[Rev. 2011] Kenya Information and Communications, CAP. 411A [Subsidiary]
(4) Where the advanced electronic signature is not valid, the mechanism
established under paragraph (3) should indicate the reason for invalidity and
the status of the certificate.
(5) Where a verification mechanism is established by any person who
is not a certification service provider, the resulting signature shall not be
considered secure unless a licensed certification service provider endorses the
implementation of mechanism and its certificate.
(6) A licensed certification service provider shall store the keys, including
the subscriber’s and the certification service provider’s keys, in a secure and
trustworthy manner.
Incident handling.
17. (1) A certification service provider shall establish an incident
management plan to address, among others, incidents relating to
(a) compromise of key;
(b) penetration of certification service provider’s system and network;
(c) unavailability of infrastructure; and
(d) fraudulent registration and generation of certificates, certificate
suspension and revocation information.
(2) Where any incident referred to in paragraph (1) occurs, a certification
service provider shall report the incident to the Commission within twenty
four hours.
Confidentiality.
18. (1) A certification service provider shall not collect personal data
directly from the subscribers or their authorised agents, unless the personal
data is necessary for the purposes of issuance of a certificate.
(2) A certification service provider shall keep all information relating to
a subscriber confidential.
(3) A certification service provider shall not disclose any information
relating to a subscriber unless the disclosure is authorized by the subscriber:
Provided that a certification service provider may, pursuant to an order
of the court, disclose information relating to a subscriber without the consent
of the subscriber.
(4) The obligation to maintain confidentiality shall not apply to
information relating to a subscriber which—
(a) is contained in the certificate and is available to the public for
inspection;
(b) is otherwise provided by the subscriber to the licensed certification