Electronic Commerce Act - 1998

Part VII - Duties of Certification Authorities

28. Trustworthy System. Except as otherwise conspicuously set forth in its certification practice statement, a certification authority and a person maintaining a repository must:

(a) maintain and utilize trustworthy systems and operate in a trustworthy manner in performing its services;

(b) possess the reliability necessary for offering certification services;

(c) employ personnel which possess the expert knowledge, experience and qualifications necessary for the offered services;

(d) record and retain records of all relevant information concerning a certificate for an appropriate period of time, in particular to be able to provide evidence of certification in the context of a dispute or lawsuit; and

(e) publish all relevant information concerning the proper and secure use of certification services and established procedures for complaints and dispute resolution and settlement.

Source: UNCITRAL Draft Rules, Article 1.

Comments: Maintaining operations and performing services in a trustworthy manner is fundamental to the integrity of the certificate and digital signature process. This section recognizes that the degree of security should be determined according to a reasonableness standard in light of the factors set forth in the definition of trustworthy systems. This section also acknowledges that there may be situations in which persons desire to use certificates not created or maintained pursuant to trustworthy systems, such as for low cost, and allows them to do so as long as appropriate disclosure of that fact is clearly stated in the certification practice statement.

29. Disclosure by Certification Authorities.

(a) A certification authority shall disclose the following:
(i) its certificate that contains the public key corresponding to the private key used by that certification authority to digitally sign another certificate (defined for purposes of this section as a certification authority certificate);
(ii) any relevant certification practice statement;
(iii) notice of any revocation or suspension of its certification authority certificate; and
(iv) any other fact that materially and adversely affects either the reliability of a certificate that the authority has issued or the authority’s ability to perform its services.
(b) In the event of an occurrence that materially and adversely affects a certification authority’s trustworthy system or its certification authority certificate, the certification authority shall act in accordance with procedures governing such an occurrence specified in its certification practice statement or, in the absence of such procedures, use reasonable efforts to notify any person who is known to be or reasonably foreseeably will be affected by that occurrence.

Source: Singapore Electronic Transactions Act §28.

Comments: This section imposes a disclosure obligation upon a certification authority in order to facilitate the use of digital signatures.

30. Issuing of Certificate. A certification authority may issue a certificate to a prospective subscriber only after the certification authority has received a request for issuance from the prospective subscriber and

(a) if it has a certification practice statement, complied with all of the practices and procedures set forth in such certification practice statement including procedures regarding identification of the prospective subscriber; or
(b) in the absence of a certification practice statement addressing these issues, or if the parties involved have not entered into an agreement specifically providing otherwise, confirmed by itself or through an authorized agent that the following is the case:
(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber authorized the agent to have custody of the subscriber’s private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.

Source: Singapore Electronic Transactions Act §29.

Comments: This section imposes only two requirements on the certification authority before issuing a certificate to be used for the purpose of verifying digital signatures: (1) a certificate can be issued only in response to a request from the prospective subscriber; and (2) the certification authority must comply with whatever certificate issuance practices it specifies in its certification practice statement. If a certification authority does not publish a certification practice statement, or enter into a contract with a relying party to address these issues, then Section 30(b) imposes a default standard for subscriber authentication.

The intent of this section is to allow certification authorities maximum flexibility in the efforts they undertake to verify subscriber identity, so long as the verification procedures that will be employed are clearly disclosed in advance.

31. Representations Upon Issuance of Certificate.

(a) By issuing a certificate, a certification authority represents, to any person who reasonably relies on the certificate or a digital signature verifiable by the public key listed in the certificate, that the certification authority has processed, approved and issued, and will manage and if necessary suspend or revoke the certificate, in accordance with any applicable certification practice statement incorporated by reference in the certificate, or of which the relying person has notice.
(b) In the absence of such a certification practice statement, the certification authority represents that it has confirmed the following:
(i) the certification authority has complied with all applicable requirements of this Act and other appropriate authority in issuing the certificate and, if the certification authority has published the certificate or otherwise made it available to such relying person, that the subscriber listed in the certificate has accepted it;
(ii) the subscriber identified in the certificate holds the private key corresponding to the public key listed in the certificate;
(iii) the certification authority has verified the identity of the subscriber to the extent stated in the certificate or its applicable certification practice statement or, in lieu thereof, that the certification authority has reasonably verified the identity of the subscriber;
(iv) the subscriber’s public key and private key constitute a functioning key pair;
(v) all information in the certificate is accurate, unless the certification authority has stated in the certificate or incorporated by reference in the certificate a statement that the accuracy of specified information is not confirmed; and
(vi) that the certification authority has no knowledge of any material fact which if it had been included in the certificate would adversely affect the reliability of the representations in this section.
(c) Where there is an applicable certification practice statement which has been incorporated by reference in the certificate, or of which the relying person otherwise has notice, subsection (b) shall apply to the extent that the representations are not inconsistent with the certification practice statement.

(d) Certification authorities shall keep and maintain as current a publicly accessible electronic register of certificates issued, indicating the time when any individual certificate expires or when it was suspended or revoked.

(e) Notwithstanding subsections (a) through (d), if a certification authority issued the certificate subject to the laws of another jurisdiction, the certification authority makes all warranties and representations, if any, otherwise applicable under the law governing its issuance.

