Rule number two The State Cryptography Administration shall supervise and manage the use of passwords by electronic authentication service providers.
Password management institutions of provinces, autonomous regions and municipalities directly under the Central Government shall undertake relevant supervision and management work in accordance with these Measures.
Rule three. To provide electronic authentication services, an application for password permission for electronic authentication services shall be made in accordance with these Measures.
Article 4? A system that provides third-party electronic authentication services to the public by using cryptographic technology (hereinafter referred to as the electronic authentication service system) uses commercial passwords.
The electronic authentication service system shall be built by a unit with the ability of commercial password product production and password service.
Article 5? The construction and operation of the electronic authentication service system shall conform to the Technical Specification for Passwords and Related Security of Certificate Authentication System.
Article 6? The key service required by the electronic authentication service system is provided by the key management system planned by the State Password Administration and the password management institutions of provinces, autonomous regions and municipalities directly under the Central Government.
Article 7? To apply for a password license for electronic authentication service, the following materials shall be submitted to the password management institution of the local province, autonomous region or municipality directly under the Central Government or the State Password Administration after the completion of the construction of the electronic authentication service system: (1) Application Form for Password License for Electronic Authentication Service; (2) A copy of the business license of the enterprise as a legal person; (3) Technical materials related to the safety review of the electronic certification service system, including construction work summary report, technical work summary report, safety design report, safety management strategy and specification report, user manual and test instructions; (4) Technical materials related to the interconnection test of the electronic certification service system; (5) Certification documents that the information security products used in the electronic authentication service system comply with relevant laws and regulations.
Article 8? If the application materials submitted by the applicant are complete and conform to the prescribed form, the password management institution of the province, autonomous region or municipality directly under the Central Government or the State Password Administration shall accept and issue a notice of acceptance; If the application materials are incomplete or do not conform to the prescribed form, the password management institution of the province, autonomous region or municipality directly under the Central Government or the State Password Administration shall inform all the contents that need to be corrected on the spot or within five working days. If it is not accepted, it shall be notified in writing and explain the reasons.
If the application materials are accepted by the password management institutions of provinces, autonomous regions and municipalities directly under the Central Government, the password management institutions of provinces, autonomous regions and municipalities directly under the Central Government shall submit all the application materials to the State Password Administration within 5 working days from the date of accepting the application.
Article 9? The State Password Administration shall examine the application materials submitted by the applicant within 20 working days from the date of accepting the application by the password management institutions of the self-examination, autonomous regions and municipalities directly under the Central Government, organize the security review and interconnection test of the electronic authentication service system, and inform the applicant in writing of the time required for the security review and interconnection test.
If the electronic authentication service system passes the security review and interconnection test, the National Cryptography Administration will issue a password license for electronic authentication service and publish it; If it fails to pass the security review or interconnection test, it shall not be allowed, and the applicant shall be notified in writing to explain the reasons.
The time required for security review and interconnection test is not calculated within the time limit specified in these Measures.
Article 10? The license for password use of electronic authentication service shall include the following contents: (1) license number; (2) The name of the electronic certification service provider; (3) the validity period of the license; (four) the issuing authority and the date of issuance.
The validity period of the password license for electronic authentication service is 5 years.
Article 11? If an electronic certification service provider changes its name, it shall, within 30 days from the date of change, go through the replacement procedures of the Password License for Electronic Certification Service with the certificate of change to the password management institution of the local province, autonomous region or municipality directly under the Central Government.