PART IV
DUTIES OF LICENSED CERTIFICATION AUTHORITIES AND SUBSCRIBERS
CHAPTER 1
General requirements for licensed certification authorities
27. Use of trustworthy systems
28. Disclosures on inquiry
(1) A licensed certification authority shall, on an inquiry being made to it under this Act, disclose any material certification practice statement and any fact material to either the reliability of a certificate which it has issued or its ability to perform its services.
(2) A licensed certification authority may require a signed, written and reasonably specific inquiry from an identified person, and payment of the prescribed fee, as conditions precedent to effecting a disclosure required under subsection (1).
29. Prerequisites to issuance of certificate to subscriber
(1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(a) the licensed certification authority has received a request for issuance signed by the prospective subscriber; and
(b) the licensed certification authority has confirmed that-
(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber duly authorised the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
(2) The requirements of subsection (1) shall not be waived or disclaimed by the licensed certification authority, the subscriber, or both.
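The mechanically checkable parts of section 29(1), as a licensed certification authority's enrolment software might apply them: a signed request from the prospective subscriber, proof that the subscriber holds the private key matching the public key to be listed, and a name that matches the identity the authority has confirmed. This is an added Go example, not part of the Act; the subscriber name and the PEM requests are constructed test data, and the out-of-band identity confirmation is assumed to have happened already.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// checkIssuance applies the section 29(1) prerequisites before a licensed CA
// signs anything: the request must carry the prospective subscriber's
// signature, that signature must verify under the public key the certificate
// will list (proof that the subscriber holds the matching private key), and
// the listed name must be the identity the CA has confirmed out of band.
func checkIssuance(csrPEM []byte, confirmedName string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	// 29(1)(a), (b)(iv)-(vi): the request's self-signature must verify with the
	// public key it carries; otherwise the requester has not shown it holds the key.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	// 29(1)(b)(i), (iii): the name to be listed must be the confirmed subscriber.
	if csr.Subject.CommonName != confirmedName {
		return nil, fmt.Errorf("subject %q is not the confirmed subscriber %q", csr.Subject.CommonName, confirmedName)
	}
	return csr, nil
}

// newSubscriberCSR builds constructed demonstration data: a fresh subscriber
// key pair and a request for the given name signed with it.
func newSubscriberCSR(name string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// corruptSignature flips the last byte of the DER signature (constructed case:
// a request not signed by the private key matching the listed public key).
func corruptSignature(csrPEM []byte) []byte {
	block, _ := pem.Decode(csrPEM)
	block.Bytes[len(block.Bytes)-1] ^= 0x01
	return pem.EncodeToMemory(block)
}
```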
30. Publication of issued and accepted certificate
(1) Where the subscriber accepts the issued certificate, the licensed certification authority shall publish a signed copy of the certificate in a recognised repository, as the licensed certification authority and the subscriber named in the certificate may agree, unless a contract between the licensed certification authority and the subscriber provides otherwise.
(2) Where the subscriber does not accept the certificate, a licensed certification authority shall not publish it, or shall cancel its publication if the certificate has already been published.
31. Adoption of more rigorous requirements permitted
Nothing in sections 29 and 30 shall preclude a licensed certification authority from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.
32. Suspension or revocation of certificate for faulty issuance
(1) Where after issuing a certificate a licensed certification authority confirms that it was not issued in accordance with sections 29 and 30, the licensed certification authority shall immediately revoke it.
(2) A licensed certification authority may suspend a certificate which it has issued for a reasonable period not exceeding forty-eight hours as may be necessary for an investigation to be carried out to confirm the grounds for a revocation under subsection (1).
(3) The licensed certification authority shall immediately notify the subscriber of a revocation or suspension under this section.
33. Suspension or revocation of certificate by order
(1) The Controller may order the licensed certification authority to suspend or revoke a certificate issued by it where the Controller determines that-
(a) the certificate was issued without compliance with sections 29 and 30; and
(b) the non-compliance poses a significant risk to persons reasonably relying on the certificate.
(2) Before making a determination under subsection (1), the Controller shall give the licensed certification authority and the subscriber a reasonable opportunity of being heard.
(3) Notwithstanding subsections (1) and (2), where in the opinion of the Controller there exists an emergency that requires an immediate remedy, the Controller may, after consultation with the Minister, suspend a certificate for a period not exceeding forty-eight hours.
CHAPTER 2
Warranties and obligations of licensed certification authorities
34. Warranties to subscriber
(1) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that-
(a) the certificate contains no information known to the licensed certification authority to be false;
(b) the certificate satisfies all the requirements of this Act; and
(c) the licensed certification authority has not exceeded any limits of its licence in issuing the certificate.
(2) A licensed certification authority shall not disclaim or limit the warranties under subsection (1).
35. Continuing obligations to subscriber
Unless the subscriber and licensed certification authority otherwise agree, a licensed certification authority, by issuing a certificate, promises to the subscriber-
(a) to act promptly to suspend or revoke a certificate in accordance with Chapter 5 or 6; and
(b) to notify the subscriber within a reasonable time of any facts known to the licensed certification authority which significantly affect the validity or reliability of the certificate once it is issued.
36. Representations upon issuance
By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that-
(a) the information in the certificate and listed as confirmed by the licensed certification authority is accurate;
(b) all information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;
(c) the subscriber has accepted the certificate; and
(d) the licensed certification authority has complied with all applicable laws governing the issuance of the certificate.
37. Representations upon publication
By publishing a certificate, a licensed certification authority certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the licensed certification authority has issued the certificate to the subscriber.
CHAPTER 3
Representations and duties upon acceptance of certificate
38. Implied representations by subscriber
By accepting a certificate issued by a licensed certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that-
(a) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
(b) all representations made by the subscriber to the licensed certification authority and material to information listed in the certificate are true; and
(c) all material representations made by the subscriber to a licensed certification authority or made in the certificate and not confirmed by the licensed certification authority in issuing the certificate are true.
39. Representations by agent of subscriber
By requesting on behalf of a principal the issuance of a certificate naming the principal as subscriber, the requesting person certifies in that person's own right to all who reasonably rely on the information contained in the certificate that the requesting person-
(a) holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and
(b) has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person's authority.
40. Disclaimer or indemnity limited
No person may disclaim or contractually limit the application of this Chapter, nor obtain indemnity for its effects, if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.
41. Indemnification of licensed certification authority by subscriber
(1) By accepting a certificate, a subscriber undertakes to indemnify the issuing licensed certification authority for any loss or damage caused by issuance or publication of the certificate in reliance on-
(a) a false and material representation of fact by the subscriber; or
(b) the failure by the subscriber to disclose a material fact, if the representation or failure to disclose was made either with intent to deceive the licensed certification authority or a person relying on the certificate, or with negligence.
(2) Where the licensed certification authority issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the licensed certification authority under this section, as if they were accepting subscribers in their own right.
(3) The indemnity provided in this section shall not be disclaimed or contractually limited in scope.
42. Certification of accuracy of information given
In obtaining information of the subscriber material to the issuance of a certificate, the licensed certification authority may require the subscriber to certify the accuracy of relevant information under oath or affirmation.
CHAPTER 4
Control of private key
43. Duty of subscriber to keep private key secure
By accepting a certificate issued by a licensed certification authority, the subscriber named in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorised to create the subscriber's digital signature.
44. Property in private key
A private key is the personal property of the subscriber who rightfully holds it.
45. Licensed certification authority to be fiduciary if holding subscriber's private key
Where a licensed certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the licensed certification authority shall hold the private key as a fiduciary of the subscriber named in the certificate, and may use that private key only with the subscriber's prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification authority and expressly and in writing permits the licensed certification authority to hold the private key according to other terms.
CHAPTER 5
Suspension of certificate
46. Suspension of certificate by issuing licensed certification authority
(1) Unless the licensed certification authority and the subscriber agree otherwise, the licensed certification authority which issued a certificate, which is not a transactional certificate, shall suspend the certificate for a period not exceeding forty-eight hours-
(a) upon request by a person identifying himself as the subscriber named in the certificate, or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, business associate, employee or member of the immediate family of the subscriber; or
(b) by order of the Controller under section 33.
(2) The licensed certification authority shall take reasonable measures to check the identity or agency of the person requesting suspension.
47. Suspension of certificate by Controller or court
(1) Unless the certificate provides otherwise or the certificate is a transactional certificate, the Controller or a court may suspend a certificate issued by a licensed certification authority for a period of forty-eight hours, if-
(a) a person identifying himself as the subscriber named in the certificate or as an agent, business associate, employee or member of the immediate family of the subscriber requests suspension; and
(b) the requester represents that the licensed certification authority which issued the certificate is unavailable.
(2) The Controller or court may require the person requesting suspension to provide evidence, including a statement under oath or affirmation regarding his identity and authorisation, and the unavailability of the issuing licensed certification authority, and may decline to suspend the certificate in his or its discretion.
(3) The Controller or other law enforcement agency may investigate suspensions by the Controller or court for possible wrongdoing by persons requesting suspension.
48. Notice of suspension
(1) Immediately upon suspension of a certificate by a licensed certification authority, the licensed certification authority shall publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension.
(2) Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the suspension in all such repositories.
(3) Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognised under section 68, the licensed certification authority shall also publish the notice in a recognised repository.
(4) Where a certificate is suspended by the Controller or a court, the Controller or court shall give notice as required in this section for a licensed certification authority provided that the person requesting suspension pays in advance any prescribed fee required by a repository for publication of the notice of suspension.
49. Termination of suspension initiated by request
A licensed certification authority shall terminate a suspension initiated by request-
(a) where the subscriber named in the suspended certificate requests termination of the suspension, only if the licensed certification authority has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorised to terminate the suspension; or
(b) where the licensed certification authority discovers and confirms that the request for the suspension was made without authorisation by the subscriber.
50. Alternate contractual procedures
(1) The contract between a subscriber and a licensed certification authority may limit or preclude requested suspension by the licensed certification authority or may provide otherwise for termination of a requested suspension.
(2) Where the contract limits or precludes suspension by the Controller or a court when the issuing licensed certification authority is unavailable, the limitation or preclusion shall be effective only if notice of it is published in the certificate.
51. Prohibition against false or unauthorised request for suspension of certificate
No person shall knowingly or intentionally misrepresent to a licensed certification authority his identity or authorisation in requesting suspension of a certificate.
52. Effect of suspension of certificate
Nothing in this Chapter shall release the subscriber from the duty under section 43 to keep the private key secure while a certificate is suspended.
CHAPTER 6
Revocation of certificate
53. Revocation on request
(1) A licensed certification authority shall revoke a certificate which it issued but which is not a transactional certificate-
(a) upon receiving a request for revocation by the subscriber named in the certificate; and
(b) upon confirming that the person requesting revocation is that subscriber or is an agent of that subscriber with authority to request the revocation.
(2) A licensed certification authority shall confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber's written request and evidence reasonably sufficient to confirm the identity of the person requesting the revocation or of the agent.
54. Revocation on subscriber's demise
A licensed certification authority shall revoke a certificate which it issued-
(a) upon receiving a certified copy of the subscriber's death certificate or upon confirming by other evidence that the subscriber is dead; or
(b) upon presentation of documents effecting a dissolution of the subscriber or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.
55. Revocation of unreliable certificates
(1) A licensed certification authority may revoke one or more certificates which it issued if the certificates are or become unreliable regardless of whether the subscriber consents to the revocation and notwithstanding any provision to the contrary in a contract between the subscriber and the licensed certification authority.
(2) Nothing in subsection (1) shall prevent the subscriber from seeking damages or other relief against the licensed certification authority in the event of wrongful revocation.
56. Notice of revocation
(1) Immediately upon revocation of a certificate by a licensed certification authority, the licensed certification authority shall publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation.
(2) Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the revocation in all such repositories.
(3) Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognised under section 68, the licensed certification authority shall also publish the notice in a recognised repository.
57. Effect of revocation request on subscriber
Where a subscriber has requested for the revocation of a certificate, the subscriber ceases to certify as provided in Chapter 3 and has no further duty to keep the private key secure as required under section 43 -
(a) when notice of the revocation is published as required under section 56; or
(b) when two business days have lapsed after the subscriber requests for the revocation in writing, supplies to the issuing licensed certification authority information reasonably sufficient to confirm the request, and pays any prescribed fee, whichever occurs first.
58. Effect of notification on licensed certification authority
Upon notification as required under section 56, a licensed certification authority shall be discharged of its warranties based on issuance of the revoked certificate and ceases to certify as provided in sections 35 and 36 in relation to the revoked certificate.
CHAPTER 7
Expiration of certificate
59. Expiration of certificate
(1) The date of expiry of a certificate shall be specified in the certificate.
(2) A certificate may be issued for any period not exceeding three years from the date of issuance.
(3) When a certificate expires, the subscriber and licensed certification authority shall cease to certify as provided under this Act and the licensed certification authority shall be discharged of its duties based on issuance in relation to the expired certificate.
(4) The expiry of a certificate shall not affect the duties and obligations of the subscriber and licensed certification authority incurred under and in relation to the expired certificate.
CHAPTER 8
Recommended reliance limits and liability
60. Recommended reliance limit
(1) A licensed certification authority shall, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.
(2) The licensed certification authority may specify different limits in different certificates as it considers fit.
61. Liability limits for licensed certification authorities
Unless a licensed certification authority waives the application of this section, a licensed certification authority-
(a) shall not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed certification authority complied with the requirements of this Act;
(b) shall not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either-
(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification authority is required to confirm; or
(ii) failure to comply with sections 29 and 30 in issuing the certificate; and
(c) shall not be liable for-
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering.