ELECTRONIC COMMUNICATIONS AND TRANSACTIONS ACT, 2009: SUBSIDIARY LEGISLATION

INDEX TO SUBSIDIARY LEGISLATION

Electronic Communications and Transactions Act (Commencement) Order

Electronic Communications and Transactions (General) Regulations

ELECTRONIC COMMUNICATIONS AND TRANSACTIONS ACT (COMMENCEMENT) ORDER

[Section 1]

Arrangement of Paragraphs

   Paragraph

   1.   Title

   2.   Commencement of Act No. 21 of 2009

SI 105 of 2009.

 

1.   Title

This Order may be cited as the Electronic Communications and Transactions (Commencement) Order, 2009.

 

2.   Commencement of Act No. 21 of 2009

The Electronic Communications and Transactions Act, 2009, shall come into operation on the date of publication of this Order.

ELECTRONIC COMMUNICATIONS AND TRANSACTIONS (GENERAL) REGULATIONS

[Sections 33, 44, 79 and 113]

[Currency mentioned in this regulation should be re-denominated as stipulated under S 4 of Re-denomination Act, 2012, read with S 29 of Bank of Zambia Act, 1996.]

Arrangement of Regulations

PART I
PRELIMINARY

   Regulation

   1.   Title

   2.   Application

   3.   Interpretation

PART II
REGISTRATION OF CRYPTOGRAPHY SERVICE PROVIDERS

   4.   Application for registration as cryptography service provider

   5.   Registration as cryptography service provider

   6.   Changes in detail or nature of cryptography services

   7.   Surrender of certificate of registration

   8.   Prohibition on assigning, ceding or transferring certificate of registration

   9.   Application for consent to assign, cede etc., certificate of registration

   10.   Renewal of certificate of registration

   11.   Suspension or revocation of certificate of registration

   12.   Register of cryptography service providers

PART III
ACCREDITATION OF AUTHENTICATION SERVICE PROVIDERS

   13.   Provision of authentication products or services

   14.   Application for accreditation of authentication product or service

   15.   Accreditation as authentication product or service provider

   16.   Changes in detail or nature of authentication products or services

   17.   Surrender of accreditation

   18.   Prohibition of assigning, ceding or transferring accreditation without authority

   19.   Application for approval to assign, cede or transfer accreditation

   20.   Renewal of accreditation

   21.   Suspension or revocation of accreditation

   22.   Database of authentication service providers

   23.   Minimum compliance requirements for authentication

PART IV
TECHNICAL REQUIREMENTS FOR AUTHENTICATION AND CERTIFICATION

   24.   Issuance of authentication certificates

   25.   Requirements for certification practice statements

   26.   Duties of subscribers

   27.   Responsibilities of certification service providers

   28.   Record keeping

   29.   Suspension and revocation of certificates

   30.   Adherence to international standards, risk assessments and audits

   31.   Recognition of foreign accreditation

PART V
PROTECTION OF CRITICAL DATABASE

   32.   Declaration of critical databases

   33.   Registration and identification of critical databases

   34.   Management of critical databases

   35.   Access to, transfer and control of critical databases

   36.   Securing integrity and authenticity of critical data

   37.   Procedures and technological methods for use in storage or archival of critical databases

   38.   Disaster recovery plans

   39.   Risk assessment and evaluation of critical databases

PART VI
INTERCEPTION OF ELECTRONIC COMMUNICATIONS

   40.   Interception capability of electronic communications services

   41.   Duration of interception capability

   42.   Non-detectability of interception

   43.   Technical arrangements for interception

   44.   Configuration of interception capable networks, services or archives

   45.   Restrictions on implementation of interception measure

   46.   Routing, provisioning storage, etc. of realtime and archived communications

   47.   Availability, storage, archival, etc. of real time communication related information

   48.   Information safety, security, etc

   49.   Technical standards and configuration for real time and archived communication-related information

   50.   Storage period for communications

PART VII
DETAILED SECURITY, FUNCTIONAL AND TECHNICAL REQUIREMENTS FOR INTERCEPTION

   51.   General security, functional and technical requirements

   52.   Detailed security, functional and technical requirements for public switched telecommunications networks, fixed networks and mobile communications networks

   53.   Detailed security, functional and technical requirements for internet service providers

   54.   Technical security standards for public switched telecommunications networks, fixed networks and mobile communications networks

   55.   Technical security standards for internet service providers

PART VIII
GENERAL PROVISIONS

   56.   Fees

   57.   Transitional provision

      FIRST SCHEDULE

      SECOND SCHEDULE

SI 71 of 2011.

