require prior written approval of the Commission.
3) A Certification Service Provider shall, in its certification
practice statement, highlight to its subscribers any
limitation of its liabilities and, in particular, draw the
subscribers' attention to the implication of reliance limits
on their certificates.
4) The subscriber identity verification method for the
issuance, suspension, revocation and renewal of a
certificate must be specified in the certification practice
statement.
5) A copy of the latest version of the certification practice
statement, together with its effective date, shall be filed
with the Commission and published on the Certification
Service Provider's website accessible to members of the
public.
6) Certification Service Providers shall log all changes to
the certification practice statement together with the
effective date of each change.
7) A licensed Certification Service Provider shall keep in a
secure manner a copy of each version of the certification
practice statement together with the date it came into
effect and the date it ceased to have effect.
Security Guidelines
14.
1) Every licensed Certification Service Provider shall
ensure that in the provision of its services it materially
satisfies the security guidelines that may be issued by the
Commission from time to time.
2) In determining whether a departure from the security
guidelines has occurred, reasonable professional
judgment shall be exercised as to whether a condition
that does not strictly comply with the guidelines is or is
not material, taking into consideration the circumstances
and the system as a whole.
3) Without prejudice to the generality of paragraph (2), the
following incidents of non-compliance shall be
considered to be material:
a. any non-compliance relating to the validity of a
certificate;
b. the performance of the functions of a certification
personnel by a person who is not suitably
qualified; or
11