Preamble
IN exercise of the powers conferred by section 91 of the Digital Signature Act 1997 [Act 562], the Minister makes the following regulations:
PART I - PRELIMINARY
Regulation 1. Citation and commencement.
(1) These Regulations may be cited as the Digital Signature Regulations 1998.
(2) These Regulations shall come into operation on 1 October 1998.
Regulation 2. Interpretation.
In these Regulations, unless the context otherwise requires -
"approved digital signature scheme" means a digital signature scheme approved under regulation 29;
"approved fee" means a fee or charge imposed by a licensed certification authority, a recognised repository and a recognised date/time stamp service under the Act and these Regulations that is approved by the Controller under regulations 40, 50 and 63 respectively;
"certified public accountant" means a public accountant registered under the Accountants Act 1967 [Act 94];
"distinguished name" means a set of data that identifies a real-world entity, such as a person, in a computer-based context;
"hardware based" means in a token or smart card or other external device;
"hash function" means an algorithm mapping or translating one sequence of bits into another generally smaller set, known as the hash result, such that -
(a) a message yields the same hash result every time the algorithm is executed using the same message as input;
(b) it is computationally infeasible that a message can be derived or reconstituted from the hash result produced by the algorithm; and
(c) it is computationally infeasible that two messages can be found that produce the same hash result using the algorithm;
"hash result" means the output produced by a hash function upon processing a message;
"licensed" means to be issued with the operation stage of the licence;
"public-key algorithm" means an algorithm designed to create different signing and verification keys where the verification key can be made public and the signing key cannot in a reasonable amount of time be calculated from the verification key;
"qualified auditor" means a certified public accountant or an accredited computer security professional registered as a qualified auditor under regulation 41;
"qualified right to payment" means an award of damages against a licensed certification authority by a court having jurisdiction over the licensed certification authority in a civil action under the Act;
"recognised" means to be issued with the operation stage of the certificate of recognition;
"software based" means in the computer system or programmes;
"subliminal channel" means a channel within a digital signature that allows subliminal text to be sent within the digital signature;
"suitable guarantee" means a suitable guarantee under regulation 23.
Regulation 3. Forms.
The forms in the First Schedule are prescribed for use under these Regulations.
Regulation 4. Fees.
(1) The fees in the Second Schedule are prescribed for the purposes of these Regulations.
(2) The fees shall be paid to the Controller by such means and in such manner as the Controller may direct.
PART II - LICENSING OF CERTIFICATION AUTHORITIES
Regulation 5. Stages of licence.
(1) A licence to carry on or operate as a certification authority shall be issued in two stages, namely -
(a) the establishment stage; and
(b) the operation stage.
(2) No person shall carry on or operate, or hold himself out as carrying on or operating, as a licensed certification authority unless that person has been issued with the operation stage of the licence.
(3) A person who contravenes subregulation (2) shall be deemed to carry on or operate as a certification authority without a valid licence.
(4) The establishment stage of a licence may be issued for any period not exceeding one year.
(5) An application for a licence shall be deemed to be withdrawn and shall not be further proceeded with, without prejudice to a fresh application being made by the applicant, if -
(a) the applicant fails to apply for the operation stage of the licence before the expiry of the period specified in subregulation (4); or
(b) on an application for the operation stage of the licence having duly been made within the period specified in subregulation (4), the applicant is not issued with the operation stage of the licence.
(6) Nothing in these Regulations shall be construed so as to require an applicant to apply for the establishment stage of a licence as a condition for applying for the operation stage of a licence if the applicant is otherwise able to satisfy the prescribed requirements to apply for the operation stage of a licence.
Regulation 6. Qualification requirements.
A person intending to carry on or operate as a certification authority shall satisfy the following requirements:
(a) it is a body corporate incorporated in Malaysia or a partnership within the meaning of the Partnership Act 1961 [Act 135];
(b) it maintains a registered office in Malaysia;
(c) it has working capital reasonably sufficient, according to the requirements of the Controller, to enable it to carry on or operate as a certification authority;
(d) it files with the Controller a suitable guarantee;
(e) it uses a trustworthy system for the generation and management of key pairs and certificates;
(f) it uses an approved digital signature scheme for the generation of key pairs and for the creation and verification of digital signatures;
(g) it has an operating procedure that includes a certification practice statement, the measures to be taken to check the identity of subscribers to be listed in certificates, and the repositories and date/time stamp services to be used;
(h) it employs as operative personnel only persons who -
(i) have not been convicted within the past fifteen years of an offence involving fraud, false statement or deception; and
(ii) have demonstrated knowledge and proficiency in following the requirements of the Act and these Regulations;
(i) it complies with the licensing, standards and technical requirements under the Act and these Regulations; and
(j) it complies with such other requirements as the Controller thinks fit.
Regulation 7. Application for licence.
(1) An application for a licence shall be made in Form 1.
(2) If the applicant has more than one office, the applicant shall specify each of the offices in the application.
(3) An application under subregulation (1) shall be accompanied by -
(a) the information required under regulation 8 or 9, as the case may be;
(b) the prescribed fee; and
(c) such other information or document as the Controller may require.
(4) The Controller may, on an application for the operation stage of a licence, require the applicant to demonstrate any part of its operating procedure and may require independent testing of the software, hardware, technical components, algorithms, standards and other pertinent parameters and other equipment to be used by the applicant, at the applicant's expense, for the purpose of ascertaining its security and trustworthiness.
(5) If any information or document required under subregulation (3) is not provided by the applicant or any demonstration or test required under subregulation (4) is not complied with within the time specified in the requirement or any extension thereof granted by the Controller, the application shall be deemed to be withdrawn and shall not be further proceeded with, without prejudice to a fresh application being made by the applicant.
Regulation 8. Information required for establishment stage.
An application for the establishment stage of a licence shall contain the following information:
(a) the particulars of the applicant;
(b) the anticipated operational costs and proposed financing;
(c) details of the personnel to be employed and their qualifications, if available;
(d) the proposed operating procedure; and
(e) the services to be provided and the fees and charges to be imposed therefor.
Regulation 9. Information required for operation stage.
An application for the operation stage of a licence shall contain -
(a) all valid information submitted for the establishment stage;
(b) all new information and all the changes to the information submitted for the establishment stage, if any;
(c) a suitable guarantee; and
(d) a report from a qualified auditor certifying that the prescribed licensing, standards and technical requirements have been satisfied.
Regulation 10. Issue of licence.
(1) A licence to operate as a certification authority shall be in Form 2.
(2) The Controller shall specify the stage for which the licence is issued and the duration of the licence in the licence.
(3) The prescribed granting fee and annual operating fee for the first year of operation shall be payable to the Controller on the issuance of the operation stage of the licence.
(4) The prescribed annual operating fee for the second and subsequent years of operation shall be payable at such time as may be determined by the Controller.
Regulation 11. Implied conditions.
In every licence granted under the Act, there shall be implied on the part of the licensed certification authority that -
(a) the licensed certification authority shall keep and maintain working capital reasonably sufficient to carry on or operate as a certification authority;
(b) the licensed certification authority shall keep its operating procedures under review and shall not make any substantial changes to its operating procedures without the Controller's prior written approval;
(c) the licensed certification authority shall only use an approved digital signature scheme;
(d) the licensed certification authority shall make, keep and maintain the necessary arrangements with a recognised repository and a recognised date/time stamp service for its own use and for the use of its subscribers if it does not also provide those services;
(e) the licensed certification authority shall establish and maintain a secure system and infrastructure to safeguard its private key and for key distribution, key management, key storage and key disposal;
(f) the licensed certification authority shall establish and maintain a secure system and data base for the storage of information and documents obtained from a subscriber under the Act and these Regulations;
(g) the licensed certification authority shall at all times maintain the confidentiality of information and documents obtained from a subscriber under the Act and these Regulations and be subject to the directions of the subscriber in relation to the release or disclosure of such information and documents;
(h) the licensed certification authority shall keep and maintain the suitable guarantee as required under these Regulations;
(i) if the licensed certification authority intends to discontinue its operations, the licensed certification authority shall give to the subscriber of each unrevoked or unexpired certificate issued by the licensed certification authority at least ninety days written notice of such intention;
(j) the licensed certification authority shall keep and maintain detailed written records of its transactions as required under these Regulations;
(k) the licensed certification authority shall keep and maintain books of account as required under these Regulations; and
(l) the licensed certification authority shall comply with any directions of the Controller issued under the Act and these Regulations.
Regulation 12. Renewal of licence.
(1) An application for the renewal of a licence shall be made in Form 1.
(2) An application under subregulation (1) shall be accompanied by -
(a) the prescribed fee; and
(b) the annual compliance audit report for the relevant year or years.
Regulation 13. Replacement of licence.
(1) An application for a replacement licence shall be made in Form 3.
(2) If the Controller is satisfied as to the reasons for the loss of the licence, the Controller may issue a replacement licence in Form 2 with the words "DUPLICATE" endorsed on the licence.
Regulation 14. Amendment of licence on request.
(1) A licensed certification authority may apply to the Controller to amend -
(a) the particulars of the licence; or
(b) the conditions attached to the licence.
(2) An application under subregulation (1) shall be in writing and shall be submitted to the Controller.
(3) If the Controller approves the amendment, the Controller shall amend the licence accordingly and allow the licence to continue to have effect, as amended, until its expiry.
Regulation 15. Power to amend, etc. conditions of licence.
(1) The Controller may, during the currency of a licence, amend, vary, add to, revoke, suspend or revive any condition attached to the licence or attach new conditions to it and shall notify the licensed certification authority in writing accordingly.
(2) The Controller shall, before taking any action under subregulation (1), take into consideration -
(a) the estimated cost to be incurred by the licensed certification authority to comply with the varied or new conditions; and
(b) the nature and size of the business being carried out in the business premises.
(3) If the Controller amends, varies, adds to or attaches any condition to a licence under subregulation (1), such condition shall have no effect until the licensed certification authority is given a reasonable opportunity of being heard.
Regulation 16. Transfer or assignment of licence.
(1) A licence shall not be transferred except with the written approval of the Controller.
(2) An application for approval under subregulation (1) shall be made by the licensed certification authority in writing and shall be submitted to the Controller.
(3) An application under subregulation (1) shall be accompanied by the prescribed fee.
(4) If the licensed certification authority -
(a) in the case of a company, is wound up; or
(b) in the case of a partnership, is dissolved,
the Controller may, on application in writing, by endorsement on the licence and subject to such conditions as he thinks fit, assign the licence to a fit and proper person for the benefit of the licensed certification authority until the expiration of the licence or such earlier date as the Controller thinks fit and such person shall be deemed to be the licensed certification authority for the purposes of the Act and these Regulations.
Regulation 17. Partnerships in licence.
(1) If a licence is issued to a partnership, all the partners shall be named as licensees in the licence.
(2) If any change occurs in the partnership, the remaining partners or any of them shall, within one month of such change, inform the Controller in writing accordingly.
(3) If the Controller is satisfied that the partnership has not been dissolved and, in the case of an addition of a partner to the partnership, that the new partner is a fit and proper person, the Controller may amend the licence accordingly and allow the licence to continue to have effect, as amended, until its expiry.
(4) An amendment under subregulation (3) shall be deemed to be an amendment made under regulation 14.
(5) Every partner shall be deemed to be jointly and severally liable for the acts and omissions of the other partners unless the partner proves to the satisfaction of the court that -
(a) the act or omission was committed without that partner's knowledge, consent or connivance; and
(b) the partner took all reasonable precautions and had exercised due diligence to prevent the act or omission.
Regulation 18. Register of Licences.
(1) The Controller shall keep and maintain a Register of Licences in such form as he thinks fit.
(2) A person may inspect the Register of Licences and make copies of or take extracts from the Register.
(3) The Controller shall publish a list of licensed certification authorities in such form and manner as he may determine.
Regulation 19. Certified copy of licence.
(1) A licensed certification authority may apply in writing to the Controller for a certified copy of the licence if -
(a) the licence issued to the licensed certification authority is lost, destroyed or mutilated; or
(b) a certified copy of the licence is required for a valid reason.
(2) An application shall be accompanied by a statutory declaration or police report by the licensed certification authority to the effect that the licence issued to the licensed certification authority is lost, destroyed or mutilated or by a statement specifying the reasons for the application, as the case may be.
(3) The Controller or an officer authorised by the Controller may issue a certified copy of the licence to the applicant if the Controller or officer is satisfied that the original is lost, destroyed or mutilated or that a certified copy is required for a valid reason.
PART III - CERTIFICATION AUTHORITY DISCLOSURE RECORD
Regulation 20. Contents of certification authority disclosure record.
(1) The certification authority disclosure record of a licensed certification authority shall contain the following particulars:
(a) a statement that the certification authority disclosure record is provided and maintained by the Controller;
(b) the business name and registered address of the licensed certification authority;
(c) the telephone and facsimile number of the licensed certification authority, if any;
(d) the electronic mail or other address by which the licensed certification authority may be contacted electronically, if any;
(e) the distinguished name of the licensed certification authority;
(f) the licence number, the date and time of the issue, and the date and time of the expiry, of the licence issued to the licensed certification authority;
(g) the restrictions imposed on the licence issued to the licensed certification authority under section 15 of the Act, if any;
(h) if the revocation of a licence under section 9 of the Act has taken effect, the fact of the revocation and its effective date;
(i) if a licence has been surrendered under section 11 of the Act, the fact of the surrender and its effective date;
(j) if the licensed certification authority has no intention of renewing its licence under section 17 of the Act, a statement to that effect;
(k) the current public key or keys of the licensed certification authority by which its digital signatures on published certificates may be verified;
(l) the amount of the licensed certification authority's suitable guarantee;
(m) the total amount of all claims filed with the Controller for payment from the suitable guarantee filed by the licensed certification authority;
(n) a brief description of any limit known to the Controller and applicable to the licensed certification authority's liability or legal capacity to pay damages in tort or for breach of a duty under the Act or these Regulations, unless the limitation is specified in the Act or these Regulations;
(o) a statement indicating the location of the licensed certification authority's certification practice statement, the method or procedure by which it may be retrieved, its form and structure, its authorship and its date;
(p) the date and result of a compliance audit under section 20 of the Act;
(q) if a licensed certification authority is exempted from a compliance audit under section 21 of the Act, a statement to that effect;
(r) the repository used by the licensed certification authority;
(s) if a certificate containing the public key required to verify one or more certificates issued by the licensed certification authority has been revoked or is currently suspended, the date and time of its revocation or suspension;
(t) any event that substantially affects the licensed certification authority's ability to conduct its business or the validity of a certificate published in the repository provided by the Controller or in a recognised repository; and
(u) any other particulars relating to the licensed certification authority the Controller thinks fit.
(2) If the particulars required to be published in the certification authority disclosure record are within the knowledge of the licensed certification authority concerned, whether solely or otherwise, the licensed certification authority shall, as soon as practicable, forward the particulars to the Controller.
(3) A person who contravenes subregulation (2) commits an offence and shall on conviction be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding one year or to both.
(4) The Controller shall review the certification authority disclosure record on a regular basis and shall ensure that all information received is inserted into the certification authority disclosure record as soon as possible after it is received.
Regulation 21. Form of certification authority disclosure record.
The Controller shall maintain the certification authority disclosure record of a licensed certification authority in such form as the Controller thinks fit.
Regulation 22. Retention of certification authority disclosure record.
The certification authority disclosure record of a licensed certification authority shall, unless the Controller otherwise directs, be retained for not less than ten years from the date of the last entry.
PART IV - SUITABLE GUARANTEES AND CLAIMS
Regulation 23. Suitable guarantee.
(1) A suitable guarantee shall satisfy the following requirements:
(a) it is in a form approved by the Controller;
(b) it is issued payable to the Controller for the benefit of persons holding qualified rights of payment against the licensed certification authority;
(c) it is in an amount specified in subregulation (2) or (3), as the case may be;
(d) it states that it is issued for the purposes of the Act and these Regulations; and
(e) it specifies a term of effectiveness extending at least as long as the term of the licence to be issued to the certification authority.
(2) A suitable guarantee shall be in an amount equal to or exceeding the greater of either -
(a) 100 per centum of the largest recommended reliance limit of a certificate to be issued by the certification authority during the term of the certification authority's licence; or
(b) 35 per centum of the total recommended reliance limits of all certificates issued by the licensed certification authority, which certificates have not expired or been revoked.
(3) Notwithstanding subregulation (2), the Controller may, on a request in writing by the certification authority and if the Controller thinks it is reasonable in the circumstances to do so, specify an amount that is less than the amount determined under subregulation (2) to be the suitable guarantee provided that the amount so specified shall not be less than two million ringgit.
(4) A suitable guarantee may in addition provide that the total annual liability on the guarantee to all persons making claims based on it may not exceed the face amount of the guarantee.
(5) The Controller shall hold the suitable guarantee for the period for which the licence is issued and as provided under regulation 24.
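The amount test in regulation 23(2) and the two million ringgit floor in 23(3), worked through as an added example (not part of the Regulations or of any CA's software). The Certificate type, the sample certificates and the reference date are constructed for illustration; the figure for paragraph (a) is taken as a planning input supplied by the CA, while paragraph (b) is computed from the certificates that have neither expired nor been revoked.

```go
package main

import (
	"fmt"
	"time"
)

// Certificate holds the fields of an issued certificate that matter for the
// regulation 23(2) calculation. Constructed type for this example.
type Certificate struct {
	Serial        string
	RelianceLimit int64     // recommended reliance limit, in ringgit
	NotAfter      time.Time // expiry of the certificate
	Revoked       bool
}

// MinimumFloor is the lower bound in regulation 23(3): two million ringgit.
const MinimumFloor int64 = 2_000_000

// RequiredGuarantee returns the regulation 23(2) amount at time now: the greater
// of (a) 100% of the largest reliance limit the CA will issue during its licence
// term (largestToBeIssued, a planning figure the CA supplies) and (b) 35% of the
// total reliance limits of all issued certificates that are neither expired nor
// revoked. The 35% figure is rounded up so the CA never under-guarantees.
func RequiredGuarantee(certs []Certificate, largestToBeIssued int64, now time.Time) int64 {
	var liveTotal int64
	for _, c := range certs {
		if c.Revoked || !c.NotAfter.After(now) {
			continue // expired or revoked certificates are excluded by paragraph (b)
		}
		liveTotal += c.RelianceLimit
	}
	thirtyFivePercent := (liveTotal*35 + 99) / 100 // ceiling of 35% in whole ringgit
	if thirtyFivePercent > largestToBeIssued {
		return thirtyFivePercent
	}
	return largestToBeIssued
}

// ReductionPermitted reports whether a requested amount could be specified by
// the Controller under regulation 23(3): it must be a genuine reduction of the
// 23(2) figure and must not fall below MinimumFloor.
func ReductionPermitted(required, requested int64) bool {
	return requested < required && requested >= MinimumFloor
}

// sampleCertificates is constructed data: four live certificates of RM1,000,000
// each, one expired certificate and one revoked certificate.
func sampleCertificates() []Certificate {
	y := func(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }
	return []Certificate{
		{Serial: "A1", RelianceLimit: 1_000_000, NotAfter: y(2025)},
		{Serial: "A2", RelianceLimit: 1_000_000, NotAfter: y(2026)},
		{Serial: "A3", RelianceLimit: 1_000_000, NotAfter: y(2026)},
		{Serial: "A4", RelianceLimit: 1_000_000, NotAfter: y(2027)},
		{Serial: "E1", RelianceLimit: 3_000_000, NotAfter: y(2023)},                // expired
		{Serial: "R1", RelianceLimit: 2_000_000, NotAfter: y(2027), Revoked: true}, // revoked
	}
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	certs := sampleCertificates()
	// Paragraph (b) dominates here: 35% of RM4,000,000 live limits exceeds the
	// RM1,000,000 largest certificate the CA plans to issue.
	required := RequiredGuarantee(certs, 1_000_000, now)
	fmt.Printf("required suitable guarantee: RM %d\n", required)
	fmt.Println("reduction to RM 1,000,000 permitted:", ReductionPermitted(required, 1_000_000))
	// With a RM5,000,000 certificate planned, paragraph (a) dominates instead.
	fmt.Printf("with a larger planned certificate: RM %d\n", RequiredGuarantee(certs, 5_000_000, now))
}
```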
Regulation 24. Return of suitable guarantee.
(1) If a licence has expired and will not be renewed or has sooner been revoked or surrendered, the Controller shall return the suitable guarantee or the balance of the suitable guarantee, if any, as the case may be, to the certification authority concerned after all claims on it are settled or after the expiry of a period of three years after such expiry, revocation or surrender, whichever is the later.
(2) If the term of the suitable guarantee would expire in the period referred to in subregulation (1), the Controller shall require the certification authority concerned to renew or extend the term of the suitable guarantee for that period or submit a new suitable guarantee for the period.
(3) A person who contravenes the Controller's request under subregulation (2) commits an offence and shall on conviction be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding one year or to both.
Regulation 25. Collection on suitable guarantee.
(1) Notwithstanding any provision in the suitable guarantee to the contrary, a person may recover from the issuer of the suitable guarantee the full amount of a qualified right to payment against the person named in the suitable guarantee, or, if there is more than one such qualified right to payment during the term of the suitable guarantee, a rateable share, up to a maximum total liability of the issuer of the suitable guarantee equal to the amount of the suitable guarantee.
(2) Claimants may recover successively on the same suitable guarantee, provided that the total liability on the suitable guarantee to all persons making qualified rights of payment during its term shall not exceed the amount of the suitable guarantee.
(3) In addition to recovering the amount of a qualified right to payment, a claimant may recover from the proceeds of the suitable guarantee, until depleted, legal fees, reasonable in amount, and court costs incurred by the claimant in collecting the claim, provided that the total liability on the suitable guarantee to all persons making qualified rights of payment or recovering legal fees or court costs during its term shall not exceed the amount of the suitable guarantee.
Regulation 26. Procedure for claim.
(1) Subject to regulation 27, a person who asserts that that person has a qualified right to payment against the issuer of a suitable guarantee shall, within thirty days of the judgment of the court on which the qualified right to payment is based, submit a written notice of the claim in Form 4 to the Controller.
(2) A notice under subregulation (1) shall be accompanied by -
(a) the prescribed fee; and
(b) such information or document as the Controller may require.
(3) If the Controller finds that the claim is in order, the Controller may order the payment and satisfaction of the claim.
(4)
Regulation 27. Claims after suitable guarantee returned.
(1) No claim to recover a qualified right to payment from the proceeds of a suitable guarantee shall be made to the Controller under regulation 26 after the Controller has returned the suitable guarantee to the certification authority under regulation 24.
(2) Nothing in subregulation (1) shall be construed as limiting the rights of the claimant to recover a qualified right to payment from the certification authority concerned in execution of the judgment of the court by any other means.
PART V - APPROVED DIGITAL SIGNATURE SCHEME AND KEY MANAGEMENT
Regulation 28. Approved digital signature scheme to be used.
An approved digital signature scheme shall be used for the purpose of generating a key pair, or creating, using or verifying a digital signature under the Act.
Regulation 29. Approved digital signature scheme.
(1) A digital signature scheme shall be approved for the purposes of the Act and these Regulations if -
(a) the digital signature scheme uses a secure public-key algorithm for the generation of the key pair and a secure public-key algorithm and hash function for the creation of the digital signature;
(b) the digital signature scheme satisfies the technical component requirements under regulation 81; and
(c) the digital signature created is not capable of being modified to contain a subliminal channel.
(2) A key pair used to create and verify a digital signature shall not be used to encrypt and decrypt any messages.
Regulation 30. Storage of private keys.
(1) The data storage medium for the private key may be hardware based or software based.
(2) If the data storage medium of the private key is hardware based, the holder of the private key shall ensure that the token, smart card or other external device in which the private key is stored is kept in a secure place and in a secure manner.
(3) If the data storage medium of the private key is software based, the holder of the private key shall ensure that the computer system in which the private key is stored is reasonably secure.
(4) The personal identification numbers or other data used for the identification of the rightful holder of the private key in conjunction with the data storage medium for the private key shall be kept secret.
Regulation 31. Key length.
A licensed certification authority and a subscriber shall ensure that the key length of its key pair is adequately secure for its purposes.
Regulation 32. Prohibition against duplication of private key.
(1) No person, except the rightful holder of the private key, shall make or cause to be made any copy of a private key.
(2) A person who contravenes subregulation (1) commits an offence and shall on conviction be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Regulation 33. Disposal of key pairs.
(1) If a key pair is no longer in use or to be used, or if the private key of the key pair is compromised, the holder of the key pair shall dispose of it in a suitable manner, including by destroying it.
(2) A secure means and method shall be used for the destruction of keys.
(3) Notwithstanding subregulation (1), if the holder desires to retain a key pair that is no longer in use or to be used, or that has been compromised, the holder shall ensure that the key pair is stored by a reasonably secure method.
PART VI - REGULATION OF CERTIFICATION PRACTICE
Regulation 34. Key generation.
(1) A subscriber's key pair may be generated by -
(a) the subscriber; or
(b) the licensed certification authority for the subscriber on a written request by the subscriber and on payment of the approved fee.
(2) If the subscriber generates the key pair, the licensed certification authority shall reasonably ascertain whether the subscriber has used the prescribed technical components for the generation of the key pair and for the storage of the key pair.
(3) If the licensed certification authority generates a key pair for the subscriber, the licensed certification authority shall ensure that -
(a) it uses a secure protocol that incorporates adequate safeguards and security features for the distribution or transmission of the private key to the subscriber; and
(b) no copy of the subscriber's private key is retained or otherwise kept by the licensed certification authority.
(4) A licensed certification authority that contravenes subregulation (3) commits an offence and shall on conviction be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Regulation 35. Certification practice statement.
(1) A licensed certification authority shall issue or make available to a subscriber before or at the time the subscriber applies for a certificate from the licensed certification authority a copy of its certification practice statement.
(2) A certification practice statement shall contain all the particulars specified in the Third Schedule.
(3) Nothing in subregulation (2) shall prevent the licensed certification authority from adopting a more comprehensive certification practice statement provided it is not inconsistent with the Act and these Regulations.
(4) The certification practice statement shall be in such form as the Controller may determine.
Regulation 36. Duty of instruction.
(1) A licensed certification authority shall instruct an applicant for a certificate concerning
(a) the measures necessary to contribute to secure digital signatures and their reliable verification;
(b) which technical components fulfill the requirements of regulation 81; and
(c) the attribution of digital signatures created with the subscriber's private key.
(2) A licensed certification authority shall inform the applicant that data with digital signatures may need to be re-signed before the security value of an available digital signature decreases with time.
(3) If data are re-signed under subregulation (2), the new digital signature shall include the earlier digital signature or signatures and shall bear a time-stamp.
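Regulation 36(3) fixes the shape of a re-signature: the new digital signature must cover the earlier signature or signatures and must carry a time-stamp. The Go program below is an added example, not text from the Regulations and not code of any licensed certification authority; it assumes Ed25519 from Go's standard library as the signature scheme and a plain Unix timestamp as a stand-in for a recognised date/time stamp. Each layer signs the data, every earlier layer and its own time-stamp, so that altering the data, stripping an earlier signature or back-dating a layer is detected when the chain is verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignatureLayer is one digital signature over the data. Layers after the first
// are re-signatures in the sense of regulation 36(3): each covers the data,
// every earlier layer and its own time-stamp.
type SignatureLayer struct {
	Signer    ed25519.PublicKey
	Timestamp int64 // Unix seconds; constructed stand-in for a recognised date/time stamp
	Sig       []byte
}

// NewKey generates a signing key (constructed for the example).
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// digest is what a new layer signs: SHA-256 over the data, all previous layers
// (signer key, time-stamp, signature) and the new layer's time-stamp. Length
// prefixes keep the encoding unambiguous.
func digest(data []byte, prev []SignatureLayer, ts int64) []byte {
	h := sha256.New()
	writeBytes := func(b []byte) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		h.Write(n[:])
		h.Write(b)
	}
	writeTime := func(t int64) {
		var b [8]byte
		binary.BigEndian.PutUint64(b[:], uint64(t))
		h.Write(b[:])
	}
	writeBytes(data)
	for _, l := range prev {
		writeBytes(l.Signer)
		writeTime(l.Timestamp)
		writeBytes(l.Sig)
	}
	writeTime(ts)
	return h.Sum(nil)
}

// Sign appends a new layer that includes all earlier layers, as regulation 36(3)
// requires. The input chain is copied, not modified.
func Sign(data []byte, chain []SignatureLayer, priv ed25519.PrivateKey, ts int64) []SignatureLayer {
	out := append([]SignatureLayer(nil), chain...)
	sig := ed25519.Sign(priv, digest(data, out, ts))
	return append(out, SignatureLayer{Signer: priv.Public().(ed25519.PublicKey), Timestamp: ts, Sig: sig})
}

// Verify checks every layer in order: each must verify over the data and all
// earlier layers, and time-stamps must not go backwards.
func Verify(data []byte, chain []SignatureLayer) error {
	if len(chain) == 0 {
		return errors.New("no signatures")
	}
	for i, l := range chain {
		if i > 0 && l.Timestamp < chain[i-1].Timestamp {
			return fmt.Errorf("layer %d: time-stamp earlier than previous layer", i)
		}
		if !ed25519.Verify(l.Signer, digest(data, chain[:i], l.Timestamp), l.Sig) {
			return fmt.Errorf("layer %d: signature does not verify", i)
		}
	}
	return nil
}

func main() {
	data := []byte("Agreement text (constructed sample)")
	now := time.Now().Unix()
	chain := Sign(data, nil, NewKey(), now)            // original signature
	chain = Sign(data, chain, NewKey(), now+365*86400) // re-signed a year later
	fmt.Println("verify full chain:", Verify(data, chain))
	fmt.Println("verify with first layer stripped:", Verify(data, chain[1:]))
}
```

The design point is that the outer signature binds the inner one as part of its message, so the earlier signature stays verifiable (and its time-stamp stays meaningful) even after the earlier key or algorithm is no longer trusted on its own; a verifier that only checked the newest layer would miss that binding.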
Regulation 37. Application for certificate.
(1) An application for a certificate shall be made in writing to the licensed certification authority.
(2) An application under subregulation (1) shall contain the following particulars:
(a) the name and address of the subscriber;
(b) the telephone and facsimile number of the subscriber, if any;
(c) the electronic mail or other address by which the subscriber may be contacted electronically, if any;
(d) the distinguished name of the subscriber;
(e) any pseudonym to be used to preserve the anonymity of the subscriber;
(f) the public key corresponding to the subscriber's private key, if the subscriber generates his own key pair;
(g) an identifier of the algorithms with which the subscriber's public key is intended to be used, if the subscriber generates his own key pair;
(h) a statement of the period for which the certificate is required;
(i) a statement of any limitations on the authority of the subscriber who is to be the signer;
(j) the recommended reliance limit required for the certificate; and
(k) either the distinguished name of the repository designated for publication of notice of revocation or suspension of the certificate, or a specification of the method by which notice of revocation or suspension of the certificate is to be given.
(3) An application under subregulation (1) shall be accompanied by
(a) the approved fee; and
(b) such other information or document as the licensed certification authority may require.
(4) The licensed certification authority may, at its discretion, refuse to allow a subscriber to use a pseudonym.
Regulation 38. Issue of certificate.
(1) On receipt of an application under regulation 37, the licensed certification authority shall consider the application.
(2) If the licensed certification authority is satisfied as to the identity of the subscriber, the licensed certification authority may issue a certificate to the subscriber, with or without conditions, or refuse the certificate.
(3) A certificate issued by a licensed certification authority under subregulation (2) shall contain or incorporate by reference the following particulars:
(a) a statement that the type of the certificate is in accordance with this regulation;
(b) the licence number, the date and time of the issue, and the date and time of the expiry, of its licence;
(c) the serial number of the certificate, that must be unique among the certificates issued by the licensed certification authority;
(d) a statement whether the certificate is a transactional certificate;
(e) the name by which the subscriber is generally known or the pseudonym to be used;
(f) the distinguished name of the subscriber;
(g) the public key corresponding to the subscriber's private key;
(h) an identifier of the algorithms with which the subscriber's public key is intended to be used;
(i) the date and time on which the certificate is issued and accepted;
(j) the date and time on which the certificate expires;
(k) the distinguished name of the licensed certification authority issuing the certificate;
(l) an identifier of the algorithm or algorithms used to sign the certificate, in the form generally accepted in the subscriber's industry;
(m) the recommended reliance limit of the certificate;
(n) either the distinguished name of the repository designated for publication of notice of revocation or suspension of the certificate, or a specification of the method by which notice of revocation or suspension of the certificate is to be given; and
(o) a statement indicating the location of the licensed certification authority's certification practice statement, the method or procedure by which it may be retrieved, its form and structure, its authorship and its date.
(4) A certificate issued by a licensed certification authority under subregulation (2) may, at the option of the subscriber and the licensed certification authority, contain or incorporate by reference all or any of the following particulars:
(a) one or more additional, secondary public keys;
(b) identifiers or usage indicators related to public keys;
(c) references incorporating any applicable certification practice statements;
(d) any other available documents material to the certificate, the issuing licensed certification authority or the accepting subscriber.
(5) The data in a certificate shall be in such form as the Controller may determine.
(6) A certificate shall be digitally signed by the issuing licensed certification authority.
(7) The licensed certification authority shall keep and maintain a Register of Certificates containing a list of the certificates issued by it in such form as the Controller may determine.
(8) If the licensed certification authority refuses a certificate under subregulation (2), the licensed certification authority shall immediately notify the applicant in writing and shall immediately refund the approved fee.
(9) The licensed certification authority may classify the certificates issued by it according to designated levels of trust and may issue certificates according to such classification.
Regulation 39. Certificate Revocation List.
(1) A licensed certification authority shall keep and maintain a Certificate Revocation List that shall contain a list of all certificates revoked by the licensed certification authority together with the date and time of revocation.
(2) A Certificate Revocation List shall be digitally signed by the licensed certification authority.
(3) The licensed certification authority shall publish the Certificate Revocation List in at least one recognised repository.
(4) The licensed certification authority shall keep the Certificate Revocation List under constant review and shall enter all relevant information as soon as possible after it is received or determined but no later than the end of the business day on which it is received or determined.
(5) The licensed certification authority shall publish an updated Certificate Revocation List at least once in every twenty-four hours.
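Regulation 39 gives a relying party three things to check before trusting a Certificate Revocation List: it carries each revoked serial number with the date and time of revocation (39(1)), it is digitally signed by the authority (39(2)), and a fresh edition is published at least every twenty-four hours (39(5)), so an older list should be treated as stale. The Go program below is an added example, not text from the Regulations and not code of any licensed certification authority or repository; it assumes Ed25519 from Go's standard library for the authority's signature, a JSON encoding of the list body (the Controller's actual prescribed form is not on this page), and constructed sample serial numbers, times and a constructed distinguished name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Revocation is one entry of the list: the certificate's serial number with the
// date and time of revocation (regulation 39(1)).
type Revocation struct {
	Serial    string    `json:"serial"`
	RevokedAt time.Time `json:"revoked_at"`
}

// CRL is the list body. Issuer is the licensed certification authority's
// distinguished name; IssuedAt is when this edition was published.
type CRL struct {
	Issuer   string       `json:"issuer"`
	IssuedAt time.Time    `json:"issued_at"`
	Revoked  []Revocation `json:"revoked"`
}

// SignedCRL is the encoded body with the authority's signature over those
// exact bytes (regulation 39(2)).
type SignedCRL struct {
	Body []byte
	Sig  []byte
}

// MaxCRLAge is the relying party's freshness bound: regulation 39(5) requires a
// new edition at least every twenty-four hours, so an older list is stale.
const MaxCRLAge = 24 * time.Hour

// NewCAKey generates the authority's signing key (constructed for the example).
func NewCAKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignCRL encodes the body and signs the encoded bytes, so the verifier can
// check the signature before it parses anything.
func SignCRL(crl CRL, priv ed25519.PrivateKey) (SignedCRL, error) {
	body, err := json.Marshal(crl)
	if err != nil {
		return SignedCRL{}, err
	}
	return SignedCRL{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// CheckStatus reports whether serial is revoked according to s at time now.
// It refuses to answer when the signature is invalid, the list claims a future
// issue time, or the list is older than MaxCRLAge.
func CheckStatus(s SignedCRL, caPub ed25519.PublicKey, serial string, now time.Time) (bool, error) {
	if !ed25519.Verify(caPub, s.Body, s.Sig) {
		return false, errors.New("CRL signature does not verify")
	}
	var crl CRL
	if err := json.Unmarshal(s.Body, &crl); err != nil {
		return false, fmt.Errorf("malformed CRL body: %w", err)
	}
	if crl.IssuedAt.After(now) {
		return false, errors.New("CRL issue time is in the future")
	}
	if now.Sub(crl.IssuedAt) > MaxCRLAge {
		return false, fmt.Errorf("CRL is stale: issued %s, older than %s", crl.IssuedAt.Format(time.RFC3339), MaxCRLAge)
	}
	for _, r := range crl.Revoked {
		if r.Serial == serial {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	pub, priv := NewCAKey()
	issued := time.Date(1998, time.October, 1, 9, 0, 0, 0, time.UTC) // constructed sample time
	crl := CRL{
		Issuer:   "CN=Example Licensed CA", // constructed distinguished name
		IssuedAt: issued,
		Revoked:  []Revocation{{Serial: "1001", RevokedAt: issued.Add(-2 * time.Hour)}},
	}
	signed, err := SignCRL(crl, priv)
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct {
		serial string
		now    time.Time
	}{
		{"1001", issued.Add(time.Hour)},
		{"1002", issued.Add(time.Hour)},
		{"1001", issued.Add(25 * time.Hour)}, // past the twenty-four hour bound
	} {
		revoked, err := CheckStatus(signed, pub, tc.serial, tc.now)
		fmt.Printf("serial %s at %s: revoked=%v err=%v\n", tc.serial, tc.now.Format(time.RFC3339), revoked, err)
	}
}
```

The check fails closed: a stale or unverifiable list yields an error rather than "not revoked", because a relying party that quietly accepted an old list would keep trusting a certificate the authority has already revoked.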
Regulation 40. Chargeable fees.
A licensed certification authority may impose such fees and charges for its services as may be approved by the Controller.
Regulation 41. Qualification and registration of auditors.
(1) A certified public accountant or an accredited computer security professional intending to act as a compliance auditor under section 20 of the Act shall satisfy the following requirements:
(a) holds such accreditation or qualification as the Controller may determine;
(b) has at least two years' experience in trusted computer information systems, trusted telecommunications networking environments and professional audit techniques;
(c) has at least two years' experience in digital signature technology, standards and practices; and
(d) demonstrates knowledge of the requirements of the Act and these Regulations that satisfies the Controller.
(2) A certified public accountant or an accredited computer security professional intending to act as a compliance auditor under section 20 of the Act shall apply in writing to the Controller to be registered as a qualified auditor.
(3) If the Controller is satisfied that the requirements under subregulation (1) have been complied with, the Controller may register the applicant as a qualified auditor.
(4) A qualified auditor registered with the Controller under these Regulations shall not operate as or in any way participate in the operation of or be concerned in a certification authority, a repository or a date/time stamp service.
(5) The Controller shall keep and maintain a Register of Qualified Auditors in such form as he thinks fit.
(6) A person may inspect the Register of Qualified Auditors and make copies of or take extracts from the Register.
Regulation 42. Procedure for annual compliance audit.
(1) The qualified auditor shall give the licensed certification authority at least seven days written notice before the qualified auditor carries out the annual compliance audit.
(2) The licensed certification authority shall make available any information, document or personnel as may be required by the qualified auditor.
(3) Based on the information gathered in the audit, the qualified auditor shall categorise the licensed certification authority's compliance as one of the following:
(a) full compliance, if the licensed certification authority appears to comply with all the requirements of the Act and these Regulations;
(b) substantial compliance, if the licensed certification authority appears generally to comply with the requirements of the Act and these Regulations but one or more instances of non-compliance or of inability to demonstrate compliance were found in the audited sample, that were likely to be inconsequential;
(c) partial compliance, if the licensed certification authority appears to comply with some of the requirements of the Act and these Regulations but was found not to have complied with or not to be able to demonstrate compliance with one or more important safeguards; or
(d) non-compliance, if the licensed certification authority
(i) complies with few or none of the requirements of the Act or these Regulations;
(ii) fails to keep adequate records to demonstrate compliance with more than a few requirements; or
(iii) refused to submit to an audit.
Regulation 43. Auditor's report.
(1) The qualified auditor shall within fourteen days from the completion of a compliance audit under regulation 42 submit a written report to the Controller.
(2) The auditor's report shall contain
- (