Legal responsibility of electronic signer
36 Creating paired keys

(1) If the registrant has created a key pair, and the public key in it is stated in the certificate issued by the certification authority and accepted by the registrant, the registrant should use a reliable system to create the key.

(2) The provisions of this article do not apply to the case where the key pair is provided by the certification authority system.

Get a certificate

All information and statements provided by the registrant to the authorized institution for obtaining the certificate, including information known by the registrant and information to be noted in the certificate, shall be accurate and complete to the best of the registrant's knowledge and belief, regardless of whether the statements are confirmed by the certification institution.

38 Receiving certificate

(1) The registrant shall be deemed to have received the certificate if he:

A. issues the certificate or authorizes its issuance:

(i) to one or more individuals;

(ii) to a repository;

or

B. in other cases, declares the certificate to be accepted when its contents are known or noticed.

(2) The registrant specified in the certificate shall, upon receipt of the certificate issued by its own certification authority, confirm to all those who reasonably rely on the contents of the certificate:

A. the registrant correctly holds the private key that matches the public key listed in the certificate;

B. all the statements made by the registrant to the certification body and the information contained in the confirmation are true and valid; and

C. the information that the registrant should know in the certificate is valid.

39 Private key management

(1) When the registrant passes the certificate issued by the certification authority and identifies the identity of the authority, it undertakes the obligation of reasonable care to keep control of the private key consistent with the public key listed in the certificate and prevent it from being disclosed to others who are not granted the right to create the registrant's digital signature.

(2) The above responsibilities always exist during the validity period and suspension period of the certificate.

40 Start of suspension or revocation of certificate

If the private key paired with the public key in the certificate is leaked to a third party, the registrant who accepts the certificate should request the issuing authority to suspend or revoke the certificate as soon as possible.

It can be seen that the provisions on obligations are basically consistent with those in China, and only "publication for the purpose of fraud" and "false or unauthorized requests" are punished. As for the losses that this behavior may cause to the relying party of electronic signature and the electronic authentication service provider, there is no liability. This limits the legal liability of the electronic signer. China's regulations are stricter.

The Electronic Signature Law does not stipulate the responsibilities and obligations of the relying party of electronic signature. This is the passive party, and the electronic signature should be verified in a reasonable way. The relationship between the electronic signer and the relying party of the electronic signature is generally a sales contract relationship, which is mainly regulated by the contract law. Generally speaking, the electronic signer, as a cautious goodwill businessman, should fulfill his reasonable duty of care.

The electronic authentication service provider is at the center of the whole legal relationship of digital signature authentication. The authenticity, integrity and non-repudiation of data messages and digital signatures are based on the effective authentication of the electronic signature, while the effective authentication of the electronic signature is based on the electronic signature authentication certificate issued by the authenticator. The job of the authenticator is to prove the relationship between the public key and the signer by issuing a certificate, and to enable the relying party to verify the authenticity and integrity of the digital signature by virtue of its professional ability and qualification. China's Electronic Signature Law stipulates its obligations as follows:

1. Apply for license qualification according to law, abide by the management rules of the State Council Ministry of Information Industry, and accept the supervision of the Ministry of Information Industry. (Articles 18 and 24)

2. Publicize its name, license number and electronic authentication business rules, including the scope of responsibility, operational specifications and information security measures. (Article 18, paragraph 3; Article 19)

3. Examine the identity and relevant information of the signatory by legal means. (Article 20, paragraph 2)

4. Ensure that the contents of the authentication certificate are complete and accurate within the validity period, and ensure that the relying party can confirm or understand the contents contained in the authentication certificate and other related matters. (Article 22)

5. After the electronic signature expires, properly keep the information related to authentication for at least five years. (Article 25)

6. Properly handle the follow-up work when the certification body suspends or terminates its service. (Article 23)

The provisions on the obligations of certification providers in the legislation of various countries basically follow the pattern of the Model Law. What kind of legal responsibility, then, should the certification provider bear? In the business activities of issuing electronic certificates and proving the correctness of electronic signatures, certification bodies bear huge legal liability risks. For example, if the party applying for an electronic certificate provides false identity information, but the security certification body fails to discover this through careful verification and fails to inform the party receiving the electronic signature document in time, it will bear legal responsibility. For another example, when an electronic certificate has expired and the certification body fails to notify the other party in time, it will also bear the responsibility. In e-commerce, the status of certification bodies is similar to that of network service providers, which is both important and dangerous. If the risk of its legal liability is not properly limited, the security certification body may find it difficult to survive, and the certification market will shrink and die out. Therefore, the e-commerce legislation of all countries basically takes into account the necessity of appropriately limiting the responsibility of security certification bodies. For example, as stipulated in the European Electronic Signature Directive, the civil legal liability of certification bodies is mainly that certification bodies that issue authoritative certificates should be responsible for the completeness and accuracy of the contents of certificates, the identity of the holders of signature generation data, the correspondence between signature generation data and signature verification data, and the losses caused by the failure to revoke certificates in time. However, the certification authority may limit the scope and responsibility of the certificate in advance. There are similar provisions in the British Electronic Signatures Ordinance. Singapore's electronic transaction law stipulates that:

44 Standard basic restrictions

(1) When an authorized certification authority issues a certificate to a registrant, it may specify a reference standard base limit in the certificate.

(2) Authorized certification bodies can suspend quotas in different places with different certificates.

45 Limitation of liability of authorized certification bodies

Unless the certification body is authorized to waive the application of this article,

A. If an authorized certification body abides by the provisions of this Law and suffers losses due to false statements or forged digital signatures, it will not be responsible for the losses;

B. The standard foundation limit is the expansion cost due to the following reasons, and the institution will not bear the additional cost specified in the certificate:

(i) the loss caused by the incorrect statement of the certificate of dependence that the authorized certification body should abide by;

(ii) failure to issue certificates in accordance with Articles 29 and 30.

Although there is no general limitation on the liability of security certification bodies, it is stipulated that security certification bodies licensed by government management agencies can specify their liability limits in their electronic certificates, so the liability risk of licensed security certification bodies is actually limited. However, this provision has aroused strong criticism from Singapore's business and legal circles. Some scholars believe that this special protection of certification bodies should be replaced by the general principles of contract or tort to solve this problem. Another scholar believes that the purpose of limiting the compensation amount of certification bodies is to make the risks borne by certification bodies equal to those borne by banks that issue ATM cards or credit cards, not greater. In the early days of online trade, it is understandable to give some special protection to certification bodies in order to promote their development. On the other hand, if the certificate issued by the certification authority is stolen by others and used for fraud, the certification authority will not be responsible for the losses caused by the fraud if the fraud occurs before the parties notify the certification authority of the stolen certificate.

Corresponding to the obligation, the legal responsibility of the electronic signer is:

Article 27 If an electronic signer knows that the electronic signature production data has been or may have been compromised but fails to notify the relevant parties in time and to stop using the electronic signature production data, fails to provide true, complete and accurate information to the electronic certification service provider, or has other faults, thus causing losses to the relying party of the electronic signature and the electronic certification service provider, he shall be liable for compensation.