Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002)
Chapter VI : Authentication Service Providers
Part 2 : Accreditation
38. Criteria for accreditation
(1) | The Accreditation Authority may not accredit authentication products or services unless the Accreditation Authority is satisfied that an electronic signature to which such authentication products or services relate— |
(a) | is uniquely linked to the user; |
(b) | is capable of identifying that user; |
(c) | is created using means that can be maintained under the sole control of that user; and |
(d) | will be linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable; |
(e) | is based on the face-to-face identification of the user. |
(2) | For purposes of subsection (1), the Accreditation Authority must have regard to the following factors in respect of an authentication service provider prior to accrediting authentication products or services— |
(a) | its financial and human resources, including its assets; |
(b) | the quality of its hardware and software systems; |
(c) | its procedures for processing of products or services; |
(d) | the availability of information to third parties relying on the authentication product or service; |
(e) | the regularity and extent of audits by an independent body; |
(f) | the factors referred to in subsection (4) where the products and services are rendered by a certification service provider; and |
(g) | any other relevant factor which may be prescribed. |
(3) | For the purposes of subsections (2)(b) and (c), the hardware and software systems and procedures must at least— |
(a) | be reasonably secure from intrusion and misuse; |
(b) | provide a reasonable level of availability, reliability and correct operation; |
(c) | be reasonably suited to performing their intended functions; and |
(d) | adhere to generally accepted security procedures. |
(4) | For the purposes of subsection (1), where the products or services are provided by a certification service provider, the Accreditation Authority may stipulate, prior to accrediting authentication products or services— |
(a) | the technical and other requirements which certificates must meet; |
(b) | the requirements for issuing certificates; |
(c) | the requirements for certification practice statements; |
(d) | the responsibilities of the certification service provider; |
(e) | the liability of the certification service provider; |
(f) | the records to be kept and the manner in which and length of time for which they must be kept; |
(g) | requirements as to adequate certificate suspension and revocation procedures; and |
(h) | requirements as to adequate notification procedures relating to certificate suspension and revocation. |
(5) | The Accreditation Authority may impose any conditions or restrictions necessary when accrediting an authentication product or service. |