DIGITAL SIGNATURE BILL 1997
ARRANGEMENT OF CLAUSES

Clause

PART I
PRELIMINARY

PART II
CONTROLLER OF CERTIFICATION AUTHORITIES AND THE LICENSING OF CERTIFICATION AUTHORITIES

PART III
REQUIREMENTS OF LICENSED CERTIFICATION AUTHORITIES

PART IV
DUTIES OF LICENSED CERTIFICATION AUTHORITIES AND SUBSCRIBERS

CHAPTER 1
General requirements for licensed certification authorities

27. Use of trustworthy systems.
29. Prerequisites to issuance of certificate to subscriber.
30. Publication of issued and accepted certificate.
31. Adoption of more rigorous requirements permitted.
32. Suspension or revocation of certificate for faulty issuance.
33. Suspension or revocation of certificate by order.

CHAPTER 2
Warranties and obligations of licensed certification authorities

35. Continuing obligations to subscriber.
36. Representations upon issuance.
37. Representations upon publication.

CHAPTER 3
Representations and duties upon acceptance of certificate

38. Implied representations by subscriber.
39. Representations by agent of subscriber.
40. Disclaimer or indemnity limited.
41. Indemnification of licensed certification authority by subscriber.
42. Certification of accuracy of information given.

CHAPTER 4
Control of private key

43. Duty of subscriber to keep private key secure.
45. Licensed certification authority to be fiduciary if holding subscriber's private key.

CHAPTER 5
Suspension of certificate

46. Suspension of certificate by issuing licensed certification authority.
47. Suspension of certificate by Controller or court.
49. Termination of suspension initiated by request.
50. Alternate contractual procedures.
51. Prohibition against false or unauthorised request for suspension of certificate.
52. Effect of suspension of certificate.

CHAPTER 6
Revocation of certificate

54. Revocation on subscriber's demise.
55. Revocation of unreliable certificates.
57. Effect of revocation request on subscriber.
58. Effect of notification on licensed certification authority.

CHAPTER 7
Expiration of certificate

59. Expiration of certificate.

CHAPTER 8
Recommended reliance limits and liability

60. Recommended reliance limit.
61. Liability limits for licensed certification authorities.

PART V
EFFECT OF DIGITAL SIGNATURE

62. Satisfaction of signature requirements.
63. Unreliable digital signatures.
64. Digitally signed document deemed to be written document.
65. Digitally signed document deemed to be original document.
66. Authentication of digital signatures.
67. Presumptions in adjudicating disputes.

PART VI
REPOSITORIES AND DATE/TIME STAMP SERVICES

68. Recognition of repositories.
69. Liability of repositories.
70. Recognition of date/time stamp services.

PART VII
GENERAL

71. Prohibition against dangerous activities.
74. Offences by body corporate.
78. Search and seizure without warrant.
79. Access to computerised data.
81. Obstruction of authorised officer.
84. Recovery of procedural costs.
85. No costs or damages arising from seizure to be recoverable.
86. Institution and conduct of prosecution.
87. Jurisdiction to try offences.
90. Limitation on disclaiming or limiting application of Act.

intituled

An Act to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.

[ ]

BE IT ENACTED by the Seri Paduka Baginda Yang di-Pertuan Agong with the advice and consent of the Dewan Negara and Dewan Rakyat in Parliament assembled, and by the authority of the same, as follows:

PART I
PRELIMINARY

1. This Act may be cited as the Digital Signature Act 1997 and shall come into force on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.

2.
(1) In this Act, unless the context otherwise requires -

"accept a certificate" means -
(a) to manifest approval of a certificate, while knowing or having notice of its contents; or
(b) to apply to a licensed certification authority for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification authority, and obtaining a signed, written receipt from the licensed certification authority, if the licensed certification authority subsequently issues a certificate based on the application;

"asymmetric cryptosystem" means an algorithm or series of algorithms which provide a secure key pair;

"authorised officer" means an officer authorised under section 75;

"certificate" means a computer-based record which -

"certification authority" means a person who issues a certificate;

"certification authority disclosure record" means an on-line and publicly accessible record which concerns a licensed certification authority which is kept by the Controller under subsection 3(5);

"certification practice statement" means a declaration of the practices which a certification authority employs in issuing certificates generally, or employed in issuing a particular certificate;

"certify" means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts;

"confirm" means to ascertain through diligent inquiry and investigation;

"Controller" means the Controller of Certification Authorities appointed under section 3;

"correspond", with reference to keys, means to belong to the same key pair;

"digital signature" means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine -
(a) whether the transformation was created using the private key that corresponds to the signer's public key; and
(b) whether the message has been altered since the transformation was made;

"forge a digital signature" means -
(a) to create a digital signature without the authorisation of the rightful holder of the private key; or
(b) to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

"hold a private key" means to be able to utilise a private key;

"incorporate by reference" means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

"issue a certificate" means the act of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

"key pair" means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

"licensed certification authority" means a certification authority to whom a licence has been issued by the Controller and whose licence is in effect;

"message" means a digital representation of information;

"notify" means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;

"person" means a natural person or a body of persons, corporate or unincorporate, capable of signing a document, either legally or as a matter of fact;

"prescribed" means prescribed by or under this Act or any regulations made under this Act;

"private key" means the key of a key pair used to create a digital signature;

"public key" means the key of a key pair used to verify a digital signature;

"publish" means to record or file in a repository;

"qualified certification authority" means a certification authority that satisfies the requirements under section 5;

"recipient" means a person who receives or has a digital signature and is in a position to rely on it;

"recognised date/time stamp service" means a date/time stamp service recognised by the Controller under section 70;

"recognised repository" means a repository recognised by the Controller under section 68;

"recommended reliance limit" means the monetary amount recommended for reliance on a certificate under section 60;

"repository" means a system for storing and retrieving certificates and other information relevant to digital signatures;

"revoke a certificate" means to make a certificate ineffective permanently from a specified time forward;

"rightfully hold a private key" means to be able to utilise a private key -
(a) which the holder or the holder's agents have not disclosed to any person in contravention of this Act; and
(b) which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;

"subscriber" means a person who -
(a) is the subject listed in a certificate;
(b) accepts the certificate; and
(c) holds a private key which corresponds to a public key listed in that certificate;

"suspend a certificate" means to make a certificate ineffective temporarily for a specified time forward;

"this Act" includes any regulations made under this Act;

"time-stamp" means -
(a) to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or
(b) the notation so appended or attached;

"transactional certificate" means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

"trustworthy system" means computer hardware and software which -
(a) are reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation; and
(c) are reasonably suited to performing their intended functions;

"valid certificate" means a certificate which -
(a) a licensed certification authority has issued;
(b) has been accepted by the subscriber listed in it;
(c) has not been revoked or suspended; and
(d) has not expired:
Provided that a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;

"verify a digital signature" means, in relation to a given digital signature, message and public key, to determine accurately that -
(a) the digital signature was created by the private key corresponding to the public key; and
(b) the message has not been altered since its digital signature was created;

"writing" or "written" includes any handwriting, typewriting, printing, electronic storage or transmission, or any other method of recording information or fixing information in a form capable of being preserved.

(2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.

(3) The revocation of a certificate does not mean that it is destroyed or made illegible.
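The definitions of "digital signature", "key pair", "correspond" and "verify a digital signature" above describe a mechanical check: a recipient holding the message, the signature and the signer's public key must be able to determine both (a) that the corresponding private key made the signature and (b) that the message is unaltered. The program below is an added illustration of that check and is not part of the Act, nor the code of any certification authority. The Act names no particular asymmetric cryptosystem; the example assumes Ed25519 from the Go standard library, and the message, key pairs and the function names Sign, Verify and Demo are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyPair is the Act's "key pair": a private key and the public key
// that can verify what the private key signs.
type KeyPair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewKeyPair generates a fresh Ed25519 key pair from the OS random source.
func NewKeyPair() (KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return KeyPair{}, err
	}
	return KeyPair{Public: pub, Private: priv}, nil
}

// Sign is the "transformation of a message" made with the private key.
func Sign(priv ed25519.PrivateKey, message []byte) []byte {
	return ed25519.Sign(priv, message)
}

// Verify is the Act's "verify a digital signature": given a signature, a
// message and a public key it returns true only if (a) the signature was
// made by the private key corresponding to this public key and (b) the
// message is unchanged since signing. A failing check does not say which
// of (a) or (b) failed; the recipient simply must not rely on it.
func Verify(pub ed25519.PublicKey, message, signature []byte) bool {
	// ed25519.Verify panics on a wrong-length public key, so reject
	// malformed inputs before calling it.
	if len(pub) != ed25519.PublicKeySize || len(signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, message, signature)
}

// Outcome records what a recipient observes in each scenario.
type Outcome struct {
	Genuine          bool // correct public key, unaltered message
	AlteredMessage   bool // correct public key, message changed after signing
	NonCorresponding bool // public key from a different key pair
	TruncatedSig     bool // malformed (truncated) signature
}

// Demo signs a constructed sample message and checks it under each
// scenario. Only Genuine should be true.
func Demo() (Outcome, error) {
	signer, err := NewKeyPair()
	if err != nil {
		return Outcome{}, err
	}
	other, err := NewKeyPair() // a second, non-corresponding key pair
	if err != nil {
		return Outcome{}, err
	}

	msg := []byte("Transfer RM 1,000 to account 1234") // constructed sample
	sig := Sign(signer.Private, msg)
	altered := []byte("Transfer RM 9,000 to account 1234") // one digit changed

	return Outcome{
		Genuine:          Verify(signer.Public, msg, sig),
		AlteredMessage:   Verify(signer.Public, altered, sig),
		NonCorresponding: Verify(other.Public, msg, sig),
		TruncatedSig:     Verify(signer.Public, msg, sig[:len(sig)-1]),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Note that a successful Verify answers only the two questions in the definition; whether the public key actually belongs to the person named in a certificate is a separate matter that the Act assigns to the certification authority and the validity of the certificate, not to the signature check itself.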