[ CHAPTER 4 - ACHIEVEMENT OF SECURITY AND RELIABILITY OF
CERTIFICATION PRACTICE ]
Article
19. Maintenance of Certification Practice System
A licensed certification authority shall maintain its certification practice
system in a secure
manner so that the validity of a certificate which it issues may be verified
by any person via
information networks at any time.
Article 20. Time-Stamp of Electronic Messages
Upon request by a subscriber or certificate user, a licensed certification authority
may stamp
by a digital signature the time at which a electronic message is submitted to
the respective
licensed certification authority.
Article 21. Control of the Private Key
(1) A subscriber shall hold and retain his or her private key,
and shall notify the respective
licensed certification authority of any loss to or compromise of the private
key.
(2) Unless requested by a subscriber, a licensed certification
authority shall not hold a
subscriber's private key; and a licensed certification authority which holds
the private key upon
request by a subscriber shall not use or disclose it to any person without the
subscriber's
approval.
(3) A licensed certification authority shall hold and retain
a public key it uses in a secure
manner; and in the event that a public key is lost, compromised, stolen or disclosed
outside,
the respective licensed certification authority shall notify the KISA thereof
without any delay,
and take necessary measures to achieve security and reliability of certification
practice.
(4) Immediately upon receipt of the notification pursuant to
Paragraph (3) hereof, the KISA
shall revoke the certificate that is issued by the respective licensed certification
authority, and
take necessary measures without delay that enable any person to verify such fact
by means of
the certification practice system. Such revoked certificate shall expire upon
the revocation.
(5) When a licensed certification authority has taken the necessary
measures to achieve
security and reliability of certification practice pursuant to Paragraph (3)
hereof, the KISA
shall, upon request by the respective licensed certification authority, issue
a new certificate.
Article 22. Retention of Records for Certification Practice
(1) A licensed certification authority shall hold and retain
records related to subscribers'
certificates and certification practice in a secure manner.
(2) A licensed certification authority shall retain a subscriber's
certificate, etc. for a period of
10 years after the expiration of the respective certificate.
Article 23. Security of the Private Key etc.
(1) No one shall fraudulently use or disclose another person's
private key.
(2) No one shall have issued to it a certificate in the name
of another person or aid such
issuance.
Article 24. Protection of Personal Information
(1) A licensed certification authority shall collect personal
information to the minimum
extent that is necessary in carrying out the certification practice, and shall
not collect personal
information without the respective person's consent.
(2) No licensed certification authority shall use or disclose
the personal information
collected for any purpose other than certification practice. If, however, another
law
specifically prescribes otherwise or the respective person consents, the foregoing
may not
apply.
(3) When a subscriber requests access to, or a correction of
error in, his or her personal
information, a licensed certification authority shall take necessary measures
without any delay.
(4) Any person who is, or was, engaged in the certification
practice shall not disclose, or
provide for a third party, other person's personal information obtained ex officio.
Article 25. Supervision of Certification Practice for Digital Signatures
(1) For the purpose of creating an environment in which digital
signatures may be used in a
secure and reliable manner, and in order to efficiently supervise licensed certification
authorities, the KISA shall carry out activities of certifying a licensed authority's
public key,
developing and encouraging wide use of certification technology, and other activities
related
to the certification of digital sigantures.
(2) Articles 3, 6, 7, 15, 16, 17, 18, 19, 22 and 28 shall be
applied mutatis mutandis to the
certification of the public key by a licensed certification authority pursuant
to Paragraph (1).
In such case, ¡°licensed certification authority¡± shall be replaced by ¡°the KISA,¡±
and
¡°subscriber¡± shall be replaced by ¡°licensed certification authority.¡±
Article 26. Liability for Damages
A licensed certification authority shall be liable for damages incurred by a
subscriber or any
user relying on a certificate in connection with its certification practice.
If, however, such
damages resulted from a force majeure event or attributable to the user's intent
or negligence,
the liability shall be reduced or exempted.
