Medicines and Related Substances Act, 1965
R 385
Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002)Accreditation RegulationsChapter III : Requirements for certification service providers20. Records to be kept |
| (1) | For purposes of section 38(4)(f) of the Act, the following records must be kept by a certification service provider for a period of seven years or for some other period that the South African Accreditation Authority may determine— |
| (a) | applications for the issuing of certificates; |
| (b) | registration and verification documents for certificates generated; |
| (c) | certificates in a manner such that— |
| (i) | no-one, with the exception of parties authorised to do so, can make changes to the certificates; |
| (ii) | it is possible to verify that the information is correct; and |
| (iii) | the certificate is available to the public only if this is expressly permitted by the subscriber; |
| (d) | information related to suspended certificates; |
| (e) | information related to expired and revoked certificates; |
| (f) | reliable records and logs for activities that are core to the certification service provider's operations, such as certificate management, key generation and administration of its computing facilities. |
| (2) | An accredited service provider must maintain its repository in such a manner that subscribers and relying parties can readily access records to which the authentication service provider permits access. |
| (3) | All records must be kept in such a manner as to ensure the security, integrity and accessibility of the information and records for purposes of their retrieval and inspection by the South African Accreditation Authority. |
| (4) | All archived records may be re-signed to protect their integrity and reliability in the event of technological advances that might impact on the reliance that can be placed on the original records. |
| (5) | If a certification service provider's authentication products and services are based on PKI, key certificates must be re-signed in accordance with the key lengths specified in the certification practice |
