DIGITAL SIGNATURE BILL 1997
CHAPTER 6
Revocation of certificate
53. (1) A licensed certification authority shall revoke a certificate which it issued but which is not a transactional certificate, -
(a) upon receiving a request for revocation by the subscriber named in the certificate; and
(b) upon confirming that the person requesting revocation is that subscriber or is an agent of that subscriber with authority to request the revocation.
(2) A licensed certification authority shall confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber's written request and evidence reasonably sufficient to confirm the identity of the person requesting the revocation or of the agent.
54. A licensed certification authority shall revoke a certificate which it issued -
(a) upon receiving a certified copy of the subscriber's death certificate or upon confirming by other evidence that the subscriber is dead; or
(b) upon presentation of documents effecting a dissolution of the subscriber or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.
55. (1) A licensed certification authority may revoke one or more certificates which it issued if the certificates are or become unreliable regardless of whether the subscriber consents to the revocation and notwithstanding any provision to the contrary in a contract between the subscriber and the licensed certification authority.
(2) Nothing in subsection (1) shall prevent the subscriber from seeking damages or other relief against the licensed certification authority in the event of wrongful revocation.
56. (1) Immediately upon revocation of a certificate by a licensed certification authority, the licensed certification authority shall publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation.
(2) Where one or more repositories are specified, the licensed certification authority shall publish signed notices of the revocation in all such repositories.
(3) Where any repository specified no longer exists or refuses to accept publication, or if no such repository is recognised under section 68, the licensed certification authority shall also publish the notice in a recognised repository.
57. Where a subscriber has requested for the revocation of a certificate, the subscriber ceases to certify as provided in Chapter 3 and has no further duty to keep the private key secure as required under section 43 -
(a) when notice of the revocation is published as required under section 56; or
(b) when two business days have lapsed after the subscriber requests for the revocation in writing, supplies to the issuing licensed certification authority information reasonably sufficient to confirm the request, and pays any prescribed fee,
whichever occurs first.
58. Upon notification as required under section 56, a licensed certification authority shall be discharged of its warranties based on issuance of the revoked certificate and ceases to certify as provided in sections 35 and 36 in relation to the revoked certificate.
CHAPTER 7
Expiration of certificate
59. (1) The date of expiry of a certificate shall be specified in the certificate.
(2) A certificate may be issued for any period not exceeding three years from the date of issuance.
(3) When a certificate expires, the subscriber and licensed certification authority shall cease to certify as provided under this Act and the licensed certification authority shall be discharged of its duties based on issuance in relation to the expired certificate.
(4) The expiry of a certificate shall not affect the duties and obligations of the subscriber and licensed certification authority incurred under and in relation to the expired certificate.
CHAPTER 8
Recommended reliance limits and liability
60. (1) A licensed certification authority shall, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.
(2) The licensed certification authority may specify different limits in different certificates as it considers fit.
61. Unless a licensed certification authority waives the application of this section, a licensed certification authority -
(a) shall not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed certification authority complied with the requirements of this Act;
(b) shall not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either -
(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification authority is required to confirm; or
(ii) failure to comply with sections 29 and 30 in issuing the certificate; and
(c) shall not be liable for -
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering.
PART V
EFFECT OF DIGITAL SIGNATURE
62. (1) Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where -
(a) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
(b) that digital signature was affixed by the signer with the intention of signing the message; and
(c) the recipient has no knowledge or notice that the signer -
(i) has breached a duty as a subscriber; or
(ii) does not rightfully hold the private key used to affix the digital signature.
(2) Notwithstanding any written law to the contrary -
(a) a document signed with a digital signature in accordance with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumb-print or any other mark; and
(b) a digital signature created in accordance with this Act shall be deemed to be a legally binding signature.
(3) Nothing in this Act shall preclude any symbol from being valid as a signature under any other applicable law.
63. (1) Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.
(2) Where the recipient determines not to rely on a digital signature under this section, the recipient shall promptly notify the signer of its determination not to rely on a digital signature and the grounds for that determination.
64. (1) A message shall be as valid, enforceable and effective as if it had been written on paper if -
(a) it bears in its entirety a digital signature; and
(b) that digital signature is verified by the public key listed in a certificate which -
(i) was issued by a licensed certification authority; and
(ii) was valid at the time the digital signature was created.
(2) Nothing in this Act shall preclude any message, document or record from being considered written or in writing under any other applicable law.
65. A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.
66. A certificate issued by a licensed certification authority shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification authority when the digital signature was created, if that digital signature is -
(a) verifiable by that certificate; and
(b) affixed when that certificate was valid.
67. In adjudicating a dispute involving a digital signature, a court shall presume -
(a) that a certificate digitally signed by a licensed certification authority and -
(i) published in a recognised repository; or
(ii) made available by the issuing licensed certification authority or by the subscriber listed in the certificate,
is issued by the licensed certification authority which digitally signed it and is accepted by the subscriber listed in it;
(b) that the information listed in a valid certificate and confirmed by a licensed certification authority issuing the certificate is accurate;
(c) that where a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority -
(i) that digital signature is the digital signature of the subscriber listed in that certificate;
(ii) that digital signature was affixed by that subscriber with the intention of signing the message; and
(iii) the recipient of that digital signature has no knowledge or notice that the signer -
(A) has breached a duty as a subscriber; or
(B) does not rightfully hold the private key used to affix the digital signature; and
(d) that a digital signature was created before it was time-stamped by a recognised date/time stamp service utilising a trustworthy system.
PART VI
REPOSITORIES AND DATE/TIME STAMP SERVICES
68. (1) The Controller may recognise one or more repositories, after determining that a repository to be recognised satisfies the requirements prescribed in the regulations made under this Act.
(2) The procedure for recognition of repositories shall be as may be prescribed by regulations made under this Act.
(3) The Controller shall publish a list of recognised repositories in such form and manner as he may determine.
69. (1) Notwithstanding any disclaimer by the repository or any contract to the contrary between the repository and a licensed certification authority or a subscriber, a repository shall be liable for a loss incurred by a person reasonably relying on a digital signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation, and the repository had failed to publish the notice when the person relied on the digital signature.
(2) Unless waived, a recognised repository or the owner or operator of a recognised repository -
(a) shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;
(b) shall not be liable under subsection (1) in excess of the amount specified in the certificate as the recommended reliance limit;
(c) shall not be liable under subsection (1) for -
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering;
(d) shall not be liable for misrepresentation in a certificate published by a certification authority;
(e) shall not be liable for accurately recording or reporting information which a licensed certification authority, a court or the Controller has published as required or permitted under this Act, including information about the suspension or revocation of a certificate;
(f) shall not be liable for reporting information about a certification authority, a certificate or a subscriber, if such information is published as required or permitted under this Act or is published by order of the Controller in the performance of his licensing and regulatory duties under this Act.
70. (1) The Controller may recognise one or more date/time stamp services, after determining that a service to be recognised satisfies the requirements prescribed in the regulations made under this Act.
(2) The procedure for recognition of date/time stamp services shall be as may be prescribed by regulations made under this Act.
(3) The Controller shall publish a list of recognised date/time stamp services in such form and manner as he may determine.