Electronic Commerce Security Reaches a New Milestone with the Launch of the Regulations to the Electronic Transactions Act

Singapore, 10 February 1999 | For Immediate Release

The National Computer Board (NCB) today released the Electronic Transactions (Certification Authority) Regulations for the licensing of certification authorities (CAs; see the Glossary of Technical Terms below) in Singapore. The Regulations set a new benchmark for the integrity and security of the services offered by CAs, thus giving electronic commerce (e-commerce) security a boost.

In the faceless world of the Internet, transacting parties may not be able to reliably verify each other's identity. A CA thus plays the important role of a trusted third party in vouching for the identities of holders of certificates that it issues (i.e. its subscribers). Parties participating in online transactions can, through the digital signatures created and the information contained in the certificates, reliably verify the identities of the transacting parties. Due to their position of trust, CAs will have to be subjected to high standards and control.

The Chief Executive of the NCB has been appointed as the Controller of Certification Authorities. The Controller will regulate, license and oversee the activities of CAs in Singapore. The NCB will be the regulatory agency for CAs in Singapore.

The Regulations lay down the administrative framework for licensing by the Controller of CAs. They also stipulate the criteria for a CA in Singapore to be licensed, and the continuing operational requirements for the CA once a licence has been obtained. The criteria that CAs will be evaluated against include their financial standing, operational policies and procedures, and track record.

Benefits of Licensing

A system of licensing will ensure that CAs comply with an established set of stringent standards and controls, and will instil public confidence in the services offered by CAs. In return, digital signatures created using certificates issued by licensed CAs will be legally recognised under the law. A licensed CA will enjoy the benefits of evidentiary presumption for digital signatures generated from the certificates it issues. With such presumption, the party relying on the signature merely has to show that the signature has been correctly verified, and the onus is on the other party disputing the signature to prove otherwise.

A licensed CA will also enjoy limitations in liability as prescribed in the Electronic Transactions Act (ETA). The CA will not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber so long as the CA has complied with the requirements under the Act and the Regulations. In the event that a licensed CA fails to observe some of its obligations, the CA will only be liable up to the reliance limit specified in the certificate.

Mr Stephen Yeo, Chief Executive, NCB, said: "The licensing scheme that we have put in place is in some ways different from those regulatory regimes that we are familiar with. This scheme is a voluntary one, and is more akin to an ISO-type certification scheme, in that only CAs that meet high integrity and operational standards will qualify for the license. This will enable the public to use the services of a licensed CA with confidence. We strongly encourage industry players that desire the benefits of the ETA to apply to be licensed."

Licensing Scheme 

Applications are now open for CAs to be licensed. To apply for a licence, applicants have to pay an application fee of S$5,000 to cover the processing costs. Once approval for a licence has been given, an annual licensing fee of S$1,000 will be levied. Licences with a one-year validity period will be issued initially. As the industry matures and the CA builds up a track record, licences for a longer period can be issued.

Cross Certification 

Licensing is only the first step in promoting the use of certification authorities. Efforts are currently underway to facilitate the recognition of certificates from other countries. For example, in June 1998, Singapore and Canada announced the first cross-certification of the countries' public key infrastructures (see the Glossary of Technical Terms) to mutually recognise each other's digital certificates and certification authorities. These initiatives will bring Singapore one step closer to harmonising cross-border e-commerce laws and policies, and give businesses greater confidence to engage in electronic transactions with overseas partners.

National Public Key Infrastructure Advisory Committee (NPAC) 

The NCB also announced plans for the formation of a national advisory committee on CAs. This committee, called the National Public Key Infrastructure (PKI) Advisory Committee or NPAC (see the Glossary of Technical Terms), will be chaired by the Controller and will comprise industry consultants, leading PKI technology providers and CA operators. The committee will identify, deliberate and advise the Controller on national PKI policy issues and matters of cross certification and international interoperation. This will enable the Controller to review, fine-tune the Regulations and respond quickly to international developments in this area, given the dynamic nature of the environment.

Conclusion 

The Electronic Transactions Act and its Regulations aim to provide a legal framework that will establish trusted CA services in Singapore, serving both the domestic and international markets. In the long term, they provide the foundation to establish Singapore as a trusted hub for e-commerce, providing a wide range of security products and services.


Supplementary Information:

Glossary of Technical Terms

  1. Certification Authority - A trusted third party who issues digital certificates, and vouches for the identity of the holder of the digital certificate.

  2. Digital Signature - An electronic signature that can be used to establish the identity of a party, make legal commitments and/or guarantee that the contents of a file or message have not been altered.

  3. Digital Certificate - An electronic document that certifies the electronic public key of users and organisations.

  4. Public Key Infrastructure - The entire system of digital certificates and certification authorities is collectively known as a Public Key Infrastructure (PKI).

Attachments:

Appendix 1: Salient Features of the Electronic Transactions (Certification Authority) Regulations 1999  

    Introduction
  1. The Electronic Transactions Act and its Regulations have put in place a voluntary licensing scheme for certification authorities (CAs). In addition to laying down the administrative framework for licensing by the Controller of CAs, the Regulations also stipulate the criteria for a CA in Singapore to be licensed, and the continuing operational requirements after obtaining a licence. The criteria that CAs will be evaluated against include their financial standing, operational policies and procedures, and track record.

    Benefits of Licensing
  2. Although the licensing scheme is a voluntary one, there are certain benefits for a CA to be licensed:

    • A licensed CA will enjoy the benefits of evidentiary presumption for digital signatures generated from the certificate it issues. Without such a presumption, a party that intends to rely on a digital signature must produce enough evidence to convince the court that the signature was created under conditions that will render it trustworthy. With the presumption, the party relying on the signature merely has to show that the signature has been correctly verified, and the onus is on the other party disputing the signature to prove otherwise.

    • The liability of a licensed CA is limited under the Act. The CA will not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber so long as the CA has complied with the requirements under the Act and the Regulations. In the event that a licensed CA fails to observe some of its obligations, the CA will only be liable up to the reliance limit specified in the certificate.

    • The licensing of a CA by the Controller is an indication that the CA has met the stringent regulatory requirements established. It is thus an indication to the public that the CA is trustworthy and deserving of consumer confidence. Together with the ease of proof in using digital signatures, there can be reliance on such CAs with greater certainty.

    Licensing Scheme
  3. To apply for a licence, applicants have to pay an application fee of S$5,000 to cover the processing costs. Once approval for a licence has been given, an annual licensing fee of S$1,000 will be levied. Licences with a one-year validity period will be issued initially. As the industry matures and the CA builds up a track record, licences for a longer period can be issued.

    Criteria for Granting and Renewing Licences

    Financial Criteria, etc. 
  4. The licensing scheme is intended for companies operating in Singapore. The applicant must demonstrate that it has sufficient funds to operate a CA and has adequate insurance coverage for the major areas of liability. In addition, the applicant needs to post a performance bond or banker's guarantee. This is for the payment of fines arising from offences, or for liabilities and rectification costs arising from the CA's negligence. It may also be used for costs in the transition to a successor CA if the licensed CA decides to discontinue its operations.

    Operational Criteria
  5. Prior to licensing, the applicant must undergo and pass an initial audit to demonstrate that it has met the requirements stipulated in the Act and the Regulations. In addition, the applicant will also be audited for compliance with its own Certification Practice Statement (CPS). A CPS is a document that stipulates the policies and procedures a CA adopts for the certificates it issues. Audits are also required again before a licence can be renewed.


    Security Guidelines
  6. The Controller has published a set of security guidelines that CAs will be audited against. These security guidelines are specially tailored for CA operations. Hence, in addition to general security requirements, there are specific requirements governing CA operations such as certificate and key management.


    Requirements on Record Keeping
  7. Licensed CAs must have reliable records and logs for activities that are core to the CA's operations. These activities include certificate management, key generation and administration of its computing facilities. To enable verification of past transactions, licensed CAs have to archive certificates for a minimum of seven years. The CAs should maintain such archives for a longer period where feasible.


    Management of Certificates
  8. The management of certificates is a core function of a CA and is subject to strict requirements. The Controller must approve the methods used by the licensed CA to verify the identity of a subscriber before granting or renewing a subscription for a certificate. In accordance with the provisions of the Act, a licensed CA must also publish a notice of a certificate suspension or revocation immediately after receiving an authorised request for a certificate suspension or revocation.


    Secure Digital Signatures
  9. In addition to meeting baseline security policies and requirements, the Regulations also specify when a digital signature will qualify as a secure digital signature (i.e. a legally binding digital signature that has the evidentiary presumption under the Act). An applicant must provide a system that can meet these requirements for generating secure digital signatures. Some of these requirements are:

    a) when a digital signature is successfully verified, it must confirm that the digitally signed document or record has not been tampered with since the fixation of the signature;

    b) when a digital signature is successfully verified, it must accurately identify the signatory;

    c) it is computationally infeasible for any person other than the signatory to have created the specific digital signature;

    d) measures must be taken to ensure that the creation of a signature must be under the direction of the signatory; and

    e) no other person can reproduce the sequence of steps to create the signature and thereby create a valid signature without the involvement or the knowledge of the signatory.


    Types of Certificates
  10. To cater for market demands, a licensed CA may issue certificates with different levels of assurance. A licensed CA may issue trustworthy certificates that can create secure digital signatures, or other lower assurance certificates for simple authentication or identification purposes in applications such as electronic mail. However, this is subject to the approval of the Controller: each type of certificate must have a distinct approved CPS associated with it. This will give more flexibility to a licensed CA and will not disadvantage it vis-à-vis an unlicensed CA in the types of certificates it can issue.


    Confidentiality Requirements
  11. Licensed CAs have to ensure confidentiality of subscriber information. This is to prevent abuse of the subscriber's trust in providing potentially private subscriber information to the CA when applying for a certificate.


    Government CAs
  12. Under the Act, a government agency may be approved by the Minister for Trade and Industry to act as a CA with the benefits of a licensed CA. With the exception of certain requirements (e.g. financial criteria), the Regulations will also apply to such government CAs.


    Waivers
  13. Although the Regulations will apply generally to CAs, the Controller will consider granting waivers for some of the requirements in the Regulations in special circumstances, especially for CAs in closed network communities.


    Conclusion
  14. The Act and the Regulations aim to provide a legal framework that will establish trusted CA services in Singapore, serving both the domestic and international markets. In the long term, they provide the foundation to establish Singapore as a trusted hub for e-commerce, providing a wide range of security products and services.

Prepared by National Computer Board, 10th February 1999

Appendix 2

Digital Signatures and Certification Authorities
In the electronic world, hand-written signatures can be replaced by digital signatures. Like written signatures, digital signatures may be used to establish the identity of a party or to make legal commitments. In addition, digital signatures can also be used to guarantee that the contents of a file or message have not been altered. The recently enacted Electronic Transactions Act provides for the recognition of digital signatures under Singapore law.

For digital signatures to work, a trusted third party known as a Certification Authority (CA) is needed to issue digital certificates that certify the electronic identities of users and organisations. Before issuing a digital certificate, the CA performs an identity verification on the user or business entity. The CA acts like a trusted electronic notary, telling everyone who the valid users are and what their digital signatures should look like. With a certified electronic identity, an Internet user's digital signatures will then be recognised by parties involved in electronic transactions like Internet banking, online shopping and online information subscription services. The whole system of digital certificates, certificate servers and CAs is collectively known as a Public Key Infrastructure (PKI).

Digital signatures based on digital certificates issued by licensed CAs are automatically considered to be trustworthy and recognised by the law. Just like written signatures, they can be used to sign contracts or to purchase goods and services. To prevent forgery, digital signatures are created using a personal secret code, known as the signing key, that is usually stored in a secure device like a smart card. It is important that the signing key be kept private at all times so that no one else can forge your digital signatures. Loss of a signing key must be reported to the certification authority immediately.

Technical Inset
Digital signatures are created using a mathematical technique called cryptography. Cryptography is the science of disguising information by transforming a piece of data into something that seems totally random. The transformation process, known as encryption, usually involves an electronic key, which is just a string of digital bits functioning like a key to a lock in the physical world. Encrypting a piece of data is like putting the data into a safe and locking it with a key. By performing the reverse transformation (decryption), which may require the same key or a different key, the original data can be retrieved. Digital signatures use public key cryptography, a kind of cryptographic system involving two electronic keys. In public key cryptography, one key is kept private to the user while the other key is made known to the general public.

Suppose Alice wants to sign an electronic contract to be sent to Bob (please see Figure 1). She uses a signing system in conjunction with her signing key (private key) to create a digital signature based on the contract. On receiving the digital signature, Bob uses a verification system with Alice's verification key (public key) to verify that the contract was indeed signed by Alice. The system can determine that the signature has been created by Alice because only Alice's signing key could have generated the signature, and Alice is the only person who possesses the signing key. Hence, it is important that the signing key be kept private since anyone besides Alice who has a copy of her signing key will be able to forge her digital signatures. The signing key is usually stored in a smart card that is protected by a password. Loss of a private key must be reported to the certification authority immediately.

For the above scenario to work, Bob will need to have a trusted copy of Alice's verification key. This can be done by having a trusted third party known as a Certification Authority (CA). The CA issues digital certificates, which are electronic documents that tie each person's or organisation's identity to his/her public verification key. These digital certificates are signed by the CA, so that users can verify that the certificates are authentic. Figure 2 depicts a more complete picture of the digital signing and verification process. Bob checks that the digital certificate belongs to Alice and has been signed by a trusted CA. He then uses the enclosed verification key to verify Alice's digital signature. The digital certificate, used in conjunction with the private signing key, serves as a form of electronic identification, much like a digital passport.
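The signing and verification flow of Figure 2, together with requirements (a) to (c) of paragraph 9 in Appendix 1, as an added example that is not part of the original press release and not any NCB or CA system. It uses Go's standard crypto/ed25519 package; the certificate layout, the "CERT:" prefix and the revocation list are hypothetical constructions for illustration, and the contract text is constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate: constructed, hypothetical format binding a subscriber's name to its verification key under the CA's signature.
type Certificate struct {
	Serial    uint64
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

// tbs is what the CA signs; the CERT: prefix keeps a certificate signature distinct from any document signature.
func (c Certificate) tbs() []byte {
	var serial [8]byte
	binary.BigEndian.PutUint64(serial[:], c.Serial)
	b := append([]byte("CERT:"), serial[:]...)
	b = append(b, byte(len(c.Subject)))
	b = append(b, c.Subject...)
	return append(b, c.PublicKey...)
}

// IssueCertificate is the CA's step, after identity verification: sign the (serial, subject, key) binding with the CA key.
func IssueCertificate(caPriv ed25519.PrivateKey, serial uint64, subject string, pub ed25519.PublicKey) Certificate {
	c := Certificate{Serial: serial, Subject: subject, PublicKey: pub}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// SignDocument is Alice's step: the signature covers the whole document, so any later change breaks it.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte { return ed25519.Sign(priv, doc) }
// VerifySigned is Bob's side of Figure 2: trust only caPub, check the certificate is from that CA and unrevoked, then verify the document.
func VerifySigned(caPub ed25519.PublicKey, revoked map[uint64]bool, cert Certificate, doc, sig []byte) error {
	if !ed25519.Verify(caPub, cert.tbs(), cert.CASig) {
		return errors.New("certificate was not issued by the trusted CA")
	}
	if revoked[cert.Serial] {
		return errors.New("certificate has been revoked")
	}
	if len(cert.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(cert.PublicKey, doc, sig) {
		return errors.New("signature invalid: document altered or signed with another key")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCertificate(caPriv, 1, "Alice", alicePub)
	contract := []byte("Alice agrees to deliver 100 widgets to Bob.") // constructed sample
	sig := SignDocument(alicePriv, contract)
	fmt.Println("genuine:", VerifySigned(caPub, nil, cert, contract, sig))
	fmt.Println("altered:", VerifySigned(caPub, nil, cert, []byte("Alice agrees to deliver 1000 widgets to Bob."), sig))
}
```

A certificate that Eve issues to herself under the name "Alice" fails the first check because Bob holds only the real CA's public key, which is exactly why the relying party's trust anchor, not the name in the certificate, decides who is vouched for.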

LAST UPDATED: 13 MAR 2023