10 February 1999
Date: Wed, 10 Feb 1999 09:07:09 -0500 To: firstname.lastname@example.org From: Robert Hettinga <email@example.com> Subject: new Singapore PKI regulations --- begin forwarded text Date: Wed, 10 Feb 1999 08:43:58 -0500 From: Michael Power <Power.Michael@TBS-SCT.GC.CA> Subject: new Singapore PKI regulations To: DIGSIG@LISTSERV.TEMPLE.EDU Our colleagues in Singapore have been kind enough to let us know about the new Singapore Electronic Transactions (Certification Authority) Regulations 1999. (Released 10 Feb 99) Those interested in the subject can obtain further details at <http://www.cca.gov.sg> but below is the press document accompanying the release of the regulations. Introduction 1. The Electronic Transactions Act and its Regulations have put in place a voluntary licensing scheme for certification authorities (CAs). In addition to laying down the administrative framework for licensing by the Controller of CAs, the Regulations also stipulate the criteria for a CA in Singapore to be licensed, and the continuing operational requirements after obtaining a licence. The criteria that CAs will be evaluated against include their financial standing, operational policies and procedures, and track record. Benefits of Licensing 2. Although the licensing scheme is a voluntary one, there are certain benefits for a CA to be licensed: a. A licensed CA will enjoy the benefits of evidentiary presumption for digital signatures generated from the certificate it issues. Without such a presumption, a party that intends to rely on a digital signature must produce enough evidence to convince the court that the signature was created under conditions that will render it trustworthy. With the presumption, the party relying on the signature merely has to show that the signature has been correctly verified, and the onus is on the other party disputing the signature to prove otherwise. b. The liability of a licensed CA is limited under the Act. The CA will not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber so long as the CA has complied with the requirements under the Act and the Regulations. In the event that a licensed CA failed to observe some of its obligations, the CA will only be liable up to the reliance limit specified in the certificate. c. The licensing of a CA by the Controller is an indication that the CA has met the stringent regulatory requirements established. It is thus an indication to the public that the CA is trustworthy and deserving of consumer confidence. Together with the ease of proof in using digital signatures, there can be reliance on such CAs with greater certainty. Licensing Scheme 3. To apply for a licence, applicants have to pay an application fee of S$5,000 to cover the processing costs. Once approval for a licence has been given, an annual licensing fee of S$1,000 will be levied. Licences with a one-year validity period will be issued initially. As the industry matures and the CA builds up a track record, licences for a longer period can be issued. Criteria for Granting and Renewing Licences Financial Criteria, etc. 4. The licensing scheme is intended for companies operating in Singapore. The applicant must demonstrate that it has sufficient funds to operate a CA, and have adequate insurance coverage to cover major areas of liability. In addition, the applicant needs to post a performance bond or banker's guarantee. This is for the payment of fines arising from offences, or for liabilities and rectification costs arising from the CA's negligence. It may also be used for costs in the transition to a successor CA if the licensed CA decides to discontinue its operations. Operational Criteria 5. Prior to licensing, the applicant must undergo and pass an initial audit to demonstrate that it has met the requirements stipulated in the Act and the Regulations. In addition, the applicant will also be audited for compliance with its own Certificate Practice Statements (CPS). CPS are documents which stipulate the policies and procedures a CA adopts for the certificates it issues. Audits are also required again before a licence can be renewed. Security Guidelines 6. The Controller has published a set of security guidelines that CAs will be audited against. These security guidelines are specially tailored for CA operations. Hence, in addition to general security requirements, there are specific requirements governing CA operations such as certificate and key management. Requirements on Record Keeping 7. Licensed CAs must have reliable records and logs for activities that are core to the CA's operations. These activities include certificate management, key generation and administration of its computing facilities. To enable verification of past transactions, licensed CAs have to archive certificates for a minimum of seven years. The CAs should maintain such archives for a longer period where feasible. Management of Certificates 8. The management of certificates is a core function of a CA and is subject to strict requirements. The Controller must approve the methods used by the licensed CA to verify the identity of a subscriber before granting or renewing a subscription for a certificate. In accordance with the provisions of the Act, a licensed CA must also publish a notice of a certificate suspension or revocation immediately after receiving an authorised request for a certificate suspension or revocation. Secure Digital Signatures 9. In addition to meeting baseline security policies and requirements, the Regulations also specify when a digital signature will qualify as a secure digital signature (i.e. a legally binding digital signature that has the evidentiary presumption under the Act). An applicant must provide a system that can meet these requirements for generating secure digital signatures. Some of these requirements are: a. when a digital signature is successfully verified, it must confirm that the digitally signed document or record has not been tampered with since the fixation of the signature; b. when a digital signature is successfully verified, it must accurately identify the signatory; c. it is computationally infeasible for any person other than the signatory to have created the specific digital signature; d. measures must be taken to ensure that the creation of a signature must be under the direction of the signatory; and e. no other person can reproduce the sequence of steps to create the signature and thereby create a valid signature without the involvement or the knowledge of the signatory. Types of Certificates 10. To cater for market demands, a licensed CA may issue certificates with different levels of assurance. A licensed CA may issue trustworthy certificates that can create secure digital signatures, or other lower assurance certificates for simple authentication or identification purposes in applications such as electronic mail. However, this is subject to the approval of the Controller - each type of certificate must have a distinct approved CPS associated with it. This will give more flexibility to a licensed CA and will not disadvantage them vis-à-vis an unlicensed CA in the types of certificates it can issue. Confidentiality Requirements 11. Licensed CAs have to ensure confidentiality of subscriber information. This is to prevent abuse of the subscriber's trust in providing potentially private subscriber information to the CA when applying for a certificate. Government CAs 12. Under the Act, a government agency may be approved by the Minister for Trade and Industry to act as a CA with the benefits of a licensed CA. With the exception of certain requirements (e.g. financial criteria), the Regulations will also apply to such government CAs. Waivers 13. Although the Regulations will apply generally to CAs, the Controller will consider granting waivers for some of the requirements in the Regulations in special circumstances, especially for CAs in closed network communities. Conclusion 14. The Act and the Regulations aim to provide a legal framework that will establish trusted CA services in Singapore, serving both the domestic and international markets. In the long term, they provide the foundation to establish Singapore as a trusted hub for e-commerce, providing a wide range of security products and services. Prepared by National Computer Board, 10th February 1999 Michael Power Assistant Director, Policy / Directeur adjoint, Politiques Interdepartmental PKI Task Force / Groupe interministériel de mise en oeuvre de l'ICP Treasury Board Secretariat / Secrétariat du Conseil du Trésor 275 rue Slater Street, Ottawa, Canada K1A 0R5 Tel. 946-5056; Fax. 946-9893; Email: firstname.lastname@example.org, Website: <http://www.cio-dpi.gc.ca> <<...>> --- end forwarded text ----------------- Robert A. Hettinga <mailto: email@example.com> Philodox Financial Technology Evangelism <http://www.philodox.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'