(2) A certification service provider shall provide every subscriber with a secure
and trustworthy system to generate his key pair.
(3) A certification service provider shall establish a mechanism that generates and
verifies advanced electronic signatures in a secure and trustworthy manner and
indicates the validity of a signature.
(4) Where the advanced electronic signature is not valid, the mechanism
established under paragraph (3) should indicate the reason for invalidity and the
status of the certificate.
(5) Where a verification mechanism is established by any person who is not a
certification service provider, the resulting signature shall not be considered secure
unless a licensed certification service provider endorses the implementation of
mechanism and its certificate.
(6) A licensed certification service provider shall store the keys, including the
subscriber’s and the certification service provider’s keys, in a secure and
trustworthy manner.
17. 1ncent handling.
(1) A certification service provider shall establish an incident management plan to
address, among others, incidents relating to(a) Compromise of key;
(b) Penetration of certification service provider’s system and network;
(c) Unavailability of infrastructure; and
(d) Fraudulent registration and generation of certificates, certificate suspension and
revocation information.
(2) Where any incident referred to in paragraph (1) occurs, a certification service
provider shall report the incident to the Commission within twenty four hours.
18. Confidentiality.
(1) A certification service provider shall not collect personal data directly from the
subscribers or their authorised agents, unless the personal data is necessary for the
purposes of issuance of a certificate.