CAP. 411A [Subsidiary] Kenya Information and Communications [Rev. 2011

Obligations of a subscriber.
10. (1) Where a subscriber has accepted a certificate, the subscriber shall
generate a key pair by applying the relevant security procedure.
(2) A subscriber shall be deemed to have accepted a certificate if he
publishes or authorizes the publication of the certificate to any person, in a
repository; or otherwise demonstrates his acceptance.
(3) A subscriber certifies, by accepting a certificate, to all who wish to
reasonably rely on the information contained in the certificate that—
(a) the subscriber holds and is entitled to hold the private key
corresponding to the public key listed in the certificate;
(b) all representations made by the subscriber to the certification service
provider and all the information contained in the certificate are true;
and
(c) all information in the certificate that is within the knowledge of the
subscriber is true.
(4) Every subscriber shall exercise reasonable care to retain control of
the private key corresponding to the public key listed in his certificate and take
the necessary steps to prevent its disclosure to any person who is not authorized
to affix the advanced electronic signature of the subscriber.
(5) In the event that the subscriber becomes aware that the private key
has been compromised, the subscriber shall notify the certification service
provider of such compromise within twenty-four hours.
Liability of certification service providers.
11. (1) A certification service provider shall, by issuing or guaranteeing
a certificate to the public, accept liability for damage caused to any person who
reasonably relies on the certificate unless the certification service provider can
prove that it was not negligent.
(2) The liability of a certification provider under paragraph (1) shall be
limited to issues relating to—
(a) the accuracy, at the time of issuance, of all information contained
in the certificate and the fact that the certificate contains all the
details prescribed for the certificate;
(b) the assurance that at the time of the issuance of the certificate, the
signatory identified in the certificate held the signature-creation data
corresponding to the signature-verification data given or identified
in the certificate;
(c) assurance that the signature-creation data and the signature-verification
data can be used in a complementary manner in cases
where the certification service provider generated both of them; and
(d) the failure to publish a notice of suspension or revocation of a