PART IX –RECORDS KEEPING BY CERTIFICATION SERVICE, REPOSITORY
AND DATE AND TIME STAMP PROVIDERS
29. Records to be kept by certification, repository, and date and time service
providers
(1) Every certification service provider, repository provider and date and time
stamp service provider shall keep the following records for seven years (a)
all applications for issuing certificates to subscribers;
(b)
documents relating to the verification of certificates generated;
(c)
information relating to expired, suspended or revoked certificates;
(d)
reliable records and logs for activities that are core to the provider's
operations, including certificate management, key generation and administration
of computing facilities.
(2) All certificates shall be kept in a manner that (a)
a person who is not authorized cannot make changes to the
certificates;
(b)
(c)
makes it possible to verify that the information is correct; and
the certificate is available to the public only where the subscriber
expressly permits.
(3) A certification service provider, repository provider or date and time stamp
service provider shall maintain –
(a)
the database of records in a manner that allows subscribers and
relying parties to readily access those records;
(b)
all records in a manner that guarantees the security, integrity and
accessibility of the records and allows for retrieval and inspection of the
information by the Controller.
(4) A certification service provider, repository provider or a date and time stamp
service provider may re-signed a record or information required to be kept under
this regulation to protect the integrity of the record or information in the event of