(b) utilize a secure and reliable system in providing certification services;
(c) have adequate measures in place to ensure all employees are fit and proper to carry out the duties assigned to them;
(d) comply with the operational and technical requirements specified in regulation 4;
(e) have adequate policies relating to information security and privacy, physical security, and disaster recovery;
(f) provide evidence of access to adequate working capital to enable it to operate as a certification service provider; and
(g) have adequate insurance cover, including liability cover for subscribers and persons relying on certificates issued.
4. Technical and operational requirements
(1) A certification service provider shall have the following technical components—
(a) at the generation of key pairs, technical components that ascertain that—
    (i) any given key can only occur once;
    (ii) a private key cannot be derived from the corresponding public key;
    (iii) keys cannot be duplicated;
(b) during the generation and storage of key pairs, and the verification of digital signatures, technical components that have security features which—
    (i) allow the use of the private key only after identification of the user through a personal identification number or other data used for identification in conjunction with the data storage medium for the private key of the user;
    (ii) do not disclose the private key during its use;
    (iii) function in a manner that prevents the private key from being derived from the digital signature; and