DIGITAL SIGNATURE BILL 1997
- MALAYSIA
A Bill intituled An Act to make provision
for, and to regulate the use of, digital signatures and to
provide for matters connected therewith.
PART 1
PRELIMINARY
1. Short title and commencement
This Act may be cited as the Digital Signature
Act 1997 and shall come into force on a date to be appointed
by the Minister by notification in the Gazette, and the Minister
may appoint different dates for different provisions of this
Act.
2. Interpretation
(1) In this Act, unless the context otherwise
requires-
“accept a certificate" means-
(a) to manifest approval of a certificate,
while knowing or having notice of its contents; or
(b) to apply to a licensed certification authority for a certificate,
without revoking the application by delivering notice of the
revocation to the licensed certification authority, and obtaining
a signed, written receipt from the licensed certification
authority, if the licensed certification authority subsequently
issues a certificate based on the application;
“asymmetric cryptosystem" means
an algorithm or series of algorithms which provide a secure
key pair;
"authorised officer" means an officer
authorised under section 75;
“certificate" means a computer-based
record which-
(a) identifies the certification authority
issuing it;
(b) names or identifies its subscriber;
(c) contains the subscriber's public key; and
(d) is digitally signed by the certification authority issuing
it;
“certification authority" means
a person who issues a certificate;
“certification authority disclosure
record" means an on-line and publicly accessible record
which concerns a licensed certification authority which is
kept by the Controller under subsection 3(5);
"certification practice statement"
means a declaration of the practices which a certification
authority employs in issuing certificates generally, or employed
in issuing a particular certificate;
“ certify" means to declare with
reference to a certificate, with ample opportunity to reflect,
and with a duty to apprise oneself of all material facts;
“confirm" means to ascertain through
diligent inquiry and investigation;
"Controller" means the Controller
of Certification Authorities appointed under section 3;
“correspond", with reference to
keys, means to belong to the same key pair;
"digital signature" means a transformation
of a message using an asymmetric cryptosystem such that a
person having the initial message and the signer's public
key can accurately determine-
(a) whether the transformation was created
using the private key that corresponds to the signer's public
key; and
(b) whether the message has been altered since the transformation
was made;
"forge a digital signature" means-
(a) to create a digital signature without
the authorisation of the rightful holder of the private key;
or
(b) to create a digital signature verifiable by a certificate
listing as subscriber a person who either does not exist or
does not hold the private key corresponding to the public
key listed in the certificate;
"hold a private key" means to be
able to utilise a private key;
"incorporate by reference" means
to make one message a part of another message by identifying
the message to be incorporated and expressing the intention
that it be incorporated;
"issue a certificate" means the
act of a certification authority in creating a certificate
and notifying the subscriber listed in the certificate of
the contents of the certificate;
"key pair" means a private key
and its corresponding public key in an asymmetric cryptosystem,
where the public key can verify a digital signature that the
private key creates;
"licensed certification authority"
means a certification authority to whom a licence has been
issued by the Controller and whose licence is in effect;
“message" means a digital representation
of information;
"notify" means to communicate a
fact to another person in a manner reasonably likely under
the circumstances to impart knowledge of the information to
the other person;
“person" means a natural person
or a body of persons, corporate or unincorporate, capable
of signing a document, either legally or as a matter of fact;
"prescribed" means prescribed by
or under this Act or any regulations made under this Act;
“private key" means the key of
a key pair used to create a digital signature;
“public key" means the key of
a key pair used to verify a digital signature;
"publish" means to record or file
in a repository;
"qualified certification authority"
means a certification authority that satisfies the requirements
under section 5;
“recipient" means a person who
receives or has a digital signature and is in a position to
rely on it;
"recognised date/time stamp service"
means a date/time stamp service recognised by the Controller
under section 70;
"recognised repository" means a
repository recognised by the Controller under section 68;
"recommended reliance limit" means
the monetary amount recommended for reliance on a certificate
under section 60;
“repository" means a system for
storing and retrieving certificates and other information
relevant to digital signatures;
“revoke a certificate" means.
to make a certificate ineffective permanently from a specified
time forward;
“rightfully hold a private key"
means to be able to utilise a private key-
(a) which the holder or the holder's agents
have not disclosed to any person in contravention of this
Act; and
(b) which the holder has not obtained through theft, deceit,
eavesdropping or other unlawful means;
"subscriber" means a person who-
(a) is the subject listed in a certificate;
(b) accepts the certificate; and
(c) holds a private key which corresponds to a public key
listed in that certificate;
"suspend a certificate" means to
make a certificate ineffective temporarily for a specified
time forward;
"this Act" includes any regulations
made under this Act;
"time-stamp" means-
(a) to append or attach to a message, digital
signature or certificate a digitally signed notation indicating
at least the date, time and identity of the person appending
or attaching the notation; or
(b) the notation so appended or attached;
"transactional certificate" means
a certificate, incorporating by reference one or more digital
signatures, issued and valid for a specific transaction;
"trustworthy system" means computer
hardware and software which-
(a) are reasonably secure from intrusion
and misuse;
(b) provide a reasonable level of availability, reliability
and correct operation; and
(c) are reasonably suited to performing their intended functions;
"valid certificate" means a certificate
which-
(a) a licensed certification authority has
issued;
(b) has been accepted by the subscriber listed in it;
(c) has not been revoked or suspended; and
(d) has not expired:
Provided that a transactional certificate
is a valid certificate only in relation to the digital signature
incorporated in it by reference;
"verify a digital signature" means,
in relation to a given digital signature, message and public
key, to determine accurately that-
(a) the digital signature was created by
the private key corresponding to the public key; and
(b) the message has not been altered since its digital signature
was created;
“writing" or "written"
includes any handwriting, typewriting, printing, electronic
storage or transmission, or any other method of recording
information or fixing information in a form capable of being
preserved.
(2) For the purposes of this Act, a certificate
shall be revoked by making a notation to that effect on the
certificate or by including the certificate in a set of revoked
certificates.
(3) The revocation of a certificate does
not mean that it is destroyed or made illegible.
PART II
CONTROLLER OF CERTIFICATION AUTHORITIES AND THE LICENSING
OF CERTIFICATION AUTHORITIES
3. Appointment of Controller
(1) The Minister shall appoint a Controller
of Certification Authorities for the purposes of this Act,
in particular for the purpose of monitoring and overseeing
the activities of certification authorities.
(2) The Controller shall exercise, discharge
and perform the powers, duties and functions conferred on
the Controller under this Act.
(3) The Controller may, after consultation
with the Minister, appoint such number of officers and servants
as the Controller considers necessary to exercise and perform
all or any of the powers and duties of the Controller under
this Act except the powers delegated to the Controller under
subsection 4(4).
(4) The Controller and all officers and servants
appointed by the Controller under subsection (3) shall exercise
their powers under this Act subject to such directions as
to general policy and orders as may be given or made by the
Minister.
(5) The Controller shall maintain a publicly
accessible data base containing a certification authority
disclosure record for each licensed certification authority
which shall contain all the particulars required under the
regulations made under this Act.
(6) The Controller shall publish the contents
of the data base in at least one recognised repository.
4. Certification authorities to be licensed
(1) No person shall carry on or operate,
or hold himself out as carrying on or operating, as a certification
authority unless that person holds a valid licence issued
under this Act.
(2) A person who contravenes subsection (1)
commits an offence and shall, on conviction, be liable to
a fine not exceeding five hundred thousand ringgit or to imprisonment
for a term not exceeding ten years or to both, and in the
case of a continuing offence shall in addition be liable to
a daily fine not exceeding five thousand ringgit for each
day the offence continues to be committed.
(3) The Minister may, on an application in
writing being made in accordance with this Act, exempt-
(a) a person operating as a certification
authority within an organisation where certificates and key
pairs are issued to members of the organisation for internal
use only; and
(b) such other person or class of persons as the Minister
considers fit, from the requirements of this section.
(4) The Minister may delegate his powers
under subsection (3) to the Controller and such powers may
be exercised by the Controller in the name and on behalf of
the Minister.
(5) A delegation under subsection (4) shall
not preclude the Minister himself from exercising at any time
the powers so delegated.
(6) The liability limits specified in Chapter
8 of Part IV shall not apply to an exempted certification
authority and Part V shall not apply in relation to a digital
signature verified by a certificate issued by an exempted
certification authority.
5. Qualifications of certification authorities
(1) The Minister shall, by regulations made
under this Act, prescribe the qualification requirements for
certification authorities.
(2) The Minister may at any time vary or
amend the qualification requirements prescribed under subsection
(1) provided that any such variation or amendment shall not
be applied to a certification authority holding a valid licence
under this Act until the expiry of that licence.
6. Functions of licensed certification authorities
(1) The function of a licensed certification
authority shall be to issue a certificate to a subscriber
upon application and upon satisfaction of the licensed certification
authority's requirements as to the identity of the subscriber
to be listed in the certificate and upon payment of the prescribed
fees and charges.
(2) The licensed certification authority
shall, before issuing any certificate under this Act, take
all reasonable measures to check for proper identification
of the subscriber to be listed in the certificate.
(3) The licensed certification authority
shall, on the issuance of any certificate under this Act,
cause the application for the certificate to be certified
by a notary public duly appointed under the Notaries Public
Act 1959.
7. Application for licence
(1) An application for the grant of a licence
under this Act shall be made in writing to the Controller
in such form as may be prescribed.
(2) Every application under subsection (1)
shall be accompanied by such documents or information as may
be prescribed and the Controller may, orally or in writing
at any time after receiving the application and before it
is determined, require the applicant to provide such additional
documents or information as may be considered necessary by
the Controller for the purposes of determining the suitability
of the applicant for the licence.
(3) Where any additional document or information
required under subsection (2) is not provided by the applicant
within the time specified in the requirement or any extension
thereof granted by the Controller, the application shall be
deemed to be withdrawn and shall not be further proceeded
with, without prejudice to a fresh application being made
by the applicant.
8. Grant or refusal of licence
(1) The Controller shall, on an application
having been duly made in accordance with section 7 and after
being provided with all such documents and information as
he may require, consider the application, and where he is
satisfied that the applicant is a qualified certification
authority and a suitable licensee, and upon payment of the
prescribed fee, grant the licence with or without conditions,
or refuse to grant a licence.
(2) Every licence granted under subsection
(1) shall set out the duration of the licence and the licence
number.
(3) The terms and conditions imposed under
the licence may at any time be varied or amended by the Controller
provided that the licensee is given a reasonable opportunity
of being heard.
(4) Where the Controller refuses to grant
a licence, he shall immediately notify the applicant in writing
of his refusal.
9. Revocation of licence
(1) The Controller may revoke a licence granted
under section 8 if he is satisfied that-
(a) the licensed certification authority
has failed to comply with any obligation imposed upon it by
or under this Act;
(b) the licensed certification authority has contravened any
condition imposed under the licence, any provision of this
Act or any other written law, regardless that there has been
no prosecution for an offence in respect of such contravention;
(c) the licensed certification authority has, either in connection
with the application for the licence or at any time after
the grant of the licence, provided the Controller with false,
misleading or inaccurate information or a document or declaration
made by or on behalf of the licensed certification authority
or by or on behalf of any person who is or is to be a director,
controller or manager of the licensed certification authority
which is false, misleading or inaccurate;
(d) the licensed certification authority is carrying on its
business in a manner which is prejudicial to the interest
of the public or to the national economy;
(e) the licensed certification authority has insufficient
assets to meet its liabilities;
(f) a winding up order has been made against the licensed
certification authority or a resolution for its voluntary
winding-up has been passed;
(g) the licensed certification authority or any of its officers
holding a managerial or an executive position has been convicted
of any offence involving dishonesty, fraud or moral turpitude;
(h) the licensed certification authority or its director,
controller or manager has been convicted of any offence under
this Act; or
(i) the licensed certification authority has ceased to be
a qualified certification authority.
(2) Before revoking a licence, the Controller
shall give the licensed certification authority a notice in
writing of his intention to do so and require the licensed
certification authority to show cause within a period specified
in the notice as to why the licence should not be revoked.
(3) Where the Controller decides to revoke
the licence, he shall immediately inform the certification
authority concerned of his decision by a notice in writing.
(4) The revocation of a licence shall take
effect-
(a) where there is no appeal against such
revocation, on the expiration of fourteen days from the date
on which the notice of revocation is served on the licensed
certification authority; or
(b) where there is an appeal against such revocation, when
the revocation is confirmed by the Minister.
(5) Where an appeal has been made against
the revocation of a licence, the certification authority whose
licence has been so revoked shall not issue any certificates
until the appeal has been disposed of and the revocation has
been set aside by the Minister but nothing in this subsection
shall prevent the certification authority from fulfilling
its other obligations to its subscribers during such period.
(6) A person who contravenes subsection (5)
commits an offence and shall, on conviction, be liable to
a fine not exceeding five hundred thousand ringgit or to imprisonment
for a term not exceeding ten years or to both.
(7) Where the revocation of a licence has
taken effect, the Controller shall, as soon as practicable,
cause such revocation to be published in the certification
authority disclosure record he maintains for the certification
authority concerned and advertised in at least one national
language and one English language national daily newspaper
for at least three consecutive days.
(8) Any delay or failure in publishing or
advertising such notice of revocation shall not in any manner
affect the validity of the revocation.
10. Appeal
(1) Any person who is aggrieved by-
(a) the refusal of the Controller to license
any certification authority under section 8 or to renew any
such licence under section 17; or
(b) the revocation of any licence under section 9,
may appeal in writing to the Minister within
fourteen days from the date on which the notice of refusal
or revocation is served on that person.
(2) The decision of the Minister under this
section shall be final and conclusive.
11. Surrender of licence
(1) A licensed certification authority may
surrender its licence by forwarding it to the Controller with
a written notice of its surrender.
(2) The surrender shall take effect on the
date the Controller receives the licence and the notice under
subsection (1), or where a later date is specified in the
notice, on that date.
(3) The licensed certification authority
shall, not later than fourteen days after the date referred
to in subsection (2), cause such surrender to be published
in the certification authority disclosure record of the certification
authority concerned and advertised in at least one national
language and one English language national daily newspaper
for at least three consecutive days.
12. Effect of revocation, surrender or expiry
of licence
(1) Where the revocation of a licence under
section 9 or its surrender under section 11 has taken effect,
or where the licence has expired, the licensed certification
authority shall immediately cease to carry on or operate any
business in respect of which the licence was granted.
(2) Notwithstanding subsection (1), the Minister
may, on the recommendation of the Controller, authorise the
licensed certification authority in writing to carry on its
business for such duration as the Minister may specify in
the authorisation for the purpose of winding up its affairs.
(3) Notwithstanding subsection (1), a licensed
certification authority whose licence has expired shall be
entitled to carry on its business as if its licence had not
expired upon proof being submitted to the Controller that
the licensed certification authority has applied for a renewal
of the licence and that such application is pending determination.
(4) A person who contravenes subsection (1)
commits an offence and shall, on conviction, be liable to
a fine not exceeding five hundred thousand ringgit or to imprisonment
for a term not exceeding ten years or to both, and in the
case of a continuing offence shall in addition be liable to
a daily fine not exceeding five thousand ringgit for each
day the offence continues to be committed.
(5) Without prejudice to the Controller's
powers under section 33, the revocation of a licence under
section 9 or its surrender under section 11 or its expiry
shall not affect the validity or effect of any certificate
issued by the certification authority concerned before such
revocation, surrender or expiry.
(6) For the purposes of subsection (5), the
Controller shall appoint another licensed certification authority
to take over the certificates issued by the certification
authority whose licence has been revoked or surrendered or
has expired and such certificates shall, to the extent that
they comply with the requirements of the appointed licensed
certification authority, be deemed to have been issued by
that licensed certification authority.
(7) Nothing in subsection (6) shall preclude
the appointed licensed certification authority from requiring
the subscriber to comply with its requirements in relation
to the issuance of certificates or from issuing a new certificate
to the subscriber for the unexpired period of the original
certificate provided that any additional fees or charges to
be imposed shall only be imposed with the prior written approval
of the Controller.
(8) Where the Controller has appointed a
licensed certification authority to take over the certificates
of a certification authority under subsection (6), the certification
authority shall pay to the appointed licensed certification
authority such part of the prescribed fee paid by the subscribers
to it as the Controller may determine.
13. Effect of lack of licence
(1) The liability limits specified in Chapter
8 of Part IV shall not apply to unlicensed certification authorities.
(2) Part V shall not apply in relation to
a digital signature which cannot be verified by a certificate
issued by a licensed certification authority.
(3) In any other case, unless the parties
expressly provide otherwise by contract between themselves,
the licensing requirements under this Act shall not affect
the effectiveness, enforceability or validity of any digital
signature.
14. Return of licence
(1) Where the revocation of a licence under
section 9 has taken effect, or where the licence has expired
and no application for its renewal has been submitted within
the period specified or where an application for renewal has
been refused under section 17, the licensed certification
authority shall within fourteen days return the licence to
the Controller.
(2) A person who contravenes subsection (1)
commits an offence and shall, on conviction, be liable to
a fine not exceeding five hundred thousand ringgit or to imprisonment
for a term not exceeding ten years or to both, and in the
case of a continuing offence shall in addition be liable to
a daily fine not exceeding five thousand ringgit for each
day the offence continues to be committed, and the court shall
retain the licence and forward it to the Controller.
15. Restricted licence
(1) The Controller may classify licences
according to specified limitations including-
(a) maximum number of outstanding certificates;
(b) cumulative maximum of recommended reliance limits in certificates
issued by the licensed certification authority; and
(c) issuance only within a single firm or organisation.
(2) The Controller may issue licences restricted
according to the limits of each classification.
(3) A licensed certification authority that
issues a certificate exceeding the restrictions of its licence
commits an offence.
(4) Where a licensed certification authority
issues a certificate exceeding the restrictions of its licence,
the liability limits specified in Chapter 8 of Part IV shall
not apply to the licensed certification authority in relation
to that certificate.
(5) Nothing in subsection (3) or (4) shall
affect the validity or effect of the issued certificate.
16. Restriction on use of expression "certification
authority"
Except with the written consent of the Controller,
no person, not being a licensed certification authority, shall
assume or use the expressions "certification authority"
or "licensed certification authority", as the case
may be, or any derivative of these expressions in any language,
or any other words in any language capable of being construed
as indicating the carrying on or operation of such business,
in relation to the business or any part of the business carried
on by such person, or make any representation to such effect
in any bill head, letter, paper, notice, advertisement or
in any other manner.
17. Renewal of licence
(1) Every licensed certification authority
shall submit an application to the Controller in such form
as may be prescribed for the renewal of its licence at least
thirty, but not more than sixty, days before the date of expiry
of the licence and such application shall be accompanied by
such documents and information as may be required by the Controller.
(2) The prescribed fee shall be payable upon
approval of the application.
(3) If any licensed certification authority
has no intention of renewing its licence, the licensed certification
authority shall, at least thirty days before the expiry of
the licence, publish such intention in the certification authority
disclosure record of the certification authority concerned
and advertise such intention in at least one national language
and one English language national daily newspaper for at least
three consecutive days.
(4) Without prejudice to any other grounds,
the Controller may refuse to renew a licence where the requirements
of subsection (1) have not been complied with.
18. Lost licence
(1) Where a licensed certification authority
has lost its licence, it shall immediately notify the Controller
in writing of the loss.
(2) The licensed certification authority
shall, as soon as practicable, submit an application for a
replacement licence accompanied by all such information and
documents as may be required by the Controller together with
the prescribed fee.
19. Recognition of other licences
(1) The Controller may recognise, by order
published in the Gazette, certification authorities licensed
or otherwise authorised by governmental entities outside Malaysia
that satisfy the prescribed requirements.
(2) Where a licence or other authorisation
of a governmental entity is recognised under subsection (1)-
(a) the recommended reliance limit, if any,
specified in a certificate issued by the certification authority
licensed or otherwise authorised by the governmental entity
shall have effect in the same manner as a recommended reliance
limit specified in a certificate issued by a licensed certification
authority of Malaysia; and
(b) Part V shall apply to the certificates issued by the certification
authority licensed or otherwise authorised by the governmental
entity in the same manner as it applies to a certificate issued
by a licensed certification authority of Malaysia.
20. Performance audit
(1) The operations of a licensed certification
authority shall be audited at least once a year to evaluate
its compliance with this Act.
(2) The audit shall be carried out by a certified
public accountant having expertise in computer security or
by an accredited computer security professional.
(3) The qualifications of the auditors and
the procedure for an audit shall be as may be prescribed by
regulations made under this Act.
(4) The Controller shall publish in the certification
authority disclosure record he maintains for the licensed
certification authority concerned the date and result of the
audit.
21. Exemption from performance audit
(1) The Controller may exempt a licensed
certification authority from the requirements of section 20
if-
(a) the licensed certification authority
requests in writing for exemption;
(b) the most recent performance audit, if any, of the licensed
certification authority resulted in a finding of full or substantial
compliance with this Act; and
(c) the licensed certification authority declares under oath
or affirmation that one or more of the following is true with
respect to the licensed certification authority:
(i) the licensed certification authority
has issued fewer than six certificates during the past year
and the total of the recommended reliance limits of all such
certificates does not exceed twenty-five thousand ringgit;
(ii) the aggregate lifetime of all certificates issued by
the licensed certification authority during the past year
is less than thirty days and the total of the recommended
reliance limits of all such certificates does not exceed twenty-five
thousand ringgit;
(iii) the recommended reliance limits of all certificates
outstanding and issued by the licensed certification authority
total less than two thousand five hundred ringgit.
(2) Where the licensed certification authority's
declaration under paragraph (1)(c) falsely states a material
fact, the licensed certification authority shall be deemed
to have failed to comply with the performance audit requirement
under section 20.
(3) Where a licensed certification authority
is exempted under subsection (1), the Controller shall publish
in the certification authority disclosure record he maintains
for the licensed certification authority concerned a statement
that the licensed certification authority is exempted from
the performance audit requirement under section 20.
PART III
REQUIREMENTS OF LICENSED CERTIFICATION AUTHORITIES
22. Activities of licensed certification
authorities
(1) A licensed certification authority shall
only carry on such activities as may be specified in its licence.
(2) A licensed certification authority shall
carry on its activities in accordance with this Act and any
regulations made under this Act.
23. Requirement to display licence
A licensed certification authority shall at all times display
its licence in a conspicuous place at its place of business.
24. Requirement to submit information and
particulars relating to business operations
(1) A licensed certification authority shall
submit to the Controller such information and particulars
including financial statements, audited balance sheets and
profit and loss accounts relating to its entire business operations
as may be required by the Controller within such time as he
may determine.
(2) A person who contravenes subsection (1)
commits an offence and shall, on conviction, be liable to
a fine not exceeding one hundred thousand ringgit or to imprisonment
for a term not exceeding two years or to both, and in the
case of a continuing offence shall in addition be liable to
a daily fine not exceeding two thousand ringgit for each day
the offence continues to be committed.
25. Notification of change of information
(1) Every licensed certification authority
shall, before making any amendment or alteration to any of
its constituent documents, or before any change in its director
or chief executive officer, furnish the Controller particulars
in writing of any such proposed amendment, alteration or change.
(2) Every licensed certification authority
shall immediately notify the Controller of any amendment or
alteration to any information or document which has been furnished
to the Controller in connection with the licence.
26. Requirements as to advertisement
A licensed certification authority shall not publish, whether
in a newspaper, brochure or otherwise, any advertisement or
information relating to or in connection with the business
of a certification authority without including-
(a) the licence number;
(b) the business name under which it carries on business and
the address at which such business is carried on; and
(c) any other particulars relating to any services offered
as the Controller considers necessary.
PART IV
DUTIES OF LICENSED CERTIFICATION AUTHORITIES AND SUBSCRIBERS
CHAPTER 1
General requirements for licensed certification authorities
27. Use of trustworthy systems
(1) A licensed certification authority shall
only use a trustworthy system -
(a) to issue, suspend or revoke a certificate;
(b) to publish or give notice of the issuance, suspension
or revocation of a certificate; and
(c) to create a private key, whether for itself or for a subscriber.
(2) A subscriber shall only use a trustworthy
system to create a private key.
28. Disclosures on inquiry
(1) A licensed certification authority shall,
on an inquiry being made to it under this Act, disclose any
material certification practice statement and any fact material
to either the reliability of a certificate which it has issued
or its ability to perform its services.
(2) A licensed certification authority may
require a signed, written and reasonably specific inquiry
from an identified person, and payment of the prescribed fee,
as conditions precedent to effecting a disclosure required
under subsection (1).
29. Prerequisites to issuance of certificate
to subscriber
(1) A licensed certification authority may
issue a certificate to a subscriber only after all of the
following conditions are satisfied:
(a) the licensed certification authority
has received a request for issuance signed by the prospective
subscriber; and
(b) the licensed certification authority has confirmed that-
(i) the prospective subscriber is the person
to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or
more agents, the subscriber duly authorised the agent or agents
to have custody of the subscriber's private key and to request
issuance of a certificate listing the corresponding public
key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private
key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable
of creating a digital signature; and
(vi) the public key to be listed in the certificate can be
used to verify a digital signature affixed by the private
key held by the prospective subscriber.
(2) The requirements of subsection (1) shall
not be waived or disclaimed by the licensed certification
authority, the subscriber, or both.
30. Publication of issued and accepted certificate
(1) Where the subscriber accepts the issued
certificate, the licensed certification authority shall publish
a signed copy of the certificate in a recognised repository,
as the licensed certification authority and the subscriber
named in the certificate may agree, unless a contract between
the licensed certification authority and the subscriber provides
otherwise.
(2) Where the subscriber does not accept
the certificate, a licensed certification authority shall
not publish it, or shall cancel its publication if the certificate
has already been published.
31. Adoption of more rigorous requirements
permitted
Nothing in sections 29 and 30 shall preclude
a licensed certification authority from conforming to standards,
certification practice statements, security plans or contractual
requirements more rigorous than, but nevertheless consistent
with, this Act.
32. Suspension or revocation of certificate
for faulty issuance
(1) Where after issuing a certificate a licensed
certification authority confirms that it was not issued in
accordance with sections 29 and 30, the licensed certification
authority shall immediately revoke it.
(2) A licensed certification authority may
suspend a certificate which it has issued for a reasonable
period not exceeding forty-eight hours as may be necessary
for an investigation to be carried out to confirm the grounds
for a revocation under subsection (1).
(3) The licensed certification authority
shall immediately notify the subscriber of a revocation or
suspension under this section.
33. Suspension or revocation of certificate
by order
(1) The Controller may order the licensed
certification authority to suspend or revoke a certificate
issued by it where the Controller determines that-
(a) the certificate was issued without compliance
with sections 29 and 30; and
(b) the non-compliance poses a significant risk to persons
reasonably relying on the certificate.
(2) Before making a determination under subsection
(1), the Controller shall give the licensed certification
authority and the subscriber a reasonable opportunity of being
heard.
(3) Notwithstanding subsections (1) and (2),
where in the opinion of the Controller there exists an emergency
that requires an immediate remedy, the Controller may, after
consultation with the Minister, suspend a certificate for
a period not exceeding forty-eight hours.
CHAPTER 2
Warranties and obligations of licensed certification authorities
34. Warranties to subscriber
(1) By issuing a certificate, a licensed
certification authority warrants to the subscriber named in
the certificate that-
(a) the certificate contains no information
known to the licensed certification authority to be false;
(b) the certificate satisfies all the requirements of this
Act; and
(c) the licensed certification authority has not exceeded
any limits of its licence in issuing the certificate.
(2) A licensed certification authority shall
not disclaim or limit the warranties under subsection (1).
35. Continuing obligations to subscriber.
Unless the subscriber and licensed certification
authority otherwise agree, a licensed certification authority,
by issuing a certificate, promises to the subscriber-
(a) to act promptly to suspend or revoke
a certificate in accordance with Chapter 5 or 6; and
(b) to notify the subscriber within a reasonable time of any
facts known to the licensed certification authority which
significantly affect the validity or reliability of the certificate
once it is issued.
36. Representations upon issuance
By issuing a certificate, a licensed certification
authority certifies to all who reasonably rely on the information
contained in the certificate that-
(a) the information in the certificate and
listed as confirmed by the licensed certification authority
is accurate;
(b) all information foreseeably material to the reliability
of the certificate is stated or incorporated by reference
within the certificate;
(c) the subscriber has accepted the certificate; and
(d) the licensed certification authority has complied with
all applicable laws governing the issuance of the certificate.
37. Representations upon publication
By publishing a certificate, a licensed certification
authority certifies to the repository in which the certificate
is published and to all who reasonably rely on the information
contained in the certificate that the licensed certification
authority has issued the certificate to the subscriber.
CHAPTER 3
Representations and duties upon acceptance of certificate
38. Implied representations by subscriber.
By accepting a certificate issued by a licensed
certification authority, the subscriber listed in the certificate
certifies to all who reasonably rely on the information contained
in the certificate that-
(a) the subscriber rightfully holds the private
key corresponding to the public key listed in the certificate;
(b) all representations made by the subscriber to the licensed
certification authority and material to information listed
in the certificate are true; and
(c) all material representations made by the subscriber to
a licensed certification authority or made in the certificate
and not confirmed by the licensed certification authority
in issuing the certificate are true.
39. Representations by agent of subscriber
By requesting on behalf of a principal the
issuance of a certificate naming the principal as subscriber,
the requesting person certifies in that person's own right
to all who reasonably rely on the information contained in
the certificate that the requesting person-
(a) holds all authority legally required
to apply for issuance of a certificate naming the principal
as subscriber; and
(b) has authority to sign digitally on behalf of the principal,
and, if that authority is limited in any way, adequate safeguards
exist to prevent a digital signature exceeding the bounds
of the person's authority.
40. Disclaimer or indemnity limited
No person may disclaim or contractually limit
the application of this Chapter, nor obtain indemnity for
its effects, if the disclaimer, limitation or indemnity restricts
liability for misrepresentation as against persons reasonably
relying on the certificate.
41. Indemnification of licensed certification
authority by subscriber
(1) By accepting a certificate, a subscriber
undertakes to indemnify the issuing licensed certification
authority for any loss or damage caused by issuance or publication
of the certificate in reliance on-
(a) a false and material representation of
fact by the subscriber; or
(b) the failure by the subscriber to disclose a material fact,
if the representation or failure to disclose was made either
with intent to deceive the licensed certification authority
or a person relying on the certificate, or with negligence.
(2) Where the licensed certification authority
issued the certificate at the request of one or more agents
of the subscriber, the agent or agents personally undertake
to indemnify the licensed certification authority under this
section, as if they were accepting subscribers in their own
right.
(3) The indemnity provided in this section
shall not be disclaimed or contractually limited in scope.
42. Certification of accuracy of information
given
In obtaining information of the subscriber
material to the issuance of a certificate, the licensed certification
authority may require the subscriber to certify the accuracy
of relevant information under oath or affirmation.
CHAPTER 4
Control of private key
43. Duty of subscriber to keep private key
secure
By accepting a certificate issued by a licensed
certification authority, the subscriber named in the certificate
assumes a duty to exercise reasonable care to retain control
of the private key and prevent its disclosure to any person
not authorised to create the subscriber's digital signature.
44. Property in private key
A private key is the personal property of
the subscriber who rightfully holds it.
45. Licensed certification authority to be
fiduciary if holding subscriber's private key
Where a licensed certification authority
holds the private key corresponding to a public key listed
in a certificate which it has issued, the licensed certification
authority shall hold the private key as a fiduciary of the
subscriber named in the certificate, and may use that private
key only with the subscriber's prior written approval, unless
the subscriber expressly and in writing grants the private
key to the licensed certification authority and expressly
and in writing permits the licensed certification authority
to hold the private key according to other terms.
CHAPTER 5
Suspension of certificate
46. Suspension of certificate by issuing
licensed certification authority
(1) Unless the licensed certification authority
and the subscriber agree otherwise, the licensed certification
authority which issued a certificate, which is not a transactional
certificate, shall suspend the certificate for a period not
exceeding forty-eight hours-
(a) upon request by a person identifying
himself as the subscriber named in the certificate, or as
a person in a position likely to know of a compromise of the
security of a subscriber's private key, such as an agent,
business associate, employee or member of the immediate family
of the subscriber; or
(b) by order of the Controller under section 33.
(2) The licensed certification authority
shall take reasonable measures to check the identity or agency
of the person requesting suspension.
47. Suspension of certificate by Controller
or court
(1) Unless the certificate provides otherwise
or the certificate is a transactional certificate, the Controller
or a court may suspend a certificate issued by a licensed
certification authority for a period of forty-eight hours,
if-
(a) a person identifying himself as the subscriber
named in the certificate or as an agent, business associate,
employee or member of the immediate family of the subscriber
requests suspension; and
(b) the requester represents that the licensed certification
authority which issued the certificate is unavailable.
(2) The Controller or court may require the
person requesting suspension to provide evidence, including
a statement under oath or affirmation regarding his identity
and authorisation, and the unavailability of the issuing licensed
certification authority, and may decline to suspend the certificate
in his or its discretion.
(3) The Controller or other law enforcement
agency may investigate suspensions by the Controller or court
for possible wrongdoing by persons requesting suspension.
48. Notice of suspension
(1) Immediately upon suspension of a certificate
by a licensed certification authority, the licensed certification
authority shall publish a signed notice of the suspension
in the repository specified in the certificate for publication
of notice of suspension.
(2) Where one or more repositories are specified,
the licensed certification authority shall publish signed
notices of the suspension in all such repositories.
(3) Where any repository specified no longer
exists or refuses to accept publication, or if no such repository
is recognised under section 68, the licensed certification
authority shall also publish the notice in a recognised repository.
(4) Where a certificate is suspended by the
Controller or a court, the Controller or court shall give
notice as required in this section for a licensed certification
authority provided that the person requesting suspension pays
in advance any prescribed fee required by a repository for
publication of the notice of suspension.
49. Termination of suspension initiated by
request.
A licensed certification authority shall
terminate a suspension initiated by request-
(a) where the subscriber named in the suspended
certificate requests termination of the suspension, only if
the licensed certification authority has confirmed that the
person requesting suspension is the subscriber or an agent
of the subscriber authorised to terminate the suspension;
or
(b) where the licensed certification authority discovers and
confirms that the request for the suspension was made without
authorisation by the subscriber.
50. Alternate contractual procedures
(1) The contract between a subscriber and
a licensed certification authority may limit or preclude requested
suspension by the licensed certification authority or may
provide otherwise for termination of a requested suspension.
(2) Where the contract limits or precludes
suspension by the Controller or a court when the issuing licensed
certification authority is unavailable, the limitation or
preclusion shall be effective only if notice of it is published
in the certificate.
51. Prohibition against false or unauthorised
request for suspension of certificate
No person shall knowingly or intentionally
misrepresent to a licensed certification authority his identity
or authorisation in requesting suspension of a certificate.
52. Effect of suspension of certificate
Nothing in this Chapter shall release the
subscriber from the duty under section 43 to keep the private
key secure while a certificate is suspended.
CHAPTER 6
Revocation of certificate
53. Revocation on request
(1) A licensed certification authority shall
revoke a certificate which it issued but which is not a transactional
certificate-
(a) upon receiving a request for revocation
by the subscriber named in the certificate; and
(b) upon confirming that the person requesting revocation
is that subscriber or is an agent of that subscriber with
authority to request the revocation.
(2) A licensed certification authority shall
confirm a request for revocation and revoke a certificate
within one business day after receiving both a subscriber's
written request and evidence reasonably sufficient to confirm
the identity of the person requesting the revocation or of
the agent.
54. Revocation on subscriber's demise
A licensed certification authority shall
revoke a certificate which it issued-
(a) upon receiving a certified copy of the
subscriber's death certificate or upon confirming by other
evidence that the subscriber is dead; or
(b) upon presentation of documents effecting a dissolution
of the subscriber or upon confirming by other evidence that
the subscriber has been dissolved or has ceased to exist.
55. Revocation of unreliable certificates
(1) A licensed certification authority may
revoke one or more certificates which it issued if the certificates
are or become unreliable regardless of whether the subscriber
consents to the revocation and notwithstanding any provision
to the contrary in a contract between the subscriber and the
licensed certification authority.
(2) Nothing in subsection (1) shall prevent
the subscriber from seeking damages or other relief against
the licensed certification authority in the event of wrongful
revocation.
56. Notice of revocation
(1) Immediately upon revocation of a certificate
by a licensed certification authority, the licensed certification
authority shall publish a signed notice of the revocation
in the repository specified in the certificate for publication
of notice of revocation.
(2) Where one or more repositories are specified,
the licensed certification authority shall publish signed
notices of the revocation in all such repositories.
(3) Where any repository specified no longer
exists or refuses to accept publication, or if no such repository
is recognised under section 68, the licensed certification
authority shall also publish the notice in a recognised repository.
57. Effect of revocation request on subscriber
Where a subscriber has requested for the
revocation of a certificate, the subscriber ceases to certify
as provided in Chapter 3 and has no further duty to keep the
private key secure as required under section 43 -
(a) when notice of the revocation is published
as required under section 56; or
(b) when two business days have lapsed after the subscriber
requests for the revocation in writing, supplies to the issuing
licensed certification authority information reasonably sufficient
to confirm the request, and pays any prescribed fee, whichever
occurs first.
58. Effect of notification on licensed certification
authority
Upon notification as required under section
56, a licensed certification authority shall be discharged
of its warranties based on issuance of the revoked certificate
and ceases to certify as provided in sections 35 and 36 in
relation to the revoked certificate.
CHAPTER 7
Expiration of certificate
59. Expiration of certificate
(1) The date of expiry of a certificate shall
be specified in the certificate.
(2) A certificate may be issued for any period
not exceeding three years from the date of issuance.
(3) When a certificate expires, the subscriber
and licensed certification authority shall cease to certify
as provided under this Act and the licensed certification
authority shall be discharged of its duties based on issuance
in relation to the expired certificate.
(4) The expiry of a certificate shall not
affect the duties and obligations of the subscriber and licensed
certification authority incurred under and in relation to
the expired certificate.
CHAPTER 8
Recommended reliance limits and liability
60. Recommended reliance limit
(1) A licensed certification authority shall,
in issuing a certificate to a subscriber, specify a recommended
reliance limit in the certificate.
(2) The licensed certification authority
may specify different limits in different certificates as
it considers fit.
61. Liability limits for licensed certification authorities
Unless a licensed certification authority waives
the application of this section, a licensed certification
authority-
(a) shall not be liable for any loss caused
by reliance on a false or forged digital signature of a subscriber,
if, with respect to the false or forged digital signature,
the licensed certification authority complied with the requirements
of this Act;
(b) shall not be liable in excess of the amount specified
in the certificate as its recommended reliance limit for either-
(i) a loss caused by reliance on a misrepresentation
in the certificate of any fact that the licensed certification
authority is required to confirm; or
(ii) failure to comply with sections 29 and 30 in issuing
the certificate; and
(c) shall not be liable for-
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering.
PART V
EFFECT OF DIGITAL SIGNATURE
62. Satisfaction of signature requirements
(1) Where a rule of law requires a signature
or provides for certain consequences in the absence of a signature,
that rule shall be satisfied by a digital signature where-
(a) that digital signature is verified by
reference to the public key listed in a valid certificate
issued by a licensed certification authority;
(b) that digital signature was affixed by the signer with
the intention of signing the message; and
(c) the recipient has no knowledge or notice that the signer-
(i) has breached a duty as a subscriber; or
(ii) does not rightfully hold the private key used to affix
the digital signature.
(2) Notwithstanding any written law to the
contrary-
(a) a document signed with a digital signature
in accordance with this Act shall be as legally binding as
a document signed with a handwritten signature, an affixed
thumb-print or any other mark; and
(b) a digital signature created in accordance with this Act
shall be deemed to be a legally binding signature.
(3) Nothing in this Act shall preclude any
symbol from being valid as a signature under any other applicable
law.
63. Unreliable digital signatures
(1) Unless otherwise provided by law or contract,
the recipient of a digital signature assumes the risk that
a digital signature is forged, if reliance on the digital
signature is not reasonable under the circumstances.
(2) Where the recipient determines not to
rely on a digital signature under this section, the recipient
shall promptly notify the signer of its determination not
to rely on a digital signature and the grounds for that determination.
64. Digitally signed document deemed to be
written document
(1) A message shall be as valid, enforceable
and effective as if it had been written on paper if-
(a) it bears in its entirety a digital signature; and
(b) that digital signature is verified by the public key listed
in a certificate which-
(i) was issued by a licensed certification
authority; and
(ii) was valid at the time the digital signature was created.
(2) Nothing in this Act shall preclude any
message, document or record from being considered written
or in writing under any other applicable law.
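The issuance prerequisites of section 29, the three-year ceiling of section 59, the verification conditions of sections 62(1)(a) and 64(1)(b), and the effect of published suspension and revocation notices (sections 46, 48 and 56) can be expressed as concrete checks. The Go program below is an added illustration and is not part of the Bill or of any Malaysian implementation of it: it uses Go's standard Ed25519 as the "asymmetric cryptosystem", and the `Certificate` and `Notice` layouts, the `Repository` type, the serial numbers, the "Example Licensed CA" and subscriber names and the dates are all constructed for this example. Identity confirmation under section 29(1)(b)(i)-(iii) and the recognised date/time stamp service of section 67(d) are treated as trusted inputs rather than modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Certificate is a toy stand-in for the record defined in section 2: it identifies the issuing
// CA, names the subscriber, carries the subscriber's public key and is digitally signed by the CA.
type Certificate struct {
	Serial, Issuer, Subscriber string
	PublicKey                  ed25519.PublicKey
	NotBefore, Expiry          time.Time // validity window (s. 59); layout is this example's assumption
	Signature                  []byte    // CA signature over tbs()
}

// tbs returns the to-be-signed bytes; a real certificate would use a canonical encoding such as DER.
func (c *Certificate) tbs() []byte {
	s := fmt.Sprintf("%s|%s|%s|%s|%s|", c.Serial, c.Issuer, c.Subscriber,
		c.NotBefore.UTC().Format(time.RFC3339), c.Expiry.UTC().Format(time.RFC3339))
	return append([]byte(s), c.PublicKey...)
}

const MaxValidity = 3 * 365 * 24 * time.Hour // s. 59(2): a certificate runs for at most three years

// Issue performs the part of s. 29(1) a CA can check cryptographically: the request is signed by
// the prospective subscriber and verifies under the public key to be listed, which shows the
// subscriber holds the matching private key (s. 29(1)(b)(iv)-(vi)). Identity checks are out of band.
func Issue(caName string, caKey ed25519.PrivateKey, serial, subscriber string, pub ed25519.PublicKey,
	request, requestSig []byte, now time.Time, validity time.Duration) (*Certificate, error) {
	if !ed25519.Verify(pub, request, requestSig) {
		return nil, errors.New("s. 29(1)(b)(iv)-(vi): request not signed by the key matching the listed public key")
	}
	if validity > MaxValidity {
		return nil, errors.New("s. 59(2): validity may not exceed three years")
	}
	c := &Certificate{Serial: serial, Issuer: caName, Subscriber: subscriber,
		PublicKey: pub, NotBefore: now, Expiry: now.Add(validity)}
	c.Signature = ed25519.Sign(caKey, c.tbs())
	return c, nil
}

// Notice is a published notice of suspension (s. 48) or revocation (s. 56).
type Notice struct {
	Kind        string    // "suspended" or "revoked"
	From, Until time.Time // Until ends a suspension (at most 48 hours, s. 46); unused for revocation
}

type Repository map[string][]Notice // recognised repository (s. 68): notices keyed by certificate serial

// StatusAt returns "suspended", "revoked" or "" (no adverse notice in force) at instant t.
func (r Repository) StatusAt(serial string, t time.Time) string {
	for _, n := range r[serial] {
		inForce := !t.Before(n.From) && (n.Kind == "revoked" || t.Before(n.Until))
		if inForce {
			return n.Kind
		}
	}
	return ""
}

// Verify applies the relying party's conditions in ss. 62(1)(a) and 64(1)(b): issued by a licensed
// CA, valid when the signature was created, and verifiable under the listed public key. signedAt is
// the time the signature is taken to have been created, e.g. from a date/time stamp (s. 67(d)).
func Verify(msg, sig []byte, c *Certificate, licensed map[string]ed25519.PublicKey, repo Repository, signedAt time.Time) error {
	caPub, ok := licensed[c.Issuer]
	if !ok {
		return errors.New("s. 64(1)(b)(i): issuer is not a licensed certification authority")
	}
	if !ed25519.Verify(caPub, c.tbs(), c.Signature) {
		return errors.New("s. 2: certificate is not digitally signed by the issuing CA")
	}
	if signedAt.Before(c.NotBefore) || !signedAt.Before(c.Expiry) {
		return errors.New("s. 64(1)(b)(ii): certificate outside its validity period at signing time")
	}
	if st := repo.StatusAt(c.Serial, signedAt); st != "" {
		return fmt.Errorf("s. 64(1)(b)(ii): certificate was %s at signing time", st)
	}
	if !ed25519.Verify(c.PublicKey, msg, sig) {
		return errors.New("s. 62(1)(a): signature does not verify under the listed public key")
	}
	return nil
}

func main() { // constructed demo: one licensed CA, one subscriber, a revocation notice on day 30
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subKey, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Date(2024, 1, 10, 9, 0, 0, 0, time.UTC)
	req := []byte("issue a certificate listing this public key")
	cert, err := Issue("Example Licensed CA", caKey, "0001", "Ali", subPub, req, ed25519.Sign(subKey, req), t0, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	licensed := map[string]ed25519.PublicKey{"Example Licensed CA": caPub}
	repo := Repository{"0001": {{Kind: "revoked", From: t0.Add(30 * 24 * time.Hour)}}}
	msg := []byte("I agree to the contract terms.")
	sig := ed25519.Sign(subKey, msg)
	fmt.Println("signed on day 1:", Verify(msg, sig, cert, licensed, repo, t0.Add(24*time.Hour)))
	fmt.Println("signed on day 31:", Verify(msg, sig, cert, licensed, repo, t0.Add(31*24*time.Hour)))
}
```

The two `Verify` calls in `main` show the point of section 64(1)(b)(ii): the same signature over the same message is accepted when the certificate was valid at the time of signing and refused once a revocation notice was in force at that time, which is why the time a signature was created (section 67(d)) matters as much as the signature itself.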
65. Digitally signed document deemed to be
original document.
A copy of a digitally signed message shall
be as valid, enforceable and effective as the original of
the message unless it is evident that the signer designated
an instance of the digitally signed message to be a unique
original, in which case only that instance constitutes the
valid, enforceable and effective message.
66. Authentication of digital signatures
A certificate issued by a licensed certification
authority shall be an acknowledgement of a digital signature
verified by reference to the public key listed in the certificate,
regardless of whether words of an express acknowledgement
appear with the digital signature and regardless of whether
the signer physically appeared before the licensed certification
authority when the digital signature was created, if that
digital signature is-
(a) verifiable by that certificate; and
(b) affixed when that certificate was valid.
67. Presumptions in adjudicating disputes
In adjudicating a dispute involving a digital
signature, a court shall presume-
(a) that a certificate digitally signed by
a licensed certification authority and-
(i) published in a recognised repository; or
(ii) made available by the issuing licensed certification
authority or by the subscriber listed in the certificate,
is issued by the licensed certification authority which digitally
signed it and is accepted by the subscriber listed in it;
(b) that the information listed in a valid
certificate and confirmed by a licensed certification authority
issuing the certificate is accurate;
(c) that where a digital signature is verified by the public
key listed in a valid certificate issued by a licensed certification
authority-
(i) that digital signature is the digital
signature of the subscriber listed in that certificate;
(ii) that digital signature was affixed by that subscriber
with the intention of signing the message; and
(iii) the recipient of that digital signature has no knowledge
or notice that the signer-
(A) has breached a duty as a subscriber; or
(B) does not rightfully hold the private key used to affix
the digital signature; and
(d) that a digital signature was created before it was time-stamped
by a recognised date/time stamp service utilising a trustworthy
system.
PART VI
REPOSITORIES AND DATE/TIME STAMP SERVICES
68. Recognition of repositories
(1) The Controller may recognise one or more
repositories, after determining that a repository to be recognised
satisfies the requirements prescribed in the regulations made
under this Act.
(2) The procedure for recognition of repositories
shall be as may be prescribed by regulations made under this
Act.
(3) The Controller shall publish a list of
recognised repositories in such form and manner as he may
determine.
69. Liability of repositories.
(1) Notwithstanding any disclaimer by the
repository or any contract to the contrary between the repository
and a licensed certification authority or a subscriber, a
repository shall be liable for a loss incurred by a person
reasonably relying on a digital signature verified by the
public key listed in a suspended or revoked certificate, if
loss was incurred more than one business day after receipt
by the repository of a request to publish notice of the suspension
or revocation, and the repository had failed to publish the
notice when the person relied on the digital signature.
(2) Unless waived, a recognised repository
or the owner or operator of a recognised repository-
(a) shall not be liable for failure to record
publication of a suspension or revocation, unless the repository
has received notice of publication and one business day has
elapsed since the notice was received;
(b) shall not be liable under subsection (1) in excess of
the amount specified in the certificate as the recommended
reliance limit;
(c) shall not be liable under subsection (1) for-
(i) punitive or exemplary damages; or
(ii) damages for pain or suffering;
(d) shall not be liable for misrepresentation in a certificate
published by a certification authority;
(e) shall not be liable for accurately recording or reporting
information which a licensed certification authority, a court
or the Controller has published as required or permitted under
this Act, including information about the suspension or revocation
of a certificate; and
(f) shall not be liable for reporting information about a
certification authority, a certificate or a subscriber, if
such information is published as required or permitted under
this Act or is published by order of the Controller in the
performance of his licensing and regulatory duties under this
Act.
70. Recognition of date/time stamp services
(1) The Controller may recognise one or more
date/time stamp services, after determining that a service
to be recognised satisfies the requirements prescribed in
the regulations made under this Act.
(2) The procedure for recognition of date/time
stamp services shall be as may be prescribed by regulations
made under this Act.
(3) The Controller shall publish a list of
recognised date/time stamp services in such form and manner
as he may determine.
PART VII
GENERAL
71. Prohibition against dangerous activities
(1) No certification authority, whether licensed
or not, shall conduct its business in a manner that creates
an unreasonable risk of loss to the subscribers of the certification
authority, to persons relying on certificates issued by the
certification authority or to a repository.
(2) The Controller may publish in one or
more recognised repositories brief statements advising subscribers,
persons relying on digital signatures and repositories about
any activities of a certification authority, whether licensed
or not, which create a risk prohibited under subsection (1).
(3) The certification authority named in
a statement as creating or causing a risk may protest the
publication of the statement by filing a brief written defence.
(4) On receipt of a protest made under subsection
(3), the Controller shall publish the written defence together
with the Controller's statement, and shall immediately give
the protesting certification authority notice and a reasonable
opportunity of being heard.
(5) Where, after a hearing, the Controller
determines that the publication of the advisory statement
was unwarranted, the Controller shall revoke the advisory
statement.
(6) Where, after a hearing, the Controller
determines that the advisory statement is no longer warranted,
the Controller shall revoke the advisory statement.
(7) Where, after a hearing, the Controller
determines that the advisory statement remains warranted,
the Controller may continue or amend the advisory statement
and may take further legal action to eliminate or reduce the
risk prohibited under subsection (1).
(8) The Controller shall publish his decision
under subsection (5), (6) or (7), as the case may be, in one
or more recognised repositories.
72. Obligation of secrecy
(1) Except for the purposes of this Act,
no person who has access to any record, book, register, correspondence,
information, document or other material obtained under this
Act shall disclose such record, book, register, correspondence,
information, document or other material to any other person.
(2) A person who contravenes subsection (1)
commits an offence and shall, on conviction, be liable to
a fine not exceeding one hundred thousand ringgit or to imprisonment
for a term not exceeding two years or to both.
73. False information
A person who makes, orally or in writing,
signs or furnishes any declaration, return, certificate or
other document or information required under this Act which
is untrue, inaccurate or misleading in any particular commits
an offence and shall, on conviction, be liable to a fine not
exceeding five hundred thousand ringgit or to imprisonment
for a term not exceeding ten years or to both.
74. Offences by body corporate
(1) Where a body corporate commits an offence
under this Act, any person who at the time of the commission
of the offence was a director, manager, secretary or other
similar officer of the body corporate or was purporting to
act in any such capacity or was in any manner or to any extent
responsible for the management of any of the affairs of the
body corporate or was assisting in such management-
(a) may be charged severally or jointly in
the same proceedings with the body corporate; and
(b) where the body corporate is found guilty of the offence,
shall be deemed to be guilty of that offence unless, having
regard to the nature of his functions in that capacity and
to all circumstances, he proves-
(i) that the offence was committed without
his knowledge, consent or connivance; and
(ii) that he took all reasonable precautions and had exercised
due diligence to prevent the commission of the offence.
(2) Where any person would be liable under
this Act to any punishment or penalty for any act, omission,
neglect or default, he shall be liable to the same punishment
or penalty for every such act, omission, neglect or default
of any employee or agent of his, or of the employee of such
agent, if such act, omission, neglect or default was committed-
(a) by his employee in the course of his
employment;
(b) by the agent when acting on his behalf; or
(c) by the employee of such agent in the course of his employment
by such agent or otherwise on behalf of the agent.
75. Authorised officer
(1) The Minister may in writing authorise
any public officer or officer of the Controller to exercise
the powers of enforcement under this Act.
(2) Any such officer shall be deemed to be
a public servant within the meaning of the Penal Code.
(3) In exercising any of the powers of enforcement
under this Act, an authorised officer shall on demand produce
to the person against whom he is acting the authority issued
to him by the Minister.
76. Power to investigate
(1) The Controller may investigate the activities
of a certification authority material to its compliance with
this Act.
(2) For the purposes of subsection (1), the
Controller may issue orders to a certification authority to
further its investigation and secure compliance with this
Act.
(3) Further, in any case relating to the
commission of an offence under this Act, any authorised officer
carrying on an investigation may exercise all or any of the
special powers in relation to police investigation in seizable
cases given by the Criminal Procedure Code.
77. Search by warrant
(1) If it appears to a Magistrate, upon written
information on oath and after such inquiry as he considers
necessary, that there is reasonable cause to believe that
an offence under this Act is being or has been committed on
any premises, the Magistrate may issue a warrant authorising
any police officer not below the rank of Inspector, or any
authorised officer named therein, to enter the premises at
any reasonable time by day or by night, with or without assistance
and if need be by force, and there to search for and seize-
(a) copies of any books, accounts or other
documents, including computerised data, which contain or are
reasonably suspected to contain information as to any offence
so suspected to have been committed;
(b) any signboard, card, letter, pamphlet, leaflet, notice
or other device representing or implying that the person is
a licensed certification authority; and
(c) any other document, article or item that is reasonably
believed to furnish evidence of the commission of such offence.
(2) A police officer or an authorised officer
conducting a search under subsection (1) may, if in his opinion
it is reasonably necessary to do so for the purpose of investigating
into the offence, search any person who is in or on such premises.
(3) A police officer or an authorised officer
making a search of a person under subsection (2) may seize,
detain or take possession of any book, accounts, document,
computerised data, card, letter, pamphlet, leaflet, notice,
device, article or item found on such person for the purpose
of the investigation being carried out by such officer.
(4) No female person shall be searched under
this section except by another female person.
(5) Where, by reason of its nature, size
or amount, it is not practicable to remove any book, accounts,
document, computerised data, signboard, card, letter, pamphlet,
leaflet, notice, device, article or item seized under this
section, the seizing officer shall, by any means, seal such
book, accounts, document, computerised data, signboard, card,
letter, pamphlet, leaflet, notice, device, article or item
in the premises or container in which it is found.
(6) A person who, without lawful authority,
breaks, tampers with or damages the seal referred to in subsection
(5) or removes any book, accounts, document, computerised
data, signboard, card, letter, pamphlet, leaflet, notice,
device, article or item under seal or attempts to do so commits
an offence.
78. Search and seizure without warrant
If a police officer not below the rank of
Inspector in any of the circumstances referred to in section
77 has reasonable cause to believe that by reason of delay
in obtaining a search warrant under that section the investigation
would be adversely affected or evidence of the commission
of an offence is likely to be tampered with, removed, damaged
or destroyed, such officer may enter such premises and exercise
in, upon and in respect of the premises all the powers referred
to in section 77 in as full and ample a manner as if he were
authorised to do so by a warrant issued under that section.
79. Access to computerised data
(1) A police officer conducting a search
under section 77 or 78 or an authorised officer conducting
a search under section 77 shall be given access to computerised
data whether stored in a computer or otherwise.
(2) For the purposes of this section, "access"
includes being provided with the necessary password, encryption
code, decryption code, software or hardware and any other
means required to enable comprehension of computerised data.
80. List of things seized
(1) Except as provided in subsection (2),
where any book, accounts, document, computerised data, signboard,
card, letter, pamphlet, leaflet, notice, device, article or
item is seized under section 77 or 78, the seizing officer
shall prepare a list of the things seized and immediately
deliver a copy of the list signed by him to the occupier of
the premises which have been searched, or to his agent or
servant, at those premises.
(2) Where the premises are unoccupied, the
seizing officer shall whenever possible post a list of the
things seized conspicuously on the premises.
81. Obstruction of authorised officer
Any person who obstructs, impedes, assaults
or interferes with any authorised officer in the performance
of his functions under this Act commits an offence.
82. Additional powers
An authorised officer shall, for the purposes
of the execution of this Act, have power to do all or any
of the following:
(a) to require the production of records,
accounts, computerised data and documents kept by a licensed
certification authority and to inspect, examine and copy any
of them;
(b) to require the production of any identification document
from any person in relation to any case or offence under this
Act;
(c) to make such inquiry as may be necessary to ascertain
whether the provisions of this Act have been complied with.
83. General penalty
(1) A person who commits an offence under
this Act for which no penalty is expressly provided shall,
on conviction, be liable to a fine not exceeding two hundred
thousand ringgit or to imprisonment for a term not exceeding
four years or to both, and in the case of a continuing offence
shall in addition be liable to a daily fine not exceeding
two thousand ringgit for each day the offence continues to
be committed.
(2) For the purposes of this section, "this
Act" does not include the regulations made under this
Act.
84. Recovery of procedural costs
Where the Controller finds that a certification
authority has contravened this Act, the Controller may order
the certification authority to pay the costs incurred by the
Controller in prosecution and adjudication proceedings in
relation to the order and in enforcing it.
85. No costs or damages arising from seizure
to be recoverable
No person shall, in any proceedings before
any court in respect of the seizure of any book, accounts,
document, computerised data, signboard, card, letter, pamphlet,
leaflet, notice, device, article or item seized in the exercise
or the purported exercise of any power conferred under this
Act, be entitled to the costs of such proceedings or to any
damages or other relief unless such seizure was made without
reasonable cause.
86. Institution and conduct of prosecution
(1) No prosecution for or in relation to
any offence under this Act shall be instituted without the
written consent of the Public Prosecutor.
(2) Any officer of the Controller duly authorised
in writing by the Public Prosecutor may conduct the prosecution
for any offence under this Act.
87. Jurisdiction to try offences
Notwithstanding any written law to the contrary,
a Court of a Magistrate of the First Class shall have jurisdiction
to try any offence under this Act and to impose the full punishment
for any such offence.
88. Protection of officers
No action or prosecution shall be brought,
instituted or maintained in any court against -
(a) the Controller or any officer duly authorised
under this Act for or on account of or in respect of any act
ordered or done for the purpose of carrying into effect this
Act; and
(b) any other person for or on account of or in respect of
any act done or purported to be done by him under the order,
direction or instruction of the Controller or any officer
duly authorised under this Act if the act was done in good
faith and in a reasonable belief that it was necessary for
the purpose intended to be served thereby.
89. Power to exempt
(1) The Minister may, by order published
in the Gazette, exempt any person or class of persons from
all or any of the provisions of this Act, except section 4.
(2) The Minister may impose any terms and
conditions as he thinks fit on any exemption under subsection
(1).
90. Limitation on disclaiming or limiting
application of Act
Unless it is expressly provided for under
this Act, no person may disclaim or contractually limit the
application of this Act.
91. Regulations
(1) The Minister may make regulations for
all or any of the following purposes:
(a) prescribing the qualification requirements
for certification authorities;
(b) prescribing the manner of applying for licences and certificates
under this Act, the particulars to be supplied by an applicant,
the manner of licensing and certification, the fees payable
therefor, the conditions or restrictions to be imposed and
the form of licences and certificates;
(c) regulating the operations of licensed certification authorities;
(d) prescribing the requirements for the content, form and
sources of information in certification authority disclosure
records, the updating and timeliness of such information and
other practices and policies relating to certification authority
disclosure records;
(e) prescribing the form of certification practice statements;
(f) prescribing the qualification requirements for auditors
and the procedure for audits;
(g) prescribing the requirements for repositories and the
procedure for recognition of repositories;
(h) prescribing the requirements for date/time stamp services
and the procedure for recognition of date/time stamp services;
(i) prescribing the procedure for the review of software for
use in creating digital signatures and of the applicable standards
in relation to digital signatures and certification practice
and for the publication of reports on such software and standards;
(j) prescribing the forms for the purposes of this Act;
(k) prescribing the fees and charges payable under this Act
and the manner for collecting and disbursing such fees and
charges;
(l) providing for such other matters as are contemplated by,
or necessary for giving full effect to, the provisions of
this Act and for their due administration.
(2) Regulations made under subsection (1)
may prescribe any act in contravention of the regulations
to be an offence and may prescribe penalties of a fine not
exceeding one hundred thousand ringgit or imprisonment for
a term not exceeding two years or both.
92. Savings and transitional
(1) A certification authority that has been
carrying on or operating as a certification authority before
the commencement of this Act shall, not later than three months
from such commencement, obtain a licence under this Act.
(2) Where a certification authority referred
to in subsection (1) fails to obtain a licence after the period
prescribed in subsection (1), it shall be deemed to be an
unlicensed certification authority and the provisions of this
Act shall apply to it and the certificates issued by it accordingly.
(3) Where a certification authority referred
to in subsection (1) has obtained a licence in accordance
with this Act within the period prescribed in subsection (1),
all certificates issued by such certification authority before
the commencement of this Act, to the extent that they are
not inconsistent with this Act, shall be deemed to have been
issued under this Act and shall have effect accordingly.
EXPLANATORY STATEMENT
This Bill seeks to make provision for, and
to regulate the use of, digital signatures and to provide
for matters connected therewith.
2. Part 1 contains preliminary matters.
Clause 1 contains the short title and provisions
on the commencement of the proposed Act.
Clause 2 contains the definitions of several
expressions used in the proposed Act.
3. Part II deals with the Controller of Certification
Authorities and the licensing of certification authorities.
Clause 3 seeks to empower the Minister to
appoint a Controller of Certification Authorities. It also
seeks to empower the Controller, after consultation with the
Minister, to appoint such number of officers and servants
as the Controller considers necessary. The function of the
Controller is primarily to license certification authorities
and to monitor and oversee the activities of certification
authorities.
Clause 4 seeks to introduce a mandatory licensing
scheme for certification authorities. The mandatory licensing
scheme is proposed to establish a minimum regulatory system
to provide a basic level of reliability in certification authority
practice without undermining the reliability of any signature
by invalidating it for lack of a regulatory licence. Under
the proposed scheme, a digital signature may nevertheless
be reliable and legally valid if verified by a certificate
issued by an unlicensed certification authority or without
verification by any certificate at all. However, in such cases
and as expressly provided in clause 13 of the proposed Act,
neither the liability limits specified in Chapter 8 of Part
IV of the proposed Act nor Part V of the proposed Act shall
apply.
Subclause 4(3) seeks to allow the Minister
to exempt a person operating as a certification authority
within an organisation where certificates and key pairs are
issued to members of the organisation for internal use only
and such other person or class of persons as the Minister
considers fit.
Clause 5 seeks to empower the Minister to
prescribe the qualification requirements for certification
authorities by regulations made under the proposed Act.
Clause 6 seeks to make provision for the
functions of licensed certification authorities. It also seeks
to impose a duty on the licensed certification authority to
take all reasonable measures to check for proper identification
of a subscriber before issuing a certificate.
Clauses 7 to 11 seek to make provision for
the application for licences and the issue, surrender and
revocation of licences.
Clause 12 seeks to provide for the effect
of the revocation, surrender or expiry of licences. Subclauses
12(5) to (8) seek to make provision for the certificates issued
by a certification authority where its licence has been revoked
or surrendered or has expired.
Clause 13 seeks to clarify the effect of
the lack of a licence, that is, Chapter 8 of Part IV of the
proposed Act will not apply to the unlicensed certification
authority and Part V of the proposed Act will not apply in
relation to a digital signature which cannot be verified by
a certificate issued by a licensed certification authority.
Clause 14 seeks to require the return of
revoked or expired licences.
Clause 15 seeks to allow the Controller to
classify licences according to specified limitations and provides
that where a licensed certification authority issues a certificate
exceeding the restrictions of its licence, the licensed certification
authority commits an offence. Further, the liability limits
specified in Chapter 8 of Part IV shall not apply to it. However,
this shall not affect the validity or effect of the issued
certificate.
Clause 16 seeks to restrict the use of the
expression "certification authority" and "licensed
certification authority".
Clause 17 seeks to provide for the renewal
of licences whilst clause 18 seeks to provide for the replacement
of lost licences.
Clause 19 seeks to allow the Controller,
by order published in the Gazette, to recognise foreign certification
authorities thereby allowing the recommended reliance limits
specified in the certificates issued by the foreign certification
authorities to apply and Part V of the proposed Act to apply
to the certificates issued by it.
Clause 20 seeks to provide for performance
audits of licensed certification authorities to evaluate their
compliance with the proposed Act. Clause 21 seeks to provide
limited exemptions from performance audits to small businesses.
4. Part III (clauses 22 to 26) deals with
the requirements imposed on licensed certification authorities
and includes requiring the licensed certification authority
to only carry on activities specified in its licence, to display
its licence and to submit information relating to its business
operations.
5. Part IV (clauses 27 to 61) deals with
the duties of licensed certification authorities and subscribers.
The duties of a licensed certification authority include using
a trustworthy system to issue, suspend or revoke a certificate,
to publish or give notice thereof and to create a private
key, to publish issued and accepted certificates and to suspend
or revoke certificates immediately where the need arises.
Clause 31 provides that a licensed certification
authority may conform to standards, certification practice
statements, security plans or contractual requirements more
rigorous than the proposed Act provided that they are not
inconsistent therewith.
The duties of a subscriber include retaining
control of the private key and practising safe key management.
Clause 44 provides that the private key is the personal property
of the subscriber who rightfully holds it.
Clauses 34 to 42 seek to provide the warranties
and obligations of the licensed certification authority and
subscriber on the issue and acceptance of a certificate.
Clauses 60 and 61 seek to provide for a recommended
reliance limit. By specifying a recommended reliance limit
in a certificate, the issuing certification authority and
accepting subscriber recommend that a person rely on the certificate
only to the extent that the total amount at risk does not
exceed the recommended reliance limit.
6. Part V deals with the effect of digital
signatures.
Clause 62 seeks to provide that a digital
signature created in accordance with the proposed Act shall
satisfy the requirements of law with respect to signatures
and that notwithstanding any written law to the contrary,
a document signed with a digital signature in accordance with
the proposed Act shall be as legally binding as a document
signed with a handwritten signature, an affixed thumbprint
or any other mark. However, the proposed Act does not preclude
any symbol from being valid as a signature under any other
applicable law.
Clause 63 seeks to provide that the recipient
of a digital signature assumes the risk that a digital signature
is forged if under the circumstances reliance on it is not
reasonable. It also seeks to impose a duty on the recipient
who does not rely on a digital signature to notify the signer
of its determination and the grounds for that determination.
Clause 64 seeks to deem a digitally signed
document to be a written document whilst clause 65 seeks to
deem a digitally signed document to be an original document.
Clause 66 seeks to provide for the authentication
of digital signatures.
Clause 67 seeks to provide certain presumptions
in adjudicating disputes.
7. Part VI deals with repositories and date/time
stamp services. Clauses 68 and 69 seek to provide for the
recognition of repositories and their liabilities.
Clause 70 seeks to provide for the recognition
of date/time stamp services.
8. Part VII deals with general matters.
Clause 72 seeks to impose an obligation of
secrecy on persons who have access to confidential information
obtained under the proposed Act.
Clause 73 seeks to make it an offence to
furnish untrue, inaccurate or misleading information.
Clause 74 seeks to provide for offences committed
by a body corporate.
Clause 75 seeks to empower the Minister to
authorise any public officer or officer of the Controller
to exercise the powers of enforcement under the proposed Act.