Förderverein Informationstechnik und Gesellschaft

new Singapore PKI regulations

------- Forwarded Message Follows -------
Date:          Wed, 10 Feb 1999 09:07:09 -0500
From:          Robert Hettinga <>
Subject:       new Singapore PKI regulations

--- begin forwarded text

Date:         Wed, 10 Feb 1999 08:43:58 -0500
Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
From: Michael Power <Power.Michael@TBS-SCT.GC.CA> Subject:      new
Singapore PKI regulations To: DIGSIG@LISTSERV.TEMPLE.EDU

Our colleagues in Singapore have been kind enough to let us know about
the new Singapore Electronic Transactions (Certification Authority)
Regulations 1999. (Released 10 Feb 99) Those interested in the subject
can obtain further details at  <> but below is the press document accompanying the
release of the regulations.

1.      The Electronic Transactions Act and its Regulations have put
in place a voluntary licensing scheme for certification authorities
(CAs). In addition to laying down the administrative framework for
licensing by the Controller of CAs, the Regulations also stipulate the
criteria for a CA in Singapore to be licensed, and the continuing
operational requirements after obtaining a licence. The criteria that
CAs will be evaluated against include their financial standing,
operational policies and procedures, and track record.

Benefits of Licensing
2.      Although the licensing scheme is a voluntary one, there are
certain benefits for a CA to be licensed:

a.      A licensed CA will enjoy the benefits of evidentiary
presumption for digital signatures generated from the certificate it
issues. Without such a presumption, a party that intends to rely on a
digital signature must produce enough evidence to convince the court
that the signature was created under conditions that will render it
trustworthy. With the presumption, the party relying on the signature
merely has to show that the signature has been correctly verified, and
the onus is on the other party disputing the signature to prove

b.      The liability of a licensed CA is limited under the Act. The
CA will not be liable for any loss caused by reliance on a false or
forged digital signature of a subscriber so long as the CA has
complied with the requirements under the Act and the Regulations. In
the event that a licensed CA failed to observe some of its
obligations, the CA will only be liable up to the reliance limit
specified in the certificate.

c.      The licensing of a CA by the Controller is an indication that
the CA has met the stringent regulatory requirements established. It
is thus an indication to the public that the CA is trustworthy and
deserving of consumer confidence. Together with the ease of proof in
using digital signatures, there can be reliance on such CAs with
greater certainty.

Licensing Scheme
3.      To apply for a licence, applicants have to pay an application
fee of S$5,000 to cover the processing costs. Once approval for a
licence has been given, an annual licensing fee of S$1,000 will be
levied. Licences with a one-year validity period will be issued
initially. As the industry matures and the CA builds up a track
record, licences for a longer period can be issued.

Criteria for Granting and Renewing Licences
        Financial Criteria, etc.
4.      The licensing scheme is intended for companies operating in
Singapore. The applicant must demonstrate that it has sufficient funds
to operate a CA, and have adequate insurance coverage to cover major
areas of liability. In addition, the applicant needs to post a
performance bond or banker's guarantee. This is for the payment of
fines arising from offences, or for liabilities and rectification
costs arising from the CA's negligence. It may also be used for costs
in the transition to a successor CA if the licensed CA decides to
discontinue its operations.
                Operational Criteria
5.      Prior to licensing, the applicant must undergo and pass an
initial audit to demonstrate that it has met the requirements
stipulated in the Act and the Regulations. In addition, the applicant
will also be audited for compliance with its own Certificate Practice
Statements (CPS). CPS are documents which stipulate the policies and
procedures a CA adopts for the certificates it issues. Audits are also
required again before a licence can be renewed.
                Security Guidelines
6.      The Controller has published a set of security guidelines that
CAs will be audited against. These security guidelines are specially
tailored for CA operations. Hence, in addition to general security
requirements, there are specific requirements governing CA operations
such as certificate and key management.

Requirements on Record Keeping
7.      Licensed CAs must have reliable records and logs for
activities that are core to the CA's operations. These activities
include certificate management, key generation and administration of
its computing facilities. To enable verification of past transactions,
licensed CAs have to archive certificates for a minimum of seven
years. The CAs should maintain such archives for a longer period where

Management of Certificates
8.      The management of certificates is a core function of a CA and
is subject to strict requirements. The Controller must approve the
methods used by the licensed CA to verify the identity of a subscriber
before granting or renewing a subscription for a certificate. In
accordance with the provisions of the Act, a licensed CA must also
publish a notice of a certificate suspension or revocation immediately
after receiving an authorised request for a certificate suspension or

Secure Digital Signatures
9.      In addition to meeting baseline security policies and
requirements, the Regulations also specify when a digital signature
will qualify as a secure digital signature (i.e. a legally binding
digital signature that has the evidentiary presumption under the Act).
An applicant must provide a system that can meet these requirements
for generating secure digital signatures. Some of these requirements

a.      when a digital signature is successfully verified, it must
confirm that the digitally signed document or record has not been
tampered with since the fixation of the signature;

b.      when a digital signature is successfully verified, it must
accurately identify the signatory;

c.      it is computationally infeasible for any person other than the
signatory to have created the specific digital signature;

d.      measures must be taken to ensure that the creation of a
signature must be under the direction of the signatory; and

e.      no other person can reproduce the sequence of steps to create
the signature and thereby create a valid signature without the
involvement or the knowledge of the signatory.

Types of Certificates
10.     To cater for market demands, a licensed CA may issue
certificates with different levels of assurance. A licensed CA may
issue trustworthy certificates that can create secure digital
signatures, or other lower assurance certificates for simple
authentication or identification purposes in applications such as
electronic mail. However, this is subject to the approval of the
Controller - each type of certificate must have a distinct approved
CPS associated with it. This will give more flexibility to a licensed
CA and will not disadvantage them vis-à-vis an unlicensed CA in the
types of certificates it can issue.

Confidentiality Requirements
11.     Licensed CAs have to ensure confidentiality of subscriber
information. This is to prevent abuse of the subscriber's trust in
providing potentially private subscriber information to the CA when
applying for a certificate.

Government CAs
12.     Under the Act, a government agency may be approved by the
Minister for Trade and Industry to act as a CA with the benefits of a
licensed CA. With the exception of certain requirements (e.g.
financial criteria), the Regulations will also apply to such
government CAs.

13.     Although the Regulations will apply generally to CAs, the
Controller will consider granting waivers for some of the requirements
in the Regulations in special circumstances, especially for CAs in
closed network communities.

14.     The Act and the Regulations aim to provide a legal framework
that will establish trusted CA services in Singapore, serving both the
domestic and international markets. In the long term, they provide the
foundation to establish Singapore as a trusted hub for e-commerce,
providing a wide range of security products and services.

Prepared by National Computer Board, 10th February 1999

Michael Power
Assistant Director, Policy / Directeur adjoint, Politiques
Interdepartmental PKI Task Force / Groupe interministériel de mise en
oeuvre de l'ICP Treasury Board Secretariat / Secrétariat du Conseil du
Trésor 275 rue Slater Street, Ottawa, Canada K1A 0R5 Tel. 946-5056;
Fax. 946-9893; Email:
<>  , Website:
<>     <<...>>

--- end forwarded text

Robert A. Hettinga <mailto:>
Philodox Financial Technology Evangelism <> 44
Farquhar Street, Boston, MA 02131 USA "... however it may deserve
respect for its usefulness and antiquity, [predicting the end of the
world] has not been found agreeable to experience." -- Edward Gibbon,
'Decline and Fall of the Roman Empire'