DUTIES OF LICENSED CERTIFICATION AUTHORITIES AND SUBSCRIBERS
General requirements for licensed certification authorities
27 Use of trustworthy systems
(1) A licensed certification authority shall only use a trustworthy system-
(a) to issue, suspend or revoke a certificate;
(b) to publish or give notice of the issuance, suspension or revocation of a certificate; and
(c) to create a private key, whether for itself or for a subscriber.
(2) A subscriber shall only use a trustworthy system to create a private key.
28 Disclosures on inquiry
(1) A licensed certification authority shall, on an inquiry being made to it under this Act, disclose any material certification practice statement and any fact material to either the reliability of a certificate which it has issued or its ability to perform its services.
(2) A licensed certification authority may require a signed, written and reasonably specific inquiry from an identified person, and payment of the prescribed fee, as conditions precedent to effecting a disclosure required under subsection (1).
29 Prerequisites to issuance of certificate to subscriber
(1) A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(a) the licensed certification authority has received a request for issuance signed by the prospective subscriber; and
(b) the licensed certification authority has confirmed that-
(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent or agents to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
(2) The requirements of subsection (l) shall not be waived or disclaimed by the licensed certification authority, the subscriber, or both.
30 Publication of issued and accepted certificate
(1) Where the subscriber accepts the issued certificate, the licensed certification authority shall publish a signed copy of the certificate in a recognized repository, as the licensed certification authority and the subscriber named in the certificate may agree, unless a contract between the licensed certification authority and the subscriber provides otherwise.
(2) Where the subscriber does not accept the certificate, a licensed certification authority shall not publish it, or shall cancel its publication if the certificate has already been published.
31 Adoption of more rigorous requirements permitted
Nothing in sections 29 and 30 shall preclude a licensed certification authority from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.
32 Suspension or revocation of certificate for faulty issuance
(1) Where after issuing a certificate a licensed certification authority confirms that it was not issued in accordance with sections 29 and 30, the licensed certification authority shall immediately revoke it.
(2) A licensed certification authority may suspend a certificate which it has issued for a reasonable period not exceeding forty-eight hours as may be necessary for an investigation to be carried out to confirm the grounds for a revocation under subsection (1).
(3) The licensed certification authority shall immediately notify the subscriber of a revocation or suspension under this section.
33 Suspension or revocation of certificate by order
(1) The Commission may order the licensed certification authority to suspend or revoke a certificate issued by it where the Commission determines that-
(a) the certificate was issued without compliance with sections 29 and 30; and
(b) the non-compliance poses a significant risk to persons reasonably relying on the certificate.
(2) Before making a determination under subsection (1), the Commission shall give the licensed certification authority and the subscriber a reasonable opportunity of being heard.
(3) Notwithstanding subsections (1) and (2), where in the opinion of the Commission there exists an emergency that requires an immediate remedy, the Commission may, after consultation with the Minister, suspend a certificate for a period not exceeding forty-eight hours.
Warranties and obligations of licensed certification authorities
34 Warranties to subscriber
(1) By issuing a certificate, a licensed certification authority warrants to the subscriber named in the certificate that-
(a) the certificate contains no information known to the licensed certification authority to be false;
(b) the certificate satisfies all the requirements of this Act; and
(c) the licensed certification authority has not exceeded any limits of its licence in issuing the certificate.
(2) A licensed certification authority shall not disclaim or limit the warranties under subsection (1).
35 Continuing obligations to subscriber
Unless the subscriber and licensed certification authority otherwise agree, a licensed certification authority, by issuing a certificate, promises to the subscriber-
(a) to act promptly to suspend or revoke a certificate in accordance with Chapter 5 or 6; and
(b) to notify the subscriber within a reasonable time of any facts known to the licensed certification authority which significantly affect the validity or reliability of the certificate once it is issued.
36 Representations upon issuance
By issuing a certificate, a licensed certification authority certifies to all who reasonably rely on the information contained in the certificate that-
(a) the information in the certificate and listed as confirmed by the licensed certification authority is accurate;
(b) all information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate;
(c) the subscriber has accepted the certificate; and
(d) the licensed certification authority has complied with all applicable laws governing the issuance of the certificate.