DIGITAL SIGNATURE BILL 1997
PART III REQUIREMENTS OF LICENSED CERTIFICATION AUTHORITIES
22. (1) A licensed certification authority shall only carry on such activities as may be specified in its licence.
(2) A licensed certification authority shall carry on its activities in accordance with this Act and any regulations made under this Act.
23. A licensed certification authority shall at all times display its licence in a conspicuous place at its place of business.
24. (1) A licensed certification authority shall submit to the Controller such information and particulars, including financial statements, audited balance sheets and profit and loss accounts relating to its entire business operations, as may be required by the Controller within such time as he may determine.
(2) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both, and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two thousand ringgit for each day the offence continues to be committed.
25. (1) Every licensed certification authority shall, before making any amendment or alteration to any of its constituent documents, or before any change in its director or chief executive officer, furnish the Controller particulars in writing of any such proposed amendment, alteration or change.
(2) Every licensed certification authority shall immediately notify the Controller of any amendment or alteration to any information or document which has been furnished to the Controller in connection with the licence.
26. A licensed certification authority shall not publish, whether in a newspaper, brochure or otherwise, any advertisement or information relating to or in connection with the business of a certification authority without including -
(a) the licence number;
(b) the business name under which it carries on business and the address at which such business is carried on; and
(c) any other particulars relating to any services offered as the Controller considers necessary.
PART IV
DUTIES OF LICENSED CERTIFICATION AUTHORITIES AND SUBSCRIBERS
CHAPTER 1
General requirements for licensed certification authorities
27. (1) A licensed certification authority shall only use a trustworthy system -
(a) to issue, suspend or revoke a certificate;
(b) to publish or give notice of the issuance, suspension or revocation of a certificate; and
(c) to create a private key, whether for itself or for a subscriber.
(2) A subscriber shall only use a trustworthy system to create a private key.
28. (1) A licensed certification authority shall, on an inquiry being made to it under this Act, disclose any material certification practice statement and any fact material to either the reliability of a certificate which it has issued or its ability to perform its services.
(2) A licensed certification authority may require a signed, written and reasonably specific inquiry from an identified person, and payment of the prescribed fee, as conditions precedent to effecting a disclosure required under subsection (1).
29. (1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(a) the licensed certification authority has received a request for issuance signed by the prospective subscriber; and
(b) the licensed certification authority has confirmed that -
(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber duly authorised the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
(2) The requirements of subsection (1) shall not be waived or disclaimed by the licensed certification authority, the subscriber, or both.
30. (1) Where the subscriber accepts the issued certificate, the licensed certification authority shall publish a signed copy of the certificate in a recognised repository, as the licensed certification authority and the subscriber named in the certificate may agree, unless a contract between the licensed certification authority and the subscriber provides otherwise.
(2) Where the subscriber does not accept the certificate, a licensed certification authority shall not publish it, or shall cancel its publication if the certificate has already been published.
31. Nothing in sections 29 and 30 shall preclude a licensed certification authority from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.
32. (1) Where after issuing a certificate a licensed certification authority confirms that it was not issued in accordance with sections 29 and 30, the licensed certification authority shall immediately revoke it.
(2) A licensed certification authority may suspend a certificate which it has issued for a reasonable period not exceeding forty-eight hours as may be necessary for an investigation to be carried out to confirm the grounds for a revocation under subsection (1).
(3) The licensed certification authority shall immediately notify the subscriber of a revocation or suspension under this section.
33. (1) The Controller may order the licensed certification authority to suspend or revoke a certificate issued by it where the Controller determines that -
(a) the certificate was issued without compliance with sections 29 and 30; and
(b) the non-compliance poses a significant risk to persons reasonably relying on the certificate.
(2) Before making a determination under subsection (1), the Controller shall give the licensed certification authority and the subscriber a reasonable opportunity of being heard.
(3) Notwithstanding subsections (1) and (2), where in the opinion of the Controller there exists an emergency that requires an immediate remedy, the Controller may, after consultation with the Minister, suspend a certificate for a period not exceeding forty-eight hours.
CHAPTER 2
Warranties and obligations of licensed certification authorities
34. (1) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that -
(a) the certificate contains no information known to the licensed certification authority to be false;
(b) the certificate satisfies all the requirements of this Act; and
(c) the licensed certification authority has not exceeded any limits of its licence in issuing the certificate.
(2) A licensed certification authority shall not disclaim or limit the warranties under subsection (1).
35. Unless the subscriber and licensed certification authority otherwise agree, a licensed certification authority, by issuing a certificate, promises to the subscriber -
(a) to act promptly to suspend or revoke a certificate in accordance with Chapter 5 or 6; and
(b) to notify the subscriber within a reasonable time of any facts known to the licensed certification authority which significantly affect the validity or reliability of the certificate once it is issued.
