Public Key Infrastructure and Licensing of Certification Authority
Widely recognised as the most secure platform for e-commerce transactions, the Public Key Infrastructure (PKI) is also by far the most mature solution that addresses all four key elements of security: authentication, non-repudiation, confidentiality and integrity. Digital signatures provide authentication, integrity and non-repudiation; encryption under the recipient's public key provides confidentiality. A PKI refers to the whole system of policies, processes and technologies, including digital certificates, certificate servers and Certification Authorities (CAs), working together to enable users to exchange information over open networks securely and confidentially.

A CA is a trusted third party that verifies the identity of an applicant registering for a digital certificate and issues that person a digital certificate binding his or her identity to a public key. It also provides certificate management services such as publication and revocation of digital certificates, so that a relying party can check that a certificate is still in good standing before accepting a signature made under it. A CA acts like a trusted electronic notary public, telling everyone who the valid subscribers are and which public key verifies each subscriber's digital signature.
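The three roles described above (a CA that issues and revokes certificates, a subscriber that signs, and a relying party that verifies), as an added example built on Go's standard crypto/x509 package; it is not code from this page, from Netrust or from any other CA. The names toyCA, issue, publishCRL, verify and scenario, the subscriber "Alice Tan" and the purchase-order message are all constructed for the example. The relying party performs the three checks a practitioner would want before relying on a signature: the certificate chains to a trusted CA, a CA-signed CRL does not list it, and the signature verifies under the certified public key.

```go
// Added example, not any CA's real code; all names here are hypothetical.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup helper; the relying party's verify returns errors instead
	if err != nil {
		panic(err)
	}
	return v
}

// toyCA holds the CA's signing key and self-signed root (a licensed CA keeps the key in an HSM).
type toyCA struct {
	key  *ecdsa.PrivateKey
	Root *x509.Certificate
}

func newCA(name string) *toyCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // crlSign below is required to issue CRLs
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return &toyCA{key: key, Root: must(x509.ParseCertificate(der))}
}

// issue binds an identity (verified out of band beforehand) to a public key under the CA's signature.
func (ca *toyCA) issue(subject string, pub *ecdsa.PublicKey) []byte {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // unique serial for this toy
		Subject: pkix.Name{CommonName: subject}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.CreateCertificate(rand.Reader, t, ca.Root, pub, ca.key))
}

// publishCRL is the publication/revocation service: a CA-signed list of revoked serial numbers.
func (ca *toyCA) publishCRL(revoked ...*big.Int) []byte {
	t := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, t, ca.Root, ca.key))
}

// verify is the relying party's step; rely on the signature only if it returns nil.
func verify(root *x509.Certificate, certDER, crlDER, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	crl, err2 := x509.ParseRevocationList(crlDER)
	if err != nil || err2 != nil {
		return fmt.Errorf("parse: %v; %v", err, err2)
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	// 1. The certificate chains to a CA we trust and is within its validity period.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // 2. the CRL is genuinely that CA's ...
		return fmt.Errorf("crl: %w", err)
	}
	for _, r := range crl.RevokedCertificates { // ... and does not list this certificate
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate revoked")
		}
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil { // 3. valid under the certified key
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

// scenario runs the exchange end to end: verdicts on the genuine message, a tampered copy, and after revocation.
func scenario() (valid, tampered, revoked error) {
	ca := newCA("Toy Licensed CA")
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // subscriber's key pair
	certDER := ca.issue("Alice Tan", &subKey.PublicKey)             // constructed subscriber identity
	msg := []byte("PO 4711: 12 units at SGD 30")                    // constructed sample message
	h := sha256.Sum256(msg)
	sig := must(ecdsa.SignASN1(rand.Reader, subKey, h[:])) // subscriber signs SHA-256 of msg
	valid = verify(ca.Root, certDER, ca.publishCRL(), msg, sig)
	tampered = verify(ca.Root, certDER, ca.publishCRL(), []byte("PO 4711: 120 units at SGD 30"), sig)
	revoked = verify(ca.Root, certDER, ca.publishCRL(must(x509.ParseCertificate(certDER)).SerialNumber), msg, sig)
	return
}

func main() {
	v, t, r := scenario()
	fmt.Println("valid:", v, "| tampered:", t, "| revoked:", r)
}
```

Running it prints a nil verdict for the genuine message, a "signature" error for the altered quantity and a "certificate revoked" error once the CA has published a CRL naming the certificate. The order of the checks matters: a signature that verifies mathematically is still worthless if the certificate does not chain to a CA the relying party trusts or has been revoked, which is why the chain and CRL checks run first. The example assumes Go 1.19 or later for x509.ParseRevocationList.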

The Electronic Transactions Act (Cap 88) (ETA) and the Electronic Transactions (Certification Authority) Regulations (ET(CA)R) provide for a voluntary licensing regime for CAs and empower the Controller of Certification Authorities (CCA) to regulate and license the activities of CAs in Singapore. The Director-General (Telecommunications) of the Infocomm Development Authority of Singapore (IDA) is the CCA. As CAs perform a trusted role in verifying the identities of parties in electronic transactions, the CCA seeks to provide the assurance that a CA's responsibilities are met and that its services are delivered with high integrity, security and service standards. Only CAs that meet the standards set by the Controller will be licensed. As of 14 June 2002 there is one licensed CA operating in Singapore, Netrust Pte Ltd.

A licensed CA enjoys the following benefits:

  • A licensed CA will enjoy evidentiary presumption for digital signatures generated from the certificates it issues. With the presumption, the party relying on the signature merely has to show that the signature has been correctly verified and the onus is on the other party disputing the signature to prove otherwise. Evidentiary presumption hence assures online merchants of the security of their transactions when they use such signatures to validate electronic contracts and transmit them over the Internet (or by other electronic means).
  • A licensed CA enjoys limited liability under the ETA. The CA will not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber as long as the CA has complied with requirements under the Act. The CA will also not be liable in excess of the reliance limit amount specified in the certificate, even if it failed to observe some of its obligations.
  • Licensing of a CA by the Controller is an indication to the public that the CA has met stringent regulatory requirements and is therefore trustworthy and deserving of consumer confidence.


The licensing criteria are stipulated in the ETA, the ET(CA)R and the Security Guidelines for CAs. In essence, CAs are evaluated on their financial standing, their operational policies and procedures, and the security of their systems.