(1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(a) The certification authority has received a request for issuance signed by the prospective subscriber; and
(b) The certification authority has confirmed that:
(i) The prospective subscriber is the person to be listed in the certificate to be issued;
(ii) If the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(iii) The information in the certificate to be issued is accurate;
(iv) The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) The prospective subscriber holds a private key capable of creating a digital signature;
(vi) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber; and
(vii) The certificate provides information sufficient to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate will be listed if the certificate is suspended or revoked.
(c) The requirements of this subsection may not be waived or disclaimed by either the licensed certification authority, the subscriber, or both.
(2) In confirming that the prospective subscriber is the person to be listed in the certificate to be issued, a licensed certification authority shall make a reasonable inquiry into the subscriber's identity in light of:
(a) Any statements made by the certification authority regarding the reliability of the certificate;
(b) The reliance limit of the certificate;
(c) Any recommended uses or applications for the certificate; and
(d) Whether the certificate is a transactional certificate or not.
(3) A certification authority shall be presumed to have confirmed that the prospective subscriber is the person to be listed in a certificate where:
(a) The subscriber appears before the certification authority and presents identification documents consisting of at least one of the following:
(i) A current identification document issued by or under the authority of the United States, or such similar identification document issued under the authority of another country;
(ii) A current driver's license issued by a state of the United States; or
(iii) A current personal identification card issued by a state of the United States; and
(b) Operative personnel certified according to law or a notary has reviewed and accepted the identification information of the subscriber.
(4) The certification authority may establish policies regarding the publication of certificates in its certification practice statement, which must be adhered to unless an agreement between the certification authority and the subscriber provides otherwise. If the certification authority does not establish such a policy, the certification authority must publish a signed copy of the certificate in a recognized repository.
(5) Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but nevertheless consistent with, this chapter.
(6) After issuing a certificate, a licensed certification authority must revoke it immediately upon confirming that it was not issued as required by this section. A licensed certification authority may also suspend a certificate that it has issued for a period not exceeding five business days as needed for an investigation to confirm grounds for revocation under this subsection. The certification authority must give notice to the subscriber as soon as practicable after a decision to revoke or suspend under this subsection.
(7) The secretary may order the licensed certification authority to suspend or revoke a certificate that the certification authority issued, if, after giving any required notice and opportunity for the certification authority and subscriber to be heard in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary determines that:
(a) The certificate was issued without substantial compliance with this section; and
(b) The noncompliance poses a significant risk to persons relying on the certificate.
Upon determining that an emergency requires an immediate remedy, and in accordance with the administrative procedure act, chapter 34.05 RCW, the secretary may issue an order suspending a certificate for a period not to exceed five business days.
[1999 c 287 § 11; 1997 c 27 § 9; 1996 c 250 § 302.]
Notes: Effective date -- 1999 c 287: See note following RCW 19.34.010.
Effective date -- Severability -- 1997 c 27: See notes following RCW 19.34.030.