Digital Signature Act 1997 [Act 562]

Part I


1 Short title and commencement

This Act may be cited as the Digital Signature Act 1997 and shall come into force on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.

2 Interpretation

(1) In this Act, unless the context otherwise requires-

"accept a certificate" means-

(a) to manifest approval of a certificate, while knowing or having notice of its contents; or

(b) to apply to a licensed certification authority for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification authority, and obtaining a signed, written receipt from the licensed certification authority, if the licensed certification authority subsequently issues a certificate based on the application;

"asymmetric cryptosystem" means an algorithm or series of algorithms which provide a secure key pair;

"authorized officer" means an officer authorized under section 75;

"certificate" means a computer-based record which-

(a) identifies the certification authority issuing it;

(b) names or identifies its subscriber;

(c) contains the subscriber's public key; and

(d) is digitally signed by the certification authority issuing it;

"certification authority" means a person who issues a certificate;

"certification authority disclosure record" means an on-line and publicly accessible record which concerns a licensed certification authority which is kept by the Commission under subsection 3(5);

"certification practice statement" means a declaration of the practices which a certification authority employs in issuing certificates generally, or employed in issuing a particular certificate;

"certify" means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts;

*"Commission" means the Malaysian Communications and Multimedia Commission established under the Malaysian Communications and Multimedia Commission Act 1998 [Act 589];

"confirm" means to ascertain through diligent inquiry and investigation;

"correspond", with reference to keys, means to belong to the same key pair;

"digital signature" means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine-

(a) whether the transformation was created using the private key that corresponds to the signer's public key; and

(b) whether the message has been altered since the transformation was made;

"forge a digital signature" means-

(a) to create a digital signature without the authorization of the rightful holder of the private key; or

(b) to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

"hold a private key" means to be able to utilize a private key;

"incorporate by reference" means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

"issue a certificate" means the act of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

"key pair" means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

"licensed certification authority" means a certification authority to whom a licence has been issued by the Commission and whose licence is in effect;

"message" means a digital representation of information;

"notify" means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;

"person" means a natural person or a body of persons, corporate or unincorporate, capable of signing a document, either legally or as a matter of fact;

"prescribed" means prescribed by or under this Act or any regulations made under this Act;

"private key" means the key of a key pair used to create a digital signature;

"public key" means the key of a key pair used to verify a digital signature;

"publish" means to record or file in a repository;

"qualified certification authority" means a certification authority that satisfies the requirements under section 5;

"recipient" means a person who receives or has a digital signature and is in a position to rely on it;

"recognized date/time stamp service" means a date/time stamp service recognized by the Commission under section 70;

"recognized repository" means a repository recognized by the Commission under section 68;

"recommended reliance limit" means the monetary amount recommended for reliance on a certificate under section 60;

"repository" means a system for storing and retrieving certificates and other information relevant to digital signatures;

"revoke a certificate" means to make a certificate ineffective permanently from a specified time forward;

"rightfully hold a private key" means to be able to utilize a private key-

(a) which the holder or the holder's agents have not disclosed to any person in contravention of this Act; and

(b) which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;

"subscriber" means a person who-

(a) is the subject listed in a certificate;

(b) accepts the certificate; and

(c) holds a private key which corresponds to a public key listed in that certificate;

"suspend a certificate" means to make a certificate ineffective temporarily for a specified time forward;

"this Act" includes any regulations made under this Act;

"time-stamp" means-

(a) to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or

(b) the notation so appended or attached;

"transactional certificate" means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

"trustworthy system" means computer hardware and software which-

(a) are reasonably secure from intrusion and misuse;

(b) provide a reasonable level of availability, reliability and correct operation; and

(c) are reasonably suited to performing their intended functions;

"valid certificate" means a certificate which-

(a) a licensed certification authority has issued;

(b) has been accepted by the subscriber listed in it;

(c) has not been revoked or suspended; and

(d) has not expired:

Provided that a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;

"verify a digital signature" means, in relation to a given digital signature, message and public key, to determine accurately that-

(a) the digital signature was created by the private key corresponding to the public key; and

(b) the message has not been altered since its digital signature was created;

"writing" or "written" includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.
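The definitions of "digital signature", "key pair" and "verify a digital signature" above describe the mechanism functionally: a transformation made with the private key that anyone holding the message and the public key can check for limb (a), which key pair created it, and limb (b), whether the message has since been altered. The following is an added worked illustration of those three definitions and is not part of the Act. It uses textbook RSA over small, well-known primes so that it runs on the Python standard library alone; the key sizes, the message and all names (`KeyPair`, `sign`, `verify`, `demo`) are constructed for this illustration and the parameters are deliberately tiny.

```python
"""Toy illustration of the Act's definitions of "digital signature" and
"verify a digital signature" (added example, not part of the Act).

A signature is a transformation of the message made with the private key;
verification with the corresponding public key establishes (a) which key
pair made it and (b) that the message is unaltered since signing.
Textbook RSA with small, well-known primes; illustrative parameters only.
"""
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int  # modulus, shared by the public and private key
    e: int  # public exponent
    d: int  # private exponent ("private key" in the Act's terms)


def make_key_pair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Build an RSA key pair from two primes (assumed prime; not checked)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if gcd(e, phi) != 1
    return KeyPair(n, e, d)


def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(key: KeyPair, message: bytes) -> int:
    """The 'transformation of a message' made with the private exponent d."""
    return pow(_digest(message, key.n), key.d, key.n)


def verify(n: int, e: int, message: bytes, signature: int) -> bool:
    """Verification needs only the message, the signature and the public key (n, e).

    Returns True exactly when the signature was created by the private key
    corresponding to (n, e) AND the message is unchanged since signing.
    """
    return pow(signature, e, n) == _digest(message, n)


def demo() -> dict:
    """Exercise limbs (a) and (b) of the definition and return the outcomes."""
    subscriber = make_key_pair(104729, 1299709)      # 10,000th and 100,000th primes
    other_party = make_key_pair(15485863, 32452843)  # 1,000,000th and 2,000,000th primes
    message = b"Transfer RM 1000 to account 12345"   # constructed sample message

    sig = sign(subscriber, message)
    return {
        # right key pair, unaltered message: verifies
        "genuine": verify(subscriber.n, subscriber.e, message, sig),
        # limb (b): one altered field, so the transformation no longer matches
        "altered_message": verify(
            subscriber.n, subscriber.e, message.replace(b"1000", b"9000"), sig
        ),
        # limb (a): a signature made with a different private key fails
        # under the subscriber's public key
        "wrong_key": verify(
            subscriber.n, subscriber.e, message, sign(other_party, message)
        ),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} verifies={ok}")
```

The point the example makes about the Act's wording is that verification is a function of three inputs only (signature, message, public key), which is why the definition of "recipient" and the reliance provisions can treat the public key in a certificate as sufficient for a relying party: no secret is needed to check either limb.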

(2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.

(3) The revocation of a certificate does not mean that it is destroyed or made illegible.

*NOTE-Upon the commencement of Act A1121, previous references to the Controller of Certification Authorities ("Controller") or any officer and servant appointed by the Controller, shall be construed as references to the Commission or its authorized officer-see section 19 of Act A1121.