PART I
PRELIMINARY

 

1.   Title

These Regulations may be cited as the Electronic Communications and Transactions (General) Regulations, 2011.

 

2.   Application

These Regulations shall apply to the importation, supply, interception, accreditation, protection, utilisation, encryption and identification of electronic communications apparatus and services.

 

3.   Interpretation

In these Regulations, unless the context otherwise requires–

“archive” means the storage of data in a format where the data is not actively used but can be accessed at any time when required, and includes the storage of data by third parties, and “archived” or “archival” shall be construed accordingly;

“authentication certificate” means a certificate issued by a certification Authority or trusted third party that verifies the authentication of a certificate related to encryption that is issued by an authentication product or service provider;

“authorised officer” means any person authorised by the Authority to act on its behalf;

“Authority” has the meaning assigned to it in the Act;

“buffer” means the temporary storage of communication related information in case the necessary electronic communication connection to route information to the Monitoring Centre is temporarily unavailable, and “buffered” shall be construed accordingly;

“certificate of accreditation” means a certificate issued to a person upon registration as an accreditation service provider;

“certificate of registration” means a certificate issued to a person upon registration as an accreditation service provider;

“certificate of registration” means a certificate issued to a person upon registration as a cryptography service provider;

“certification Authority” means an authority of a network that issues and manages security credentials and public keys for message encryption;

“connection” means a physical or logical linking between two or more electronic communications apparatus used by the same or different electronic communications service providers resulting in the transfer of an information unit or data capable of allowing one user of an electronic communications service to communicate with another user or to access a service provided by a third party;

“electronic communications apparatus” has the meaning assigned to it in the Information and Communication Technologies Act, 2009;

“fixed line” means an electronic communications network or service which uses fixed line technology deployed in its electronic communications system;

“handover interface” means a physical and logical interface across which the results of an interception of communication order or request are delivered from the electronic communications network or service provider to the Monitoring Centre;

“identity” means a technical label which represents the origin or destination of an electronic communications traffic, as a rule clearly identified by a logical or virtual electronic communications identity number assigned to a physical access;

“interception of communications order” means an order made by a court pursuant to section 66 of the Act;

“interception measure” means a technical measure that facilitates the interception of electronic communications traffic or data pursuant to the Act;

“interception target” means a person whose indirect communications are to be intercepted, or whose real time communication related information or archived communication related information is to be routed by an electronic communications network or service provider to the Monitoring Centre or provided to a law enforcement agency, pursuant to an interception of communications order or request;

“International Mobile Equipment Identity (IMEI)” means a number that uniquely identifies cellular mobile equipment;

“internet service” means connectivity or access to a public transmission control protocol internet protocol (TCP/IP) network or services layered over transmission control protocol internet protocol (TCP/IP) such as web, email, file transfer, web mail, on line chat and voice over IP (VoIP) telephony;

“internet service provider” means an electronic communications service provider providing internet services;

“IPSec” means Internet Protocol Secure, an industry standard security protocol utilising modern data cryptographic techniques for the establishment of a secure tunnel;

“licensee” has the meaning assigned to it in the Information and Communication Technologies Act;

“link” means a physical or logical connection between two points;

“mobile cellular service provider” means an electronic communication service provider licensed to provide mobile telecommunications under the Information and Communication Technologies Act, 2009;

“Mobile Subscriber Integrated Service Digital Network (MSISDN)” means a number uniquely identifying a subscription in a Global System for Mobile (GSM) or Universal Mobile Telecommunication System (UMTS) mobile network;

“Monitoring Centre” has the meaning assigned to it in the Information and Communication Technologies Act, 2009;