Source: UNCITRAL Draft Rules, Article 10.

Comments: This section recognizes that there will be varying types of certificates based on differing levels of identification and authentication of prospective subscribers, and thus provides that the only representations made are that it has issued the certificate in accordance with any applicable certification practice statement and any requirements or representations imposed by the law of the state or country under which the certificate was issued.

The reference to laws of another jurisdiction is intended to give relying parties the benefit of any statutory requirements relating to the issuance of the certificate that are imposed by the law of the state or country under which the certificate originally was issued.

32. Fiduciary Relationship.

(a) A certification authority is a fiduciary to a subscriber where a certification authority holds that subscriber’s private key or where provided by contract among the parties involved.
(b) A certification authority is not otherwise a fiduciary to a subscriber and is not a fiduciary to any relying party, except where otherwise expressly provided by contract or law.

Source: ABA Digital Signature Guidelines §2.4.

Comments: A certification authority typically provides services at arm’s length and does not create a special trusted relationship with its subscribers or relying parties, except where the certification authority holds the private key of a subscriber or where otherwise provided by agreement or law.

33. Financial Responsibility. A certification authority must have sufficient financial resources:

(a) to maintain its operations in conformity with its duties; and
(b) to be reasonably able to bear its risk of liability to subscribers and other relying parties relying on certificates issued by the certification authority and digital signatures verifiable by reference to public keys listed in such certificates.

Source: ABA Digital Signature Guidelines §3.3.

Comments: A certification authority’s overall risk of liability largely will be a function of (1) its success in implementing a trustworthy system and utilizing the services of competent, conscientious personnel, (2) the number of certificates outstanding, and (3) the amounts at stake in transactions in which issued certificates are used, all evaluated in light of any applicable limits upon legal liability and recommended reliance limits. The certification authority can manage factors (1) and (2), but can do little in most cases to manage its risk in regard to factor (3).

Financial responsibility may be assured through security arrangements such as surety bonds or standby letters of credit, or perhaps through liability insurance.

34. Suspension of Certificate.

(a) Unless the certification authority and the subscriber agree otherwise, the certification authority that issued a certificate shall suspend the certificate as soon as possible after receiving a request by a person whom the certification authority reasonably believes to be one of the following:
(i) the subscriber listed in the certificate;
(ii) a person duly authorized to act for that subscriber; or
(iii) a person acting on behalf of that subscriber, who is unavailable.
(b) Except as otherwise specifically provided in its certification practice statement, or unless the certification authority and the subscriber agree otherwise, a certification authority that issued a certificate shall suspend the certificate as soon as possible after confirmation by the certification authority that:
(A) a material fact represented in the certificate is false;
(B) a material requirement for issuance of the certificate was not satisfied;
(C) the certification authority’s private key or trustworthy system was compromised in a manner materially affecting the certificate’s reliability; or
(D) the subscriber’s private key has been compromised.
(c) Immediately upon suspension of a certificate by a certification authority, the certification authority shall notify the subscriber and relying parties in accordance with its certification practice statement or, in the absence of such statement, shall promptly notify the subscriber, promptly publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension, and otherwise disclose the fact of suspension on inquiry by any relying party. Where one or more repositories are specified, the certification authority shall publish signed notices of the suspension in all such repositories.

Source: UNCITRAL Draft Rules, Article 14.

Comments: A provision on suspension of certificates was added by the UN Working Group at its thirty-first session.

35. Revocation of Certificate.

(a) Except as otherwise specifically provided in its certification practice statement, or unless the certification authority and the subscriber agree otherwise, a certification authority shall revoke a certificate that it issues upon the occurrence of the following:
(i) receiving a request for revocation by the subscriber named in the certificate, and confirming that the person requesting revocation is the subscriber or is an agent of the subscriber with authority to request the revocation;

(ii) receiving a certified copy of the subscriber’s death certificate, or upon confirming by other verifiable evidence that the subscriber is dead;

(iii) upon presentation of documents effecting a corporate dissolution of the subscriber or upon confirming by other verifiable evidence that the subscriber has been dissolved or has ceased to exist; or

(iv) confirmation by the certification authority that one of the following events has occurred, provided that no such revocation may be made until the subscriber has had a reasonable opportunity for a hearing:

(A) a material fact represented in the certificate is false;
(B) a material requirement for issuance of the certificate was not satisfied;
(C) the certification authority’s private key or trustworthy system was compromised in a manner materially affecting the certificate’s reliability; or
(D) the subscriber’s private key has been compromised.
(b) Upon effecting such a revocation, the certification authority shall immediately provide notice as follows:
(i) immediately upon revocation of a certificate by a certification authority, the certification authority shall promptly notify the subscriber listed in the revoked certificate (if not deceased, dissolved or ceased to exist) and any relying parties in accordance with its certification practice statement or, in the absence of such statement, shall promptly notify the subscriber, promptly publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation, and otherwise disclose the fact of revocation on inquiry by a relying party; and
(ii) where one or more repositories are specified, the certification authority shall publish signed notices of the revocation in all such repositories.

Source: UNCITRAL Draft Rules, Article 13.

Comments: This section and the preceding section set forth a default standard governing suspension and revocation of certificates.