PART VIII
DUTIES OF CERTIFICATION AUTHORITIES
Trustworthy system27. A certification authority must utilise trustworthy systems in performing its services.
28. Disclosure(1)
A certification authority shall disclose —
(a) its certificate that contains the public key corresponding to the private key used by that certification authority to digitally sign another certificate (referred to in this section as a certification authority certificate);
(b) any relevant certification practice statement;
(c) notice of the revocation or suspension of its certification authority certificate; and
(d) any other fact that materially and adversely affects either the reliability of a certificate that the authority has issued or the authority"s ability to perform its services.
(2)
In the event of an occurrence that materially and adversely affects a certification authority’s trustworthy system or its certification authority certificate, the certification authority shall -(a) use reasonable efforts to notify any person who is known to be or foreseeably will be affected by that occurrence; or
(b) act in accordance with procedures governing such an occurrence specified in its certification practice statement.
Issue of certificate29. —
(1) A certification authority may issue a certificate to a prospective subscriber only after the certification authority —
(a) has received a request for issuance from the prospective subscriber; and
(b) has —
(i) if it has a certification practice statement, complied with all of the practices and procedures set forth in such certification practice statement including procedures regarding identification of the prospective subscriber; or
(ii) in the absence of a certification practice statement, complied with the conditions in subsection (2).
(2)
In the absence of a certification practice statement, the certification authority shall confirm by itself or through an authorised agent that —
(a) the prospective subscriber is the person to be listed in the certificate to be issued;
(b) if the prospective subscriber is acting through one or more agents, the subscriber authorised the agent to have custody of the subscriber’s private key and to request issuance of a certificate listing the corresponding public key;
(c) the information in the certificate to be issued is accurate;
(d) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(e) the prospective subscriber holds a private key capable of creating a digital signature; and
(f) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
Representations upon issuance of certificate30. —(1) By issuing a certificate, a certification authority represents to any person who reasonably relies on the certificate or a digital signature verifiable by the public key listed in the certificate that the certification authority has issued the certificate in accordance with any applicable certification practice statement incorporated by reference in the certificate, or of which the relying person has notice.
(2)
In the absence of such certification practice statement, the certification authority represents that it has confirmed that — (a) the certification authority has complied with all applicable requirements of this Act in issuing the certificate, and if the certification authority has published the certificate or otherwise made it available to such relying person, that the subscriber listed in the certificate has accepted it;
(b) the subscriber identified in the certificate holds the private key corresponding to the public key listed in the certificate;
(c) the subscriber’s public key and private key constitute a functioning key pair;
(d) all information in the certificate is accurate, unless the certification authority has stated in the certificate or incorporated by reference in the certificate a statement that the accuracy of specified information is not confirmed; and
(e) the certification authority has no knowledge of any material fact which if it had been included in the certificate would adversely affect the reliability of the representations in paragraphs (a) to (d).
(3)
Where there is an applicable certification practice statement which has been incorporated by reference in the certificate, or of which the relying person has notice, subsection (2) shall apply to the extent that the representations are not inconsistent with the certification practice statement. Suspension of certificate31. Unless the certification authority and the subscriber agree otherwise, the certification authority that issued a certificate shall suspend the certificate as soon as possible after receiving a request by a person whom the certification authority reasonably believes to be —
(a) the subscriber listed in the certificate;
(b) a person duly authorised to act for that subscriber; or
(c) a person acting on behalf of that subscriber, who is unavailable.
Revocation of certificate32. A certification authority shall revoke a certificate that it issued —
(a) after receiving a request for revocation by the subscriber named in the certificate; and confirming that the person requesting the revocation is the subscriber, or is an agent of the subscriber with authority to request the revocation;
(b) after receiving a certified copy of the subscriber’s death certificate, or upon confirming by other evidence that the subscriber is dead; or
(c) upon presentation of documents effecting a dissolution of the subscriber, or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.
Revocation without subscriber’s consent33. —
(1) A certification authority shall revoke a certificate, regardless of whether the subscriber listed in the certificate consents, if the certification authority confirms that —
(a) a material fact represented in the certificate is false;
(b) a requirement for issuance of the certificate was not satisfied;
(c) the certification authority’s private key or trustworthy system was compromised in a manner materially affecting the certificate"s reliability;
(d) an individual subscriber is dead; or
(e) a subscriber has been dissolved, wound-up or otherwise ceased to exist.
(2) Upon effecting such a revocation, other than under subsection (1) (d) or (e), the certification authority shall immediately notify the subscriber listed in the revoked certificate.
Notice of suspension34. —
(1) Immediately upon suspension of a certificate by a certification authority, the certification authority shall publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension.
(2) Where one or more repositories are specified, the certification authority shall publish signed notices of the suspension in all such repositories.
Notice of revocation35. —
(1) Immediately upon revocation of a certificate by a certification authority, the certification authority shall publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation.
(2) Where one or more repositories are specified, the certification authority shall publish signed notices of the revocation in all such repositories.