“quality of service” in relation to an interception measure means the capability of a network to provide service to network traffic over various technologies to a standard which ensures that different priority is provided to different applications, user or data flows to guarantee a determined acceptable level of end-to-end performance without the deterioration of the end-to-end performance as a result of the interception measure;

“result of interception” means the content of an indirect communication which is routed by an electronic communications network or service provider to the Monitoring Centre pursuant to an interception of communication order or a request;

“request” means a request made in terms of sections 67 and 68 of the Act;

“secure tunnel” means an encrypted and authenticated internet protocol (IP) communication channel established using

“Seller” means a person or an agent appointed by the mobile cellular service provider or authorised to sell SIM cards on the mobile cellular service provider’s behalf;

“SIM card” means a Subscriber Identification Module (SIM) card inserted inside the mobile cellular phone or other device;

“successful call” means the successful establishment of a communication channel with the generation of one or more call data records (CDRs) associated with the communication channel;

“target identity” means the identity associated with a target service, used by the interception target; and

“target service” means an electronic communications service associated with an interception target and usually specified in an interception of communications order or request.

PART II
REGISTRATION OF CRYPTOGRAPHY SERVICE PROVIDERS

 

4.   Application for registration as cryptography service provider

   (1) A person who wishes to provide a cryptography service shall apply to the Authority in Form I set out in the First Schedule.

   (2) The Authority shall, within seven days of receipt of an application under sub-regulation (1), approve or reject the application.

 

5.   Registration as cryptography service provider

The Authority shall, where–

      (a)   the application meets the requirements of these Regulations, approve the application and issue a certificate of registration in Form II set out in the First Schedule; or

      (b)   the application does not meet the requirements of these Regulations, reject the application and inform the applicant of the rejection in Form III set out in the First Schedule.

 

6.   Changes in detail or nature of cryptography services

   (1) A cryptography service provider shall notify the Authority of any change in the particulars relating to the registration of that cryptography service provider in Form IV set out in the First Schedule.

   (2) A cryptography service provider shall, where the cryptography service provider intends to change the nature of the cryptography service provided, apply to the Authority for a variation or amendment of the nature of the service in Form V set out in the First Schedule.

   (3) The Authority shall–

      (a)   where it approves an application made under sub-regulation (1), inform the applicant of the approval and endorse the change in particulars or variation of the nature of the cryptography service provided, as the case may be, on the certificate of registration; or

      (b)   where it rejects an application, inform the applicant of the rejection in Form III set out in the First Schedule and endorse the rejection on the certificate of registration.

 

7.   Surrender of certificate of registration

   (1) Where a cryptography service provider does not intend to continue with the services to which the certificate of registration relates, the cryptography service provider shall notify the Authority in Form VI set out in the First Schedule and shall agree with the Authority on the terms and conditions of the surrender of the certificate of registration with particular reference to anything done or any benefit obtained under the certificate of registration.

   (2) Where a certificate of registration is surrendered under sub-regulation (1)–

      (a)    the certificate of registration shall lapse or be cancelled and the cryptography service provider shall cease to be entitled to any benefits obtainable under the certificate of registration; and

      (b)    the Authority shall inform the cryptography service provider of the lapse or cancellation in Form VII.

 

8.   Prohibition on assigning, ceding or transferring certificate of registration

A cryptography service provider shall not assign, cede or otherwise transfer a certificate of registration to any other person without the prior approval of the Authority.

 

9.   Application for consent to assign, cede, etc., certificate of registration

   (1) An application for consent to assign, cede or otherwise transfer a certificate of registration shall be in Form VIII set out in the First Schedule.

   (2) The Authority shall–

      (a)   where it approves an application made under sub-regulation (1), inform the applicant of the approval in Form IX set out in the First Schedule and endorse the approval on the certificate; or

      (b)   where it rejects an application under sub-regulation (1), inform the applicant of the rejection in Form III set out in the First Schedule.

 

10.   Renewal of certificate of registration

   (1) An application for the renewal of a certificate of registration shall be made in Form X set out in the First Schedule.

   (2) The Authority shall, where an applicant complies with the provisions of these Regulations or the conditions of a certificate of registration, renew the certificate of registration and endorse the renewal on the certificate.

