(1) A certification service provider whose authentication product or service has been accredited must make its certification practice statement and certificate policy for that advanced electronic signature available to the public on its website or in the manner determined by the South African Accreditation Authority.
(2) A certification service provider whose authentication products or services have been accredited must –
  (a) at least 30 days before it effects any substantive changes to its certification practice statement and certificate policy, including changes –
    (i) in the identification process;
    (ii) in the reliance limit of the certificates; or
    (iii) in key generation, storage or usage;
  notify the South African Accreditation Authority in writing and notify its subscribers and relying parties of the intended changes by publication on its website of its intention to effect such changes;
  (b) notify the South African Accreditation Authority, its subscribers and relying parties by publication on its website of any incident that adversely or materially affects or may affect the validity of the whole or part of its certification practice statement and certificate policy as it has been lodged with the South African Accreditation Authority;
  (c) adhere to its certification practice statement and certificate policy when issuing a type, class or description of accredited certificates; and
  (d) state clearly to subscribers and relying parties all costs and fees related to the issuing, revocation, suspension, retrieval or verification of the status of an accredited certificate under each type, class or description of certificates issued by it.
(3) A certification service provider must use the following documents to identify and authenticate a subscriber or applicant for a certificate or other authentication product or service during initial registration, certificate renewal, routine rekey, rekey after revocation and when processing requests for suspension or revocation—
  (a) Where the subscriber or applicant is a natural person, an original, valid–
    (iii) for certificate renewal purposes only, accredited certificate.
  (b) Where the subscriber or applicant is a partnership, the constitutive documents of the partnership, if applicable, as well as the documents referred to in paragraph (a) in respect of each partner in the partnership, including the authorised key holder.
  (c) Where the subscriber or applicant is a company, close corporation, trust or other legal entity, certified copies of—
    (i) the relevant constitutive documents;
    (ii) a resolution or power of attorney of the directors authorising a specific person to apply for or otherwise deal with a specific certification service provider in relation to the issuing, renewal or replacement of certificates; and
    (iii) the documents referred to in paragraph (a) in respect of each of the directors, members or trustees of the applicant and the authorised key holder, together with a resolution appointing the representative as the authorised key holder.
(4)
  (a) During the identification and authentication of a subscriber or applicant as contemplated in sub-regulation (3), a handwritten signature must be obtained by the certification service provider from the subscriber or applicant, and the certification service provider should be able to prove that the subscriber or applicant was actually present and identified and accepted the certificate.
  (b) The handwritten signature referred to in paragraph (a) must be made on a subscriber agreement.
  (c) A subscriber agreement must provide that the responsibility for safeguarding the private key lies with the subscriber, as does the responsibility to notify the certification service provider within 24 hours if the private key is lost or compromised.
(5) A certification service provider's certification practice statement and certificate policy must comply with the ITU X.509 standard and must contain the following—
  (a) A detailed description of the identification process contemplated in regulation 14(1);
  (b) Provisions governing the conduct of agents or contractors to whom operations have been outsourced as contemplated in regulation 10(3);
  (c) Adequate provision for certificate renewal;
  (d) Levels and reliance limits of certificates;
  (e) Private key storage requirements.