
Malaysian Digital Signature Act 1997

Question 1
What is Licence Framework under Digital Signature Act 1997?

Answer 1
The emergence of the Digital Signature arose out of the need to ensure a secure connection between two transacting parties. Security and commitment are key issues for commercial online transactions, as the Internet is an open network prone to problems such as uncertain identity, lack of legal commitment, third-party interference and manipulation of information.

The enactment of the Digital Signature Act 1997, which came into effect on 1st Oct 1998, introduces and implements the use of Digital Certificates for Internet-based commercial transactions. The Malaysian Communications and Multimedia Commission took over the role of the Controller of Certification Authorities on 1st November 2001 and is now empowered to exercise, discharge and perform the duties, powers and functions conferred on it under the Digital Signature Act 1997. The Act primarily provides for the licensing and regulation of Certification Authorities (CA).

Licensing Framework
The Digital Signature Act 1997 and the Digital Signature Regulations 1998 provide the licensing framework for the provision of digital signatures in Malaysia, including the types of services, the qualification requirements, how to apply and the respective fees. The framework covers:

a) Licensed Certification Authority;
b) Certificate of Recognition for a Repository;
c) Certificate of Recognition for a Date/Time Stamp Service; and
d) Recognition of Foreign Certification Authority.

Question 2
What is the function of Licensed Certification Authority?

Answer 2
The function of a licensed certification authority is to issue a certificate to a subscriber upon application, upon satisfaction of the licensed certification authority's requirements as to the identity of the subscriber to be listed in the certificate, and upon payment of the prescribed fees and charges.

A licensed certification authority, before issuing any certificate, must take all reasonable measures to check the proper identification of the subscriber to be listed in the certificate.

The licensing of certification authorities is obligatory under the Digital Signature Act 1997. The MCMC issues two stages of licences for certification authorities:
a) The establishment stage; and
b) The operation stage.

The MCMC issues the establishment stage licence for a period not exceeding one year. During that period, the person has to fulfil all licensing requirements and may apply for the operation stage.

A person is not allowed to carry on or operate as a licensed certification authority until that person has been issued with the operation stage licence.

Question 3
Who can apply for Licensed Certification Authority?

Answer 3
A person intending to carry on or operate as a certification authority must satisfy the following requirements:

§ It is a body corporate incorporated in Malaysia or a partnership within the meaning of the Partnership Act 1961;
§ It maintains a registered office in Malaysia;
§ It has a working capital reasonably sufficient, according to the requirements of the Commission, to enable it to carry on or operate as a certification authority;
§ It files with the Commission a suitable guarantee;
§ It uses a trustworthy system for the generation and management of key pairs and certificates;
§ It uses an approved digital signature scheme for the generation of key pairs and for the creation and verification of digital signatures;
§ It has an operating procedure that includes a certification practice statement, the measures to be taken to check the identity of subscribers to be listed in certificates, and the repositories and date/time stamp services to be used;
§ It employs as operative personnel only persons who:
a) have not been convicted within the past 15 years of an offence involving fraud, false statement or deception; and
b) have demonstrated knowledge and proficiency in following the requirements of the Act and its Regulations;
§ It complies with the licensing, standards and technical requirements under the Act and its Regulations; and
§ It complies with such other requirements as the Commission thinks fit.

Question 4
What are the details required to apply for Licensed Certification Authority?

Answer 4
To apply for Licensed Certification Authority:
a) A person fills in Form 1;
b) A person must provide the following information for the establishment stage:
(i) the particulars of the applicant;
(ii) the anticipated operational costs and proposed financing;
(iii) details of the personnel to be employed and their qualifications, if available;
(iv) the proposed operating procedure; and
(v) the services to be provided and the fees and charges to be imposed for them.
c) A person must provide the following information for the operation stage:
(i) all valid information submitted for the establishment stage;
(ii) all new information and all the changes to the information submitted for the establishment stage, if any;
(iii) a suitable guarantee; and
(iv) a report from a qualified auditor certifying that the prescribed licensing, standards and technical requirements have been satisfied.
d) The prescribed fee; and
e) Such other information or documents as the Commission may require.

Question 5
What is Certificate of Recognition for a Repository under Digital Signature Act 1997?

Answer 5
The repository service is important and critical to the operation of an open Public Key Infrastructure. The development of robust and easily accessible repository service is a crucial mechanism to maintain the quality of certification authority services. Typically, a repository will contain the licensed certification authorities’ disclosure records, certificates, the most recent Certificate Revocation List (CRL), other suspension or revocation information and other information about certification practices.

Question 6
Who can apply for Certificate of Recognition for a Repository?

Answer 6
A person intending to carry on or operate as a repository must satisfy the following requirements:

§ It is a body corporate incorporated in Malaysia or a partnership within the meaning of the Partnership Act 1961 [Act 135];
§ It maintains a registered office in Malaysia;
§ It has a working capital reasonably sufficient, according to the requirements of the Commission, to enable it to conduct business as a Repository;
§ It employs as operative personnel only persons who:
a) have not been convicted within the past 15 years of an offence involving fraud, false statement or deception; and
b) have demonstrated knowledge and proficiency in following the requirements of the Act and its Regulations;
§ The repository includes a database that is capable of containing:
a) Certification Authority disclosure records for licensed Certification Authority;
b) Certificates to be published in the repository;
c) Notices of suspended or revoked certificates to be published by a licensed certification authority or any person suspending or revoking certificates;
d) Notice of termination of suspension of certificates to be published by a licensed certification authority or any person suspending certificates;
e) Advisory statements, written defences thereto and decisions made by the Commission thereon to be published by the Commission under the Act and its Regulations; and
f) Such other information as the Commission thinks fit.
§ It operates by means of a trustworthy system;
§ The repository contains no significant amount of information that the Commission finds is known or likely to be untrue, inaccurate or not reasonably reliable;
§ The repository contains certificates published by certification authorities that are required to conform to rules of practice that are similar to or more stringent than the requirements of the Act and its Regulations;
§ It keeps and maintains an archive of certificates that have been suspended or revoked, or that have expired, for at least the preceding ten years;
§ It complies with the certification, standards and technical requirements under the Act and its Regulations; and
§ It complies with such other requirements as the Commission thinks fit.