   (3) The Authority shall, where it rejects an application made under sub-regulation (1), inform the applicant of the rejection in Form III set out in the First Schedule.

 

11.   Suspension or revocation of certificate of registration

   (1) The Authority may suspend or revoke a certificate of registration, after investigation and upon according the cryptography service provider an opportunity to be heard, if the cryptography service provider–

      (a)    obtained the certificate of registration by fraud, misrepresentation or any false or misleading statement;

      (b)    assigns, cedes or otherwise transfers the certificate of registration to another person without the prior approval of the Authority;

      (c)    fails without reasonable explanation to provide the services described in the certificate of registration;

      (d)    breaches or otherwise fails to comply with any terms or conditions of the certificate of registration; or

      (e)    is convicted of an offence under the Act or any other written law for which the punishment is a term of imprisonment for a period exceeding six months.

   (2) The Authority shall, before taking any action under sub-regulation (1), notify the cryptography service provider of its intention to suspend or revoke the certificate of registration in Form XI set out in the First Schedule.

   (3) The Authority shall not suspend or revoke a certificate of registration where the holder takes remedial measures to the satisfaction of the Authority, within such period as the Authority may specify.

   (4) The Authority shall, where the Authority suspends or revokes a certificate, inform the holder of the suspension or revocation in Form XII set out in the First Schedule.

   (5) Where a certificate of registration is suspended or revoked, its holder shall cease to be entitled to the rights or benefits conferred by or under these Regulations with effect from the date of the suspension or revocation and–

      (a)    in the case of a suspension, for the period of the suspension; and

      (b)    in the case of a revocation, shall surrender the certificate of registration to the Authority immediately.

 

12.   Register of cryptography service providers

The Authority shall cause to be maintained a register of cryptography service providers which shall contain–

      (a)    the names and details of holders of certificates of registration under this Part;

      (b)    a description of the type of cryptography service or cryptography product provided;

      (c)    the conditions attached to each certificate of registration;

      (d)    the amendments, suspensions or revocations of certificates of registration; and

      (e)    such other particulars as may be necessary to identify and locate the cryptography service provider or the products or services adequately.

PART III
ACCREDITATION OF AUTHENTICATION SERVICE PROVIDERS

 

13.   Provision of authentication products or services

   (1) A person accredited under regulation 15 may provide an authentication product or service.

 

14.   Application for accreditation of authentication product or service

   (1) A person who wishes to provide an authentication product or service shall apply to the Accreditation Authority in Form I set out in the First Schedule.

   (2) The Authority shall, within seven days of the receipt of an application under sub-regulation (1), approve or reject the application.

   (3) Where the Authority rejects an application for accreditation, it shall within seven days of its decision, inform the applicant of the rejection in Form III set out in the First Schedule.

 

15.   Accreditation as authentication product or service provider

The Authority shall–

      (a)    where an application meets the requirements of these Regulations, grant the accreditation in Form II set out in the First Schedule; or

      (b)    where an application does not meet the requirements of these Regulations, reject the application and inform the applicant of the rejection in Form III set out in the First Schedule.

 

16.   Changes in detail or nature of authentication products or services

   (1) An authentication service provider shall notify the Accreditation Authority of any change in the particulars relating to the accreditation of the authentication service provider in Form IV set out in the First Schedule.

   (2) An authentication service provider shall, where the authentication service provider intends to change the nature of the authentication products or services, apply to the Authority for a variation of the nature of the product or service in Form V set out in the First Schedule.

   (3) The Authority shall–

      (a)    where it approves an application under sub-regulation (1), inform the applicant of the approval and endorse the change in particulars or variation of the nature of the authentication product or service provided, as the case may be, on the accreditation; or

      (b)    where it rejects an application, inform the applicant of the rejection in Form III set out in the First Schedule and endorse the rejection on the accreditation.

 

17.   Surrender of accreditation

   (1) Where an authentication service provider ceases to provide the services to which the accreditation relates, the authentication service provider shall notify the Authority in Form VI set out in the First Schedule and shall agree with the Authority on the terms and conditions of the surrender of the accreditation with particular reference to anything done or any benefit obtained under the accreditation.

