These Regulations may be cited as the Electronic Transactions (Certification Authority) Regulations 1999 and shall come into operation on 10th February 1999.
In these Regulations, unless the context otherwise requires -
"licence" means a licence granted under these Regulations;
"subscriber identity verification method" means the method used to verify and authenticate the identity of a subscriber;
"trusted person" means any person who has -
- direct responsibilities for the day-to-day operations, security and performance of those business activities that are regulated under the Act or these Regulations in respect of a certification authority; or
- duties directly involving the issuance, renewal, suspension, revocation of certificates (including the identification of any person requesting a certificate from a licensed certification authority), creation of private keys or administration of a certification authority's computing facilities.
- Every application to be a licensed certification authority shall be made in such form and manner as the Controller may, from time to time, determine and shall be supported by such information as the Controller may require.
- The Controller may require the applicant to furnish such additional information as is necessary in support of the application.
- The Controller may allow applications for renewal of licences to be submitted in the form of electronic records subject to such requirements as the Controller may impose.
- A licence shall be subject to such conditions, restrictions and limitations as the Controller may, from time to time, determine.
A licence shall be valid for a period of one year or such other longer period as the Controller may allow.
- Regulation 3 shall apply to an application for renewal of a licence as it applies to a fresh application for a licence.
- A certification authority shall submit an application for the renewal of its licence no later than 3 months before the expiry of its licence.
- If the certification authority has no intention to renew its licence, the certification authority shall -
- inform the Controller in writing no later than 3 months before the expiry of the licence;
- inform all its subscribers in writing no later than 2 months before the expiry of the licence; and
- advertise such intention in such daily newspaper and in such manner as the Controller may determine, no later than 2 months before the expiry of the licence.
- An application fee of $5,000 shall be payable to the Controller on every application for the grant or renewal of a licence to be a licensed certification authority.
- If the application referred to in paragraph (1) is approved, there shall be payable to the Controller a fee of $1,000 for each year the licence is granted.
- There shall be payable to the Controller on every grant of the renewal of a licence a fee of $1,000 for each year the licence is renewed.
- The Controller shall not refund any fee paid if the application is not approved, withdrawn or discontinued or if the licence is suspended or revoked.
- An applicant for a licence shall comply with the following criteria:
- the applicant must be a company operating in Singapore;
- the applicant must be insured against liability for loss of not less than $1 million for each claim arising out of any error or omission on the part of the applicant, its officers or employees;
- the applicant must have -
- not less than $2 million in paid-up capital; and
- in addition, a combined paid-up capital and proof of available financing of not less than $5 million; and
- the applicant must obtain a performance bond or banker's guarantee in favour of the Controller in a form approved by the Controller for an amount of not less than $1 million.
- The performance bond or banker's guarantee referred to in paragraph (1)(d) may be invoked -
- for payment of an offer of composition made by the Controller;
- for payment of liabilities and rectification costs attributed to the negligence of the certification authority, its officers or employees; or
- for payment of the costs incurred in the discontinuation or transfer of operations of the licensed certification authority, if the certification authority's licence or operations is discontinued.
- An applicant shall take reasonable measures to ensure that every trusted person -
- is a fit and proper person to carry out the duties assigned to him;
- is not an undischarged bankrupt in Singapore or elsewhere or has made a composition or an arrangement with his creditors; and
- has not been convicted, whether in Singapore or elsewhere, of -
- an offence the conviction for which involved a finding that he acted fraudulently or dishonestly; or
- an offence under the Act or these Regulations.
- Notwithstanding paragraph (1)(c), the Controller may allow the applicant to have a trusted person who has been convicted of an offence referred to in that paragraph, if the Controller is satisfied that -
- the trusted person is now a fit and proper person to carry out his duties; and
- 10 years have elapsed from -
- the date of conviction; or
- the date of release from imprisonment if he was sentenced to a term of imprisonment, whichever is the later.
- Every trusted person must -
- have a good knowledge of the Act and these Regulations;
- be trained in the certification authority's certification practice statement; and
- possess the relevant technical qualifications, expertise and experience to effectively carry out his duties.
- An applicant shall comply with the following operational criteria:
- the applicant must have a certification practice statement approved by the Controller;
- the applicant must undergo and pass an initial audit before a licence can be granted by the Controller; and
- the applicant must undergo and pass such audit as the Controller may, by notice in writing, require.
- The audits referred to in this regulation must be -
- conducted in accordance with the auditing requirements specified in regulation 10; and
- completed within such time as the Controller may, by notice in writing, specify.
- An applicant must pass any audit required under regulation 9(1) for compliance with -
- security guidelines as referred to in regulation 26;
- licensing conditions;
- its certification practice statement; and
- the Act and these Regulations.
- All audits must be conducted by a qualified independent audit team approved by the Controller for this purpose, comprising a person who is a Certified Public Accountant and a person who is a Certified Information Systems Auditor, either of whom must possess sufficient knowledge of digital signatures and certificates.
- The firm or company to which the audit team belongs must be independent of the certification authority being audited and must not be a software or hardware vendor that is or has been providing services or supplying equipment to the certification authority.
- Auditing fees shall be borne by the certification authority.
- A copy of every audit report shall be submitted to the Controller within 4 weeks of the completion of an audit.
- Failure to pass the audit may be a ground for revocation of a licence.
- The Controller may refuse to grant or renew a licence if -
- the applicant has not provided the Controller with such information relating to it or any person employed by or associated with it for the purposes of its business, and to any circumstances likely to affect its method of conducting business, as the Controller may require;
- the applicant or its substantial shareholder is in the course of being wound up or liquidated;
- a receiver or a receiver and manager has been appointed to the applicant or its substantial shareholder;
- the applicant or its substantial shareholder has, whether in Singapore or elsewhere, entered into a compromise or scheme of arrangement with its creditors, being a compromise or scheme of arrangement that is still in operation;
- the applicant or its substantial shareholder or any trusted person has been convicted, whether in Singapore or elsewhere, of an offence the conviction for which involved a finding that it or he acted fraudulently or dishonestly, or has been convicted of an offence under the Act or these Regulations;
- the Controller is not satisfied as to the qualifications or experience of the trusted person who is to perform duties in connection with the holding of the licence by the applicant;
- the applicant fails to satisfy the Controller that it is a fit and proper person to be licensed or that all its trusted persons and substantial shareholders are fit and proper persons;
- the Controller has reason to believe that the applicant may not be able to act in the best interest of its subscribers, customers or participants having regard to the reputation, character, financial integrity and reliability of the applicant or any of its substantial shareholders or trusted persons;
- the Controller is not satisfied as to the financial standing of the applicant or its substantial shareholder;
- the Controller is not satisfied as to the record of past performance or expertise of the applicant or its trusted person having regard to the nature of the business which the applicant may carry on in connection with the holding of the licence;
- there are other circumstances which are likely to lead to the improper conduct of business by, or reflect discredit on the method of conducting the business of, the applicant or its substantial shareholder or any of the trusted persons; or
- the Controller is of the opinion that it is in the interest of the public to do so.
- For the purposes of paragraph (1), "substantial shareholder", in relation to an applicant which is a company, has the same meaning as in the Companies Act (Cap.50).
- A licence shall be deemed to be revoked if the certification authority is wound up.
- The Controller may revoke or suspend the licence of a certification authority -
- on any ground on which the Controller may refuse to grant a licence under regulation 11;
- if the certification authority fails to comply with a direction of the Controller made under section 51 of the Act;
- if the certification authority is being or will be wound up;
- if the certification authority has entered into any composition or arrangement with its creditors;
- if the certification authority fails to carry on business for which it was licensed;
- if the Controller has reason to believe that the certification authority or its trusted person has not performed its or his duties efficiently, honestly or fairly; or
- if the certification authority contravenes or fails to comply with any condition or restriction applicable in respect of the licence.
- The Controller may revoke the licence of a certification authority at the request of that certification authority.
- The Controller shall not revoke the licence under paragraph (2) without first giving the certification authority an opportunity of being heard.
- The Controller may inquire into any allegation that a certification authority, its officers or employees, is or has been guilty of any misconduct or is no longer fit to continue to remain licensed by reason of any other circumstances which have led, or are likely to lead, to the improper conduct of business by it or to reflect discredit on the method of conducting business.
- If, after inquiring into an allegation under paragraph (1), the Controller is of the opinion that the allegation is proved, the Controller may if he thinks fit -
- revoke the licence of the certification authority;
- suspend the licence of the certification authority for such period, or until the happening of such event, as the Controller may determine; or
- reprimand the certification authority.
- The Controller shall, at the hearing of an inquiry into an allegation under paragraph (1) against a certification authority, give the certification authority an opportunity of being heard.
- Where the Controller is satisfied, after making an inquiry into an allegation under paragraph (1), that the allegation has been made in bad faith or that it is otherwise frivolous or vexatious, the Controller may, by order in writing, require the person who made the allegation to pay any costs and expenses involved in the inquiry.
- The Controller may issue directions to the certification authority for compliance under section 51 of the Act as a result of making the inquiry.
- For the purposes of this regulation, "misconduct" means -
- any failure to comply with the requirements of the Act or these Regulations or its certification practice statement; and
- any act or omission relating to the conduct of business of a certification authority which is or is likely to be prejudicial to public interest.
- A certification authority whose licence is revoked or suspended under regulation 12 or 13 shall, for the purposes of this regulation, be deemed not to be licensed from the date that the Controller revokes or suspends the licence, as the case may be.
- A revocation or suspension of a licence of a certification authority shall not operate so as to -
- avoid or affect any agreement, transaction or arrangement entered into by the certification authority, whether the agreement, transaction or arrangement was entered into before or after the revocation or suspension of the licence; or
- affect any right, obligation or liability arising under any such agreement, transaction or arrangement.
- Where -
- the Controller refuses to grant or renew a licence under regulation 11;
- the Controller revokes a licence under regulation 12;
- the licence is revoked or suspended, or a certification authority is reprimanded, under regulation 13; or
- a performance bond or banker's guarantee is invoked under regulation 7(2),
any person who is aggrieved by the decision of the Controller may, within 14 days after he is notified of the decision, appeal to the Minister whose decision shall be final.
- If an appeal is made against a decision made by the Controller, the Controller may, if he thinks fit, defer the execution of the decision, as the case may be, until a decision is made by the Minister or when the appeal is withdrawn.
- In considering whether to defer the execution of the decision, the Controller shall have regard to whether the deferment is prejudicial to the interests of any subscriber of the certification authority or any other party who may be adversely affected.
- If an appeal is made to the Minister, a copy of the appeal shall be lodged with the Controller.
- A licensed certification authority may keep its records in the form of paper-based documents, electronic records or any other form approved by the Controller.
- Such records shall be indexed, stored, preserved and reproduced so as to be accurate, complete, legible and accessible to the Controller, an auditor or an authorised officer.
- Every licensed certification authority shall make and keep in a trustworthy manner the records relating to -
- activities in issuance, renewal, suspension and revocation of certificates (including the process of identification of any person requesting a certificate from a licensed certification authority);
- the process of generating subscribers' (where applicable) or the licensed certification authority's own key pairs;
- the administration of a licensed certification authority's computing facilities; and
- such critical related activity of a licensed certification authority as may be determined by the Controller.
- Every licensed certification authority shall archive all certificates issued by it and maintain mechanisms to access such certificates for a period of not less than 7 years.
- Every licensed certification authority shall retain all records required to be kept under paragraph (1) and all logs of the creation of the archive of certificates referred to in paragraph (2) for a period of not less than 7 years.
- Subject to the approval of the Controller, a licensed certification authority may issue certificates of the following different levels of assurance:
- certificates which shall be considered as trustworthy certificates for the purposes of section 20(b)(i) of the Act; and
- certificates which shall not be considered as trustworthy certificates for the purposes of section 20(b)(i) of the Act.
- The licensed certification authority must associate a distinct certification practice statement approved by the Controller for each type of certificate issued.
- The licensed certification authority must draw the attention of subscribers and relying parties to the effect of using and relying on certificates that are not considered trustworthy certificates for the purposes of section 20(b)(i) of the Act.
- In addition to the requirements specified in section 29 of the Act, every licensed certification authority shall comply with the requirements in this regulation in relation to the issuing of certificates.
- The certificate must contain or incorporate by reference such information as is sufficient to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate will be listed if the certificate is suspended or revoked.
- The practices and procedures set forth in the certification practice statement of a licensed certification authority shall contain conditions with standards higher than those conditions specified in section 29(2) of the Act.
- The subscriber identity verification method employed for issuance of certificates must be specified in the certification practice statement and is subject to the approval of the Controller during the application for a licence.
- Where a certificate is issued to a person (referred to in this regulation as the new certificate) on the basis of another valid certificate held by the same person (referred to in this regulation as the originating certificate) and subsequently the originating certificate has been suspended or revoked, the certification authority that issued the new certificate must conduct investigations to determine whether it is necessary to suspend or revoke the new certificate.
- The licensed certification authority must provide a reasonable opportunity for the subscriber to verify the contents of the certificate before it is accepted.
- If the subscriber accepts the issued certificate, the licensed certification authority shall publish a signed copy of the certificate in a repository referred to in paragraph (2).
- Notwithstanding paragraph (7), the licensed certification authority may contractually agree with the subscriber not to publish the certificate.
- If the subscriber does not accept the certificate, the licensed certification authority shall not publish it.
- Once the certificate has been issued by the licensed certification authority and accepted by the subscriber, the licensed certification authority shall notify the subscriber within a reasonable time of any fact known to the licensed certification authority that significantly affects the validity or reliability of the certificate.
- The date and time of all transactions in relation to the issuance of a certificate must be logged and kept in a trustworthy manner.
- Regulation 19 shall apply to the renewal of certificates as it applies to the issuance of certificates.
- The subscriber identity verification method shall be that specified in the certification practice statement as approved by the Controller.
- The date and time of all transactions in relation to the renewal of a certificate must be logged and kept in a trustworthy manner.
- This regulation shall apply only to every licensed certification authority which allows subscribers to request for suspension of certificates.
- Every licensed certification authority may provide for immediate revocation instead of suspension if the subscriber has agreed in writing.
- Upon receiving a request for suspension of a certificate under section 31 of the Act, the licensed certification authority shall ensure that the certificate is suspended and notice of the suspension published in the repository in accordance with section 34 of the Act.
- A licensed certification authority may suspend a certificate that it has issued if the licensed certification authority has reasonable grounds to believe that the certificate is unreliable, regardless of whether the subscriber consents to the suspension; but the licensed certification authority shall complete its investigation into the reliability of the certificate and decide within a reasonable time whether to reinstate the certificate or to revoke the certificate in accordance with section 32 or 33 of the Act.
- It is the responsibility of any person relying on a certificate to check whether a certificate has been suspended.
- A licensed certification authority shall suspend a certificate after receiving a valid request for suspension (in accordance with section 31 of the Act); but if the licensed certification authority considers that revocation is justified in the light of all the evidence available to it, the certificate must be revoked in accordance with section 32 or 33 of the Act.
- A licensed certification authority shall check with the subscriber or his authorised agent whether the certificate should be revoked and whether to reinstate the certificate after suspension.
- A licensed certification authority must terminate a suspension initiated by request if the licensed certification authority discovers and confirms that the request for suspension was made without authorisation by the subscriber or his authorised agent.
- If the suspension of a certificate leads to a revocation of the certificate, the requirements for revocation shall apply.
- The date and time of all transactions in relation to the suspension of certificates must be logged and kept in a trustworthy manner.
- A licensed certification authority must maintain facilities to receive and act upon requests for suspension at all times of the day and on all days of every year.
- In order to confirm the identity of the subscriber or authorised agent making a request for revocation under section 32(a) of the Act, the licensed certification authority must use the subscriber identity verification method specified in the certification practice statement for this purpose.
- A licensed certification authority must, after receiving a request for revocation, verify the request, revoke the certificate and publish notification of it under section 35 of the Act.
- A licensed certification authority must maintain facilities to receive and act upon requests for revocation at all times of the day and on all days of every year.
- A licensed certification authority shall give notice to the subscriber immediately upon the revocation of a certificate.
- The date and time of all transactions in relation to the revocation of certificates must be logged and kept in a trustworthy manner.
A certificate must state the date on which it expires.
- Every licensed certification authority shall use the Internet draft of the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, adopted by the Internet Engineering Task Force and reproduced by the Controller on its Internet website, as a guide for the preparation of its certification practice statement.
- Any change to the certification practice statement during the term of the licence requires the prior approval of the Controller.
- Every licensed certification authority must highlight to its subscribers any limitation of their liabilities and, in particular, it must draw the subscribers' attention to the implication of reliance limits on their certificates.
- The subscriber identity verification method for the issuance, suspension, revocation and renewal of a certificate must be specified in the certification practice statement.
- A copy of the latest version of the certification practice statement, together with its effective date, must be filed with the Controller and published on the certification authority's Internet website accessible to members of the public.
- After the effective date, the latest version filed with the Controller will be the prevailing version for a particular certificate.
- Every licensed certification authority must log all changes to the certification practice statement together with the effective date of each change.
- A licensed certification authority shall keep in a trustworthy manner a copy of each version of the certification practice statement, together with the date it came into effect and the date it ceased to have effect.
- The technical implementation of the requirements in section 20 of the Act shall be such as to ensure that it is computationally infeasible for any person other than the person to whom the signature correlates to have created a digital signature which is verified by reference to the public key listed in that person's certificate.
- The signature on its own should be such as to -
- ensure that the name or other unique identifiable notation of the person to whom the signature correlates be incorporated as part of the signature and cannot be replaced or forged; and
- readily present such indicia of identity to a person intending to rely on the signature.
- The technical implementation should ensure that -
- the steps taken towards the creation of the signature must be under the direction of the person to whom the signature correlates; and
- no other person can reproduce the sequence of steps to create the signature and thereby create a valid signature without the involvement or the knowledge of the person to whom the signature correlates.
- The technical implementation should indicate to a relying party of a signature whether the document or record that the signature purports to sign has been modified in any way, and this indication should be revealed in the process of verifying the signature.
- Every licensed certification authority shall ensure that in the performance of its services it materially satisfies the security guidelines determined by the Controller and published on the Controller's Internet website.
- An auditor when determining whether a departure from the security guidelines is material shall exercise reasonable professional judgment as to whether a condition that does not strictly comply with the guidelines is or is not material, taking into consideration the circumstances and the system as a whole.
- Without prejudice to the generality of situations which the auditor may consider to be material, the following incidents of non-compliance shall be considered to be material:
- any non-compliance relating to the validity of a certificate;
- the performance of the functions of a trusted person by a person who is not suitably qualified; or
- the use by a licensed certification authority of any system other than a trustworthy system.
- The security guidelines shall be interpreted in a manner that is reasonable in relation to the context in which a system is used and is consistent with other laws.
- Notwithstanding an auditor's assessment of whether a departure from the security guidelines is material, the Controller may make his own assessment and reach a conclusion for the purpose of paragraph (1) which is at variance with that of the auditor.
- Every licensed certification authority shall provide every subscriber with a trustworthy system to generate his key pair.
- Every licensed certification authority shall provide the mechanism to generate and verify digital signatures in a trustworthy manner and the mechanism provided shall also indicate the validity of the signature.
- If the digital signature is not valid, the mechanism provided should indicate if the invalidity is due to the integrity of the document or the signature and the mechanism provided shall also indicate the status of the certificate.
- For mechanisms provided by third parties other than the licensed certification authority, the resulting signature is considered secure only if the licensed certification authority endorses the implementation of such mechanisms in conjunction with its certificate.
- Every licensed certification authority shall be responsible for the storage of keys (including the subscriber's key and the licensed certification authority's own key) in a trustworthy manner.
- The Controller may, from time to time, publish on its Internet website further details of the security guidelines for compliance by every licensed certification authority.
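Regulations 25 and 27 above say what a signing and verification mechanism must report to a relying party (the signer's identity bound into the signature, whether the document was modified, whether the failure lies in the document or in the signature, and the status of the certificate) but not how a mechanism can tell a tampered document from a bad signature. The Go program below is an added illustration, not code from the Regulations or from any licensed certification authority. It borrows the CMS/PKCS#7 idea of signing a bundle of attributes that includes the subscriber's name and the document's digest: the ECDSA signature is checked over that bundle first, and only if it verifies is the digest compared with the document, which is what lets the two failure causes be reported separately. The certificate status comes from a constructed map standing in for the repository; the type and function names, serial numbers and subject strings are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// CertStatus is the status a repository would publish for a certificate (hypothetical values).
type CertStatus string

const (
	StatusValid     CertStatus = "valid"
	StatusSuspended CertStatus = "suspended"
	StatusRevoked   CertStatus = "revoked"
	StatusUnknown   CertStatus = "unknown" // serial not present in the repository
)

// Outcome separates the two causes of invalidity that regulation 27(3) asks the mechanism to distinguish.
type Outcome string

const (
	OutcomeValid            Outcome = "valid"
	OutcomeSignatureInvalid Outcome = "signature invalid"  // signature does not verify under the public key
	OutcomeDocumentModified Outcome = "document modified"  // signature verifies, but the signed digest no longer matches the document
)

// SignedAttrs is what the subscriber actually signs: identity (regulation 25(2)) plus the document digest.
type SignedAttrs struct {
	Subject string
	Serial  uint64
	Digest  [32]byte
}

// encode serialises the attributes unambiguously (length-prefixed subject) before hashing.
func (a SignedAttrs) encode() []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(a.Subject)))
	var serial [8]byte
	binary.BigEndian.PutUint64(serial[:], a.Serial)
	buf := append([]byte{}, n[:]...)
	buf = append(buf, a.Subject...)
	buf = append(buf, serial[:]...)
	return append(buf, a.Digest[:]...)
}

func (a SignedAttrs) hash() []byte {
	h := sha256.Sum256(a.encode())
	return h[:]
}

// Signature is what a relying party receives alongside the document.
type Signature struct {
	Attrs SignedAttrs
	Sig   []byte // ASN.1 DER ECDSA signature over hash(Attrs)
}

// Sign binds subject and serial to the document digest and signs the bundle.
func Sign(priv *ecdsa.PrivateKey, subject string, serial uint64, doc []byte) (Signature, error) {
	attrs := SignedAttrs{Subject: subject, Serial: serial, Digest: sha256.Sum256(doc)}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, attrs.hash())
	if err != nil {
		return Signature{}, err
	}
	return Signature{Attrs: attrs, Sig: sig}, nil
}

// Result is what the mechanism presents to the relying party: outcome, signer identity and certificate status.
type Result struct {
	Outcome Outcome
	Subject string
	Status  CertStatus
}

// Verify checks the signature over the attributes first, the document digest second, and reports certificate status.
func Verify(pub *ecdsa.PublicKey, doc []byte, s Signature, repo map[uint64]CertStatus) Result {
	status, ok := repo[s.Attrs.Serial]
	if !ok {
		status = StatusUnknown
	}
	res := Result{Subject: s.Attrs.Subject, Status: status}
	if !ecdsa.VerifyASN1(pub, s.Attrs.hash(), s.Sig) {
		res.Outcome = OutcomeSignatureInvalid // the signer's key did not produce this signature
		return res
	}
	if sha256.Sum256(doc) != s.Attrs.Digest {
		res.Outcome = OutcomeDocumentModified // signature is genuine but the document changed after signing
		return res
	}
	res.Outcome = OutcomeValid
	return res
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed repository contents: serial -> published status (not real data).
	repo := map[uint64]CertStatus{1001: StatusValid, 1002: StatusRevoked}
	doc := []byte("constructed sample contract text")
	sig, err := Sign(priv, "CN=Example Subscriber", 1001, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Verify(&priv.PublicKey, doc, sig, repo))
	fmt.Printf("%+v\n", Verify(&priv.PublicKey, append([]byte{}, append(doc, '!')...), sig, repo))
}
```

The relying party still has to act on the reported status (regulation 21(5) places that duty on the relying party): a `valid` outcome with a `suspended` or `revoked` status is not a signature to rely on, and an `unknown` status means the repository named in the certificate could not vouch for it.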
- A licensed certification authority shall implement an incident management plan that must provide at the least for management of the following incidents:
- compromise of key;
- penetration of CA system and network;
- unavailability of infrastructure; and
- fraudulent registration and generation of certificates, certificate suspension and revocation information.
- If any incident referred to in paragraph (1) occurs, it shall be reported to the Controller within 24 hours.
- Except for the purposes of Part XII of the Act, or for any prosecution under any written law or pursuant to an order of court, every licensed certification authority and its authorised agent must keep all subscriber-specific information confidential.
- Any disclosure of subscriber-specific information by the licensed certification authority or its agent must be authorised by the subscriber.
- This regulation shall not apply to subscriber-specific information which -
- is contained in the certificate for public disclosure;
- is otherwise provided by the subscriber to the licensed certification authority for this purpose; or
- relates to the fact that the certificate has been revoked or suspended.
A licensed certification authority shall inform the Controller of any changes in the appointment of any person as its director or chief executive, or of any person to perform functions equivalent to that of a chief executive, within 3 working days from the date of appointment of that person.
30. Availability of general purpose repository
- A general purpose repository shall be available at all times of the day and on all days of every year.
- A general purpose repository must ensure that the total aggregate period of any down time in any period of one month shall not exceed 0.3% of the period.
- Any down time, whether scheduled or unscheduled, shall not exceed 30 minutes duration at any one time.
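Regulation 30 sets two separate limits on a general purpose repository: a monthly downtime budget of 0.3% of the month, and a cap of 30 minutes on any single outage, so a repository can fail the regulation on either count. The Go program below is an added illustration, not code from the Regulations or from any certification authority's monitoring: it takes a list of outage intervals, clips them to the calendar month under review, and reports both findings. The outage log in `main` is constructed sample data, and the type and function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Limits from regulation 30(2) and (3).
const (
	monthlyDowntimePermille = 3                // 0.3% of the month
	maxSingleOutage         = 30 * time.Minute // no single outage may be longer than this
)

// Outage is one interval during which the repository was unreachable, as recorded by monitoring.
type Outage struct {
	Start, End time.Time
}

// AvailabilityReport is what an auditor or the operations team would review for one calendar month.
type AvailabilityReport struct {
	MonthStart    time.Time
	Budget        time.Duration // 0.3% of the month's length
	TotalDown     time.Duration // downtime that fell inside the month
	LongestOutage time.Duration // longest single outage touching the month, measured in full
	Findings      []string      // empty when both limits are met
}

// Compliant reports whether no finding was raised.
func (r AvailabilityReport) Compliant() bool { return len(r.Findings) == 0 }

// clip returns the part of the outage that falls within [start, end).
func clip(o Outage, start, end time.Time) time.Duration {
	s, e := o.Start, o.End
	if s.Before(start) {
		s = start
	}
	if e.After(end) {
		e = end
	}
	if !e.After(s) {
		return 0
	}
	return e.Sub(s)
}

// CheckMonth evaluates an outage log against regulation 30 for one calendar month (UTC).
func CheckMonth(year int, month time.Month, outages []Outage) AvailabilityReport {
	start := time.Date(year, month, 1, 0, 0, 0, 0, time.UTC)
	end := start.AddDate(0, 1, 0)
	monthLen := end.Sub(start)
	// Integer arithmetic keeps the budget exact (e.g. 744h * 3 / 1000 for a 31-day month).
	rep := AvailabilityReport{MonthStart: start, Budget: monthLen * monthlyDowntimePermille / 1000}
	for _, o := range outages {
		inMonth := clip(o, start, end)
		if inMonth == 0 {
			continue // outage lies entirely outside this month
		}
		rep.TotalDown += inMonth
		// The single-outage limit applies to the whole outage, even if it straddles a month boundary.
		full := o.End.Sub(o.Start)
		if full > rep.LongestOutage {
			rep.LongestOutage = full
		}
		if full > maxSingleOutage {
			rep.Findings = append(rep.Findings, fmt.Sprintf("outage starting %s lasted %s, over the 30-minute limit (regulation 30(3))",
				o.Start.Format(time.RFC3339), full))
		}
	}
	if rep.TotalDown > rep.Budget {
		rep.Findings = append(rep.Findings, fmt.Sprintf("total downtime %s exceeds the 0.3%% budget of %s (regulation 30(2))",
			rep.TotalDown, rep.Budget))
	}
	return rep
}

func main() {
	day := func(d, h, m int) time.Time { return time.Date(2024, time.January, d, h, m, 0, 0, time.UTC) }
	// Constructed sample outage log for January 2024 (not real monitoring data).
	outages := []Outage{
		{Start: day(3, 2, 0), End: day(3, 2, 20)},
		{Start: day(12, 23, 45), End: day(13, 0, 10)},
		{Start: day(30, 9, 0), End: day(30, 9, 45)}, // breaches the 30-minute single-outage limit
	}
	rep := CheckMonth(2024, time.January, outages)
	fmt.Printf("budget %s, down %s, longest %s, compliant %v\n", rep.Budget, rep.TotalDown, rep.LongestOutage, rep.Compliant())
	for _, f := range rep.Findings {
		fmt.Println("finding:", f)
	}
}
```

Because the two limits are independent, six separate 25-minute outages in a 31-day month pass the single-outage check but exhaust the roughly 134-minute monthly budget, while one 45-minute outage fails on duration alone even with the budget largely unused.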
Subject to the approval of the Controller, a repository may be dedicated for a specific purpose for which specific hours of operation may be acceptable.
32. Application to Government and statutory corporations
- For the purposes of section 20(b)(iii) of the Act, a department or ministry of the Government, an organ of State or a statutory corporation that is approved by the Minister under that section to act as a certification authority shall comply with the provisions of Parts III (with the exception of regulations 7 and 11), IV (with the exception of regulations 12, 14 and 15), V (with the exception of regulation 29), VI, VII and VIII (with the exception of regulations 36 and 37) as if it were a licensed certification authority.
- The provisions referred to in paragraph (1) shall apply, with the necessary modifications and such other modifications as the Controller may determine, to the department or ministry of the Government, an organ of State or a statutory corporation that is approved by the Minister under section 20(b)(iii) of the Act.
- Any licensed certification authority that wishes to apply for a waiver of any of the requirements specified in these Regulations may apply in writing to the Controller at the time when it submits an application for a licence.
- The application must be supported by reasons for the application and include the necessary supporting documents.
- The licensed certification authority must submit half-yearly progress and financial reports to the Controller.
- The half-yearly progress reports must include information on -
- the number of subscribers;
- the number of certificates issued, suspended, revoked, expired and renewed;
- system performance including system up and down time and any extraordinary incidents;
- changes in the organisational structure of the certification authority;
- changes since the preceding progress report submitted or since the application for the licence; and
- changes in the particulars of any trusted person since the last submission to the Controller, including the name, identification number, residential address, designation, function and date of employment of the trusted person.
- The licensed certification authority has a continuing obligation to disclose to the Controller any changes in the information submitted.
- All current versions of the licensed certification authority's applicable certification practice statements together with their effective dates must be published in the licensed certification authority's Internet website.
- If a licensed certification authority intends to discontinue its operations, the licensed certification authority may arrange for its subscribers to re-subscribe to another licensed certification authority.
- The licensed certification authority shall make arrangements for its records and certificates to be archived in a trustworthy manner.
- If the records are transferred to another licensed certification authority, the transfer must be done in a trustworthy manner.
- A licensed certification authority shall -
- give the Controller a minimum of 3 months' written notice of its intention to discontinue its operations;
- give its subscribers a minimum of 2 months' written notice of its intention to discontinue its operations; and
- advertise, in such daily newspaper and in such manner as the Controller may determine, at least 2 months' notice of its intention to discontinue its operations.
Any person who fails, without any reasonable excuse, to comply with regulation 16(2), 17, 19(2) or (11), 20(3), 21(10), 22(5), 24(7) or (8) or 28 shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000.
Any offence under these Regulations may be compounded by the Controller under section 59 of the Act.
© 2008 Infocomm Development Authority of Singapore