Question 7
What are the details required to apply for Certificate of Recognition for a Repository?

Answer 7
To apply for Certificate of Recognition for a Repository:
a) A person fills in Form 1;
b) For the establishment stage, a person must provide the following information:
(i) the particulars of the applicant;
(ii) the anticipated operational costs and proposed financing;
(iii) details of the personnel to be employed and their qualifications, if available;
(iv) the proposed operating procedure; and
(v) the services to be provided and the fees and charges to be imposed for them.
c) For the operation stage, a person must provide the following information:
(i) all valid information submitted for the establishment stage;
(ii) all new information and all the changes to the information submitted for the establishment stage, if any; and
(iii) a report from a qualified auditor certifying that the prescribed certification, standards and technical requirements have been satisfied.
d) The prescribed fee; and
e) Such other information or documents as the Commission may require.

Question 8
What is Certificate of Recognition for a Date/Time Stamp Service under Digital Signature Act 1997?

Answer 8
A way of vouching for the exact time when a computer record (a message, a document, or even a digital signature) was created or last modified is to use a digital date/time stamping system. A digital date/time stamp is basically a cryptographically unforgeable digital declaration which can be used as evidence of the date and time a computer record was created. The date/time stamp can be attached to a digital signature, message or other document if required by any written law.

Question 9
Who can apply for Certificate of Recognition for a Date/Time Stamp Service?

Answer 9
A person intending to carry on or operate a date/time stamp service must satisfy the following requirements:

§ It is a body corporate incorporated in Malaysia or a partnership within the meaning of the Partnership Act 1961 [Act 135];
§ It maintains a registered office in Malaysia;
§ It has a working capital reasonably sufficient, according to the requirements of the Commission, to enable it to conduct business as a date/time stamp service;
§ It employs as operative personnel only persons who:
a) have not been convicted within the past 15 years of an offence involving fraud, false statement or deception; and
b) have demonstrated knowledge and proficiency in following the requirements of the Act and its Regulations;
§ It operates by means of a trustworthy system;
§ It uses a reasonably secure and tamper-proof mechanism as its time-stamping device;
§ It keeps and maintains an archive of documents that have been time-stamped, even where the contents of the documents themselves are not disclosed, for at least the preceding ten years;
§ It complies with the certification, standards and technical requirements under the Act and its Regulations; and
§ It complies with such other requirements as the Commission thinks fit.

Question 10
What are the details required to apply for Certificate of Recognition for a Date/Time Stamp Service?

Answer 10
To apply for Certificate of Recognition for a Date/Time Stamp Service:
a) A person fills in Form 1;
b) For the establishment stage, a person must provide the following information:
(i) the particulars of the applicant;
(ii) the anticipated operational costs and proposed financing;
(iii) details of the personnel to be employed and their qualifications, if available;
(iv) the proposed operating procedure; and
(v) the services to be provided and the fees and charges to be imposed for them.
c) For the operation stage, a person must provide the following information:
(i) all valid information submitted for the establishment stage;
(ii) all new information and all the changes to the information submitted for the establishment stage, if any; and
(iii) a report from a qualified auditor certifying that the prescribed certification, standards and technical requirements have been satisfied.
d) The prescribed fee; and
e) Such other information or documents as the Commission may require.

Question 11
What is Recognition of Foreign Certification Authorities under Digital Signature Act 1997?

Answer 11
The Commission may recognise, by order published in the Gazette, certification authorities licensed or otherwise authorized by governmental entities outside Malaysia. A certificate issued by a recognised foreign certification authority has the same effect as a certificate issued by a licensed certification authority of Malaysia.

Question 12
What are the criteria to apply for Recognition of Foreign Certifications Authorities?

Answer 12
a) A foreign certification authority is eligible for recognition if an international treaty, agreement or convention concerning the recognition of its certificates has been concluded to which Malaysia is a party;
b) It must be licensed or otherwise authorized by the relevant governmental entity in that country to carry on or operate as a certification authority in that country;
c) The certificates issued by the foreign certification authority demonstrate a level of security equal to or more stringent than the level of security of certificates issued by a licensed certification authority in Malaysia;
d) It has established a local agent for service of process in Malaysia;
e) It complies with the standards and technical requirements under the Act and its Regulations; and
f) It complies with such other requirements as the Commission thinks fit.

Question 13
What are the details required to apply for Recognition of Foreign Certification Authorities?

Answer 13
A foreign certification authority must apply:
a) In writing to the Commission for the recognition;
b) The application above must be accompanied by the following documents:
(i) proof that the criteria for recognition of foreign certification authorities have been satisfied, including a report from a qualified auditor certifying that the prescribed standards and technical requirements have been satisfied.
c) The prescribed fee; and
d) Such other information or document as the Commission may require.
