Monday, August 20, 2007


3 Appointment of Commission

(1) The Commission shall be responsible for administering, enforcing, carrying out and giving effect to the provisions of this Act and shall exercise, discharge and perform the powers, duties and functions under this Act for the purpose of monitoring and overseeing the activities of certification authorities.

(2) (Deleted)

(3) (Deleted)

(4) The Commission and its employees shall exercise their powers under this Act subject to such directions as to general policy and orders as may be given or made by the Minister.

(5) The Commission shall maintain a publicly accessible data base containing a certification authority disclosure record for each licensed certification authority which shall contain all the particulars required under the regulations made under this Act.

(6) The Commission shall publish the contents of the data base in at least one recognized repository.

Saturday, July 28, 2007


2 Interpretation

(1) In this Act, unless the context otherwise requires –

“accept a certificate” means –

(a) to manifest approval of a certificate, while knowing or having notice of its contents; or

(b) to apply to a licensed certification authority for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification authority, and obtaining a signed, written receipt from the licensed certification authority, if the licensed certification authority subsequently issues a certificate based on the application;

“asymmetric cryptosystem” means an algorithm or series of algorithms which provide a secure key pair;

“authorized officer” means an officer authorized under section 75;

“certificate” means a computer-based record which –

(a) identifies the certification authority issuing it;

(b) names or identifies its subscriber;

(c) contains the subscriber’s public key; and

(d) is digitally signed by the certification authority issuing it;

“certification authority” means a person who issues a certificate;

“certification authority disclosure record” means an on-line and publicly accessible record which concerns a licensed certification authority which is kept by the Commission under subsection 3(5);

“certification practice statement” means a declaration of the practices which a certification authority employs in issuing certificates generally, or employed in issuing a particular certificate;

“certify” means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts;

“Commission” means the Malaysian Communications and Multimedia Commission established under the Malaysian Communications and Multimedia Commission Act 1998;

“confirm” means to ascertain through diligent inquiry and investigation;

“correspond”, with reference to keys, means to belong to the same key pair;

“digital signature” means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine –

(a) whether the transformation was created using the private key that corresponds to the signer’s public key; and

(b) whether the message has been altered since the transformation was made;

“forge a digital signature” means –

(a) to create a digital signature without the authorization of the rightful holder of the private key; or

(b) to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

“hold a private key” means to be able to utilize a private key;

“incorporate by reference” means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

“issue a certificate” means the act of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

“licensed certification authority” means a certification authority to whom a licence has been issued by the Commission and whose licence is in effect;

“message” means a digital representation of information;

“notify” means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;

“person” means a natural person or a body of persons, corporate or unincorporated, capable of signing a document, either legally or as a matter of fact;

“prescribed” means prescribed by or under this Act or any regulations made under this Act;

“private key” means the key of a key pair used to create a digital signature;

“public key” means the key of a key pair used to verify a digital signature;

“publish” means to record or file in a repository;

“qualified certification authority” means a certification authority that satisfies the requirements under section 5;

“recipient” means a person who receives or has a digital signature and is in a position to rely on it;

“recognized date/time stamp service” means a date/time stamp service recognized by the Commission under section 68;

“recommended reliance limit” means the monetary amount recommended for reliance on a certificate under section 60;

“repository” means a system for storing and retrieving certificates and other information relevant to digital signatures;

“revoke a certificate” means to make a certificate ineffective permanently from a specified time forward;

“rightfully hold a private key” means to be able to utilize a private key –

(a) which the holder or the holder’s agents have not disclosed to any person in contravention of this Act; and

(b) which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;

“subscriber” means a person who –

(a) is the subject listed in a certificate;

(b) accepts the certificate; and

(c) holds a private key which corresponds to a public key listed in that certificate;

“suspend a certificate” means to make a certificate ineffective temporarily for a specified time forward;

“this Act” includes any regulations made under this Act;

“time-stamp” means –

(a) to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or

(b) the notation so appended or attached;

“transactional certificate” means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

“trustworthy system” means computer hardware and software which –

(a) are reasonably secure from intrusion and misuse;

(b) provide a reasonable level of availability, reliability and correct operation; and

(c) are reasonably suited to performing their intended functions;

“valid certificate” means a certificate which –

(a) a licensed certification authority has issued;

(b) has been accepted by the subscriber listed in it;

(c) has not been revoked or suspended; and

(d) has not expired:
Provided that a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;

“verify a digital signature” means, in relation to a given digital signature, message and public key, to determine accurately that –

(a) the digital signature was created by the private key corresponding to the public key; and

(b) the message has not been altered since its digital signature was created;

“writing” or “written” includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.

(2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.

(3) The revocation of a certificate does not mean that it is destroyed or made illegible.
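The definitions of “key pair”, “private key”, “public key”, “digital signature”, “verify a digital signature” and “forge a digital signature” in subsection 2(1) describe, in legal language, the two properties a verifier checks: that the signature was created by the private key corresponding to the public key in hand, and that the message has not been altered since. The following is an added illustration and not part of the Act or of any Malaysian licensed certification authority’s software. It uses textbook RSA over small, deterministically chosen primes with SHA-256 so that it runs with the Python standard library alone; the key sizes, the bare hash-then-sign construction without padding, the sample message and the names of the functions are all assumptions of this example and must not be used in a real system, where a vetted library, large keys and a padding scheme such as RSASSA-PSS are required.

```python
"""Toy illustration of the Act's s. 2(1) definitions: a key pair, a digital
signature created by the private key, verification by the public key, and
the two ways verification fails (altered message; non-corresponding key).

Added example, not part of the Act.  Textbook RSA with ~40-bit moduli is
NOT secure; it is only here to make the definitions concrete offline.
"""
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int  # modulus shared by both halves of the key pair
    e: int  # public exponent: the "public key" that verifies
    d: int  # private exponent: the "private key" that creates


def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for the small integers used here."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _next_prime(start: int) -> int:
    n = start
    while not _is_prime(n):
        n += 1
    return n


def generate_key_pair(seed: int, e: int = 65537) -> KeyPair:
    """Derive a reproducible toy RSA key pair from `seed` (assumed sizes)."""
    p = _next_prime(seed)
    q = _next_prime(p + 2)  # distinct second prime
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return KeyPair(n, e, d)


def _digest_int(message: bytes, n: int) -> int:
    # The "transformation" is applied to a fixed-length hash of the message,
    # reduced into the toy modulus so the small key can carry it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: KeyPair) -> int:
    """Create a digital signature with the private key of a key pair."""
    return pow(_digest_int(message, private_key.n), private_key.d, private_key.n)


def verify(message: bytes, signature: int, public_n: int, public_e: int) -> bool:
    """s. 2(1) "verify a digital signature": True only if (a) the signature was
    created by the private key corresponding to this public key and (b) the
    message has not been altered since the signature was created."""
    return pow(signature, public_e, public_n) == _digest_int(message, public_n)


def demo() -> dict:
    signer = generate_key_pair(seed=1_000_000)    # the subscriber's key pair
    intruder = generate_key_pair(seed=2_000_000)  # a key pair that does not correspond
    message = b"Pay MYR 500 to account 1234"      # constructed sample message
    sig = sign(message, signer)
    return {
        # genuine signature over the unaltered message: both (a) and (b) hold
        "genuine": verify(message, sig, signer.n, signer.e),
        # message altered after signing: (b) fails
        "altered": verify(b"Pay MYR 5000 to account 1234", sig, signer.n, signer.e),
        # signature created with a key that does not correspond ("forge", para (a)): (a) fails
        "forged": verify(message, sign(message, intruder), signer.n, signer.e),
    }


if __name__ == "__main__":
    print(demo())
```

Note that a true result from verify() establishes only that the signature corresponds to the public key supplied; binding that public key to a named subscriber is the job of the certificate and of the certification authority that signs it, which is why the Act defines “certificate”, “valid certificate” and “subscriber” separately.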



1 Short title and commencement

This Act may be cited as the Digital Signature Act 1997 and shall come into force on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.