Chapter 1 General Principles
Article 1
These Regulations are enacted pursuant to Paragraph 2, Article 11 of the Electronic Signatures Act.
Article 2
These Regulations make use of the following defined terms:
1.“Assurance” means a basis that the trusted entity has complied with certain security requirements.
2.“Assurance level” means a certain level in a relative assurance tier.
3.“Certificate policy (CP)” means a named set of rules that indicates the applicability of a certificate to a particular community or class of application with common security requirements.
4.“Object identifier (OID)” means a unique alphanumeric/numeric identifier registered under the International Standard Organization registration standard, and which could be used to identify the uniquely corresponding CP; where the CP is modified, the OID is not changed accordingly.
5.“Subscriber” means a subject named or identified in a certificate that holds the private key which corresponds to the public key listed in the certificate.
6.“Relying party” means a recipient of a certificate who acts in reliance on that certificate.
7.“Repository” means a system for storing and retrieving certificates or other information relevant to certificates.
8.“Certificate revocation list (CRL)” means a list of revoked certificates digitally signed by a certification service provider.
9.“Activation data” means data values, other than keys, that are required to operate cryptographic modules and that need to be protected.
Article 3
A certification service provider shall specify the following significant particulars in the first page of the certification practice statement (CPS):
1.The approval number issued by the competent authority
2.Types of certificate
3.Assurance levels of certificates
4.Applicability and restrictions on certificate usage
5.Limitations of liability, and allocation of liability within the application period for certificate revocation
6.Whether the certificate services are audited by a third party or have been granted any seal
Article 4
A certification service provider shall specify the supported CPs, provide the OIDs of the CPs, and specify other significant documents supporting the CPS.
Article 5
A certification service provider shall specify the identity or types of entity that fill the roles of participants operating and maintaining the certification service. In the event that an entity participates in the certification service by outsourcing, the certification service provider shall also specify the name and qualification of the entity.
Article 6
A certification service provider shall specify the telephone number, mailing address and electronic mail address of a contact person through whom subscribers or relying parties may report the loss of a private key and consult on matters of the CPS.
Article 7
A certification service provider shall specify the following subscriber obligations:
1.Ensuring accuracy of representations in certificate application
2.Safely generating and guarding the private key where the private key is generated by the subscriber
3.Complying with the restrictions on private key and certificate usage
4.Notifying the matters of private key compromise or loss
Article 8
A certification service provider shall specify the following relying party obligations:
1.Taking responsibility for verifying digital signatures
2.Placing reliance on the certificate within the purposes of certificate usage
3.Inspecting the certificate status
4.Acknowledging the liability provisions on certification service providers
Article 9
A certification service provider shall specify the following particulars in respect of the publication of information and the operation and maintenance of repositories:
1.The methods by which it publishes information such as certificates, certificate status, CPS and CP
2.When information must be published and the frequency of publication
3.Access control on repositories
Article 10
A certification service provider shall specify a notification mechanism in the case of CPS modification.
Article 11
A certification service provider shall specify the following particulars in respect of financial responsibility:
1.Amount of insurance coverage provided for liability for potential and actual damages
2.Whether the operation of the certification service provider is covered by insurance
3.Whether financial audit of the certification service provider is implemented by a third party
Article 12
A certification service provider shall specify the dispute resolution procedures and governing and applicable laws to resolve disputes arising out of the certification service or certificate usage.
Article 13
A certification service provider shall specify whether subscribers can request a refund. If applicable, it shall also specify the procedures for refund.
Article 14
A certification service provider shall specify the following particulars in respect of compliance audit or other assessment:
1.Frequency of compliance audit or other assessment
2.The qualifications of the personnel performing the audit or other assessment
3.Assurance of the independence of the personnel performing the audit or other assessment
4.The scope of the compliance audit or other assessment
5.Actions taken as a result of deficiencies found during the compliance audit or other assessment
6.The parts of the reports of compliance audit or other assessment to be disclosed, and the methods of disclosure
Article 15
A certification service provider shall specify the types of personal information of subscribers to be protected and methods to keep the information confidential:
1.Types of information to be kept confidential
2.Relevant particulars concerning personal information protection