Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002)

Chapter VI : Authentication Service Providers

Part 2 : Accreditation

38. Criteria for accreditation


 

(1) The Accreditation Authority may not accredit authentication products or services unless the Accreditation Authority is satisfied that an electronic signature to which such authentication products or services relate—
(a) is uniquely linked to the user;
(b) is capable of identifying that user;
(c) is created using means that can be maintained under the sole control of that user; and
(d) will be linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable;
(e) is based on the face-to-face identification of the user.

 

(2) For purposes of subsection (1), the Accreditation Authority must have regard to the following factors in respect of an authentication service provider prior to accrediting authentication products or services—
(a) its financial and human resources, including its assets;
(b) the quality of its hardware and software systems;
(c) its procedures for processing of products or services;
(d) the availability of information to third parties relying on the authentication product or service;
(e) the regularity and extent of audits by an independent body;
(f) the factors referred to in subsection (4) where the products and services are rendered by a certification service provider; and
(g) any other relevant factor which may be prescribed.

 

(3) For the purposes of subsections (2)(b) and (c), the hardware and software systems and procedures must at least—
(a) be reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation;
(c) be reasonably suited to performing their intended functions; and
(d) adhere to generally accepted security procedures.

 

(4) For the purposes of subsection (1), where the products or services are provided by a certification service provider, the Accreditation Authority may stipulate, prior to accrediting authentication products or services—
(a) the technical and other requirements which certificates must meet;
(b) the requirements for issuing certificates;
(c) the requirements for certification practice statements;
(d) the responsibilities of the certification service provider;
(e) the liability of the certification service provider;
(f) the records to be kept and the manner in which and length of time for which they must be kept;
(g) requirements as to adequate certificate suspension and revocation procedures; and
(h) requirements as to adequate notification procedures relating to certificate suspension and revocation.

 

(5) The Accreditation Authority may impose any conditions or restrictions necessary when accrediting an authentication product or service.