PART 5. State services and recognized repositories
Utah Code §§ 46-3-501 to 46-3-504
46-3-501 Division duties -- Rulemaking -- Fees.
46-3-502 Recognition of repositories.
46-3-503 Liability of repositories limited.
46-3-504 Exemptions.
46-3-501 Division duties -- Rulemaking -- Fees.
(1) (a) The division shall be a certification authority, and may
issue, suspend, and revoke certificates in the manner prescribed for
licensed certification authorities.
(b) The provisions of Part 4 apply to the division with respect
to the certificates it issues.
(2) The division shall provide for an on-line, publicly
accessible database as a repository containing:
(a) certificates published in the repository by licensed
certification authorities;
(b) all orders and advisory statements designated for publication
by the division;
(c) certification authority disclosure records for all currently
or formerly licensed certification authorities;
(d) notices of suspended or revoked certificates published by
licensed certification authorities;
(e) references to recognized repositories;
(f) information required to be kept by a recognized repository;
and
(g) other information as determined by division rule.
(3) In conjunction with the repository it provides, the division
shall make available a system for reliably time-stamping digital
signatures.
(4) The division may promulgate rules consistent with this
chapter in order to:
(a) govern licensed certification authorities and their
licensure;
(b) approve asymmetric cryptosystems for use in signing
certificates issued by licensed certification authorities; and
(c) maintain the database required by Section 46-3-203.
(5) The division's rules shall address at least the following:
(a) design and implementation requirements limiting the equipment
and software to fulfill the requirements of this chapter;
(b) validating that the hardware and software to be used are
limited to those determined to meet the design and implementation
requirements;
(c) suitability of algorithms for use in fulfilling the
requirements of this chapter;
(d) the form of suitable guarantees in accordance with Subsection
46-3-103(34);
(e) items included in certificates issued by licensed
certification authorities in accordance with Subsection 46-3-104(2);
(f) approval of persons authorized to audit licensed
certification authorities under Section 46-3-202;
(g) the contents of a certification authority disclosure record
required in Section 46-3-203;
(h) the termination of certification authority activities under
Section 46-3-206, including the form of notice and required
statements; and
(i) prohibitions against altering obligations under Subsection
46-3-309(3).
(6) The division may establish fees for the use of the repository
provided for in Subsection (2), for licensing certification
authorities, for publishing certificates and other records, and for
its other activities required by this chapter.
46-3-502 Recognition of repositories.
(1) The division shall recognize a repository kept by a licensed
certification authority, if the division concludes that:
(a) the repository includes a database of certificates
substantially similar in content and operation to the repository kept
by the division;
(b) the information in the repository appears to be true,
accurate, and reasonably reliable;
(c) the repository, its operator, and the certification
authorities issuing the certificates in the repository conform to
legally binding rules which the division finds to be substantially
similar to, or more stringent toward the certificate authorities than
those of Utah;
(d) the repository provides a time-stamping service which the
division finds to be reasonably trustworthy;
(e) the repository keeps an archive of suspended, revoked, or
expired certificates; and
(f) the repository has expressed in writing its intention to
continue acting as a repository for the foreseeable future and is able
to do so as indicated from its managerial and financial capabilities.
(2) A repository may apply to the division for recognition by
filing a written request and providing evidence to the division that
the conditions for recognition are satisfied.
(3) The division may withdraw or discontinue recognition of a
repository in accordance with the procedures for adjudicative
proceedings prescribed by Title 63, Chapter 46b, Administrative
Procedures Act, if it concludes that the repository no longer
satisfies the conditions for recognition listed in this section.
(4) The division shall publish in its repository the names,
addresses, and public keys of all recognized repositories.
46-3-503 Liability of repositories limited.
A recognized repository, the division in providing for a
repository, or the division's repository operator is not liable for
any loss arising from:
(1) misrepresentation in a certificate published by a licensed
certification authority;
(2) accurately recording or reporting information which a
licensed certification authority, a county or court clerk, or the
division has published as required by this chapter, including
information about suspension or revocation of a certificate;
(3) reporting information about a certification authority, a
certificate, or a subscriber, if the information is published as
required by this chapter or by division rule, or is published by order
of the division in the performance of its licensing and regulatory
duties under this chapter; and
(4) failure to record publication of a certificate, suspension,
or revocation, unless the repository has received notice of
publication and a commercially reasonable time of not more than one
business day has elapsed for processing of the publication.
46-3-504 Exemptions.
(1) The following governmental entity records are exempt from
Title 63, Chapter 2, Government Records Access and Management Act:
(a) records containing information that would disclose, or might
lead to the disclosure of private keys, asymmetric cryptosystems, or
algorithms; or
(b) records, the disclosure of which might jeopardize the
security of an issued certificate or a certificate to be issued.
(2) For purposes of this section, "record" has the meaning
described in Section 63-2-103.