
Comparison of Digital Signatures Legislation
Information Policy and Technology Series
by Anneliese May

Note: This is a 22-page document


June 1997



How Do Digital Signatures Work?

A digital signature is a number that is transmitted with an electronic message to identify the message's sender or recipient. Because the number provides authentication to a document, it has the same function as a written signature. Thus, the number is called a "digital signature" - but it is not a digitized handwritten signature.

A digital signature is created using a pair of mathematical values called a "key pair." Each "key" is merely a long sequence of 0s and 1s, or binary digits. A key may also be represented as an alphanumeric sequence that is much shorter than the binary sequence, yet still very long. A key pair consists of a "public key" and a "private key." The two keys are mathematically related, but one cannot be used to determine the other. Either key can, however, be used to scramble, or encrypt, a message. The other key in the pair is the only key that can be used to unscramble, or decrypt, the information.

For example, a computer user can create a key pair using widely available software. The key pair owner can then freely share his or her public key with others. Anyone wishing to communicate with the key pair owner uses the key pair owner's public key to encrypt a message and send it to the key pair owner. The recipient, the key pair owner, uses his or her private key to decrypt the message. Because only one private key will decrypt a message encrypted with the matching public key, the sender is assured that only the intended recipient may read the message.

Alternatively, digital signatures can be used to verify the sender of a message. In this example a computer user creates a message, encrypts it using his or her private key, and sends it to the recipient. The recipient uses the sender's public key to decrypt the message and is thus assured of the identity of the sender.

Digital signatures are also capable of ensuring that the encrypted message has not been modified from the time it is encrypted to the time it is decrypted. Any modification to the message would mean that the digital signature no longer matches it, so the check against the sender's public key would fail.

One potential problem of this scheme is the possibility of a third party using someone else's key. The third party has therefore assumed the identity of the other person for purposes of sending or receiving digitally signed messages. To avoid this problem, trusted entities may be used to verify the identity of the person disseminating the public key. These entities, called certification authorities, function like notaries public, certifying that the person signing a document is the actual person. Recipients of messages signed with a certified digital signature can then rely on the certification authority as the guarantor of the identity of the key pair owner. A few states, acknowledging the importance of certification authorities, have passed legislation to license them.
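The signing, tamper-detection and certification steps described above, shown as an added example that is not part of the original document. It uses textbook RSA over SHA-256 with fixed, publicly known Mersenne primes and no padding, so it is a teaching toy and not a secure construction; every function and variable name, and the sample parties "Alice" and the impostor, are assumptions made for illustration.

```python
"""Toy model of key-pair signing, tamper detection and a certification authority.

Standard library only. NOT secure: the primes are fixed, publicly known
Mersenne primes and the signature is unpadded textbook RSA.
"""
import hashlib
from typing import NamedTuple, Tuple

E = 65537  # conventional public exponent


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


class Certificate(NamedTuple):
    subject: str           # identity the certification authority vouches for
    public_key: PublicKey  # key bound to that identity
    ca_signature: int      # CA's signature over subject + public key


def make_keypair(p_exp: int, q_exp: int) -> Tuple[PublicKey, PrivateKey]:
    """Key pair from the Mersenne primes 2**p_exp - 1 and 2**q_exp - 1."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return PublicKey(n, E), PrivateKey(n, d)


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, key: PrivateKey) -> int:
    """The signature is a number computed from the message hash and the private key."""
    return pow(_digest(message), key.d, key.n)


def verify(message: bytes, signature: int, key: PublicKey) -> bool:
    """Anyone holding the public key can check the number against the message."""
    return pow(signature, key.e, key.n) == _digest(message)


def _cert_body(subject: str, public_key: PublicKey) -> bytes:
    return f"{subject}|{public_key.n:x}|{public_key.e:x}".encode()


def issue_certificate(subject: str, public_key: PublicKey,
                      ca_private: PrivateKey) -> Certificate:
    """The CA signs the binding between an identity and a public key."""
    return Certificate(subject, public_key,
                       sign(_cert_body(subject, public_key), ca_private))


def accept_message(message: bytes, signature: int, cert: Certificate,
                   expected_subject: str, ca_public: PublicKey) -> bool:
    """Relying party: check the CA's certificate first, then the signature."""
    cert_ok = (cert.subject == expected_subject and
               verify(_cert_body(cert.subject, cert.public_key),
                      cert.ca_signature, ca_public))
    return cert_ok and verify(message, signature, cert.public_key)


def demo() -> dict:
    # Constructed sample parties and message.
    ca_pub, ca_priv = make_keypair(1279, 2203)
    alice_pub, alice_priv = make_keypair(521, 607)
    imp_pub, imp_priv = make_keypair(607, 1279)   # third party posing as Alice

    message = b"I agree to the terms of contract 17."
    sig = sign(message, alice_priv)
    alice_cert = issue_certificate("Alice", alice_pub, ca_priv)

    # The impostor cannot obtain the CA's signature, so signs the cert itself.
    forged_cert = issue_certificate("Alice", imp_pub, imp_priv)
    forged_sig = sign(message, imp_priv)

    return {
        "genuine": accept_message(message, sig, alice_cert, "Alice", ca_pub),
        "altered_message": accept_message(message + b" Plus 10%.", sig,
                                          alice_cert, "Alice", ca_pub),
        # Without a CA, the impostor's signature checks out against the
        # impostor's own key, which is the problem certification addresses.
        "impostor_without_ca": verify(message, forged_sig, imp_pub),
        "impostor_with_ca_check": accept_message(message, forged_sig,
                                                 forged_cert, "Alice", ca_pub),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```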

In addition to digital signatures using key pair encryption, as described above, there are electronic signatures that make use of other technologies. For instance, a digitized rendition of an inked signature or a biometric "signature" such as a digitized fingerprint are considered electronic signatures. A handful of states have recognized these alternatives to digital signatures when drafting legislation.



About this Comparison

This document is a comparison of digital and electronic signature laws. Only legislation that attempts to regulate digital and electronic signatures in a general manner is addressed. The legislation compared in this document is of a broad general nature, focusing on electronic commerce. Note that many states have passed much more limited legislation that applies only to digital or electronic signatures used in specific circumstances; this comparison does not address legislation of this type.

The comparison provides a limited summary of selected general digital and electronic signature provisions from six states and the ABA Information Security Committee's Digital Signature Guidelines. Not all provisions from each state or the guidelines are included, nor are all the elements of each provision. The comparison is intended to be a helpful general reference and guide to similarities and differences in digital and electronic signature legislation. For each provision, similar language and treatments among the states and the guidelines are emphasized. Certain differences among the states are also noted by the use of italics. However, these variances are not all-inclusive; the legislation may differ in other ways, which are not noted. Because a detailed analysis was not attempted, this comparison should be used as a reference tool and discussion guide only.



How to Use the Comparison

The states' legislation may be divided into three general categories:

  1. The legislation in the first category is much more detailed than that of the other groups. The two states in this category, Utah and Washington, have enacted comprehensive laws. Utah and Washington focus on one particular type of signature technology and establish provisions for certifying, validating and relying on digital signatures. The ABA Guidelines are also considered part of this category.
  2. The second category of legislation is less comprehensive than the legislation in the first category. Arizona, California, Mississippi, New Mexico and Virginia have enacted general legislation to regulate digital signatures. The legislation in this group differs greatly from state to state.
  3. The third category consists of legislation concerning electronic signatures. This category includes Florida and Georgia. These states do not focus on one particular type of technology; they include digital signatures as one of many possibilities for electronic signatures.

Each provision from each state is named and is followed by a summary of each state's and the ABA's treatment of the provision. Because Utah and Washington often use similar language, their summaries are also similar. Differences in the summary language between these two states are highlighted by italics.



Citations of Enacted Legislation

Category One - Comprehensive regulation of digital signatures

Utah

Utah Code Ann. §46-3-101 to §46-3-503 (1996).

Washington

Wash. Rev. Code §19.34.010 to §19.34.410 (1996), and WA S.B. 5308, 55th Legis., 1997 Reg. Sess. (1997).

ABA

Digital Signature Guidelines, Information Security Committee (1996).

Category Two - Regulation of digital signatures

Arizona

Ariz. Rev. Stat. Ann. §41-121(13) (1996).

California

Cal. Gov't Code §16.5 (1995).

New Mexico

N.M. Stat. Ann. §14-15-1 to §14-15-6 (1996).

Mississippi

MS H.B. 752, 1997 Reg. Sess. (1997).

Virginia

VA S.B. 923, 1997 Reg. Sess. (1997).

Category Three - Regulation of electronic signatures

Florida

Fla. Stat. §282.70 to §282.75 (1996 Supp.).

Georgia

GA S.B. 103, 1997 Reg. Sess. (1997).



Selected Provisions

Statutory Construction/Legislative Intent

Category One - Comprehensive regulation of digital signatures

Utah

Statutory construction should be consistent with what is commercially reasonable under the circumstances and should effect: (1) the facilitation of reliable electronic commerce, (2) the minimization of fraud in electronic commerce, (3) the legal implementation of relevant standards, such as those of the International Telecommunication Union and (4) the establishment of uniform rules regarding the reliability of electronic messages in coordination with other states.

Washington

Statutory construction should be consistent with what is commercially reasonable under the circumstances and should effect: (1) the facilitation of reliable electronic commerce, (2) the minimization of fraud in electronic commerce, (3) the legal implementation of relevant standards, such as those of the International Telecommunication Union and (4) the establishment of uniform rules regarding the reliability of electronic messages in coordination with other states.

ABA

The guidelines should be interpreted consistently with what is commercially reasonable under the circumstances.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

New Mexico

The purposes of the legislation are: (1) to provide a centralized, public, electronic registry for authenticating electronic documents by means of a public and private key system, (2) to promote commerce and (3) to facilitate electronic information and document transactions.

Mississippi

Legislative intent is: (1) to facilitate economic development and efficient delivery of government services through electronic messages, (2) to foster the development of electronic commerce, (3) to assure authenticity and integrity of writings in any electronic medium, (4) to enhance public confidence in the use of digital signatures and (5) to minimize the incidence of forged digital signatures and fraud in electronic commerce.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

Legislative intent includes: (1) the facilitation of economic development and government efficiency, (2) the enhancement of public confidence in electronic messages, (3) the minimization of fraud in electronic commerce, (4) the development of electronic commerce and the integrity of electronic messages and (5) the accountability and oversight of agency-conducted electronic commerce.

Georgia

The act shall be construed to promote the development of electronic government and electronic commerce.



Licensing of Certification Authorities

Category One - Comprehensive regulation of digital signatures

Utah

A certification authority shall fulfill the following requirements to obtain a license: the authority shall (1) be the subscriber of a certificate published in a recognized repository, (2) not employ personnel who have been convicted of a felony or crime involving fraud, false statement, or deception, (3) employ only those who have knowledge and proficiency in following the requirements of the statute, (4) file with the division a suitable guaranty, (5) have the right to use a trustworthy system and ensure the security of its private key, (6) have enough working capital to conduct business as a certification authority, (7) maintain an office or an agent for service of process in Utah, (8) comply with all other licensing requirements that may be established, (9) apply in writing for the license and (10) pay the filing fee. Licenses may be issued with limitations; the certification authority acts as an unlicensed authority when it issues certificates that exceed the limits of the license. Licenses may be revoked or suspended for failure to comply with the statute or for failure to remain qualified as detailed above. The division's actions under this subsection are subject to the state's Administrative Procedures Act. Certification authorities licensed by other states may be recognized if the licensing requirements are substantially similar to those of Utah. Unless the parties contract otherwise, these licensing requirements do not affect the effectiveness, enforceability, or validity of a digital signature.

Washington

A certification authority must fulfill the following requirements to obtain a license: the authority must (1) be the subscriber of a certificate published in a recognized repository, (2) not employ personnel who have been convicted within the past fifteen years of a felony or have ever been convicted of a crime involving fraud, false statement, or deception, (3) employ only those who have knowledge and proficiency in following the requirements of the statute, (4) file with the secretary a suitable guaranty, (5) use a trustworthy system and ensure the security of its private key, (6) have enough working capital to conduct business as a certification authority, (7) maintain an office or an agent for service of process in Washington, (8) comply with all other licensing requirements that may be established, (9) apply in writing for the license and (10) pay the filing fee. Licenses may be issued with limitations; the liability limits of this act do not apply to a certificate issued by a certification authority that exceeds the restrictions of the certification authority's license. Licenses may be revoked or suspended for failure to comply with the statute or for failure to remain qualified as detailed above. Certification authorities licensed by other states may be recognized if the licensing requirements are substantially similar to those of Washington. Unless the parties contract otherwise, these licensing requirements do not affect the effectiveness, enforceability, or validity of a digital signature. A certification authority that has not obtained a license is not subject to the provisions of the statute except as specifically provided.

ABA

No licensing requirements specified. The guidelines, however, do require certification authorities to use trustworthy systems, to have sufficient financial resources to maintain their duties and to bear the risk of liability of subscribers and others relying on the digital signatures listed in the certificates, to formulate and follow personnel practices assuring the trustworthy system, and to document and retain all material facts pertaining to the issuance, suspension, or revocation of certificates.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

The secretary of state shall license private certification authorities once they have shown: (1) that they possess proficiency in encryption technology, (2) that they possess working capital and (3) that they maintain an office in the state or have established a registered agent for process in the state.

New Mexico

None specified.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

Requires the secretary of state to study whether it is in the public interest for the secretary to license, certify, or register certification authorities in the state. The secretary shall report the findings and recommendations of the study to the Joint Legislative Committee on Information Technology Resources by Dec. 1, 1996.

Georgia

None specified.



Regulation of Licensed Certification Authorities

Category One - Comprehensive regulation of digital signatures

Utah

The division may revoke or suspend a certification authority's license for failing to comply with the license requirements. Each licensed certification authority shall be audited annually by a certified public accountant having expertise in computer security to evaluate compliance with the act. Results of the audit shall be published. (There are exceptions to the audit requirement.) The division may investigate the activities of a licensed certification authority and issue orders to ensure compliance with the act. All certification authorities, licensed or not, shall not conduct their business in a manner that creates an unreasonable risk of loss to subscribers, to persons relying on the certificates, and/or to repositories. Penalties for non-compliance are specified.

Washington

Licenses expire one year after issuance, unless the secretary provides by rule for a longer duration. The secretary may revoke or suspend a certification authority's license for failing to comply with the license requirements. Each licensed certification authority shall be audited annually. Results of the audit shall be published. (There are exceptions to the audit requirement.) The commission may investigate the activities of a licensed certification authority and issue orders to ensure compliance with the act. All certification authorities, licensed or not, shall not conduct their business in a manner that creates an unreasonable risk of loss to subscribers, to persons relying on the certificates, and/or to repositories. Penalties for non-compliance are specified.

ABA

None specified.

Category Two - Regulation of digital signatures

Arizona

Although there are no specifications for certification authorities, the secretary of state shall adopt rules to implement the use and acceptance of digital signatures by state agencies.

California

Although there are no specifications for certification authorities, the secretary of state shall adopt regulations for the use and acceptance of digital signatures. Initial regulations are to be adopted no later than Jan. 1, 1997.

Mississippi

The secretary of state shall have the authority to revoke any license granted under the terms of the act upon notice and a show of good cause.

New Mexico

The secretary of state shall adopt regulations to accomplish the purposes of the act. The regulations shall address the registration of public keys, the revocation of public keys and reasonable public access to public keys maintained by the office of electronic documentation. The regulations may address the circumstances under which the office may reject an application for registration of a public key, the circumstances under which the office may cancel the listing of a public key and the circumstances under which the office may reject an attempt to revoke registration of a public key.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

Although there are no specifications for certification authorities, the secretary of state shall have the authority to issue certificates, and to take other actions as necessary to achieve the purposes of the act. The secretary must also study these issues and report findings to the Joint Legislative Committee on Information Technology Resources by Dec. 1, 1996.

Georgia

None specified.



General Requirements for Certification Authorities and Subscribers

Category One - Comprehensive regulation of digital signatures

Utah

Licensed certification authorities and subscribers shall use only a trustworthy system to: (1) issue, suspend, or revoke a certificate, (2) publish or give notice of the issuance, suspension, or revocation of a certificate and (3) create a public key. A licensed certification authority must disclose any material facts bearing on the reliability of a certificate it has issued. The authority may require a signed, written and specific inquiry along with a reasonable fee before disclosure.

Washington

Licensed certification authorities and subscribers shall use only a trustworthy system to: (1) issue, suspend, or revoke a certificate, (2) publish or give notice of the issuance, suspension, or revocation of a certificate and (3) create a public key. A licensed certification authority must disclose any material facts bearing on the reliability of a certificate it has issued. The authority may require a signed, written and specific inquiry along with a reasonable fee before disclosure.

ABA

The certification authority must use trustworthy systems in performing its services. A certification authority must disclose any material facts bearing on the reliability of a certificate it has issued. The authority may require a signed, written and specific inquiry along with a reasonable fee before disclosure. In the event of an occurrence that materially affects a certification authority's trustworthy system, the authority must notify any persons known to be or foreseeably affected by that occurrence.

Category Two - Regulation of digital signatures

Arizona

The secretary of state shall approve for use by all other state agencies, and accept, digital signatures for documents filed with the office of the secretary of state.

California

None specified.

Mississippi

The secretary of state shall serve as the certification authority to verify the digital signature of any public entity. The secretary of state shall license private certification authorities once they have shown: (1) that they possess proficiency in encryption technology, (2) that they possess working capital and (3) that they maintain an office in the state or have established a registered agent for process in the state.

New Mexico

The act established an office of electronic documentation under the secretary of state. The office shall maintain a register of public keys and shall register public keys for public officials, persons who wish to transact business with the state and any other person when registration will promote the purposes of the act.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

The secretary of state shall have the authority to issue certificates for the purpose of verifying digital signatures. The secretary may impose a reasonable fee to cover the expenses associated with administering this function.

Georgia

None specified.



Issuing a Certificate

Category One - Comprehensive regulation of digital signatures

Utah

Requests for certificates must be received in writing. The certification authority must verify the following before issuing the certificate: (1) the prospective subscriber is the person to be listed in the certificate, (2) if the subscriber is acting through an agent, the agent has the authority to have custody of the subscriber's private key and to request a certificate listing the corresponding public key, (3) all information in the certificate is accurate after due diligence, (4) the prospective subscriber rightfully holds the private key corresponding to the public key in the certificate, (5) the private key is capable of creating a digital signature and (6) the public key in the certificate can be used to verify a digital signature. If the subscriber accepts the certificate, the certification authority shall publish a signed copy of the certificate in a recognized repository. These requirements shall not be waived or disclaimed. Once a certificate has been issued, the certification authority shall revoke a certificate immediately if the above requirements were not met. The certification authority may suspend a certificate for no longer than 48 hours in order to investigate a possible revocation. The division may order revocation or suspension of a certificate if it determines that the above requirements were not met and that there is a significant risk to persons relying on the certificate. Notice of revocation or suspension shall be given to the subscriber.

Washington

Requests for certificates must be received in writing. The certification authority must verify the following before issuing the certificate: (1) the prospective subscriber is the person to be listed in the certificate, (2) if the subscriber is acting through an agent, the agent has the authority to have custody of the subscriber's private key and to request a certificate listing the corresponding public key, (3) all information in the certificate is accurate, (4) the prospective subscriber rightfully holds the private key corresponding to the public key in the certificate, (5) the private key is capable of creating a digital signature, (6) the public key in the certificate can be used to verify a digital signature and (7) the certificate specifies the location of one or more repositories in which notification of suspension or revocation of the certificate would be listed. If the subscriber accepts the certificate, the certification authority shall publish a signed copy of the certificate in a recognized repository. These requirements shall not be waived or disclaimed. Once a certificate has been issued, the certification authority shall revoke a certificate immediately if the above requirements were not met. The certification authority may suspend a certificate for no longer than 96 hours in order to investigate a possible revocation. The commission may order revocation or suspension of a certificate if it determines that the above requirements were not met and that there is a significant risk to persons relying on the certificate. Notice of revocation or suspension shall be given to the subscriber.

ABA

By issuing a certificate, the certification authority represents to any person relying on the certificate that the authority has confirmed that: (1) the certification authority has complied with all requirements in the guidelines and that the subscriber has accepted the certificate, (2) the subscriber holds the private key corresponding to the public key in the certificate, (3) if the subscriber is acting through agents, that the agents have authority to accept the certificate for the subscriber, (4) the subscriber's private and public keys are a functioning key pair, (5) all information in the certificate is accurate, unless noted otherwise and (6) there are no known material facts omitted from the certificate which would adversely affect its reliability. The authority must suspend or revoke a certificate if it confirms that a material fact in the certificate is false, any of the above requirements were not met, or the trustworthy system was compromised so as to make the certificate unreliable. Notice of revocation or suspension must be given to the subscriber, and upon request, to a relying party.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

None specified.

New Mexico

None specified.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

The secretary of state shall have the authority to issue certificates for the purpose of verifying digital signatures. The secretary may also suspend or revoke certificates.

Georgia

None specified.



Reliability of the Certificate/Digital Signature

Category One - Comprehensive regulation of digital signatures

Utah

By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate all of the following: (1) the certificate contains no information known to be false to the authority, (2) all requirements of the statute have been met and (3) the certification authority has not exceeded the limits of its license in issuing the certificate. These warranties may not be disclaimed or limited. By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the certificate all of the following: (1) all information in the certificate is accurate, (2) all foreseeable information material to the reliability of the certificate is contained in the certificate, (3) the subscriber has accepted the certificate and (4) the authority has complied with all applicable laws of the state. By publishing a certificate, a licensed certification authority certifies to the repository and to all relying parties that the certificate has been issued to the subscriber.

Washington

By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate all of the following: (1) the certificate contains no information known to be false to the authority, (2) all requirements of the statute have been met and (3) the certification authority has not exceeded the limits of its license in issuing the certificate. These warranties may not be disclaimed or limited. By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the certificate or on a digital signature verifiable by the public key listed in the certificate, all of the following: (1) all information in the certificate is accurate, (2) all foreseeable information material to the reliability of the certificate is contained in the certificate, (3) the subscriber has accepted the certificate and (4) the authority has complied with all applicable laws of the state. By publishing a certificate, a licensed certification authority certifies to the repository and to all relying parties that the certificate has been issued to the subscriber.

ABA

A certification authority that complies with these guidelines and any applicable law or contract is not liable for any loss which: (1) is incurred by the subscriber or any other person or (2) is caused by reliance upon a certificate, a digital signature verifiable by the public key in a certificate, or information in a certificate or repository. Unless otherwise provided by law or contract, a relying party assumes the risk that a digital signature is invalid, or the reliance is not reasonable. Reasonable reliance includes the following factors: (1) facts which the relying party knows or of which it has notice, including all facts contained in the certificate, (2) the value or importance of the digitally signed message, (3) the course of dealing between the relying person and the subscriber and (4) the usage of trade.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

The use of a digital signature shall have the same force and effect of a manual signature if and only if it: (1) is unique to the person using it, (2) is capable of verification, (3) is under the sole control of the person using it, (4) is linked to the data in such a manner that if the data are changed, the digital signature is invalidated and (5) it conforms to the regulations adopted by the secretary of state.

Mississippi

A digital signature which has been verified by a licensed certification authority may be used to sign a writing and shall have the same force and effect as a written signature.

New Mexico

None specified.

Virginia

Where law requires a signature or provides for certain consequences in the absence of a signature, that law is satisfied by a digital signature. Each public entity may receive digital signatures in lieu of manual signatures.

Category Three - Regulation of electronic signatures

Florida

Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature. The head of each agency shall be responsible for adopting and implementing control processes and procedures to ensure adequate integrity, security, confidentiality, and auditability of business transactions conducted using electronic commerce.

Georgia

Where a person or other entity accepts or agrees to be bound by an electronic record executed or adopted with an electronic signature, then any rule of law which requires a record of that type to be in writing is satisfied and any rule of law which requires a signature is satisfied.



Acceptance of a Certificate

Category One - Comprehensive regulation of digital signatures

Utah

By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that: (1) the subscriber rightfully holds the private key corresponding to the public key in the certificate, (2) all representations made by the subscriber to the authority and material to the certificate are true and (3) all material representations made by the subscriber to a certification authority or made in the certificate and not confirmed by the authority are true. An agent, requesting on behalf of the subscriber that a certificate be issued, certifies the following: (1) the agent holds all authority legally required to apply for issuance of a certificate naming the subscriber and (2) the agent has the authority to sign digitally on behalf of the subscriber. By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for loss or damage caused by issuance or publication of the certificate in reliance on the subscriber. If the certificate was issued at the request of an agent, the agent personally undertakes to indemnify the certification authority. By accepting a certificate, a subscriber assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to unauthorized persons.

Washington

By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that: (1) the subscriber rightfully holds the private key corresponding to the public key in the certificate, (2) all representations made by the subscriber to the authority and material to the certificate are true and (3) all material representations made by the subscriber to a certification authority or made in the certificate and not confirmed by the authority are true. An agent, requesting on behalf of the subscriber that a certificate be issued, certifies the following: (1) the agent holds all authority legally required to apply for issuance of a certificate naming the subscriber and (2) the agent has the authority to sign digitally on behalf of the subscriber. By accepting a certificate, a subscriber undertakes to indemnify the issuing certification authority for loss or damage caused by issuance or publication of the certificate in reliance on the subscriber. If the certificate was issued at the request of an agent, the agent personally undertakes to indemnify the certification authority. By accepting a certificate, a subscriber assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to unauthorized persons. The subscriber is released from this duty if the certificate expires or is revoked.

ABA

A subscriber has the obligation to make only material representations to the certification authority which are accurate to the best of the subscriber's knowledge and belief. The subscriber shall not compromise the private key corresponding to the public key listed in a certificate during the operational period of the valid certificate, or during any period of suspension.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

None specified.

New Mexico

None specified.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

None specified.

Georgia

None specified.



Suspension of a Certificate

Category One - Comprehensive regulation of digital signatures

Utah

A licensed certification authority shall suspend a certificate for a period not exceeding 48 hours if one or both of the following occur: (1) upon request of the subscriber, agent or other person in a position likely to know of a compromise in the security of the subscriber's private key or (2) by order of the division. The division, a court clerk or a county clerk may, in his or her discretion, also suspend the certificate upon request if the certification authority is unavailable. Upon suspension, notice shall be published in any repository specified in the certificate. Suspension initiated by request shall be terminated under one or both of the following conditions: (1) the subscriber requests termination of the suspension and the certification authority confirms that the person requesting the termination is authorized to do so or (2) when the certification authority discovers and confirms that the request for suspension was made without authorization by the subscriber. A person may not knowingly or intentionally misrepresent to a certification authority his or her identity or authorization in requesting suspension of a certificate.

Washington

A licensed certification authority shall suspend a certificate for a period not exceeding 96 hours if one or both of the following occur: (1) upon request of the subscriber, a person authorized to act for that subscriber, or a person acting on behalf of an unavailable subscriber, or (2) by order of the secretary. The secretary may, in his or her discretion, also suspend the certificate upon request if the certification authority is unavailable. Upon suspension, notice shall be published in any repository specified in the certificate. Suspension initiated by request shall be terminated under one or both of the following conditions: (1) the subscriber requests termination of the suspension and the certification authority confirms that the person requesting the termination is authorized to do so or (2) when the certification authority discovers and confirms that the request for suspension was made without authorization by the subscriber. A person may not knowingly or intentionally misrepresent to a certification authority his or her identity or authorization in requesting suspension of a certificate.

ABA

A certification authority must suspend a certificate as soon as possible after a request by a person whom the certification authority reasonably believes to be (1) the subscriber listed in the certificate, (2) a person duly authorized to act for the subscriber or (3) a person acting on behalf of the subscriber, who is unavailable. A subscriber who has accepted a certificate must request the suspension of the certificate if the private key corresponding to the public key listed in the certificate has been compromised. A certification authority must suspend or revoke a certificate regardless of whether the subscriber consents, if the certification authority confirms that (1) a material fact represented in the certificate is false, (2) a material prerequisite to issuance of the certificate was not satisfied or (3) the certification authority's private key or trustworthy system was compromised in a manner materially affecting the certificate's reliability. Promptly upon suspending a certificate, a certification authority must publish notice, promptly notify the subscriber, and otherwise disclose the suspension on inquiry by a relying party.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

The secretary of state shall have the authority to revoke any license granted under the terms of the act upon notice and a show of good cause.

New Mexico

The secretary of state shall adopt regulations to accomplish the purposes of the act. The regulations shall address the registration of public keys, the revocation of public keys and reasonable public access to public keys maintained by the office of electronic documentation. The regulations may address the circumstances under which the office may reject an application for registration of a public key, the circumstances under which the office may cancel the listing of a public key and the circumstances under which the office may reject an attempt to revoke registration of a public key.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

The secretary of state may suspend or revoke certificates which the secretary has issued.

Georgia

None specified.



Revocation of a Certificate

Category One - Comprehensive regulation of digital signatures

Utah

A licensed certification authority shall revoke a certificate that it issued after both of the following occur: (1) receiving a request for revocation by the subscriber listed in the certificate and (2) confirming that the person requesting the revocation is the subscriber, or is an agent of the subscriber with authority to request a revocation. The confirmation and revocation should occur within one business day after receiving both a subscriber's written request and evidence sufficient to confirm the identity and agency of the requester. A licensed certification authority shall revoke a certificate that it issued if one or both of the following occur: (1) confirming by death certificate or other evidence that the subscriber is dead or (2) confirming by documents effecting a dissolution of the subscriber or other evidence that the subscriber has been dissolved or ceased to exist. A licensed certification authority may also revoke certificates if they are or become unreliable, regardless of whether the subscriber consents. Immediately upon revocation, the certification authority shall publish notice in any repository specified in the certificate. A subscriber ceases to accept the certificate and has no further duty to keep the private key secure, beginning with the earlier of either: (1) published notice or (2) two business days after requesting the revocation in writing and supplying information reasonably sufficient to confirm the request. Upon published notification, a certification authority is discharged of its warranties and certified information in relation to the revoked certificate.

Washington

A licensed certification authority shall revoke a certificate that it issued after both of the following occur: (1) receiving a request for revocation by the subscriber listed in the certificate and (2) confirming that the person requesting the revocation is the subscriber, or is an agent of the subscriber with authority to request a revocation. The confirmation and revocation should occur within one business day after receiving both a subscriber's written request and evidence sufficient to confirm the identity and agency of the requester. A licensed certification authority shall revoke a certificate that it issued if one or both of the following occur: (1) confirming by death certificate or other evidence that the subscriber is dead or (2) confirming by documents effecting a dissolution of the subscriber or other evidence that the subscriber has been dissolved or ceased to exist. A licensed certification authority may also revoke certificates if they are or become unreliable, regardless of whether the subscriber consents. Immediately upon revocation, the certification authority shall publish notice in any repository specified in the certificate. A subscriber ceases to accept the certificate and has no further duty to keep the private key secure, beginning with the earlier of either: (1) published notice or (2) one business day after requesting the revocation in writing, and supplying information reasonably sufficient to confirm the request. Upon notification, a certification authority is discharged of its warranties and certified information in relation to the revoked certificate.

ABA

A certification authority must revoke a certificate it has issued at the request of the subscriber listed in it, if the certification authority has confirmed: (1) that the person requesting the revocation is the subscriber or (2) if the requester is an agent, that the requester has sufficient authority to effect revocation. A subscriber who has accepted a certificate must request the revocation of the certificate if the private key corresponding to the public key listed in the certificate has been compromised. A certification authority must suspend or revoke a certificate regardless of whether the subscriber consents, if the certification authority confirms that (1) a material fact represented in the certificate is false, (2) a material prerequisite to issuance of the certificate was not satisfied or (3) the certification authority's private key or trustworthy system was compromised in a manner materially affecting the certificate's reliability. Promptly upon revoking a certificate, a certification authority must publish notice, promptly notify the subscriber, and otherwise disclose the suspension on inquiry by a relying party.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

The secretary of state shall have the authority to revoke any license granted under the terms of the act upon notice and a show of good cause.

New Mexico

The secretary of state shall adopt regulations to accomplish the purposes of the act. The regulations shall address the registration of public keys, the revocation of public keys and reasonable public access to public keys maintained by the office of electronic documentation. The regulations may address the circumstances under which the office may reject an application for registration of a public key, the circumstances under which the office may cancel the listing of a public key and the circumstances under which the office may reject an attempt to revoke registration of a public key.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

The secretary of state may revoke certificates issued by the secretary.

Georgia

None specified.



Expiration of Certificates

Category One - Comprehensive regulation of digital signatures

Utah

A certificate shall indicate the date on which it expires. When the certificate expires, the subscriber and certification authority cease to certify the information in the certificate and the certification authority is discharged of its duties based on the issuance of the certificate.

Washington

A certificate shall indicate the date on which it expires. When the certificate expires, the subscriber and certification authority cease to certify the information in the certificate and the certification authority is discharged of its duties based on the issuance of the certificate.

ABA

None specified.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

None specified.

New Mexico

None specified.

Virginia

None specified.

Category Three - Regulation of electronic signatures

Florida

None specified.

Georgia

None specified.



Signature Requirements

Category One - Comprehensive regulation of digital signatures

Utah

If a rule of law requires a signature, that rule is satisfied by a digital signature if: (1) it is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority, (2) it was affixed by the signer with the intention of signing the message and (3) the recipient has no knowledge or notice that the signer either breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature. Nothing in this act precludes a symbol from being valid as a signature under other applicable law, including the Uniform Commercial Code.

Washington

If a rule of law requires a signature, that rule is satisfied by a digital signature if: (1) the digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority, (3) it was affixed by the signer with the intention of signing the message and (4) the recipient has no knowledge or notice that the signer either breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature. Nothing in this act: (1) precludes a symbol from being valid as a signature under other applicable law, (2) obligates a recipient to accept a digital signature or (3) precludes the recipient from establishing the conditions under which he or she will accept a digital signature.

ABA

Where a rule of law requires a signature, that rule is satisfied by a digital signature which is: (1) affixed by the signer with the intention of signing the message and (2) verified by reference to the public key listed in a valid certificate.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

The use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it embodies all of the following attributes: (1) it is unique to the person using it, (2) it is capable of verification, (3) it is under the sole control of the person using it, (4) it is linked to data in such a manner that if the data are changed, the digital signature is invalidated and (5) it conforms to regulations adopted by the secretary of state.

Mississippi

A digital signature which has been verified by a licensed certification authority may be used to sign a writing and shall have the same force and effect as a written signature.

New Mexico

None specified.

Virginia

Where law requires a signature or provides for certain consequences in the absence of a signature, that law is satisfied by a digital signature. Each public entity may receive digital signatures in lieu of manual signatures.

Category Three - Regulation of electronic signatures

Florida

None specified.

Georgia

Where a person or other entity accepts or agrees to be bound by an electronic record executed or adopted with an electronic signature, then any rule of law which requires a record of that type to be in writing is satisfied and any rule of law which requires a signature is satisfied.



Unreliable Digital Signatures

Category One - Comprehensive regulation of digital signatures

Utah

Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances. If the recipient determines not to rely on the signature, the recipient shall promptly notify the signer of its determination.

Washington

Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.

ABA

Unless otherwise provided by law or contract, a relying party assumes the risk that a digital signature is invalid, if reliance on the signature is not reasonable under the circumstances in accordance with the following factors, among others: (1) facts which the relying party knows of or has notice of, (2) the value or importance of the digitally signed message, (3) the course of dealing between the relying person and the subscriber, and the available indicia of reliability or unreliability and (4) the usage of trade.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

None specified.

New Mexico

None specified.

Virginia

In assessing whether a digital signature was executed or adopted with respect to a record by a particular person, the trier of fact may consider any relevant information or circumstances, including whether the digital signature is unique to the signer, is capable of verification, is under the signer's sole control, is linked to the record in such a manner that if the data is changed the signature is invalidated and whether the method used to create the signature was appropriately reliable for the purpose for which the digital signature was used.

Category Three - Regulation of electronic signatures

Florida

None specified.

Georgia

A person whose electronic signature is used in an unauthorized fashion may recover or obtain any or all of the following against the person who engaged in such unauthorized use, provided that the use of such electronic signature in an unauthorized fashion was negligent, reckless, or intentional: (1) actual damages, (2) equitable relief, including, but not limited to, an injunction or restitution of money or property, (3) punitive damages, (4) reasonable attorneys' fees and (5) any other relief the court deems proper.



Digitally Signed Document is Written

Category One - Comprehensive regulation of digital signatures

Utah

A message is valid, enforceable, and effective as if it had been written on paper, if: (1) it bears in its entirety a digital signature and (2) it is verified by the public key listed in a certificate which: (a) was issued by a licensed certification authority and (b) was valid at the time the signature was created. A copy of a digitally signed message is as effective, valid and enforceable as the original of the message, unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, effective and enforceable message.

Washington

A message is valid, enforceable, and effective as if it had been written on paper, if: (1) it bears in its entirety a digital signature and (2) it is verified by the public key listed in a certificate which: (a) was issued by a licensed certification authority and (b) was valid at the time the signature was created. Nothing in this act shall be construed to eliminate, modify or condition any other requirements for a contract to be valid, enforceable and effective. A copy of a digitally signed message is as effective, valid and enforceable as the original of the message, unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, effective and enforceable message.

ABA

A message bearing a digital signature verified by the public key listed in a valid certificate is as valid, effective and enforceable as if the message had been written on paper.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

The use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it embodies all of the following attributes: (1) it is unique to the person using it, (2) it is capable of verification, (3) it is under the sole control of the person using it, (4) it is linked to data in such a manner that if the data are changed, the digital signature is invalidated, and (5) it conforms to regulations adopted by the secretary of state.

Mississippi

A digital signature which has been verified by a licensed certification authority may be used to sign a writing and shall have the same force and effect as a written signature.

New Mexico

None specified.

Virginia

Where law requires a signature or provides for certain consequences in the absence of a signature, that law is satisfied by a digital signature. Each public entity may receive digital signatures in lieu of manual signatures.

Category Three - Regulation of electronic signatures

Florida

Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature.

Georgia

Where a person or other entity accepts or agrees to be bound by an electronic record executed or adopted with an electronic signature, then any rule of law which requires a record of that type to be in writing is satisfied and any rule of law which requires a signature is satisfied.



Presumptions in Adjudicating Disputes

Category One - Comprehensive regulation of digital signatures

Utah

In adjudicating a dispute involving a digital signature, a court of this state shall presume all of the following: (1) a certificate signed by a licensed certification authority and either published in a recognized repository or made available by the certification authority or the subscriber, is issued by the certification authority and is accepted by the subscriber; (2) the information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate; (3) if a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority, that: (a) the digital signature is the signature of the subscriber, (b) the signature was affixed by the signer with the intention of signing the message and (c) the recipient of the digital signature has no knowledge or notice that the signer breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature and (4) the digital signature was created before it was time-stamped by a disinterested person using a trustworthy system.

Washington

In adjudicating a dispute involving a digital signature it is rebuttably presumed: (1) a certificate signed by a licensed certification authority and either published in a recognized repository or made available by the certification authority or the subscriber, is issued by the certification authority and is accepted by the subscriber; (2) the information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate; (3) if a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority, that: (a) the digital signature is the signature of the subscriber, (b) the signature was affixed by the signer with the intention of signing the message, (c) the recipient of the digital signature has no knowledge or notice that the signer breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature and (d) the message associated with the digital signature has not been altered since the message was affixed; and (4) the digital signature was created before it was time-stamped by a disinterested person using a trustworthy system.
The following factors are significant in evaluating the reasonableness of a recipient's reliance upon a certificate and its digital signature: (1) facts which the relying party knows of or has notice of, (2) the value or importance of the digitally signed message, (3) the course of dealing between the relying person and subscriber and the available indicia of reliability or unreliability apart from the digital signature and (4) the usage of trade, particularly trade conducted by trustworthy systems or other computer-based means.

ABA

In resolving a dispute involving a digital signature, it is rebuttably presumed that: (1) the information listed in a valid certificate is correct, except for non-verified subscriber information, (2) a digital signature verified by reference to the public key listed in a valid certificate is the digital signature of the subscriber, (3) the message associated with a verified digital signature has not been altered from its original form, (4) a certificate of a certification authority, which is either published or made available to the subscriber listed in it, is issued by that certification authority and (5) a digital signature was created before it was time-stamped by a trustworthy system.

Category Two - Regulation of digital signatures

Arizona

None specified.

California

None specified.

Mississippi

None specified.

New Mexico

None specified.

Virginia

In assessing whether a digital signature was executed or adopted with respect to a record by a particular person, the trier of fact may consider any relevant information or circumstances, including whether the digital signature is unique to the signer, is capable of verification, is under the signer's sole control, is linked to the record in such a manner that if the data are changed the signature is invalidated and whether the method used to create the signature was appropriately reliable for the purpose for which the digital signature was used.

Category Three - Regulation of electronic signatures

Florida

None specified.

Georgia

A person whose electronic signature is used in an unauthorized fashion may recover or obtain any or all of the following against the person who engaged in such unauthorized use, provided that the use of such electronic signature in an unauthorized fashion was negligent, reckless, or intentional: (1) actual damages, (2) equitable relief, including, but not limited to, an injunction or restitution of money or property, (3) punitive damages, (4) reasonable attorneys' fees and (5) any other relief the court deems proper.



Appendix: Citations of Recent Legislation (current as of April 25, 1997)*

| State | Citation | Status | Subject Matter |
| --- | --- | --- | --- |
| Connecticut | CT S.B. 1308 (1997) | In committee | Task force on digital signatures |
| Florida | FL H.B. 957 (same as S.B. 998) (1997) | In House (In Senate) | Allows for electronic notarization |
| Georgia | GA S.R. 621 (1996); GA S.B. 736 (1996); GA H.R. 1256 (1996) | Dead; Dead; Dead | Joint digital signatures study committee; Comprehensive legislation; House digital signatures study committee |
| Hawaii | HI H.B. 3759 (1996); HI S.B. 961 (1997) | Dead; Dead | Comprehensive legislation; Comprehensive legislation |
| Illinois | Draft IL Electronic Writing and Signature Act | Expected to be introduced next session | |
| Indiana | IN H.B. 1945 (1997) | Passed House, passed Senate | Applies only to transactions with the state |
| Kansas | KS H.B. 2059 (1997) | Passed House, in Senate committee | Equates digital signatures with written signatures |
| Maryland | MD H.B. 1015 (same as S.B. 822) (1997); MD H.B. 1386 (1997) | Dead; Dead | Comprehensive legislation; Task force on digital signatures |
| Massachusetts | Draft MA Electronic Records and Signatures Act | Expected to be introduced next session | |
| Michigan | MI S.B. 939 (1996); MI S.B. 204 (1997) | Dead; In committee | Comprehensive legislation; Comprehensive legislation |
| Minnesota | MN H.B. 56 (same as S.B. 173) (1997) | In House (In Senate) | Comprehensive legislation |
| Mississippi | MS S.B. 2904 (1997) | Dead | Allows secretary of state to license certification authorities |
| Nebraska | NE L.B. 286 (1997); NE L.B. 42 (1997) | In committee, probably will be held over to next session; Dead | Allows use of digital signatures in transactions with the state; Equates digital signatures with written signatures |
| New Hampshire | NH H.B. 290 (1997); NH S.B. 207 (1997) | Referred back to committee; In Senate | Equates digital signatures with written signatures; Comprehensive legislation |
| New York | NY H.B. 6183 (same as S.B. 2238) (1997) | In committee (In committee) | Comprehensive legislation |
| North Carolina | NC H.B. 290 (1997) | Dead | Legislative study commission on electronic commerce |
| Oklahoma | OK H.B. 1690 (1997) | Enacted | Task force on electronic signature technology |
| Oregon | OR H.B. 3046 (1997) | In committee | Equates digital signatures with written signatures |
| Rhode Island | RI H.B. 6118 (1997); RI S.B. 612 (1997); RI H.B. 8125 (1996) | In committee; Held for further study in committee; Dead | Equates digital signatures with written signatures; Comprehensive legislation; Allows for use of digital signatures in transactions with the state |
| Texas | TX H.B. 984 (1997); TX S.B. 748 (1997); TX S.B. 787 (1997) | Passed House, in Senate committee; Dead; Dead | Equates digital signatures with written signatures; Allows for use of digital signatures in transactions with the state |
| Vermont | VT H.B. 60 (1997) | Dead | Comprehensive legislation |
| Virginia | VA H.B. 822 (1996); VA H.J.R. 129 (1996) | Dead; Dead | Comprehensive legislation; Joint digital signature subcommittee |

Note: not included in this table is legislation discussed in the body of this report and legislation pertaining only to specific uses of digital signatures.
