14. Revocation of certificates.
(1) A certification service providers shall revoke a certificate upon —
(a) Receiving a request for revocation from a subscriber or his authorized agent;
(b) Detecting forgery or falsification of the information existing in the database or
changes in the information in database and
(c) Detecting the incapacity, bankruptcy or death of the subscriber:
Provided that where it is practicable, a certification service provider shall afford
the subscriber a reasonable opportunity to be heard, before the revocation is
effected.
(2) A certification service provider shall maintain facilities that can receive and act
upon requests for revocation at all times of the day and on all days of every year.
(3) A certification service provider shall use the subscriber identity verification
method specified in the certification practice statement to confirm the identity of
the subscriber or authorized agent who makes a request for revocation.
(4) A certification service provider shall, after revoking a certificate, give a notice
of revocation to the subscriber and publish the notice in the respective repository.
(5) A certification service provider shall log and keep in a secure manner the date
and time of all transactions relating to the revocation of a certificate.
(6) A party who wishes to rely on any certificate shall, before relying on a
certificate, establish the status of the certificate.
15. Performance audits.
The Commission shall, at least once in every year, audit the operations of a
licensed certification service provider to monitor compliance with the Act and
these Regulations.
16. Security guidelines.
(1) A certification service provider shall comply with the security guidelines that
may be issued by the Commission.