   (2) Where an accreditation is surrendered under sub-regulation (1)–

      (a)    it shall lapse or be cancelled and the authentication service provider shall cease to be entitled to any benefits obtainable under the accreditation; and

      (b)    the Authority shall inform the authentication service provider of the lapse or cancellation in Form VII set out in the First Schedule.

   (3) An authentication service provider who intends to discontinue the provision of authentication products or services to which an accreditation relates shall–

      (a)   before ceasing to provide an authentication product or service, give the Accreditation Authority at least 90 days’ notice of the intention to discontinue the provision of authentication products and services to which an accreditation relates;

      (b)   advertise the intention to terminate the accreditation in a daily newspaper of general circulation in Zambia and in such other manner as the Authority may determine;

      (c)   give all subscribers and holders of each unrevoked or unexpired authentication certificate issued by the authentication service provider at least 60 days’ notice by electronic mail and registered post of the intention to cease acting as an authentication service provider;

      (d)   ensure that the discontinuation of its operations causes minimal disruption to its subscribers and to persons who require to verify authentication certificates;

      (e)   make arrangements for the preservation of records in accordance with these Regulations; and

      (f)   destroy all revoked and expired authentication certificates.

 

18.   Prohibition of assigning, ceding or transferring accreditation without authority

An authentication service provider shall not assign, cede or transfer an accreditation to any other person without the prior approval of the Authority.

 

19.   Application for approval to assign, cede, or transfer accreditation

   (1) An application to assign, cede or transfer an accreditation shall be made in Form VIII set out in the First Schedule.

   (2) The Authority shall–

      (a)   where it approves an application made under sub-regulation (1), inform the applicant of the approval in Form IX set out in the First Schedule and endorse the approval on the accreditation; or

      (b)   where it rejects an application made under sub-regulation (1), inform the applicant of the rejection in Form III set out in the First Schedule.

 

20.   Renewal of accreditation

   (1) An authentication service provider may apply for the renewal of the accreditation in Form X set out in the First Schedule.

   (2) The Authority shall, where an applicant complies with the provisions of these Regulations or the conditions of the accreditation, renew the accreditation and endorse the renewal on the accreditation.

   (3) The Authority shall, where it rejects an application made under sub-regulation (1), inform the applicant of the rejection in Form III set out in the First Schedule and endorse the rejection on the accreditation.

 

21.   Suspension or revocation of accreditation

   (1) The Authority may suspend or revoke an accreditation, after investigation, and after affording the authentication service provider an opportunity to be heard, if the authentication service provider–

      (a)    obtained the accreditation by fraud, misrepresentation or any false or misleading statement;

      (b)    assigns, cedes or transfers the accreditation to another person without the prior approval of the Authority;

      (c)    fails, without reasonable explanation, to provide the services described in the accreditation;

      (d)    breaches or fails to comply with any terms or conditions of the accreditation; or

      (e)    is convicted of an offence under the Act or any other law.

   (2) The Accreditation Authority shall, before taking any action under sub-regulation (1)–

      (a)    notify the authentication service provider of its intention to suspend or revoke the accreditation in Form XI set out in the First Schedule;

      (b)    publish a notice in its database and in any other medium that it regards as appropriate to the effect that it is in the process of revoking the accreditation of the authentication product or service in question;

      (c)    appoint an accreditation officer and an evaluator to oversee the winding up of the authentication service provider’s accredited operations;

      (d)    ensure that the authentication service provider communicates the revocation to subscribers and relying parties immediately;

      (e)    ensure that the authentication service provider revokes all accredited authentication products or services issued to its subscribers and record the manner, time and date of revocation;

      (f)    ensure that the authentication service provider issues a report certifying compliance with the prescribed revocation process;

      (g)    make arrangements for the preservation of records in accordance with these Regulations; and

      (h)    ensure that the revocation is conducted with minimal disruption to subscribers and relying parties.

