A certification service provider must ensure that its subscribers comply with the following duties—
(a) |
The subscriber whose public key is to be listed in a certificate issued by the certification service provider and accepted by the subscriber must generate the key pair using a trustworthy system as required by SANS 21 188. |
(b) |
Material representations made by the subscriber to a certification service provider for purposes of obtaining a certificate, including all information known to the subscriber and represented in the certificate, must be accurate and complete, irrespective of whether such representations are confirmed by the certification service provider. |
(c) |
A subscriber is deemed to have accepted a certificate if he or she publishes the certificate in a repository or makes it available to a third party for use. |
(d) |
A subscriber must guarantee to all who reasonably rely on the information contained in the certificate that— |
(i) |
the subscriber rightfully holds the private key corresponding to the public key listed in the certificate; |
(ii) |
all representations made by the subscriber to the certification service provider and material to the information listed in the certificate are true; and |
(iii) |
all information in the certificate of which the subscriber has knowledge is true. |
(e) |
On accepting a certificate issued by a certification service provider, the subscriber identified in the certificate must exercise all reasonable care to retain control of the private key corresponding to the public key listed in such certificate and prevent its disclosure to a person not authorised to create the subscriber's advanced electronic signature, and such duty continues throughout the period of validity of the certificate and during any period of suspension of the certificate. |
(f) |
A subscriber who has accepted a certificate must, if the private key corresponding to the public key listed in the certificate has been compromised, request the issuing certification service provider to suspend or revoke the certificate within 24 hours of such loss or compromise. |