CPS

5. Responsibilities and Liabilities of Related Parties

5.1 Korea Information Security Authority (KISA)

KISA performs the following functions as stipulated by law:

a. Authentication of digital signature verification keys issued by licensed certification authorities.

b. Other services related to digital signature certification services.

5.2 Korea Information Certificate Authority (KICA)

5.2.1 Provision of Licensed Certification Services

a. KICA provides the following licensed certification services to subscribers:

  ① Issuance, re-issuance, and renewal of certificates.
  ② Suspension, reinstatement, and revocation of certificates.
  ③ Personal identification related to certification services (issuance, suspension, reinstatement, and revocation).
  ④ Public announcement of information related to certificates.
  ⑤ Time-stamp services.

b. KICA does not refuse to provide certification services to anyone without reasonable cause, nor does it discriminate unduly toward any subscriber or service user.

5.2.2 KICA's Responsibilities
5.2.2.1 Provision of accurate information and public announcement

a. KICA ensures that subscribers and users may verify the reliability and validity of certificates by announcing the following information promptly:

  1) Information on KICA:
    ① Designation and cancellation as licensed certification authority.
    ② Recess, suspension, or revocation of certification services.
    ③ Transfer, takeover, or merger of certification services.
  2) Information concerning subscriber certificates:
    ① Subscriber certificates.
    ② Certificate Revocation List (CRL).
  3) Certification Practice Statement of KICA.
  4) Other information related to certification services.


5.2.2.2 Safekeeping of Private keys

KICA generates its Key pair in a secure manner using reliable software or hardware. KICA should securely manage the Private key to prevent its loss, damage, theft, or leakage.

5.2.2.3 Measures to maintain security of Private keys

a. KICA immediately informs KISA and the subscriber, through communication networks, when it discovers any event that may affect the reliability or validity of certificates, including loss, damage, theft, or leakage of a Private key, or any weakness in a Key pair or in the algorithms. KICA may also revoke subscriber certificates issued using the corresponding Private keys.

b. KICA generates new Private keys, has its Public key certified by KISA, and uses the Private keys to re-issue subscriber certificates. KICA then notifies and distributes the corresponding facts through e-mail or communication networks.

c. Further, KICA publicly announces the corresponding facts so that anyone concerned can check them at any time through certification management systems, and can also take measures to secure the reliability and validity of its certification services.

5.2.2.4 Provision of directory service

KICA also provides a directory service so that subscribers and users relying on a certificate may search for KICA's certificate, subscriber certificates, and the Certificate Revocation List (CRL) at any time through on-line communication networks.

5.2.2.5 Protection of private information and safekeeping of data security

a. With regard to the information pertaining to subscribers obtained in performing certification procedures and the following data generated in operating the certification authority, KICA does not use or disclose such private information for purposes other than certification services, unless otherwise stipulated by other laws, court order, or consent of the corresponding subscriber.

  ① Records related to certification application (other than what is recorded in the certificate or information already disclosed).
  ② Data related to audit and certification services.

b. With regard to one's own private information, subscribers are allowed access to certification management systems through which they may inspect or correct any relevant information.

5.2.3 Specification of Certificates and Certificate Revocation List (CRL)
5.2.3.1 Specification of certificates

KICA issues certificates pursuant to the certificate specification under ITU-T X.509 Version 3.

5.2.3.2 Specification of Certificate Revocation List (CRL)

a. KICA generates and announces Certificate Revocation List (CRL) pursuant to the specifications of the list of revoked certificates under ITU-T X.509 Version 2.

b. When suspending certificates, KICA displays suspended certificates using the Reason Code in the extension field of Certificate Revocation List (CRL).

5.2.4 KICA's Liabilities
5.2.4.1 Liability for Damage

KICA compensates for damages inflicted on subscribers while providing certification service in violation of the Act, its enforcement decrees, regulations, or provisions of these Rules.

5.2.4.2 Limit of Liability

a. With regard to damages caused in connection with its certification service, KICA is not responsible for damages exceeding the given limits, even if the total amount of liability for damages incurred by subscribers, directly or indirectly, exceeds the limit of liability for KICA.

b. In case the damage exceeds the limit of liability and is accompanied by a judgment of a court of law, KICA shall be responsible only within the above limits and only for cases officially resolved.

5.2.4.3 Exemption of Liability

KICA does not assume responsibility for damages caused by the following reasons:

a. Damages that are caused by using the certificates beyond specific restrictions imposed by KICA on the scope of their application or use.

b. Damages that resulted from causes not attributable to KICA, including communication failures in providing such certification services as issuance, re-issuance, and renewal of certificates or in announcing lists of suspended or revoked certificates, or failures of subscribers' system.

c. Damages caused by the failure of the user relying on a certificate to check and verify, as required under "5.5.2 Responsibilities of user relying on a certificate" of these Rules.

d. Damages other than those that are direct and compensatory caused in connection with KICA's certificates and certification services.

e. Damages caused by fraudulent information provided by subscribers or other illegal means.

f. Damages caused by revised information that subscribers failed to provide due to negligence or intention.

g. Damages caused by careless management of Private keys on the part of subscribers.

h. Damages caused by reasons other than those stipulated in the Act or in the Certification Practice Statement.

5.2.4.4 Limitation on warranty

KICA does not warrant matters, such as subscribers' credit or the integrity of information related to subscribers, that are not provided under the Act and these Rules.

5.2.4.5 Security for Liability for Damages

As security for its Liability for Damages, KICA carries a public liability insurance policy.

5.3 Registration Authorities (RAs)

5.3.1 Operation of RAs

a. To perform secure and reliable registration functions, KICA may operate Registration Authorities recruited exclusively for the purpose. RAs sign contracts with KICA and carry out their responsibilities as specified in these Rules and in the contract.

b. The main functions of RAs are as follows:

  ① Receipt of applications for certification services.
    • Receipt of applications for certificates (issuance, re-issuance, and renewal).
    • Receipt of applications for suspension or reinstatement of certificates.
    • Receipt of applications for revocation of certificates.
  ② Personal identification of applicants for certification services.
  ③ Requesting KICA to issue applicants' certificates and notifying applicants.
  ④ Other functions related to certification services as commissioned by KICA.

5.3.2 RA's Responsibilities
5.3.2.1 Observance of Certification Practice Statement

In providing licensed certification services, Registration Authorities observe these Rules and (pursuant to 5.3.1 of these Rules) carry out registration functions faithfully.

5.3.2.2 Receipt of applications for Certification services

a. With regard to issuance of certificates, Registration Authorities accept only those applications with accurate information based on facts, and until verifications are completed applications are not treated as "accepted". For personal identification, Registration Authorities observe specific guidelines set by KICA.

b. When the reception process is completed, Registration Authorities issue receipt slips prepared by KICA or by the RAs themselves.

c. Registration Authorities are prohibited from refusing receipt of applications for certificate issuance, suspension, revocation, reinstatement, etc. without good reason. Accordingly, when refusing, Registration Authorities should clearly state the reasons why the applications in question cannot be received.

5.3.2.3 Fast, accurate, and secure registration

Registration Authorities, as befitting their role as reliable managers of registration, carry out their responsibilities quickly, accurately, and securely.

5.3.2.4 Protection of private information and safekeeping of data security

Pursuant to 5.2.2.5 of these Rules, Registration Authorities protect the private information obtained in performing certification and safeguard the security of data.

5.3.2.5 Safeguard of facilities and personnel

In performing certification services, Registration Authorities observe security guidelines for facilities and personnel as set by KICA.

5.3.3 RA's Liabilities

a. In case Registration Authorities cause subscribers and users to suffer damages by violating provisions of the Act, its enforcement decrees, regulations, and these Rules in performing certification functions, RAs shall be subject to the same liabilities as those applicable to KICA, as shown in "5.2.4 KICA's Liabilities."

b. As a security for such Liability for Damages, Registration Authorities may subscribe to public liability insurance.

5.4 Subscribers

5.4.1 Subscribers' Responsibilities
5.4.1.1 Provision of accurate information

Information that subscribers provide in the following cases, including any changes they subsequently make to it, shall always be accurate and based on facts:

  a. Information provided for certificate application (issuance, re-issuance, and renewal).
  b. Information provided when applying for suspension of certificates.
  c. Information provided when applying for reinstatement of certificates.
  d. Information provided when applying for revocation of certificates.
  e. Changes made to subscribers' identity as recorded in the certificates.

5.4.1.2 Generation of Key pair

Pursuant to 3.1.2 of these Rules, subscribers can generate a Key pair.

5.4.1.3 Protection and safekeeping of Private keys

a. Of the generated Key pair, subscribers are responsible for safekeeping of Private keys to prevent their loss, damage, theft, or leakage.

b. On recognizing that the Private keys belonging to them have been lost, damaged, stolen, or leaked, subscribers should immediately notify KICA of the corresponding fact through on-line communication networks, etc.

c. Upon recognition that the Private keys belonging to them have been lost, damaged, stolen, or leaked, subscribers should exert themselves to reduce or confine the damage.

5.4.1.4 Use of Private key

To generate key pair having legal validity, subscribers should use the Private key that matches the Public key contained in the KICA-issued certificate.

5.4.1.5 Verification of Certificates

On receiving new certificates, subscribers should confirm their validity, issuing body, their types, and services before using them.

5.4.2 Subscribers' Liabilities

In case subscribers cause KICA to suffer damages by violating subscribers' responsibilities pursuant to these Rules or in the process of using certification services, subscribers are liable to compensate KICA for the damages inflicted.

5.5 User relying on a certificate

5.5.1 User relying on a certificate

Users are those who, trusting the reliability of the certificates issued by KICA, conduct business with KICA certificate holders.

5.5.2 Responsibilities of the user relying on a certificate

a. Before conducting business with KICA certificate holders, the user relying on a certificate should confirm the validity, issuing body, types, and use of the corresponding certificates.

b. Before conducting business with KICA certificate holders, users should verify, using the CRL, whether the corresponding certificates have been suspended or revoked.

c. Users are exclusively responsible for damages incurred by failing to observe these confirmation responsibilities.
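
The relying-party checks in 5.5.2, combined with the Reason Code marking of suspended certificates in 5.2.3.2, as an added example (not part of this CPS or of KICA's software). It assumes the signatures on the certificate and the CRL were already verified; the class and function names, the issuer name and the serial numbers are constructed, and rejecting a CRL outside its update window is an added assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# CRLReason values defined for X.509 v2 CRL entries (only those used here).
KEY_COMPROMISE, CERTIFICATE_HOLD = 1, 6

@dataclass
class Cert:                 # fields read from an X.509 v3 certificate
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime

@dataclass
class Crl:                  # fields read from an X.509 v2 CRL
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: dict           # serial -> reason code (None if no reason given)

def check(cert, crl, trusted_issuer, now):
    """Return 'valid' or the first reason the certificate must not be relied on."""
    if cert.issuer != trusted_issuer:                   # 5.5.2 a: issuing body
        return "untrusted-issuer"
    if not cert.not_before <= now <= cert.not_after:    # 5.5.2 a: validity
        return "outside-validity-period"
    if crl.issuer != cert.issuer:
        return "crl-issuer-mismatch"
    if not crl.this_update <= now <= crl.next_update:
        return "crl-stale"      # fail closed: an old CRL can miss a new suspension
    if cert.serial not in crl.entries:                  # 5.5.2 b: not listed
        return "valid"
    # 5.2.3.2 b: a suspension is a CRL entry whose reason code is certificateHold;
    # any other listed entry is treated as a permanent revocation.
    return "suspended" if crl.entries[cert.serial] == CERTIFICATE_HOLD else "revoked"

def day(d):                 # constructed sample dates in January 2024 (UTC)
    return datetime(2024, 1, d, tzinfo=timezone.utc)

CA = "CN=Example Licensed CA"                           # constructed issuer name
SAMPLE_CRL = Crl(CA, day(10), day(11),
                 {0x1002: CERTIFICATE_HOLD, 0x1003: KEY_COMPROMISE})
ACTIVE, HELD, REVOKED = (Cert(s, CA, day(1), day(31)) for s in (0x1001, 0x1002, 0x1003))

if __name__ == "__main__":
    for c in (ACTIVE, HELD, REVOKED):
        print(hex(c.serial), check(c, SAMPLE_CRL, CA, day(10)))
```

A suspended certificate can later be reinstated, so a relying party that caches a "suspended" result should re-check against a fresh CRL rather than treat it as final.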