   (3) Notwithstanding the suspension or revocation of accreditation, the Accreditation Authority may–

      (a)    take any action necessary to confirm whether the authentication service provider is in breach of any of the requirements, conditions or restrictions subject to which the accreditation was granted;

      (b)    monitor the progress of the authentication service provider in rectifying the breach;

      (c)    consider any specific request by the relevant authentication service provider; and

      (d)   re-evaluate its decision to suspend or revoke an accreditation.

   (4) If, on the expiration of the period specified in the notice given under sub-regulation (2), and after considering any representations made by the authentication service provider, the Accreditation Authority determines that the accreditation should be suspended or revoked, the Authority may suspend or revoke the accreditation and shall inform the authentication service provider of the suspension or revocation in Form XII set out in the First Schedule.

   (5) The Accreditation Authority shall not suspend or revoke an accreditation where its holder takes remedial measures, to the satisfaction of the Accreditation Authority, within such period as the Accreditation Authority may specify.

   (6) Where an accreditation is suspended or revoked, its holder shall cease to be entitled to the rights or benefits conferred by, or under, these Regulations with effect from the date of the suspension or revocation and–

      (a)    in the case of a suspension, for the period of the suspension; and

      (b)    in the case of a revocation, shall surrender the certificate of accreditation to the Authority immediately.

 

22.   Database of authentication service providers

   (1) The Accreditation Authority shall maintain or cause to be maintained a database of authentication service providers which shall contain–

      (a)    the details of authentication service providers accredited by the Accreditation Authority;

      (b)    the names and technical description of the type of authentication product or service provided;

      (c)    the conditions attached to each accreditation;

      (d)    the amendment, suspension or revocation of the accreditations;

      (e)    the descriptions of the accreditation processes, requirements, functions and services of the Accreditation Authority;

      (f)    the complaints procedure for subscribers to accredited authentication service providers;

      (g)    the contact particulars of the Authority; and

      (h)    such other particulars as may be necessary to identify and locate the accreditation service providers or the products or services adequately.

   (2) The database referred to in sub-regulation (1) shall be accessible to the public and open for inspection by members of the public at all reasonable times at the offices of the Accreditation Authority.

 

23.   Minimum compliance requirements for authentication

   (1) An authentication service provider who is also a certification service provider shall comply with such international standards as may regulate authentication products and services.

   (2) An authentication service provider shall issue an authentication certificate to the subscribers in accordance with these Regulations.

   (3) An authentication certificate issued by an authentication service provider, which utilises public key infrastructure technology shall, if accredited by the Authority, contain–

      (a)     the serial number of the certificate that distinguishes it from other authentication certificates;

      (b)    the signature algorithm identifier that identifies the algorithm used by the authentication service provider to sign the authentication certificates;

      (c)    the name of the authentication service provider that issued the authentication certificate;

      (d)    the period of validity of the certificate;

      (e)    the name of the subscriber whose public key the authentication certificate identifies;

      (f)    the public key information of the subscriber; and

      (g)    confirmation that the certificate has been accredited by the Authority.

   (4) An authentication service provider shall, where authentication products or services utilise public key infrastructure, implement at a minimum three factor authentication or a similar level of security for the storage of the private key.

PART IV
TECHNICAL REQUIREMENTS FOR AUTHENTICATION AND CERTIFICATION

 

24.   Issuance of authentication certificate

   (1) A person who wishes to utilise an authenticated product or service may apply to the certification Authority or a certification service provider for an authentication certificate for use with an authentication product or service.

   (2) A certification service provider shall, upon receipt of an application under sub-regulation (1)–

      (a)    establish the identity of the person or entity applying for an authentication certificate, including physical identification of the subscriber or authorised key holder;

      (b)    establish and maintain a verifiable and reviewable process to confirm that physical identification was undertaken; and

      (c)    ensure that the persons performing the physical identification have undergone appropriate training in identity and document verification.

   (3) A certification service provider shall issue an authentication certificate to a person or entity that applies for an authentication certificate upon compliance with the practices and procedures set forth in the certification service provider’s practice statements, policies and procedures regarding physical identification of a prospective subscriber.

   (4) A certification service provider shall ensure that an applicant, authorised person or subscriber is physically present, identified and accepts the authentication certificate.

