Declaratory Rulings

State of Rhode Island - Division of Taxation

Ruling Request No. 2011-01

Request for Declaratory Ruling Regarding the Applicability of the Sales and Use Tax Law to Digital Certificate and Authentication/Resolution Services

On behalf of our client, Company A (hereinafter "Taxpayer"), we are requesting a declaratory ruling from the Rhode Island Division of Taxation ("Division") regarding the sale of authentication and resolution services on a subscription basis through provision of a digital certificate.

Facts

The Taxpayer is a provider of authentication solutions for businesses and individuals seeking to perform secure electronic commerce and communications over the internet. One such solution is the provision of a digital certificate and authentication and resolution services on a subscription basis.

Digital certificates are commonly used to facilitate the secure transmissions between end user browsers and the Taxpayer's customers' ("customers") servers. A digital certificate allows an end user to recognize that they are, indeed, accessing the customers' server. For illustration purposes, assume "InternetRetailer.com" is a customer of the Taxpayer. An end user of "InternetRetailer.com" will access the website and know that they are accessing the real "InternetRetailer.com" site and not a fraudulent site, because a check mark will appear on the real "InternetRetailer.com" site, indicating that the website is authenticated by the Taxpayer. This check mark, trademarked by the Taxpayer and recognized throughout the world, serves as the visible indication on the end user's screen that the customer's site is who it purports to be.

A digital certificate is provided through an online process, and the first step in this process is the customer's access of the Taxpayer's online portal to complete a registration form. As part of the customer's request of a certificate through registration, a private and public key pair is generated by the customer's web server. The private key is retained by the customer on its web server. The public key is part of the information sent to the Taxpayer in the registration process.

The Taxpayer performs all due diligence necessary to authenticate the identity of the applicant, the related website and business, and the information presented by the customer during the registration process, including the public key. Once the Taxpayer authenticates the identity of the applicant, a digital certificate is electronically sent to the customer. A digital certificate is a flat file containing: the customer's public key, metadata with information such as certificate expiration date, the certificate owner's name, the name of the issuer (certification authority, i.e. the Taxpayer), serial number of the certificate, and an electronic signature of the issuer.1 The flat file does not contain binary code.

The digital certificate is installed by the customer on a customer's web server. When end users connect to the customer's server through a web browser, the browser establishes the authenticity of the digital certificate (and thus the authenticity of the web site) by mathematically proving that the certificate contains the aforementioned public key. It is described as a "public" key because the digital certificate (and key contained therein) is readily viewable by any browser.

The end user's web browser creates a session key that is used to encrypt the transmission between the customer's server and the end user's browser. However, the end user's browser must first use the public key to encrypt the session key and then transmit the session key to the web server. The web server will use the private key to decrypt the session key so that both the web server and browser can begin using the session key for the encrypted transmissions. After the initial handshake between the browser and web server, the session key is used for the encryption of the transmissions. The encryption strength of the transmission is directly related to the bit length of the session key. The encryption/decryption is performed by the cryptographic software built into the web browser and customer's server. This software is not provided by the Taxpayer.

In addition to authenticating the digital certificate and website, the end user's browser communicates with the Taxpayer's servers to verify that the digital certificate is valid and not revoked (resolution service). If the certificate is valid, the end user's browser will show the end user a notification that the certificate is valid and has not been revoked. The charges for the authentication service, digital certificate, and resolution service are part of a lump sum subscription charge and must be renewed periodically.

Ruling requested

Whether the Taxpayer's sales of authentication services via provision of a digital certificate to the Taxpayer's customers for consideration are subject to the Rhode Island sales/use tax when provided to customers located in Rhode Island.

Discussion

Rhode Island is a full member state of the Streamlined Sales and Use Tax Agreement ("SSUTA"). Although Rhode Island statute does not specifically enumerate its tax treatment of digital products, it has issued informal guidance regarding its treatment of various items. Rhode Island's SSUTA taxability matrix notes that digital products such as digital audio visual works and digital books are not subject to tax.2

The digital certificates provided by the Taxpayer do not constitute computer software as they do not provide a set of coded instructions designed to perform a task. The certificate is a flat file containing only information (a public key, metadata with information such as certificate expiration date, the certificate owner's name, name of the issuer, serial number, electronic signature, etc.). The flat file does not contain binary code and does not dictate statements, data or instructions that are used directly or indirectly to bring about a certain result. The Taxpayer's digital certificates would be more akin to information conveyed digitally. Rhode Island's SSUTA matrix notes that various digital products such as digital audio visual works, digital audio works, and digital books are not subject to tax. While the Taxpayer does not sell computer software, we understand that, even if the Taxpayer's digital certificates were deemed to be prewritten software, their sale is not taxable in the state. Prewritten software delivered electronically is not a sale of tangible personal property and is not subject to tax.3 The digital certificates do not fall within the definition of tangible personal property and as such, the transaction should not be subject to Rhode Island sales/use tax.

Rhode Island does not impose tax on services unless specifically enumerated in its statute.4 Included in these taxable services are certain telecommunications services;5 however, Rhode Island statute notes that telecommunications services do not include "data processing or information services that allow data to be generated, acquired, stored, processed, or retrieved and delivered by electronic transmission."6 Similarly, the Division has determined that services in which a company provided reports of processed data were not sales of tangible personal property and not subject to tax since customers were actually paying for a service and not property.7

As discussed herein, the Taxpayer provides no tangible personal property with its digital certificates. Similarly, there is no computer software transferred with the authentication services provided. Authentication services consist primarily of due diligence procedures to verify the identity of its customer (and the customer's website). Once verified, the digital certificate is installed by the customer onto the customer's server. All further encryption and decryption is performed entirely by software built into the web browser and the customer's server. This is not software provided by the Taxpayer. As such, the authentication services provided by the Taxpayer do not constitute an enumerated taxable service.

Ruling

Under Rhode Island law, tax is imposed on the retail sales of tangible personal property.8 Tangible personal property is defined as "personal property that can be seen, weighed, measured, felt, or touched, or that is in any manner perceptible to the senses" and includes "electricity, water, gas, steam, and prewritten computer software." 9 Rhode Island defines computer software as "a set of coded instructions designed to cause a computer or automatic data processing equipment to perform a task."10

Based on the available law, it appears that the Taxpayer's sales of authentication services via provision of a digital certificate to the Taxpayer's customers would not be subject to Rhode Island sales and use tax as the transaction is entirely service-based and does not involve the transfer of software, tangible personal property, or other materials.

David M. Sullivan
Tax Administrator
March 4, 2011

1 Note that the exact contents of a certificate adhere to certain established standards such as the "X509" standard that specifies what can or cannot be contained on a certificate.
2 Rhode Island Streamlined Sales Tax Governing Board, Section 328 Taxability Matrix
3 R.I. Code R. SU 09-25 Rule 7(1)
4 R.I. Gen. Laws §44-18-7
5 R.I. Gen. Laws §44-18-7(9)
6 R.I. Gen. Laws §44-18-7.1(y)(G)(1)
7 Statewide Multiple Listing Service, Inc. v. John H. Norberg, Tax Administrator, 120 RI 937 (10/20/1978)
8 R.I. Gen. Laws § 44-18-18
9 R.I. Gen. Laws § 44-18-16
10 R.I. Gen. Laws § 44-18-7.1(g)(ii); R.I. Code R. SU 09-25 Rule 5