288

CAP. 411A

Kenya Information and Communications

[Rev. 2011

[Subsidiary]
(9) A certification service provider shall log and keep in a secure manner
the date and time of all transactions relating to the suspension of certificates.
(10) A party who wishes to rely on any certificate shall, before relying
on a certificate, establish the status of the certificate.
Revocation of certificates.

14. (1) A certification service provider shall revoke a certificate upon—
(a) receiving a request for revocation from a subscriber or his
authorized agent;
(b) detecting forgery or falsification of the information existing in the
database or changes in the information in database; and
(c) detecting the incapacity, bankruptcy or death of the subscriber:
Provided that where it is practicable, a certification service provider
shall afford the subscriber a reasonable opportunity to be heard, before the
revocation is effected.
(2) A certification service provider shall maintain facilities that can
receive and act upon requests for revocation at all times of the day and on all
days of every year.
(3) A certification service provider shall use the subscriber identity
verification method specified in the certification practice statement to confirm the
identity of the subscriber or authorized agent who makes a request for revocation.
(4) A certification service provider shall, after revoking a certificate, give
a notice of revocation to the subscriber and publish the notice in the respective
repository.
(5) A certification service provider shall log and keep in a secure manner
the date and time of all transactions relating to the revocation of a certificate.
(6) A party who wishes to rely on any certificate shall, before relying on
a certificate, establish the status of the certificate.

Performance audits.

15. The Commission shall, at least once in every year, audit the operations
of a licensed certification service provider to monitor compliance with the Act
and these Regulations.

Security guidelines.

16. (1) A certification service provider shall comply with the security
guidelines that may be issued by the Commission.
(2) A certification service provider shall provide every subscriber with
a secure and trustworthy system to generate his key pair.
(3) A certification service provider shall establish a mechanism that
generates and verifies advanced electronic signatures in a secure and trustworthy
manner and indicates the validity of a signature.
