

10 February 1999


Date: Wed, 10 Feb 1999 09:07:09 -0500
To: cryptography@c2.net
From: Robert Hettinga <rah@shipwright.com>
Subject: new Singapore PKI regulations

--- begin forwarded text

Date:         Wed, 10 Feb 1999 08:43:58 -0500
From: Michael Power <Power.Michael@TBS-SCT.GC.CA>
Subject:      new Singapore PKI regulations
To: DIGSIG@LISTSERV.TEMPLE.EDU

Our colleagues in Singapore have been kind enough to let us know about the
new Singapore Electronic Transactions (Certification Authority) Regulations
1999. (Released 10 Feb 99) Those interested in the subject can obtain
further details at <http://www.cca.gov.sg> but below is the press document
accompanying the release of the regulations.


Introduction
1.      The Electronic Transactions Act and its Regulations have put in
place a voluntary licensing scheme for certification authorities (CAs). In
addition to laying down the administrative framework for licensing by the
Controller of CAs, the Regulations also stipulate the criteria for a CA in
Singapore to be licensed, and the continuing operational requirements after
obtaining a licence. The criteria that CAs will be evaluated against include
their financial standing, operational policies and procedures, and track
record.

Benefits of Licensing
2.      Although the licensing scheme is a voluntary one, there are certain
benefits for a CA to be licensed:

a.      A licensed CA will enjoy the benefits of evidentiary presumption for
digital signatures generated from the certificate it issues. Without such a
presumption, a party that intends to rely on a digital signature must
produce enough evidence to convince the court that the signature was created
under conditions that will render it trustworthy. With the presumption, the
party relying on the signature merely has to show that the signature has
been correctly verified, and the onus is on the other party disputing the
signature to prove otherwise.

b.      The liability of a licensed CA is limited under the Act. The CA will
not be liable for any loss caused by reliance on a false or forged digital
signature of a subscriber so long as the CA has complied with the
requirements under the Act and the Regulations. In the event that a licensed
CA fails to observe some of its obligations, the CA will only be liable up
to the reliance limit specified in the certificate.

c.      The licensing of a CA by the Controller is an indication that the CA
has met the stringent regulatory requirements established. It is thus an
indication to the public that the CA is trustworthy and deserving of
consumer confidence. Together with the ease of proof in using digital
signatures, there can be reliance on such CAs with greater certainty.

Licensing Scheme
3.      To apply for a licence, applicants have to pay an application fee of
S$5,000 to cover the processing costs. Once approval for a licence has been
given, an annual licensing fee of S$1,000 will be levied. Licences with a
one-year validity period will be issued initially. As the industry matures
and the CA builds up a track record, licences for a longer period can be
issued.

Criteria for Granting and Renewing Licences

Financial Criteria, etc.
4.      The licensing scheme is intended for companies operating in
Singapore. The applicant must demonstrate that it has sufficient funds to
operate a CA, and have adequate insurance coverage to cover major areas of
liability. In addition, the applicant needs to post a performance bond or
banker's guarantee. This is for the payment of fines arising from offences,
or for liabilities and rectification costs arising from the CA's negligence.
It may also be used for costs in the transition to a successor CA if the
licensed CA decides to discontinue its operations.

Operational Criteria
5.      Prior to licensing, the applicant must undergo and pass an initial
audit to demonstrate that it has met the requirements stipulated in the Act
and the Regulations. In addition, the applicant will also be audited for
compliance with its own Certificate Practice Statements (CPS). CPS are
documents which stipulate the policies and procedures a CA adopts for the
certificates it issues. Audits are also required again before a licence can
be renewed.

Security Guidelines
6.      The Controller has published a set of security guidelines that CAs
will be audited against. These security guidelines are specially tailored
for CA operations. Hence, in addition to general security requirements,
there are specific requirements governing CA operations such as certificate
and key management.

Requirements on Record Keeping
7.      Licensed CAs must have reliable records and logs for activities that
are core to the CA's operations. These activities include certificate
management, key generation and administration of its computing facilities.
To enable verification of past transactions, licensed CAs have to archive
certificates for a minimum of seven years. The CAs should maintain such
archives for a longer period where feasible.

Management of Certificates
8.      The management of certificates is a core function of a CA and is
subject to strict requirements. The Controller must approve the methods used
by the licensed CA to verify the identity of a subscriber before granting or
renewing a subscription for a certificate. In accordance with the provisions
of the Act, a licensed CA must also publish a notice of a certificate
suspension or revocation immediately after receiving an authorised request
for a certificate suspension or revocation.

Secure Digital Signatures
9.      In addition to meeting baseline security policies and requirements,
the Regulations also specify when a digital signature will qualify as a
secure digital signature (i.e. a legally binding digital signature that has
the evidentiary presumption under the Act). An applicant must provide a
system that can meet these requirements for generating secure digital
signatures. Some of these requirements are:

a.      when a digital signature is successfully verified, it must confirm
that the digitally signed document or record has not been tampered with
since the fixation of the signature;

b.      when a digital signature is successfully verified, it must
accurately identify the signatory;

c.      it is computationally infeasible for any person other than the
signatory to have created the specific digital signature;

d.      measures must be taken to ensure that the creation of a signature
must be under the direction of the signatory; and

e.      no other person can reproduce the sequence of steps to create the
signature and thereby create a valid signature without the involvement or
the knowledge of the signatory.

Types of Certificates
10.     To cater for market demands, a licensed CA may issue certificates
with different levels of assurance. A licensed CA may issue trustworthy
certificates that can create secure digital signatures, or other lower
assurance certificates for simple authentication or identification purposes
in applications such as electronic mail. However, this is subject to the
approval of the Controller - each type of certificate must have a distinct
approved CPS associated with it. This will give more flexibility to a
licensed CA and will not disadvantage them vis-à-vis an unlicensed CA in the
types of certificates it can issue.

Confidentiality Requirements
11.     Licensed CAs have to ensure confidentiality of subscriber
information. This is to prevent abuse of the subscriber's trust in providing
potentially private subscriber information to the CA when applying for a
certificate.

Government CAs
12.     Under the Act, a government agency may be approved by the Minister
for Trade and Industry to act as a CA with the benefits of a licensed CA.
With the exception of certain requirements (e.g. financial criteria), the
Regulations will also apply to such government CAs.

Waivers
13.     Although the Regulations will apply generally to CAs, the Controller
will consider granting waivers for some of the requirements in the
Regulations in special circumstances, especially for CAs in closed network
communities.

Conclusion
14.     The Act and the Regulations aim to provide a legal framework that
will establish trusted CA services in Singapore, serving both the domestic
and international markets. In the long term, they provide the foundation to
establish Singapore as a trusted hub for e-commerce, providing a wide range
of security products and services.

Prepared by National Computer Board, 10th February 1999


Michael Power
Assistant Director, Policy / Directeur adjoint, Politiques
Interdepartmental PKI Task Force / Groupe interministériel de mise en oeuvre
de l'ICP
Treasury Board Secretariat / Secrétariat du Conseil du Trésor
275 rue Slater Street, Ottawa, Canada K1A 0R5
Tel. 946-5056; Fax. 946-9893;
Email: power.michael@tbs-sct.gc.ca,
Website: <http://www.cio-dpi.gc.ca>

--- end forwarded text

-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'