36. Generating A Key Pair

(a) If the subscriber generates the key pair whose public key is to be listed in a certificate issued by a certification authority and accepted by the subscriber, the subscriber shall generate that key pair using a trustworthy system.

(b) This section shall not apply to a subscriber who generates the key pair using a system approved by the certification authority.

Source: Singapore Electronic Transactions Act §36.

37. Obtaining A Certificate. All material representations made by the subscriber to a certification authority for purposes of obtaining a certificate, including all information known to the subscriber and represented in the certificate, shall be accurate and complete to the best of the subscriber’s knowledge and belief, regardless of whether such representations are confirmed by the certification authority.

Comments: This section sets forth the general obligation of the subscriber to provide accurate and complete information to a certification authority when seeking to obtain a certificate.

38. Acceptance of Certificate.

(a) A subscriber shall be deemed to have accepted a certificate if that subscriber:

(i) publishes or authorizes the publication of a certificate in one of the following ways:

(A) to one or more persons; or

(B) in a repository; or

(ii) otherwise demonstrates approval of a certificate while knowing or having notice of its contents.

(b) By accepting a certificate issued by a certification authority, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate as follows:

(i) that the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;

(ii) that all material representations made by the subscriber to the certification authority and material to the information listed in the certificate are true; and

(iii) that all information in the certificate that is within the knowledge of the subscriber is true.

Source: Singapore Electronic Transactions Act §38.

Comments: Acceptance of a certificate by a subscriber may be expressed or implied, and can occur in a variety of ways. For example, acceptance can occur when the subscriber publishes the certificate in a repository or when the subscriber provides copies of the certificate to one or more persons. Factors to be considered in determining whether a subscriber has accepted a certificate include whether the subscriber has specifically requested issuance of the certificate; whether the subscriber has expressly approved the certificate, or not acknowledged it in any way; whether the subscriber has knowledge that the certificate is available to potential relying parties; the reasonableness of reliance upon the certificate; and the foreseeability of such reliance.

39. Control of Private Key.

(a) By accepting a certificate issued by a certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key corresponding to the public key listed in such certificate and to prevent its disclosure to any person not authorized to create the subscriber’s digital signature.

(b) Such duty shall continue during the operational period of the certificate and during any period of suspension of the certificate.

Source: Singapore Electronic Transactions Act § 39.

Comments: This section imposes a higher duty of care upon a subscriber than is currently imposed on the holder of a credit card, ATM card or other such item. Persons who intentionally or negligently disclose their private keys, with or without fraudulent intent, should be held to a higher standard than those responsible for an involuntary disclosure.

If a private key is compromised, and a certificate has been issued listing the corresponding public key, the appropriate corrective action is to revoke the certificate or to suspend the certificate without delay until revocation or other corrective action can be taken.

40. Initiating Suspension or Revocation. A subscriber who has accepted a certificate shall as soon as possible notify the issuing certification authority and request said authority to suspend or revoke the certificate if the private key corresponding to the public key listed in the certificate has been compromised.

Source: Singapore Electronic Transactions Act § 40.