber named in the
certificate, or as an agent, business associate, employee, or member
of the immediate family of the subscriber requests suspension; and
(ii) the requester represents that the certification authority
which issued the certificate is unavailable.
(b) The division or clerk may:
(i) require the requester to provide evidence of his identity,
authorization, and the unavailability of the issuing certification
authority;
(ii) inquire of the contents of the certificate and the secret
field described in Subsection 46-3-104(4); and
(iii) decline to suspend the certificate with or without cause.
(c) The division or law enforcement agencies may investigate
multiple suspensions by the division, court clerk, or county clerks
for possible wrongdoing.
(3) (a) Immediately upon suspension of a certificate, the
suspending certification authority, court clerk, or county clerk shall
publish signed notice of the suspension in all repositories in which
the certificate was published.
(b) If the repository described in Subsection (a) no longer
exists, or if the person suspending the certificate does not know all
the repositories in which the certificate was published, the
certification authority shall publish the notice of suspension in the
repository provided by the division.
(4) (a) A certification authority shall terminate the suspension
of a certificate that was suspended by request if:
(i) the subscriber named in the suspended certificate requests
that the suspension be terminated, and the certification authority
confirms the identity of the person making the request and, when the
requester is acting as agent, the agent's authorization by the
subscriber; or
(ii) the certification authority discovers and confirms that the
request for the suspension was made without authorization by the
subscriber.
(b) This subsection does not obligate the certification authority
to confirm a request for suspension.
(5) The contract between a subscriber and a licensed
certification authority may:
(a) limit or eliminate suspension by the certification authority
upon request; or
(b) provide for termination of a suspension or disclosure of
information about a suspension that varies from the requirements of
Subsections (1), (2), (4), and (5), except that if the contract varies
from the requirements of this section, the certificate must indicate
the differences for the contractual variation to be valid.
(6) (a) No person may knowingly or intentionally misrepresent to
a certification authority his identity, name, distinguished name, or
authorization when requesting suspension of a certificate.
(b) Violation of this subsection is a class B misdemeanor.
(7) The subscriber is released from the duty to keep the private
key secure pursuant to Section 46-3-303 during the period the
certificate is suspended.
46-3-306 Revocation of a certificate.
(1) (a) A licensed certification authority shall revoke a
certificate which it issued after receiving and confirming a request
for revocation by the subscriber named in the certificate in
accordance with Subsection (b).
(b) A licensed certification authority shall confirm a request
for revocation and revoke a certificate within one business day after:
(i) receiving a subscriber's written request accompanied by
evidence reasonably sufficient to confirm the request; and
(ii) receiving any required fee.
(2) A licensed certification authority shall revoke a certificate
which it issued upon receiving a certified copy of the subscriber's
death certificate or upon confirming by other evidence that the
subscriber is dead.
(3) (a) A licensed certification authority may revoke one or more
certificates which it issued if the certificates are or become
unreliable regardless of whether the subscriber consents to the
revocation.
(b) Unless the contract between the certification authority and
the subscriber provides otherwise, the certification authority shall
pay reasonable restitution to the subscriber and compensate the
subscriber for any interruption to the subscriber's business due to
the revocation of the certificate under the circumstances described in
Subsection (3)(a).
(4) (a) Immediately upon revocation of a certificate, the
revoking certification authority shall publish signed notice of the
revocation in all repositories in which the certification authority
published the certificate.
(b) If the repositories described in Subsection (a) no longer
exist, or if all are unrecognized repositories, the certification
authority shall publish the notice in the repository provided by the
division.
(5) A subscriber ceases to certify as provided in Section
46-3-302, and has no further duty to keep the private key secure as
required by Section 46-3-303 when either:
(a) notice of the revocation is published as required in
Subsection (4); or
(b) the certification authority is required to revoke under
Subsection (1).
(6) Upon publication as required by Subsection 46-3-305(3), a
licensed certification authority is:
(a) discharged of its warranties based on issuance of the revoked
certificate; and
(b) ceases to certify as provided in Subsection 46-3-304(2) and
(3) in relation to the revoked certificate.
46-3-307 Expiration of a certificate.
(1) (a) A certificate shall indicate the date on which it
expires.
(b) A certificate's expiration date may be no later than three
years after its issuance.
(2) When a certificate expires:
(a) the subscriber and certification authority cease as provided
in Sections 46-3-302 and 46-3-304; and
(b) the certification authority is discharged of its duties based
on issuance, in relation to the expired certificate.
46-3-308 Liability of a licensed certification authority.
(1) By specifying a recommended reliance limit in a certificate,
the issuing certification authority and accepting subscriber recommend
that persons rely on the certificate only in transactions in which the
total amount at risk does not exceed the recommended reliance limit.
(2) Except as designated in Subsection 46-3-201(5):
(a) a licensed certification authority is not liable for any loss
caused by a false or forged digital signature of a subscriber, if,
with respect to the false or forged digital signature, the
certification authority complied with the requirements of this
chapter;
(b) a licensed certification authority is not liable for a
misrepresentation in the certificate, or for error in issuing the
certificate in excess of the amount specified in the certificate as
the recommended reliance limit; and
(c) a licensed certification authority is not liable for punitive
or exemplary damages, except as provided in Section 46-3-204.
46-3-309 Collection based on suitable guaranty.
(1) (a) Notwithstanding any provision in the suitable guaranty to
the contrary:
(i) if the suitable guaranty is a surety bond, a person may
recover from the bond surety the full amount of a claim against the
bond principal or, if there is more than one such claim during the
term of the bond, a ratable share, up to a maximum total liability of
the surety equal to the face amount of the bond; or
(ii) if the suitable guaranty is a letter of credit, a person may
recover from the issuing financial institution a claim against the
customer named in the credit, or, if there is more than one claim
during the term of the letter of credit, a ratable share, up to a
maximum total liability of the issuer equal to the face amount of the
credit.
(b) Claimants may recover successively on the same suitable
guaranty, provided that the total liability on the guaranty to all
persons making claims during its term may not exceed the face amount
of the guaranty.
(2) In addition to the actual damages suffered by the claimant,
the claimant may recover from the proceeds of a suitable guaranty,
until depleted, reasonable attorney fees, and court costs incurred by
the claimant in collecting the claim.
(3) (a) A claim against a surety or issuer of a suitable guaranty
must be filed in writing with the division and the surety or issuer,
within one year after the claim arose.
(b) A claim must include a statement of the amount claimed and
the basis for the claim.
(c) An action or suit against the surety or issuer of the
suitable guaranty must be filed with the court within one year after
the claim is filed with the division.
(d) Except as prohibited by division rule, a suitable guaranty
may, by contract, alter the obligations under this subsection.