PART V
EFFECT OF DIGITAL SIGNATURE
62. Satisfaction of signature requirements
(1) Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where-
(a) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
(b) that digital signature was affixed by the signer with the intention of signing the message; and
(c) the recipient has no knowledge or notice that the signer-
(i) has breached a duty as a subscriber; or
(ii) does not rightfully hold the private key used to affix the digital signature.
(2) Notwithstanding any written law to the contrary-
(a) a document signed with a digital signature in accordance with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumb-print or any other mark; and
(b) a digital signature created in accordance with this Act shall be deemed to be a legally binding signature.
(3) Nothing in this Act shall preclude any symbol from being valid as a signature under any other applicable law.
63. Unreliable digital signatures
(1) Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.
(2) Where the recipient determines not to rely on a digital signature under this section, the recipient shall promptly notify the signer of its determination not to rely on a digital signature and the grounds for that determination.
64. Digitally signed document deemed to be written document
(1) A message shall be as valid, enforceable and effective as if it had been written on paper if-
(a) it bears in its entirety a digital signature; and
(b) that digital signature is verified by the public key listed in a certificate which-
(i) was issued by a licensed certification authority; and
(ii) was valid at the time the digital signature was created.
(2) Nothing in this Act shall preclude any message, document or record from being considered written or in writing under any other applicable law.
65. Digitally signed document deemed to be original document.
A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.
66. Authentication of digital signatures
A certificate issued by a licensed certification authority shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification authority when the digital signature was created, if that digital signature is-
(a) verifiable by that certificate; and
(b) affixed when that certificate was valid.
67. Presumptions in adjudicating disputes
In adjudicating a dispute involving a digital signature, a court shall presume-
(a) that a certificate digitally signed by a licensed certification authority and-
(i) published in a recognised repository; or
(ii) made available by the issuing licensed
certification authority or by the subscriber listed in the certificate,
is issued by the licensed certification authority which digitally signed it and is accepted by the subscriber listed in it;
(b) that the information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate;
(c) that where a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority-
(i) that digital signature is the digital signature of the subscriber listed in that certificate;
(ii) that digital signature was affixed by that subscriber with the intention of signing the message; and
(iii) the recipient of that digital signature has no knowledge or notice that the signer-
(A) has breached a duty as a subscriber; or
(B) does not rightfully hold the private key used to affix the digital signature; and
(d) that a digital signature was created before it was time-stamped by a recognised date/time stamp service utilising a trustworthy system.
PART VI
REPOSITORIES AND DATE/TIME STAMP SERVICES
68. Recognition of repositories
(1) The Controller may recognise one or more repositories, after determining that a repository to be recognised satisfies the requirements prescribed in the regulations made under this Act.
(2) The procedure for recognition of repositories shall be as may be prescribed by regulations made under this Act.
(3) The Controller shall publish a list of recognised repositories in such form and manner as he may determine.
69. Liability of repositories.
(1) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository and a licensed certification authority or a subscriber, a repository shall be liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.
(2) Unless waived, a recognised repository or the owner or operator of a recognised repository-
(a) shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;
(b) shall not be liable under subsection (1) in excess of the amount specified in the certificate as the recommended reliance limit;
(c) shall not be liable under subsection (1) for-
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering;
(d) shall not be liable for misrepresentation in a certificate published by a certification authority;
(e) shall not be liable for accurately recording or reporting information which a licensed certification authority, a court or the Controller has published as required or permitted under this Act, including information about the suspension or revocation of a certificate; and
(f) shall not be liable for reporting information about a certification authority, a certificate or a subscriber, if such information is published as required or permitted under this Act or is published by order of the Controller in the performance of his licensing and regulatory duties under this Act.
70. Recognition of date/time stamp services
(1) The Controller may recognise one or more date/time stamp services, after determining that a service to be recognised satisfies the requirements prescribed in the regulations made under this Act.
(2) The procedure for recognition of date/time stamp
services shall be as may be prescribed by regulations
made under this Act.
(3) The Controller shall publish a list of recognised
date/time stamp services in such form and manner as he may determine.