36. By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that -
(a) the information in the certificate and listed as confirmed by the licensed certification authority is accurate;
(b) all information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;
(c) the subscriber has accepted the certificate; and
(d) the licensed certification authority has complied with all applicable laws governing the issuance of the certificate.
37. By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the licensed certification authority has issued the certificate to the subscriber.
CHAPTER 3
Representations and duties upon acceptance of certificate
38. By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that -
(a) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
(b) all representations made by the subscriber to the licensed certification authority and material to information listed in the certificate are true; and
(c) all material representations made by the subscriber to a licensed certification authority or made in the certificate and not confirmed by the licensed certification authority in issuing the certificate are true.
39. By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, the requesting person certifies in that person's own right to all who reasonably rely on the information contained in the certificate that the requesting person -
(a) holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and
(b) has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.
40. No person may disclaim or contractually limit the application of this Chapter, nor obtain indemnity for its effects, if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.
41. (1) By accepting a certificate, a subscriber undertakes to indemnify the issuing licensed certification authority for any loss or damage caused by issuance or publication of the certificate in reliance on -
(a) a false and material representation of fact by the subscriber; or
(b) the failure by the subscriber to disclose a material fact,
if the representation or failure to disclose was made either with intent to deceive the licensed certification authority or a person relying on the certificate, or with negligence.
(2) Where the licensed certification authority issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the licensed certification authority under this section, as if they were accepting subscribers in their own right.
(3) The indemnity provided in this section shall not be disclaimed or contractually limited in scope.
42. In obtaining information of the subscriber material to the issuance of a certificate, the licensed certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation.
CHAPTER 4
Control of private key
43. By accepting a certificate issued by a licensed certification authority, the subscriber named in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorised to create the subscriber's digital signature.
44. A private key is the personal property of the subscriber who rightfully holds it.
45. Where a licensed certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the licensed certification authority shall hold the private key as a fiduciary of the subscriber named in the certificate, and may use that private key only with the subscriber's prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification authority and expressly and in writing permits the licensed certification authority to hold the private key according to other terms.
CHAPTER 5
Suspension of certificate
46. (1) Unless the licensed certification authority and the subscriber agree otherwise, the licensed certification authority which issued a certificate, which is not a transactional certificate, shall suspend the certificate for a period not exceeding forty-eight hours -
(a) upon request by a person identifying himself as the subscriber named in the certificate, or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee or member of the immediate family of the subscriber; or
(b) by order of the Controller under section 33.
(2) The licensed certification authority shall take reasonable measures to check the identity or agency of the person requesting suspension.
47. (1) Unless the certificate provides otherwise or the certificate is a transactional certificate, the Controller or a court may suspend a certificate issued by a licensed certification authority for a period of forty-eight hours, if -
(a) a person identifying himself as the subscriber named in the certificate or as an agent, business associate, employee or member of the immediate family of the subscriber requests suspension; and
(b) the requester represents that the licensed certification authority which issued the certificate is unavailable.
(2) The Controller or court may require the person requesting suspension to provide evidence, including a statement under oath or affirmation regarding his identity and authorisation, and the unavailability of the issuing licensed certification authority, and may decline to suspend the certificate in his or its discretion.
(3) The Controller or other law enforcement agency may investigate suspensions by the Controller or court for possible wrongdoing by persons requesting suspension.
48. (1) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority shall publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension.
(2) Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the suspension in all such repositories.
(3) Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognised under section 68, the licensed certification authority shall also publish the notice in a recognised repository.
(4) Where a certificate is suspended by the Controller or a court, the Controller or court shall give notice as required in this section for a licensed certification authority provided that the person requesting suspension pays in advance any prescribed fee required by a repository for publication of the notice of suspension.
49. A licensed certification authority shall terminate a suspension initiated by request -
(a) where the subscriber named in the suspended certificate requests termination of the suspension, only if the licensed certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorised to terminate the suspension; or
(b) where the licensed certification authority discovers and confirms that the request for the suspension was made without authorisation by the subscriber.
50. (1) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the licensed certification authority or may provide otherwise for termination of a requested suspension.
(2) Where the contract limits or precludes suspension by the Controller or a court when the issuing licensed certification authority is unavailable, the limitation or preclusion shall be effective only if notice of it is published in the certificate.
51. No person shall knowingly or intentionally misrepresent to a licensed certification authority his identity or authorisation in requesting suspension of a certificate.
52. Nothing in this Chapter shall release the subscriber from the duty under section 43 to keep the private key secure while a certificate is suspended.