[ 5. Responsibilities and Liabilities of Related Parties ]
5.1 Korea Information Security Authority (KISA)
KISA performs the following functions as stipulated by law:
a. Authentication of digital signature verification keys issued
by licensed certification authorities.
b. Other services related to digital signature certification
services.
5.2 Korea Information Certificate Authority (KICA)
5.2.1 Provision of Licensed Certification Services
a. KICA provides the following licensed certification
services to subscribers:
① Issuance, re-issuance, and renewal of certificates.
② Suspension, reinstatement, and revocation of certificates.
③ Personal identification related to certification services (issuance, suspension,
reinstatement, and revocation).
④ Public announcement of information related to certificates.
⑤ Time-stamp services.
b. KICA does not refuse to provide certification services to
anyone without reasonable cause, nor does it discriminate unduly toward any subscriber
or service user.
5.2.2 KICA's Responsibilities
5.2.2.1 Provision of accurate information and public announcement
a. KICA ensures that subscribers and users may verify the reliability
and validity of certificates by announcing the following information promptly:
1) Information on KICA:
① Designation and cancellation as licensed certification authority.
② Recess, suspension, or revocation of certification services.
③ Transfer, takeover, or merger of certification services.
2) Information concerning subscriber certificates:
① Subscriber certificates.
② Certificate Revocation List (CRL).
3) Certification Practice Statement of KICA.
4) Other information related to certification services.
5.2.2.2 Safekeeping of Private keys
KICA generates Key pairs in a secure manner utilizing reliable software or hardware.
KICA should securely manage the Private keys to prevent their loss, damage, theft,
or leakage.
5.2.2.3 Measures to maintain security of Private keys
a. When KICA discovers any event that may affect the reliability or validity
of certificates, including loss, damage, theft, or leakage of a Private key, or
discovers any weakness in a Key pair or in the algorithms, KICA immediately
informs KISA and the subscriber through communication networks. KICA may also
revoke subscriber certificates issued using the corresponding Private keys.
b. KICA generates new Private keys, has its Public key certified
by KISA, and uses the Private keys to re-issue subscriber certificates. KICA then
notifies and distributes the corresponding facts through e-mail or communication
networks.
c. Further, KICA publicly announces the corresponding facts
so that anyone concerned can check them at any time through certification management
systems, and can also take measures to secure the reliability and validity of
its certification services.
5.2.2.4 Provision of directory service
KICA also provides a directory service so that subscribers and users relying on
a certificate may search for KICA's certificate, subscriber certificates, and the
Certificate Revocation List (CRL) at any time through on-line communication networks.
5.2.2.5 Protection of private information and safekeeping of data security
a. With regard to the information pertaining to subscribers
obtained in performing certification procedures and the following data generated
in operating certification authority, KICA does not use or disclose such private
information for purposes other than that for certification service, unless otherwise
stipulated by other laws, court order, or consent of the corresponding subscriber.
① Records related to certification application (other than what is recorded in
the certificate or information already disclosed).
② Data related to audit and certification services.
b. With regard to one's own private information, subscribers
are allowed access to certification management systems through which they may
inspect or correct any relevant information.
5.2.3 Specification of Certificates and Certificate Revocation List (CRL)
5.2.3.1 Specification of certificates
KICA issues certificates pursuant to the certificate specification under ITU-T
X.509 Version 3.
5.2.3.2 Specification of Certificate Revocation List (CRL)
a. KICA generates and announces Certificate Revocation List
(CRL) pursuant to the specifications of the list of revoked certificates under
ITU-T X.509 Version 2.
b. When suspending certificates, KICA displays suspended certificates using the
Reason Code in the extension field of Certificate Revocation List (CRL).
5.2.4 KICA's Liabilities
5.2.4.1 Liability for Damages
KICA compensates for damages inflicted on subscribers while providing certification
service in violation of the Act, its enforcement decrees, regulations, or provisions
of these Rules.
5.2.4.2 Limit of Liability
a. With regard to damages caused in connection with its certification
service, KICA is not responsible for damages exceeding the given limits even
if the total amount of liability for damages incurred by subscribers, whether
directly or indirectly, exceeds the limit of liability for KICA.
b. In case the damage exceeds the limit of liability
and is accompanied by a judgment of a court, KICA shall be responsible
only within the above limits and only for cases officially resolved.
5.2.4.3 Exemption of Liability
KICA does not assume responsibility for damages caused by the following reasons:
a. Damages that are caused by using the certificates beyond
specific restrictions imposed by KICA on the scope of their application or use.
b. Damages that resulted from causes not attributable to KICA,
including communication failures in providing such certification services as
issuance, re-issuance, and renewal of certificates or in announcing lists of
suspended or revoked certificates, or failures of subscribers' system.
c. Damages caused by not checking and verifying on the part
of user relying on a certificate, as required under "5.5.2 Responsibilities of
user relying on a certificate" of these Rules.
d. Damages other than those that are direct and compensatory
caused in connection with KICA's certificates and certification services.
e. Damages caused by fraudulent information provided by subscribers
or other illegal means.
f. Damages caused by revised information that subscribers failed
to provide due to negligence or intention.
g. Damages caused by careless management of Private keys on the part of subscribers.
h. Damages caused by reasons other than those stipulated in the Act or in the
Certification Practice Statement.
5.2.4.4 Limitation on warranty
KICA does not warrant matters such as subscribers' credit or the integrity
of information related to subscribers that are not provided under the Act and
these Rules.
5.2.4.5 Security for Liability for Damages
As a security for its Liability for Damages, KICA carries a public liability
insurance policy.
5.3 Registration Authorities (RAs)
5.3.1 Operation of RAs
a. To perform secure and reliable registration functions, KICA
may operate Registration Authorities recruited exclusively for the purpose. RAs
sign contracts with KICA and carry out their responsibilities as specified in
these Rules and in the contract.
b. The main functions of RAs are as follows:
① Receipt of application for certification services.
- Receipt of application for certificates (issuance, re-issuance, and renewal)
- Receipt of application for suspension or reinstatement of certificates.
- Receipt of application for revocation of certificates.
② Personal identification of applicants for certification services.
③ Requesting KICA to issue applicants' certificates and notifying applicants.
④ Other functions related to certification services as commissioned by KICA.
5.3.2 RA's Responsibilities
5.3.2.1 Observance of Certification Practice Statement
In providing licensed certification services, Registration Authorities observe
these Rules and (pursuant to 5.3.1 of these Rules) carry out registration functions
faithfully.
5.3.2.2 Receipt of applications for Certification services
a. With regard to issuance of certificates, Registration Authorities accept only
those applications with accurate information based on facts, and until verifications
are completed applications are not treated as "accepted". For personal identification,
Registration Authorities observe specific guidelines set by KICA.
b. When the reception process is completed, Registration Authorities issue receipt
slips prepared by KICA or by the RAs themselves.
c. Registration Authorities are prohibited from refusing receipt of applications
for certificate issuance, suspension, revocation, reinstatement, etc. without
good reasons. Accordingly, when refusing, Registration Authorities should clearly
state the reasons why the applications in question cannot be received.
5.3.2.3 Fast, accurate, and secure registration
Registration Authorities, as befitting their role as reliable managers of registration,
carry out their responsibilities quickly, accurately, and securely.
5.3.2.4 Protection of private information and safekeeping of data security
Pursuant to 5.2.2.5 of these Rules, Registration Authorities protect the private
information obtained in performing certification and safeguard the security of
data.
5.3.2.5 Safeguard of facilities and personnel
In performing certification services, Registration Authorities observe security
guidelines for facilities and personnel as set by KICA.
5.3.3 RA's Liabilities
a. In case Registration Authorities cause subscribers and users
to suffer damages by violating provisions of the Act, its enforcement decrees,
regulations, and these Rules in performing certification functions, RAs shall
be subject to the same liabilities as those applicable to KICA, as shown in "5.2.4
KICA's Liabilities."
b. As a security for such Liability for Damages, Registration
Authorities may subscribe to public liability insurance.
5.4 Subscribers
5.4.1 Subscribers' Responsibilities
5.4.1.1 Provision of accurate information
Information that subscribers provide, including changes subscribers make subsequently
to them, in the following cases, shall always be accurate and based on facts:
a. Information provided for certificate application (issuance,
re-issuance, and renewal).
b. Information provided when applying for suspension of certificates.
c. Information provided when applying for reinstatement of certificates.
d. Information provided when applying for revocation of certificates.
e. Changes made to subscribers' identity as recorded in the
certificates.
5.4.1.2 Generation of Key pair
Pursuant to 3.1.2 of these Rules, subscribers can generate a Key pair.
5.4.1.3 Protection and safekeeping of Private keys
a. Of the generated Key pair, subscribers are responsible for
safekeeping of Private keys to prevent their loss, damage, theft, or leakage.
b. On recognizing that the Private keys belonging to them have
been lost, damaged, stolen, or leaked, subscribers should immediately notify
KICA of the corresponding fact through on-line communication networks, etc.
c. Upon recognition that the Private keys belonging to them
have been lost, damaged, stolen, or leaked, subscribers should exert themselves
to reduce or confine the damage.
5.4.1.4 Use of Private key
To generate key pair having legal validity, subscribers should use the Private
key that matches the Public key contained in the KICA-issued certificate.
5.4.1.5 Verification of Certificates
On receiving new certificates, subscribers should confirm their validity, issuing
body, their types, and services before using them.
5.4.2 Subscribers' Liabilities
In case subscribers cause KICA to suffer damages by violating subscribers'
responsibilities pursuant to these Rules or in the process of using certification
services, subscribers are liable to compensate for the damages inflicted
on KICA.
5.5 User relying on a certificate
5.5.1 User relying on a certificate
Users are those who, trusting reliability of the certificates issued by KICA,
conduct business with KICA certificate holders.
5.5.2 Responsibilities of the user relying on a certificate
a. Before conducting business with KICA certificate holders,
user relying on a certificate should confirm the validity, issuing body, types,
and use of the corresponding certificates.
b. Before conducting business with KICA certificate holders,
users should verify and confirm whether or not the corresponding certificates
have been suspended or revoked, using the Certificate Revocation List (CRL).
c. For damages incurred by not observing confirmation responsibilities
of users, the users are exclusively responsible.
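
One way a relying party can carry out the check in 5.5.2 b while distinguishing the suspended entries described in 5.2.3.2 b from revoked ones, shown as an added example that is not part of these Rules or of KICA's software. It assumes the Python `cryptography` package and that suspension uses the standard X.509 certificateHold reason code; the CA key, CRL, and serial numbers are constructed test data.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def build_sample_crl():
    """Constructed test data: a throwaway CA key and a CRL with two entries."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name)
               .last_update(now - timedelta(hours=1))
               .next_update(now + timedelta(days=1)))
    # Serial 0x1001 is on hold (suspended); 0x1002 is revoked for key compromise.
    for serial, reason in ((0x1001, x509.ReasonFlags.certificate_hold),
                           (0x1002, x509.ReasonFlags.key_compromise)):
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(now - timedelta(hours=2))
                 .add_extension(x509.CRLReason(reason), critical=False).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(key, hashes.SHA256()), key.public_key()

def _next_update(crl):
    # next_update_utc exists in newer cryptography releases; older ones return naive UTC.
    if hasattr(crl, "next_update_utc"):
        return crl.next_update_utc
    return crl.next_update and crl.next_update.replace(tzinfo=timezone.utc)

def certificate_status(crl, issuer_public_key, serial, now=None):
    """Return 'not_listed', 'suspended' or 'revoked'; raise if the CRL is unusable."""
    now = now or datetime.now(timezone.utc)
    if not crl.is_signature_valid(issuer_public_key):
        raise ValueError("CRL signature does not verify under the issuer key")
    nxt = _next_update(crl)
    if nxt is None or now > nxt:
        raise ValueError("CRL is stale; fetch a current one before relying on it")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "not_listed"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return "revoked"  # no reason code given: treat as a plain revocation
    # certificateHold marks a suspension, which may later be reinstated.
    return "suspended" if reason == x509.ReasonFlags.certificate_hold else "revoked"
```

Both "suspended" and "revoked" mean the certificate must not be relied on at the time of the check; only "not_listed" on a fresh, correctly signed CRL passes.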