Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002)

Accreditation Regulations

Chapter III: Requirements for certification service providers

20. Records to be kept


(1) For purposes of section 38(4)(f) of the Act, the following records must be kept by a certification service provider for a period of seven years or for some other period that the South African Accreditation Authority may determine—
(a) applications for the issuing of certificates;
(b) registration and verification documents for certificates generated;
(c) certificates in a manner such that—
(i) no-one, with the exception of parties authorised to do so, can make changes to the certificates;
(ii) it is possible to verify that the information is correct; and
(iii) the certificate is available to the public only if this is expressly permitted by the subscriber;
(d) information related to suspended certificates;
(e) information related to expired and revoked certificates;
(f) reliable records and logs for activities that are core to the certification service provider's operations, such as certificate management, key generation and administration of its computing facilities.

 

(2) An accredited service provider must maintain its repository in such a manner that subscribers and relying parties can readily access records to which the authentication service provider permits access.

 

(3) All records must be kept in such a manner as to ensure the security, integrity and accessibility of the information and records for purposes of their retrieval and inspection by the South African Accreditation Authority.

 

(4) All archived records may be re-signed to protect their integrity and reliability in the event of technological advances that might impact on the reliance that can be placed on the original records.

 

(5) If a certification service provider's authentication products and services are based on PKI, key certificates must be re-signed in accordance with the key lengths specified in the certification practice