GOVERNMENT GAZETTE, 2 AUGUST 2002

No. 33708

Act No. 25, 2002

ELECTRONIC COMMUNICATIONS AND TRANSACTIONS ACT, 2003

(a) monitor the conduct, systems and operations of an authentication service provider to ensure its compliance with section 38 and the other obligations of authentication service providers in terms of this Act;
(b) temporarily suspend or revoke the accreditation of an authentication product or service; and
(c) appoint an independent auditing firm to conduct periodic audits of the authentication service provider to ensure its compliance with section 38 and the other obligations of authentication service providers in terms of this Act.
(2) The Accreditation Authority must maintain a publicly accessible database in respect of
(a) authentication products or services accredited in terms of section 37;
(b) authentication products and services recognised in terms of section 40;
(c) revoked accreditations or recognitions; and
(d) such other information as may be prescribed.

Part 2

Accreditation
Accreditation of authentication products and services
37. (1) The Accreditation Authority may accredit authentication products and services in support of advanced electronic signatures.
(2) An application for accreditation must
(a) be made to the Accreditation Authority in the prescribed manner supported by the prescribed information; and
(b) be accompanied by a non-refundable prescribed fee.
(3) A person falsely holding out its products or services to be accredited by the Accreditation Authority is guilty of an offence.
Criteria for accreditation
38. (1) The Accreditation Authority may not accredit authentication products or services unless the Accreditation Authority is satisfied that an electronic signature to which such authentication products or services relate
(a) is uniquely linked to the user;
(b) is capable of identifying that user;
(c) is created using means that can be maintained under the sole control of that user; and
(d) will be linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable;
(e) is based on the face-to-face identification of the user.
(2) For purposes of subsection (1), the Accreditation Authority must have regard to the following factors in respect of an authentication service provider prior to accrediting authentication products or services:
(a) its financial and human resources, including its assets;
(b) the quality of its hardware and software systems;
(c) its procedures for processing of products or services;
(d) the availability of information to third parties relying on the authentication product or service;
(e) the regularity and extent of audits by an independent body;
(f) the factors referred to in subsection (4) where the products and services are rendered by a certification service provider; and
(g) any other relevant factor which may be prescribed.
(3) For the purposes of subsections (2)(b) and (c), the hardware and software systems and procedures must at least
(a) be reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation;