- CHAPTER I- GENERAL PROVISIONS
- CHAPTER II- LICENSED CERTIFICATION AUTHORITY
- CHAPTER III- AUTHORIZED CERTIFICATE
- CHAPTER IV- SECURING OF SAFETY AND RELIABILITY OF CERTIFICATION WORK
- CHAPTER V- ADOPTION, ETC. OF DIGITAL SIGNATURE CERTIFICATION POLICY
- CHAPTER VI- SUPPLEMENTARY PROVISIONS
- CHAPTER VII- PENAL PROVISIONS
CHAPTER IV SECURING OF SAFETY AND RELIABILITY OF CERTIFICATION WORK
Article 18-3 (Securing Safety of Licensed Certification Authority)
Article 19 (Operation of Certification Work System)
Article 20 (Time-Stamp of Electronic Messages)
Article 21 (Control of Digital Signature Creating Key)
Article 22 (Keeping Records of Certification Work)
Article 22-2 (Control, etc. of Authorized Certificates)
Article 22-3 (Report on Occurrence of Obstacles to Certification Work)
Article 23 (Security of Digital Signature Creating Key, etc.)
Article 24 (Protection of Information on Individual)
Article 25 (Digital Signature Certification Control Service)
Article 25-2 (Obligation of Users)
Article 25-3 (Prohibition from Demand for Specific Authorized Certificate)
Article 26 (Compensation Responsibility)
CHAPTER IV - SECURING OF SAFETY AND RELIABILITY OF CERTIFICATION WORK
Article 18-3 (Securing Safety of Licensed Certification Authority)
A licensed certification authority shall take protective measures prescribed by Ordinance of the Ministry of Science, ICT and Future Planning to secure the safety of facilities for performing certification work. <Amended by Act No. 8852, Feb. 29, 2008; Act No. 11690, Mar. 23, 2013>
[This Article Newly Inserted by Act No. 6585, Dec. 31, 2001]
Article 19 (Operation of Certification Work System)
(1) A licensed certification authority shall securely operate its facilities and equipment for performing certification work, including a certification work system that serves to enable the public to ascertain at all times whether the authorized certificates it issues remain valid.
(2) A licensed certification authority shall be subject to a regular inspection by the Internet Security Agency to ascertain whether its facilities and equipment as provided in paragraph (1) are securely operated. <Amended by Act No. 11690, Mar. 23, 2013>
(3) Where a licensed certification authority replaces the facilities and equipment as provided in paragraph (1) after it was designated as such, it shall, without delay, report it to the Minister of Science, ICT and Future Planning. In such cases, the Minister of Science, ICT and Future Planning may direct the Internet Security Agency to inspect the new facilities and equipment in question for any problems in their safety. <Amended by Act No. 8852, Feb. 29, 2008; Act No. 11690, Mar. 23, 2013>
[This Article Wholly Amended by Act No. 6585, Dec. 31, 2001]
Article 20 (Time-Stamp of Electronic Messages)
A licensed certification authority may stamp by an authorized digital signature the time at which an electronic message is presented for its certification, if there is any request therefor on the part of a subscriber or an authorized certificate user (hereinafter referred to as the "user"). <Amended by Act No. 6585, Dec. 31, 2001; Act No. 7813, Dec. 30, 2005>
Article 21 (Control of Digital Signature Creating Key)
(1) A subscriber shall hold and keep control of his/her digital signature creating key in a secure and confidential manner, and, when he/she becomes aware that it has been lost, hacked, stolen, or disclosed to a third person or that it is in danger of being likely to be hacked, he/she shall notify the licensed certification authority thereof. In such cases, the subscriber shall, without delay, inform the users of the contents of the said notification he/she has sent to the licensed certification authority.
(2) A licensed certification authority shall provide its subscribers with the computational device by which they can inform or notify such facts as referred to in paragraph (1).
(3) A licensed certification authority shall not hold a subscriber's digital signature creating key unless the subscriber so requests; notwithstanding, if by the request of a subscriber it holds his/her digital signature creating key, it shall not use or disclose the said key without the consent of the subscriber.
(4) A licensed certification authority shall hold and keep control of the digital signature creating key that it is using, in a secure and confidential manner. When it becomes aware that such a digital signature creating key has been lost, hacked, stolen or disclosed outside or that the digital signature creating key is in danger of being likely to be hacked, it shall, without delay, notify the Internet Security Agency thereof and take such measures as to secure the safety and reliability of certification work. <Amended by Act No. 11690, Mar. 23, 2013>
[This Article Wholly Amended by Act No. 6585, Dec. 31, 2001]
Article 22 (Keeping Records of Certification Work)
(1) A licensed certification authority shall keep and control records of the issuance of authorized certificates for its subscribers and the performance of its certification work in a secure manner. <Amended by Act No. 6585, Dec. 31, 2001>
(2) A licensed certification authority shall retain its subscriber's certificates, etc. for a period of 10 years after the termination of the validity of the certificates concerned. <Amended by Act No. 6585, Dec. 31, 2001>
Article 22-2 (Control, etc. of Authorized Certificates)
(1) A licensed certification authority and its subscriber shall pay due care in maintaining in a correct and perfect manner the contents of the authorized certificate concerned or the information associated with the authorized certificate while it remains valid.
(2) A licensed certification authority shall provide the users with such convenient device as to enable them to ascertain the matters set forth in the following subparagraphs by using the authorized certificate:
- 1. Name of the licensed certification authority and other information that can serve to verify the identity of the licensed certification authority;
- 2. The fact that the subscriber held and kept control of the digital signature creating key at the time of the issuance of the authorized certificate concerned; and
- 3. The fact that the digital signature creating key remained valid prior to the issuance of the authorized certificate.
(3) A licensed certification authority shall provide the users with such convenient device as to enable them to ascertain the matters set forth in the following subparagraphs:
- 1. Methods by which the identity of the signer can be verified;
- 2. Limits on the purpose of use of, or the amount permissible for, the digital signature creating key or the authorized certificate; and
- 3. The scope or limit of the liability incurred by the licensed certification authority.
[This Article Newly Inserted by Act No. 6585, Dec. 31, 2001]
Article 22-3 (Report on Occurrence of Obstacles to Certification Work)
(1) Where any obstacles have occurred to the information processing systems that provide the certification work, a licensed certification authority shall report such facts without delay to the Minister of Science, ICT and Future Planning or the president of the Internet Security Agency, and shall prepare the countermeasures capable of rapidly overcoming the obstacles. <Amended by Act No. 8852, Feb. 29, 2008; Act No. 11690, Mar. 23, 2013>
(2) When the Minister of Science, ICT and Future Planning or the president of the Internet Security Agency has received a report on obstacles to the certification work under the provisions of paragraph (1), he/she shall take the measures of the following subparagraphs: <Amended by Act No. 8852, Feb. 29, 2008; Act No. 11690, Mar. 23, 2013>
- 1. Collection and dissemination of the information on obstacles; and
- 2. Technological support and cooperation concerning overcoming the obstacles.
[This Article Newly Inserted by Act No. 7813, Dec. 30, 2005]
Article 23 (Security of Digital Signature Creating Key, etc.)
(1) No person shall use by stealth or disclose another person's digital signature creating key. <Amended by Act No. 6585, Dec. 31, 2001>
(2) No person shall have an authorized certificate issued in the name of another person, or aid such issuance. <Amended by Act No. 6585, Dec. 31, 2001>
(3) No person shall use a similar mark that leads or may lead others to confuse an unauthorized certificate, etc. with an authorized certificate or shall falsely indicate the use of an authorized certificate. <Newly Inserted by Act No. 6585, Dec. 31, 2001>
(4) No person shall unlawfully use an authorized certificate by ridding oneself of the utilization scope or usage. <Newly Inserted by Act No. 7813, Dec. 30, 2005>
(5) No person shall transfer or rent an authorized certificate to other persons for the purpose of being exercised, or receive any transfer or rent of other persons' authorized certificate for the purpose of exercising. <Newly Inserted by Act No. 7813, Dec. 30, 2005>
Article 24 (Protection of Information on Individual)
(1) A licensed certification authority shall protect information on individual regarding its performance of certification work.
(2) Deleted. <by Act No. 10465, Mar. 29, 2011>
[This Article Wholly Amended by Act No. 6585, Dec. 31, 2001]
Article 25 (Digital Signature Certification Control Service)
(1) In order to create an environment in which the public may use digital signatures with a sense of safety and reliability and to exercise efficient control over licensed certification authorities, the Internet Security Agency shall perform the functions set forth in the following subparagraphs: <Amended by Act No. 11690, Mar. 23, 2013>
- 1. In cases of designating a licensed certification authority under Article 4, assistance with the examination of such facilities and equipment as the applicant for the designation shall prepare for meeting requirements for the said designation;
- 2. Assistance with the inspection of a licensed certification authority as provided in Article 14 (1);
- 3. Examination and technical assistance of protective measures as provided in Article 18-3;
- 4. Regular inspection as provided in Article 19 (2) as to whether facilities and equipment are securely operated;
- 5. Certification work, such as the issuance, control, etc. of authorized certificates for the licensed certification authorities;
- 6. Development of technology relating to digital signature certification, dissemination thereof, and research on standardization thereof;
- 7. Assistance with the promotion of international cooperation, including research on systems relating to digital signature certification and the reciprocal recognition thereof; and
- 8. Other necessary matters concerning digital signature certification control service.
(2) Articles 6, 7, 15 through 18, 18-2, 18-3, 19 (1), and 22 shall apply mutatis mutandis to the digital signature certification control service of the Internet Security Agency. In such cases, the "licensed certification authority" shall be deemed to be the "Internet Security Agency" and the "subscriber" to be the "licensed certification authority". <Amended by Act No. 7813, Dec. 30, 2005; Act No. 11690, Mar. 23, 2013>
((3) The Internet Security Agency may levy charges, etc. for its performance of digital signature certification control service as referred to in paragraph (1), such as examination, technical assistance, inspection, issuance of authorized certificates. <Amended by Act No. 11690, Mar. 23, 2013>
([This Article Wholly Amended by Act No. 6585, Dec. 31, 2001]
Article 25-2 (Obligation of Users)
The users shall take the following measures in order to verify whether or not a certified digital signature is true by referring to the particulars, etc. of the authorized certificate as set forth in Article 15 (2) 1 through 6:
- 1. A measure to ascertain whether the authorized certificate remains valid;
- 2. A measure to ascertain whether the authorized certificate has been suspended or revoked; and
- 3. A measure to ascertain such matters as set forth in Article 15 (2) 7 and 8.
[This Article Newly Inserted by Act No. 6585, Dec. 31, 2001]
Article 25-3 (Prohibition from Demand for Specific Authorized Certificate)
In verifying a digital signature by means of an authorized certificate, no person shall demand an authorized certificate issued only by a specific licensed certification authority without any justifiable reason therefor.
[This Article Newly Inserted by Act No. 6585, Dec. 31, 2001]
Article 26 (Compensation Responsibility)
(1) Where a licensed certification authority has caused damages to the subscribers or the users who have trusted its authorized certificates in connection with the performance of the certification work, it shall compensate such damages: Provided, That if the licensed certification authority proves that it has no fault, such compensation responsibility shall be exempted.
(2) A licensed certification authority shall subscribe for an insurance for compensating the damages under the provisions of paragraph (1).
[This Article Wholly Amended by Act No. 7813, Dec. 30, 2005]