The Electronic Transactions Act ("ETA") and the Electronic Transactions (Certification Authority) Regulations ("ETR") provide a legal framework to facilitate the establishment of trusted certification authority ("CA") services in Singapore, serving both the domestic and international markets.
Having achieved the initial target of providing a basic legal framework and secure public key infrastructure ("PKI") for trusted e-commerce transactions, the focus now is to maintain the market relevance of the ETR to international developments in this area. With the emergence of a more mature PKI market and the availability of new alternative security solutions, the existing framework of the ETR, which seeks to create trust by imposing stringent requirements for licensing CAs, may be inappropriate in today's context.
To facilitate further development of the CA, authentication and security solutions market, Singapore has moved away from ensuring the business viability of CAs through stringent financial requirements. Instead, users should be allowed to make their own commercial decisions on the level of security and risk that they are prepared to accept. The 2010 ETR aims to encourage CAs to be accredited so long as the guidelines in the Compliance Audit Checklist (which replaces the Security Guidelines) are met.
The key features of the 2010 ETR are:
- Voluntary Accreditation: The Electronic Transactions Act and its Regulations have put in place a voluntary accreditation scheme for CAs. The ETR stipulate the criteria for a CA in Singapore to be accredited, and the continuing operational requirements after accreditation. The criteria against which CAs will be evaluated include their financial standing, operational policies and procedures, and track record. Most international economies, such as Australia, Japan and Taiwan, have adopted voluntary schemes for the accreditation of CAs, as these are more conducive to the growth of the industry.
- Fees and Term of Accreditation: Under the 2010 ETR, CAs applying for accreditation will be required to pay an application fee of $1,000 and an accreditation fee of $1,000. The term of accreditation is two years.
- Operational Criteria & Auditing Requirements: The Compliance Audit Checklist, which merges the audit requirements of the previous Security Guidelines with the other obligations found in the various applicable documents, provides a single point of reference for CAs and stakeholders to understand the operational procedures and security measures that CAs put in place to secure their services.
- Evidentiary Presumption: An accredited CA will enjoy the benefits of evidentiary presumption for digital signatures generated from the certificate it issues. Without such a presumption, a party that intends to rely on a digital signature must produce enough evidence to convince the court that the signature was created under conditions that will render it trustworthy. With the presumption, the party relying on the signature merely has to show that the signature has been correctly verified, and the onus is on the other party disputing the signature to prove otherwise.
- Limitation of Liability: The liability of an accredited CA is limited under the Act. The CA will not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber so long as the CA has complied with the requirements under the Act and the Regulations. In the event that an accredited CA fails to observe some of its obligations, the CA will only be liable up to the reliance limit specified in the certificate.