   (5) A certification service provider shall, where a person relies on an authentication certificate relating to an authenticated encryption product or service, be considered to have incorporated the certification service provider’s practice statements, policies and procedures by reference to the certificate.

   (6) Where a certification service provider has incorporated a practice statement, policy or procedure into an authentication certificate, the following principles shall apply to the extent that the representations are not inconsistent with the Act or these Regulations–

      (a)    the certification service provider has complied with all applicable international standards, laws and procedures in issuing the authentication certificates;

      (b)    where the certification service provider has published the authentication certificate or otherwise made it available to a person who relies on it, the subscriber listed in the authentication certificate has accepted it;

      (c)    all the information in the authentication certificate is accurate unless the certificate service provider states in the authentication certificate that the accuracy of the specified information has not;

      (d)    the certification service provider has no knowledge of any material fact that, if included in the authentication certificate, would adversely affect the reliability of the representations made by the certification service provider; and

      (e)    where public key infrastructure cryptography is being utilised, that–

      (i)    the subscriber identified in the authentication certificate holds the private key corresponding to the public key listed in the authentication certificate; and

      (ii)    the subscriber’s public key and private key constitute a functioning key pair.

   (7) A certification service provider shall, when conducting an identification or verification of an applicant or subscriber, use the following documents–

      (a)    where the subscriber or applicant is a natural person, an original valid–

      (i)    national identity document;

      (ii)    passport; or

      (iii)    any additional documents as may be necessary to verify identity;

      (b)    where the subscriber or applicant is a partnership, the constitutive documents of the partnership, if applicable, and the documents referred to in paragraph (a) in respect of each partner in the partnership, including the authorised person or key holder;

      (c)    where the subscriber or applicant is a company, trust or other legal entity, certified copies of–

      (i)    the relevant constitutive documents;

      (ii)    a resolution or power of attorney of the directors authorising a specific certification service provider in relation to the issuing, renewal or replacement of certificates; and

      (iii)    the documents referred to in paragraph (a) in respect of each of the directors, members or trustees of the applicant and the authorised key holder, together with a resolution appointing the representative as the authorised person or key holder.

   (8) A certification service provider shall, during the identification of an applicant or subscriber, obtain a handwritten signature from the applicant, authorised person or subscriber on a subscriber agreement.

   (9) A subscriber agreement entered into under sub-regulation (7) shall provide that the responsibility for safeguarding the safety of any security device, code or any private key lies with the subscriber.

   (10) A subscriber or authorised person shall notify the certification service provider within 24 hours if a security device, code or key is lost or compromised.

 

25.   Requirement for certification practice statements

   (1) A certification service provider whose authentication product or service is accredited shall make its practice statements, policies and procedures available to the public on its website or in the manner determined by the Accreditation Authority.

   (2) A certification service provider whose authentication product or service is accredited shall–

      (a)   at least 30 days before any change is effected to its practice statement, policy or procedure, including changes in–

      (i)   the identification process;

      (ii)   the reliance limit of the certificates; or

      (iii)   key generation, storage or usage;

notify the Authority, the subscriber and third parties of the intended changes and publish its intention to effect the changes on its website;

      (b)   notify the Authority, its subscribers and relying parties by publication on its website of any incident that adversely or materially affects or may affect the validity of the whole or part of its practice statements, policies or procedures as lodged with the Accreditation Authority;

      (c)   adhere to its practice statement, policy or procedure when issuing a type, class or description of authentication certificates; and

      (d)   state clearly to its subscribers and interested third parties all costs and fees related to the issuing, revocation, suspension, retrieval or verification of the status of an authentication certificate under each type, class or description of certificates issued by it.

   (3) A certification service provider’s practice statements, policies and procedures shall, in addition to compliance with international standards, at a minimum contain the following–

      (a)   a detailed description of the subscriber identification and verification process;

      (b)   provisions governing the conduct of agents, contractors or other third parties to whom operations have been outsourced;

      (c)   clear, detailed and concise provisions for renewal of authentication certificates;

      (d)   levels of, and reliance limits for, authentication certificates; and

      (e)   security device, code or key storage requirements.
