UTAH DIGITAL SIGNATURE PROGRAM
Amount of Suitable Guaranty
Issue: Under the Utah Digital Signature Act, the Utah Dept. of Commerce, Division of
Corporations is tasked with the role of determining an amount appropriate for a suitable
guaranty, in light of:
(i) the burden a suitable guaranty places upon licensed CA's; and
(ii) the assurance of financial responsibility it provides to persons who rely on
certificates issued by licensed CA's.
*U.C.A 46-3-104(3)(b)
Definition of suitable guaranty:
"Suitable guaranty" means either a surety bond executed by a surety authorized by the
Utah Insurance Department to do business in this state, or an irrevocable letter of credit issued by a
financial institution authorized to do business in this state by the Utah Department of Financial
Institutions, which, in either event, satisfies all of the following requirements, that it:
(i) is issued payable to the division for the benefit of persons holding qualified rights of
payment against the licensed certification authority named as the principal of the bond or
customer of the letter of credit;
(ii) is an amount specified by rule of the division pursuant to Section 46-3-104;
(iii) states that it is issued for filing pursuant to this chapter;
(iv) specifies a term of effectiveness extending at least as long as the term of the license to
be issued to the certification authority; and
(v) is in a form prescribed by rule of the division.
(b) A suitable guaranty may also provide that the total annual liability on the guaranty to all
persons making claims based on it may not exceed the face amount of the guaranty.
*U.C.A 46-3-103(34)(a)
Proposed Rule:
R154-10-201. Amount of Suitable Guaranty.
A suitable guaranty shall be in an amount equal to or exceeding the greater of either:
(1) 100% of the largest recommended reliance limit of a certificate to be issued by the
filing certification authority during the term of the certification authority's license; or
(2) 35% of the total recommended reliance limits of all certificates published by the filing
certification authority, which certificates have not expired or been revoked.
COMMENTS ON PROPOSED AMOUNT OF SUITABLE GUARANTY
Private Industry:
"[T]he amount of bond required under the proposed rule far exceeds the amount of bond required
for similar types of risks under Utah law, and that the bond amount required should be
significantly reduced. Not only would the bond amount contemplated by the proposed rule be
inconsistent with established practices in the State of Utah, it will end up hurting the digital
signature user through significantly higher certification costs, and will hurt those who rely on
digital signatures as certification authorities will be forced to dramatically cut the anticipated
reliance limits. The cost will damage the entire industry in Utah and significantly reduce
competitiveness with foreign certification authorities."
"We anticipate that all licensed certification authorities will want to take advantage of the limited
liability benefits of reliance limits. However, the costs to a CA under the proposed rule may result
in a CA not being able to take advantage of the limited liability protection due to the expense both
of the bond and the additional accounting procedures required."
"Digital signature subscribers and users will be affected because CA's will dramatically curtail the
reliance limits offered in order to keep control of their bond prices. Where we have been
anticipating standard reliance limits in the $1,000.00 - $5,000.00 range, it would not be surprising
to find reliance limits generally issued at less than $100.00. Abnormally low reliance limits will
have a dramatic effect on the applications available for digital signature use. The likely result
would be a slowing of the acceptance and use of digital signatures throughout Utah and the
nation."
"If the division decides to require liability bonds, we strongly urge the committee to reduce the
percentage requirements from its current 35% to a percentage amount not in excess of 5%,
a flat suitable guaranty in the amount of one hundred thousand dollars ($100,000), or in the
alternative, a graduated scale (i.e. aggregate reliance limit up to $75,000 = $15,000 bond;
aggregate reliance limit up to $150,000 = $25,000 bond; aggregate reliance above $150,000 =
$50,000 bond)."
Public Sector:
"I strongly argue for a much lower bonding requirement and think that the 35% requirement would
kill off the industry. I think the 5% suggestion is also too high and suggest a 1% of the highest
reliance limit, or $50,000, whichever is higher."
"I recommend we keep the suitable guaranty at the current 35% level. This is a new industry and
we should set the threshold high and then make adjustments to lower the amount if warranted. It
will be much easier to lower the amount than to increase the amount at a later point in time.
Currently, in the CA industry, the majority of the certificates issued will have zero value reliance
limits, therefore, the 35% bonding requirement will not place a great financial burden on most
CA's. In addition, the 35% bonding requirement will allow for a reasonable financial assurance
when a CA is negligent in performing its duty."
Resolution:
After receiving the limited responses from the ABA Information Security Committee, Utah
has chosen to strike "(2) 35% of the total recommended reliance limits of all certificates
published by the filing certification authority, which certificates have not expired or been
revoked." Comments reflected that the 35% was an unjustifiably high percentage amount and
would prevent some CA's from licensing because of the high financial burden placed on them.
Consequently, Utah has chosen to take a hybrid approach and test the waters. The proposed
administrative rule will be as follows:
R154-10-201. Amount of Suitable Guaranty.
A suitable guaranty shall be in an amount equal to or
exceeding the greater of either:
(1) 100% of the largest recommended reliance limit of a
certificate to be issued by the filing certification authority
during the term of the certification authority's license; or
(2) A fixed amount of sixty thousand dollars ($60,000.00).
(3) The suitable guaranty, in the form of a bond or letter
of credit, shall specify an expiration date of no less than six
(6) years after the expiration of the last certificate issued by
the certification authority.