1. Objectives
2. Certificate Class and Issuance Policy
3. Applications and Procedure for Certificates
4. Personal Identification
5. Responsibilities and Liabilities of Related Parties
6. Operation of Certification System and Security Control
7. Management of Certification Practice
8. Definition of Terms
1. Objectives
In compliance with the Digital Signature Act (hereinafter referred to as the "Act"), its Enforcement Decree
(hereinafter referred to as the "Decree"), and its Enforcement Regulations (hereinafter referred to as the
"Regulations"), this Certification Practice Statement (CPS), or the "Rules", is intended to prescribe all matters
concerning Korea Information Certificate Authority (hereinafter referred to as "KICA") certification services,
including certificate issuance and management, operation of certification systems, and responsibilities and
liabilities of the related parties such as KICA and subscribers.
2. Certificate Class and Issuance Policy
2.1 Type of Certification Services
a. Designated as a licensed Certification Authority to provide certification services, Korea Information
Certificate Authority (KICA) performs such functions as certificate issuance (including re-issuance and
renewal) or suspension, reinstatement, and revocation of certificates.
b. The types of KICA certificates by class and their issuance policy are as follows:
Class Class I Class II Class III
Corporation/ Server Corporation/
Subscribers Individual Individual Individual
Organization Operator Organization
1.2.410. 1.2.410.
1.2.410. 1.2.410. 20004.
OID 20004. 20004. 1.2.410. 20004. 5.2.1.3
20004. 5.2.1.1 5.2.1.2
5.2.1.1 5.2.1.4
Electronic transactions Electronic e-mail Special purpose
transactions electronic
Internet banking e-mail between transactions
On-line Subscription to Server individuals ntra-/
insurance policy certification Interbusiness e-mail Special purpose
Use Cyber securities transaction On-line subscription electronic transactions i.e.
Access to corporate DB Password change general
On-line Membership Verification of meeting of
services software efficacy stockholders
e-commerce Small transaction
with low risk
* OID: Object Identifier
2.2 Fees
2.2.1 Fees by Certificate Class
Fee schedules for issuance and re-issuance of certificates by certificate class are as follows:
Class      Subscriber                 Fee
Class I    Individual                 10,000
Class I    Corporation/Organization   100,000
Class I    Server Operator            500,000
Class II   Individual                 5,000
Class III  Individual                 To be decided by contract
Class III  Corporation/Organization   To be decided by contract
Note:
1) VAT is excluded.
2) A current schedule of Discount fees and Membership fees will be available from the KICA homepage at
<http://www.signgate.com> separately.
2.2.2 Request and Payment of Fees
KICA may impose fees on subscribers when applications for certification services are filed, and subscribers
should prepay them. However, corporations, organizations or subscribers for server certification services
are allowed to pay them later. In the latter cases, KICA issues a Request for Payment of Fees to the parties
concerned.
2.2.3 Refund of Fees
Subscribers may request a refund of fees if they decide to cancel their applications based on the quality of
certification services at KICA. If the quality does not meet the standards stipulated in the Rules, or the
Center has failed to perform major duties provided under the Rules, a refund should be requested within
10 days from the date of certificate issuance. In this case, subscribers should fill out the Application for
Cancellation or Request for Refund of Fees prepared by KICA and present it to KICA by personal visit, or
send in an electronically signed Application for Cancellation or Request for Refund of Fees through on-line
communication networks.
When the subscriber requests cancellation of the application and a refund within the given period, KICA
may deduct necessary expenses as dictated by the circumstances and refund the balance. On receipt of the
refund, the subscriber's certificate is automatically revoked.
2.2.4 Other Fees
For certification services such as re-issuance of certificate, suspension of certificate validity or
reinstatement, and revocation of certificate, KICA may impose additional fees.
3. Applications and Procedure for Certificates
3.1 Application for Certificates
3.1.1 Registration for Certificates
Subscribers should personally visit KICA offices for registration or access KICA website for registration
forms depending on the class of KICA certificates being sought. They should also undergo personal
identification following personal identification procedures stipulated by "4.1 Personal Identification for
Issuance of Certificates" of these Rules.
3.1.2 Application for Issuance of Certificates
When registration and personal identification are completed, subscribers generate a Key pair using software
provided by KICA or their own software and transmit a certificate application message to KICA. To guarantee
security, the message is sent using the user identification number assigned to them at the time of registration.
3.2 Issuance of Certificates
3.2.1 Issuance of Certificates
a. Before issuing certificates, KICA performs the following points of verification:
- Personal identification of applicants, as described in "4.1 Personal Identification for Issuance of
Certificates" of these Rules.
- Uniqueness of the Public key submitted by an applicant.
- Whether the Public key submitted by an applicant matches the Private key that the applicant owns.
- The uniqueness of the DN (Distinguished Name) submitted by the subscriber.
b. A certificate issued by KICA contains the following details:
- Applicant's name.
- Applicant's private key.
- Method of digital signature used by an applicant and KICA.
- Serial number of the certificate.
- Validity of the certificate.
- Name of KICA as an issuer of a certificate.
- Scope of the certificate's use and restrictions to its application.
- Information on representation in case the subscriber holds representation rights for a third party.
c. In general, certificates are issued within 1 to 3 days from the date of application for issuance of
certificates using the key pair by an applicant. This is provided that the subscriber has filed application
forms and other supporting documents, has paid required fees stipulated by these Rules and completed
personal identification process stipulated by "4.1 Personal Identification for
Issuance of Certificates" and "5.3 Registration Authority".
However, issuance of certificates may be delayed or rejected if the information presented by the
subscriber is inaccurate or the subscriber fails to pay the required fees. Issuance of certificates may also
be delayed when the number of subscribers is unusually large as in the case of a group subscription.
3.2.2 Re-issuance of Certificates
3.2.2.1 Reasons for re-issuance of certificates
Re-issuance of certificates refers to issuance of a new certificate by KICA under special conditions.
Registration for re-issuance is done using the same DN (Distinguished Name) but with a new Private key.
The reissued certificate is valid for the remainder of the original certificate's validity period. The conditions
for re-issuance of a certificate are:
a. When the subscriber applies for re-issuance of a certificate, fearing that his Private key was lost, damaged,
stolen, or leaked.
b. When KICA realizes that its Private key has been lost, damaged, stolen, or leaked.
c. When KICA discovers weaknesses in its digital signature algorithm.
3.2.2.2 Application for re-issuance of certificates and re-issuance procedure
Procedures under "3.2.1 Issuance of Certificates" are applied to re-issuance of certificates, as applicable.
The certificate originally issued before registration for re-issuance will be revoked. Before reissuing
certificates, however, KICA should verify the following points:
a. Personal identification, stipulated by "4.2 Personal Identification for Re-issuance of a Certificate" of
these Rules.
b. The uniqueness of Public key submitted by the applicant who applied for re-registration.
c. Whether the new Public key submitted by the subscriber who applied for re-registration matches the
Private key owned by the subscriber.
d. The identity of the DN (Distinguished Name) submitted by the subscriber who applied for re-registration.
3.2.3 Renewal of Certificates
3.2.3.1 Reasons for renewal of certificates
a. Renewal of certificates refers to issuance of a new certificate intended to extend the validity of the
original certificate using the same Public key and the same DN (Distinguished Name). Subscribers who
want their certificates renewed should apply 30 days prior to the expiration of their original certificate. For
new certificates, subscribers are allowed to change information except for the Public key and DN.
b. KICA provides guidance service for renewal of certificates from 60 days prior to the expiration of the
existing certificates.
3.2.3.2 Application for renewal of certificates and renewal procedure
Procedures under "3.2.1 Issuance of Certificates" are applied to renewal of certificates, as applicable. The
certificate originally issued before registration for renewal will be revoked. Before renewing certificates,
however, KICA will verify the following points:
a. Personal identification, stipulated by "4.3 Personal Identification for Renewal of a Certificate" of these
Rules.
b. The identity of the Public key submitted by the subscriber who applied for renewal with the Public key
recorded in the existing certificate.
c. The identity of the DN submitted by the subscriber who applied for renewal with the DN recorded in the
existing certificate.
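The checks listed in 3.2.1, 3.2.2.2 and 3.2.3.2 can be expressed as one CA-side validation routine. The following is an added sketch, not KICA's code and not part of this CPS: it assumes the key-pair match is proven by a signature over the request made with the applicant's private key, and uses textbook RSA over constructed primes as a stand-in for a real signature scheme. The request layout, the DN strings and the function names are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

E = 65537  # RSA public exponent
KINDS = ("issuance", "re-issuance", "renewal")

def toy_keypair(p, q):
    # Textbook RSA from two primes, no padding: a stand-in for a real key pair.
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(body, n):
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(priv, body):
    n, d = priv
    return pow(_digest(body, n), d, n)

def proves_possession(pub, body, sig):
    """True if sig verifies under pub, i.e. the sender holds the matching private key."""
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _digest(body, n)

@dataclass
class Cert:
    dn: str
    pub: tuple
    not_after: date
    revoked: bool = False

@dataclass
class Request:
    kind: str  # one of KINDS
    dn: str
    pub: tuple
    sig: int = 0

    def body(self):  # assumed layout: every field the signature must cover
        return f"{self.kind}|{self.dn}|{self.pub[0]}|{self.pub[1]}".encode()

def make_request(kind, dn, pub, priv):
    req = Request(kind, dn, pub)
    req.sig = sign(priv, req.body())
    return req

def check_request(req, registry):
    """Run the CA-side checks for one request; an empty list means it may proceed."""
    if req.kind not in KINDS:
        return ["unknown request type"]
    errors = []
    if not proves_possession(req.pub, req.body(), req.sig):
        errors.append("key pair mismatch")
    active = [c for c in registry if not c.revoked]
    current = next((c for c in active if c.dn == req.dn), None)
    key_in_use = any(c.pub == req.pub for c in active)
    if req.kind == "issuance" and current:          # 3.2.1: DN must be unique
        errors.append("DN not unique")
    if req.kind != "issuance" and not current:      # 3.2.2 / 3.2.3: same DN as before
        errors.append("DN not found")
    if req.kind != "renewal" and key_in_use:        # 3.2.1 / 3.2.2: key must be new
        errors.append("public key not unique")
    if req.kind == "renewal" and current and current.pub != req.pub:  # 3.2.3: same key
        errors.append("public key differs from existing certificate")
    return errors

def process(req, registry, today):
    """Issue a certificate if every check passes; the original one is then revoked."""
    errors = check_request(req, registry)
    if errors:
        return None, errors
    old = next((c for c in registry if not c.revoked and c.dn == req.dn), None)
    # Re-issuance keeps the original expiry; otherwise one year, as in 3.3 for Class I/II.
    not_after = old.not_after if req.kind == "re-issuance" else today + timedelta(days=365)
    if old:
        old.revoked = True
    cert = Cert(req.dn, req.pub, not_after)
    registry.append(cert)
    return cert, []

def demo():
    """Constructed sample run: one subscriber, two key pairs built from Mersenne primes."""
    key_a = toy_keypair(2**61 - 1, 2**89 - 1)
    key_b = toy_keypair(2**107 - 1, 2**127 - 1)
    dn, other_dn, registry = "CN=Alice Example,O=Example,C=KR", "CN=Other Example,C=KR", []
    first, _ = process(make_request("issuance", dn, *key_a), registry, date(2024, 1, 10))
    out = {
        "duplicate": check_request(make_request("issuance", dn, *key_a), registry),
        # Carries the public key of key_a but is signed with the private key of key_b.
        "mismatch": check_request(make_request("issuance", other_dn, key_a[0], key_b[1]), registry),
        "renewal_new_key": check_request(make_request("renewal", dn, *key_b), registry),
    }
    reissued, _ = process(make_request("re-issuance", dn, *key_b), registry, date(2024, 6, 1))
    out["reissue_same_key"] = check_request(make_request("re-issuance", dn, *key_b), registry)
    out.update(old_revoked=first.revoked, reissued_keeps_expiry=reissued.not_after == first.not_after)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A production CA would run the same checks against the signature on a PKCS#10 request with a padded signature scheme rather than the toy arithmetic used here.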
3.3 Validity of Certificates
In consideration of the scope of an application, use of the certificates, security and reliability of the
technology employed, etc., KICA determines the validity of certificates as follows:
Class      Subscriber                 Validity
Class I    Individual                 1 Year
Class I    Corporation/Organization   1 Year
Class I    Server Operator            1 Year
Class II   Individual                 1 Year
Class III  Individual                 Less than 1 Year
Class III  Corporation/Organization   Less than 1 Year
3.4 Suspension of Certificate Validity
3.4.1 Reasons for Suspension of a Certificate
Reasons for suspension of a certificate are as follows:
a. When the subscriber or his representative applies for the suspension of a certificate.
b. When the subscriber violates any of these Rules.
c. When the Minister of Information & Communications deems it necessary to safeguard security and
reliability of certification services.
3.4.2 Applicant for Suspension of a Certificate
Only the subscriber or his representative can apply for suspension of a certificate.
3.4.3 Application Procedure for Suspension
3.4.3.1 Application for suspension of a certificate
On completion of the application form for suspension of a certificate, the subscriber can pay a personal visit
to one of the KICA offices to file the application, or transmit the application signed with his Private key
through on-line communication networks.
3.4.3.2 Personal identification
KICA verifies the subscriber's personal identification pursuant to "4.4 Personal Identification for
Suspension and Revocation of a Certificate" of the Rules.
3.4.3.3 Renewal and announcement of the list of suspended certificates
KICA renews and announces the list of suspended certificates immediately, so that anybody can search
the list at any time through certification practice systems. The announcement will be posted on a directory
service, as shown under "5.2.2.4 Provision of directory service" of these Rules, and the time when it is
posted on directory service will be construed as the time of announcement.
3.5 Reinstatement of Certificate Validity
3.5.1 Applicant for Reinstatement of a Certificate
Only a subscriber or his representative can apply for reinstatement of a certificate.
3.5.2 Application Procedure for Reinstatement
3.5.2.1 Application for reinstatement of a certificate
On completion of the application form for reinstatement of a certificate, a subscriber should personally visit
one of the KICA offices to file the application.
3.5.2.2 Personal identification
KICA verifies the subscriber's personal identification pursuant to "4.5 Personal Identification for
Reinstatement of a Certificate" of these Rules.
3.5.2.3 Measures of reinstatement of a certificate
KICA takes measures so that anybody can verify the reinstatement of certificates at any time through
Certification practice systems by deleting the corresponding certificates from the list of revoked
certificates.
3.5.3 Restrictions on Application for Reinstatement of a Certificate
Application for reinstatement of a certificate should be filed within 6 months from the date of suspension.
Unless application for reinstatement is filed within the specified time limit, the corresponding certificate will
be automatically revoked.
3.6 Revocation of Certificates
3.6.1 Reasons for Revocation of a Certificate
a. KICA revokes the corresponding certificate when any of the following reasons arise:
- When the subscriber or his representative applies to KICA for revocation.
- When KICA discovers that the subscriber obtained his certificate by fraud, forgery, or other illegal
means.
- When KICA discovers the death, disappearance, or dissolution of the subscriber or his organization.
- When KICA discovers the subscriber's Private key has been lost, damaged, stolen, or leaked.
- When the subscriber violates any of these Rules.
b. When the designation of KICA as licensed Certification Authority is cancelled, the corresponding
certificates are revoked.
c. When notified by the subscriber that his Private key has weaknesses, or when he discovers that his
Private key is lost, damaged, stolen or leaked for other reasons, or if he discovers that there are
weaknesses in his Key pair or algorithm, KICA revokes the corresponding subscriber's certificate pursuant
to 5.2.2.3 of these Rules.
3.6.2 Applicant for Revocation of a Certificate
The subscriber or his representative (including testamentary executor or legal guardian) can apply for
revocation of a certificate.
3.6.3 Application Procedure for Revocation
3.6.3.1 Application for revocation of a certificate
On completion of the application form for revocation of a certificate, the subscriber should personally visit
one of the KICA offices to file the application form, or transmit the application form, signed with the
subscriber's Private key, through communication networks.
3.6.3.2 Personal identification
KICA verifies the subscriber's personal identification pursuant to "4.4 Personal Identification for
Suspension and Revocation of a Certificate" of the Rules.
3.6.3.3 Renewal and announcement of the list of revoked certificates
KICA renews and announces the list of revoked certificates promptly, so that anybody can verify the list at
any time through certification practice systems. Provision on the time of announcement would be the
same as in 3.4.3.3 "Renewal and announcement of the list of suspended certificates" of these Rules.
3.6.4 Time Required for Processing Revoked Certificates
If reasons for revocation of certificates and the identity of the subscriber who applied for revocation are
confirmed, then KICA will revoke the corresponding certificates promptly, as there is no grace period for
processing revoked certificates at KICA.
3.7 Frequency of Renewal for Certificate Revocation List (CRL)
KICA renews and announces CRL at least every 24 hours.
3.8 Termination of Certificate Validity
Validity of certificates issued by KICA will be terminated when the following causes arise:
a. When the term of the certificate's validity elapses.
b. When the designation of KICA as licensed Certification Authority is cancelled.
c. When the certificate issued by KICA is suspended.
d. When the certificate issued by KICA is revoked.
e. When the CA certificate issued by KISA to KICA is revoked.
3.9 Formulation of "Agreement on Use" and Notification to Subscribers
To inform subscribers of important matters concerning application for certification services, KICA reserves
the right to formulate and notify an "Agreement on Use of Licensed Certification Services", a major
provision contained in this Certification Practice Statement.
4. Personal Identification
4.1 Personal Identification for Issuance of Certificates
4.1.1 Use of Name
a. For names used in the basic domain of certificates and the Certificate Revocation List (CRL), the method
of ITU-T X.500 DN (Distinguished Name) is applied.
b. Information contained in certificates and the Certificate Revocation List (CRL) is as follows:
Individual/Corporation Certificate: Real name (in English) and e-mail address.
Server Certificate: Real Name (in English) and Internet domain name (Internet IP address such as
URLs for WWW).
4.1.2 Uniqueness of Name
KICA verifies the uniqueness of subscribers' DN (Distinguished Name).
4.1.3 Verification of Key pair
On receiving application for issuance of a certificate, KICA verifies whether the Public key submitted by an
applicant matches the Private key owned by an applicant through the following:
a. In applying for issuance of a certificate, the applicant should use application forms prepared by KICA.
b. KICA verifies whether the Public key matches the Private key based on information contained in the
application form.
4.1.4 Identification by Scope of Application and Use of the Certificate
KICA verifies the personal identity of the applicant based on information provided in the application form,
also taking into consideration such factors as the scope of application and use of the certificate being sought.
4.1.5 Identification by Service Type of the Subscriber
a. KICA verifies personal identity of the applicant by service type as follows:
Class      Subscriber                 Application method
Class I    Individual                 Application by personal visit
Class I    Corporation/Organization   Application by personal visit
Class I    Server Operator            Application by personal visit
Class II   Individual                 Application by mail or on-line communication networks
Class III  Individual                 Application by mail or on-line communication networks
Class III  Corporation/Organization   Application by mail or on-line communication networks
Note: In case the identity of an applicant is already verified by RA following the same procedure as used
by KICA, the subscriber may be regarded as having fulfilled the requirement of application by personal visit
as stipulated in this statement.
b. In case the identity of a subscriber is already verified by his interview with RA, the applicant may be
regarded as having fulfilled his interview requirement.
c. The applicant who applies for issuance of a certificate is liable to provide accurate information, and if
there arises any untoward consequence due to inaccurate information, the subscriber shall be held
exclusively responsible.
4.2 Personal Identification for Re-issuance of a Certificate
Procedures of personal identification for re-issuance of a certificate are comparable to procedures of
personal identification for issuance of a certificate. The exception is when the Private key of the subscriber
is still valid and the subscriber applies for re-issuance via communication networks using an electronically
signed application form; in that case KICA should also verify the registration information and the digital signature.
4.3 Personal Identification for Renewal of a Certificate
Procedures of personal identification for renewal of a certificate are comparable to procedures of personal
identification for issuance of a certificate. The exception is when the subscriber applies for renewal via
communication networks using an electronically signed application form; in that case KICA should also verify
the changed information and the digital signature.
4.4 Personal Identification for Suspension and Revocation of a Certificate
When the subscriber or his representative personally visits one of the KICA offices to apply for suspension or
revocation of a certificate, the procedures are comparable to procedures of personal identification for
issuance of a certificate. The exception is when the subscriber applies for suspension or revocation via
communication networks using an electronically signed application form; in that case KICA should also
verify the registration information and the digital signature.
4.5 Personal Identification for Reinstatement of a Certificate
Procedures of personal identification for reinstatement of a certificate are comparable to procedures of
personal identification for issuance of a certificate.
4.6 Supporting Documents for Personal Identification
4.6.1. Class I
4.6.1.1 Individual
a. Adults
Application form for certification services (Prepared by KICA): 1 copy
Copy of resident card, driver's license, passport, or other photo ID (issued by national
or regional governments): Any copy of 1 document (Should bring the original).
b. Minors
When in possession of a passport;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of passport: 1 copy (Should bring the original).
- Parent should accompany and bring ID.
When not in possession of a passport;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of resident register: 1 copy.
- Parent should accompany and bring ID.
c. Korean nationals abroad, foreigners.
Korean nationals abroad;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of passport, Korean nationals' abroad registration: Any copy of 1 document (Should bring
the original).
Foreigners;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of an alien registration card, passport: Any copy of 1 document (Should bring the
original).
4.6.1.2 Corporation, organization, etc.
a. Corporation
When the representative personally applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- Copy of corporation register: 1 copy.
- Seal-impression certificate of the corporation: 1 copy.
- Copy of the representative's ID: 1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- Copy of corporation register: 1 copy.
- A letter of proxy (issued by a representative of corporation): 1 copy.
- Seal-impression certificate of the corporation: 1 copy.
- Office-holder certificate: 1 copy.
- Copy of the legal agent's ID: 1 copy (Should bring the original).
b. Individual business taxpayer
When the representative personally applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- Copy of identification card: 1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- A letter of proxy (issued by a representative of corporation): 1 copy.
- Seal-impression certificate of an applicant: 1 copy.
- Office-holder's certificate: 1 copy.
- Copy of the legal agent's ID: 1 copy (Should bring the original).
c. Voluntary Organization
When the representative himself/herself applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should
bring the original).
- Copy of the representative's ID: 1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should
bring the original).
- A letter of proxy (issued by the representative of organization): 1 copy.
- Seal-impression certificate of the representative: 1 copy.
- Office-holder's certificate: 1 copy.
- Copy of the legal agent's ID: 1 copy (Should bring the original).
d. Foreign corporation or organization.
When the representative personally applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of a certificate of foreign corporation or organization (issued by the government of
corresponding country certifying the existence of such a corporation or organization in that country):
Any copy of 1 document (Should bring the original).
- Copy of the representative's photo ID: 1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of a certificate of foreign corporation or organization (issued by the government of
corresponding country certifying the existence of such a corporation or organization in that country):
Any copy of 1 document (Should bring the original).
- A letter of proxy (Issued by the representative of corporation or organization): 1 copy.
- Office-holder certificate of the representative's legal agent: 1 copy (When not holding office in the
corporation or organization concerned, a letter of proxy issued by the representative may be
accepted).
- Copy of the legal agent's photo ID (issued by proper authorities of that country): 1 copy (Should
bring the original).
4.6.1.3 Server
a. Corporation
When the representative personally applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- Copy of corporation register: 1 copy.
- Seal-impression certificate of the corporation: 1 copy.
- Copy of the representative's ID: 1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- Copy of corporation register: 1 copy.
- A letter of proxy (Issued by the representative of corporation): 1 copy.
- Seal-impression certificate of the corporation: 1 copy.
- Office-holder certificate: 1 copy.
- Copy of the legal agent's ID: 1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
b. Individual business taxpayer
When the representative personally applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- Copy of identification card: 1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of business registration certificate: 1 copy (Should bring the original).
- A letter of proxy issued by the representative: 1 copy.
- Seal-impression certificate of the representative: 1 copy.
- Office-holder's certificate: 1 copy.
- Copy of the legal agent's ID: 1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
c. Voluntary Organization
When the representative personally applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should
bring the original).
- Copy of the representative's ID: 1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should
bring the original).
- A letter of proxy issued by a representative: 1 copy.
- Seal-impression certificate of the representative: 1 copy.
- Office-holder's certificate: 1 copy.
- Copy of the legal agent's ID: 1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
d. Foreign corporation or organization
When the representative personally applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of a certificate of foreign corporation or organization (issued by the government of
corresponding country certifying the existence of such a corporation or organization in that country):
Any copy of 1 document (Should bring the original).
- Copy of the representative's photo ID: 1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
When the representative's legal agent applies;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of a certificate of foreign corporation or organization (issued by the government of
corresponding country certifying the existence of such a corporation or organization in that country):
Any copy of 1 document (Should bring the original).
- Copy of the legal agent's photo ID (issued by proper authorities of that country):
1 copy (Should bring the original).
- Copy of a certificate of URL registration issued by the URL registration authority:
1 copy (Should bring the original).
4.6.2. Class II
4.6.2.1 Application of individuals by personal visit
a. Adults
Application form for certification services (Prepared by KICA): 1 copy.
Copy of resident card, driver's license, passport, or other photo ID (issued by national
or regional governments): Any copy of 1 document (Should bring the original).
b. Minors
When in possession of a passport;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of passport: 1 copy (Please bring the original).
- Parent should accompany and bring ID.
When not in possession of a passport;
- Application form for certification services (Prepared by KICA): 1 copy.
- Copy of resident register: 1 copy.
- Parent should accompany and bring ID.
4.6.2.2 Application by mail
Procedures for application by mail and personal identification will be announced separately.
4.6.3. Class III
Procedures for application and personal identification will be announced separately.
5. Responsibilities and Liabilities of Related Parties
5.1 Korea Information Security Authority (KISA)
KISA performs the following functions as stipulated by law:
a. Authentication of digital signature verification keys issued by licensed certification authorities.
b. Other services related to digital signature certification services.
5.2 Korea Information Certificate Authority (KICA)
5.2.1 Provision of Licensed Certification Services
a. KICA provides the following licensed certification services to subscribers:
Issuance, re-issuance, and renewal of certificates.
Suspension, reinstatement, and revocation of certificates.
Personal identification related to certification services (issuance, suspension, reinstatement, and
revocation).
Public announcement of information related to certificates.
Time-stamp services.
b. KICA does not refuse to provide certification services to anyone without reasonable cause, nor does it
discriminate unduly toward any subscriber or service user.
5.2.2 KICA's Responsibilities
5.2.2.1 Provision of accurate information and public announcement
a. KICA ensures that subscribers and users may verify the reliability and validity of certificates by
announcing the following information promptly:
1) Information on KICA:
Designation and cancellation as licensed certification authority.
Recess, suspension, or revocation of certification services.
Transfer, takeover, or merger of certification services.
2) Information concerning subscriber certificates:
Subscriber certificates.
Certificate Revocation List (CRL).
3) Certification Practice Statement of KICA.
4) Other information related to certification services.
5.2.2.2 Safekeeping of Private keys
KICA generates Key pairs in a secure manner using reliable software or hardware. KICA should securely
manage the Private keys to prevent their loss, damage, theft, or leakage.
5.2.2.3 Measures to maintain security of Private keys
a. When KICA discovers any event that may affect the reliability or validity of certificates, including loss,
damage, theft, or leakage of a Private key, or discovers any weakness in a Key pair or in the algorithms,
KICA immediately informs KISA and the subscriber through communication networks. KICA may also revoke
subscriber certificates issued using the corresponding Private keys.
b. KICA generates new Private keys, has its Public key certified from KISA, and uses Private keys to
re-issue subscriber certificates. KICA then notifies and distributes the corresponding facts through e-mail or
communication networks.
c. Further, KICA publicly announces the corresponding facts so that anyone concerned can check them at
any time through certification management systems, and can also take measures to secure the reliability
and validity of its certification services.
5.2.2.4 Provision of directory service
KICA also provides directory service so that subscribers and users relying on a certificate may search
certificate of KICA, subscriber certificates, and Certificate Revocation List (CRL) at any time through on-line
communication networks.
5.2.2.5 Protection of private information and safekeeping of data security
a. With regard to the information pertaining to subscribers obtained in performing certification procedures
and the following data generated in operating certification authority, KICA does not use or disclose such
private information for purposes other than that for certification service, unless otherwise stipulated by other
laws, court order, or consent of the corresponding subscriber.
Records related to certification application (other than what is recorded in the
certificate or information already disclosed).
Data related to audit and certification services.
b. With regard to one's own private information, subscribers are allowed access to certification
management systems through which they may inspect or correct any relevant information.
5.2.3. Specification of Certificates and Certificate Revocation List (CRL)
5.2.3.1 Specification of certificates
KICA issues certificates pursuant to the certificate specification under ITU-T X.509 Version 3.
5.2.3.2 Specification of Certificate Revocation List (CRL)
a. KICA generates and announces Certificate Revocation List (CRL) pursuant to the specifications of the list
of revoked certificates under ITU-T X.509 Version 2.
b. When suspending certificates, KICA displays suspended certificates using the Reason Code in the
extension field of Certificate Revocation List (CRL).
5.2.4 KICA's Liabilities
5.2.4.1 Liability for Damages
KICA compensates for damages inflicted on subscribers while providing certification service in violation of
the Act, its enforcement decrees, regulations, or provisions of these Rules.
5.2.4.2 Limit of Liability
a. With regard to damages caused in connection with its certification service, KICA is not responsible for
damages exceeding the given limits, even if the total amount of liability for damages incurred by
subscribers, directly or indirectly, exceeds the limit of liability for KICA.
b. The limits of liability for KICA for one valid certificate and within the limit of its validity are as follows:
Class I Class II Class III
Corporation/ Server Corporation/
Individual Individual Individual
Organization Operator Organization
c. In case the damage exceeds the limit of liability and is accompanied by a judgment of a legal
court, KICA shall be responsible only within the above limits and only for cases officially resolved.
5.2.4.3 Exemption of Liability
KICA does not assume responsibility for damages caused by the following reasons:
a. Damages that are caused by using the certificates beyond specific restrictions imposed by KICA on the
scope of their application or use.
b. Damages that resulted from causes not attributable to KICA, including communication failures in
providing such certification services as issuance, re-issuance, and renewal of certificates or in announcing
lists of suspended or revoked certificates, or failures of subscribers' system.
c. Damages caused by not checking and verifying on the part of user relying on a certificate, as required
under "5.5.2 Responsibilities of user relying on a certificate" of these Rules.
d. Damages other than those that are direct and compensatory caused in connection with KICA's
certificates and certification services.
e. Damages caused by fraudulent information provided by subscribers or other illegal means.
f. Damages caused by revised information that subscribers failed to provide due to negligence or intention.
g. Damages caused by careless management of Private keys on the part of subscribers.
h. Damages caused by reasons other than those stipulated in the Act or in the Certification Practice Statement.
5.2.4.4 Limitation on warranty
KICA does not warrant the matters such as subscribers' credit or the integrity of information related to
subscribers that are not provided under the Act and these Rules.
5.2.4.5 Security for Liability for Damages
As a security for its Liability for Damages, KICA is carrying a policy of public liability insurance.
5.3 Registration Authorities (RAs)
5.3.1 Operation of RAs
a. To perform secure and reliable registration functions, KICA may operate Registration Authorities
recruited exclusively for the purpose. RAs sign contracts with KICA and carry out their responsibilities as
specified in these Rules and in the contract.
b. The main functions of RAs are as follows:
Receipt of application for certification services.
- Receipt of application for certificates (issuance, re-issuance, and renewal)
- Receipt of application for suspension or reinstatement of certificates.
- Receipt of application for revocation of certificates.
Personal identification of applicants for certification services.
Requesting KICA to issue applicants' certificates and notifying to applicants.
Other functions related to certification services as commissioned by KICA.
5.3.2 RA's Responsibilities
5.3.2.1 Observance of Certification Practice Statement
In providing licensed certification services, Registration Authorities observe these Rules and (pursuant to
5.3.1 of these Rules) carry out registration functions faithfully.
5.3.2.2 Receipt of applications for Certification services
With regard to issuance of certificates, Registration Authorities accept only those applications with accurate
information based on facts, and until verifications are completed applications are not treated as "accepted".
For personal identification, Registration Authorities observe specific guidelines set by KICA.
When the reception process is completed, Registration Authorities issue receipt slips prepared by KICA or
by the RAs themselves.
c. Registration Authorities are prohibited from refusing receipt of applications for certificate issuance,
suspension, revocation, reinstatement, etc. without good reasons. Accordingly, when refusing, Registration
Authorities should clearly state the reasons why the applications in question cannot be received.
5.3.2.3 Fast, accurate, and secure registration
Registration Authorities, as befitting their role as reliable managers of registration, carry out their
responsibilities quickly, accurately, and securely.
5.3.2.4 Protection of private information and safekeeping of data security
Pursuant to 5.2.2.5 of these Rules, Registration Authorities protect the private information obtained in
performing certification and safeguard the security of data.
5.3.2.5 Safeguard of facilities and personnel
In performing certification services, Registration Authorities observe security guidelines for facilities and
personnel as set by KICA.
5.3.3 RA's Liabilities
a. In case Registration Authorities cause subscribers and users to suffer damages by violating provisions of
the Act, its enforcement decrees, regulations, and these Rules in performing certification functions, RAs
shall be subject to the same liabilities as those applicable to KICA, as shown in "5.2.4 KICA's Liabilities."
b. As a security for such Liability for Damages, Registration Authorities may subscribe to public liability
insurance.
5.4 Subscribers
5.4.1 Subscribers' Responsibilities
5.4.1.1 Provision of accurate information
Information that subscribers provide, including changes subscribers make subsequently to them, in the
following cases, shall always be accurate and based on facts:
a. Information provided for certificate application (issuance, re-issuance, and renewal).
b. Information provided when applying for suspension of certificates.
c. Information provided when applying for reinstatement of certificates.
d. Information provided when applying for revocation of certificates.
e. Changes made to subscribers' identity as recorded in the certificates.
5.4.1.2 Generation of Key pair
Pursuant to 3.1.2 of these Rules, subscribers can generate Key pair.
5.4.1.3. Protection and safekeeping of Private keys
a. Of the generated Key pair, subscribers are responsible for safekeeping of Private keys to prevent their
loss, damage, theft, or leakage.
b. On recognizing that the Private keys belonging to them have been lost, damaged, stolen, or leaked,
subscribers should immediately notify KICA of the corresponding fact through on-line communication
networks, etc.
c. Upon recognition that the Private keys belonging to them have been lost, damaged, stolen, or leaked,
subscribers should exert themselves to reduce or confine the damage.
5.4.1.4 Use of Private key
To generate key pair having legal validity, subscribers should use the Private key that matches the Public
key contained in the KICA-issued certificate.
5.4.1.5 Verification of Certificates
On receiving new certificates, subscribers should confirm their validity, issuing body, their types, and
services before using them.
5.4.2 Subscribers' Liabilities
In case subscribers cause KICA to suffer damages by violation of subscribers' responsibilities pursuant to
these Rules or in the process of using certification services, subscribers are liable to compensate for
the damages inflicted on KICA.
5.5 User relying on a certificate
5.5.1 User relying on a certificate
Users are those who, trusting reliability of the certificates issued by KICA, conduct business with KICA
certificate holders.
5.5.2 Responsibilities of the user relying on a certificate
a. Before conducting business with KICA certificate holders, user relying on a certificate should confirm the
validity, issuing body, types, and use of the corresponding certificates.
b. Before conducting business with KICA certificate holders, users should verify, using the Certificate
Revocation List (CRL), whether or not the corresponding certificates have been suspended or revoked.
c. For damages incurred by not observing confirmation responsibilities of users, the users are exclusively
responsible.
6. Operation of Certification System and Security Control
6.1 Physical Control
6.1.1 Physical Control on Access
KICA safeguards the sites where the core certification systems are installed to prevent physical hazards,
such as intrusion, illegal access, or fire damage, as follows:
a. KICA installs and operates the core certification systems in a separate controlled area.
b. KICA controls access to the controlled area by using multi-layer access systems, which use a
combination of passwords, fingerprint recognition, weight sensing devices, etc.
c. KICA installs the core certification systems in a secure cabinet to allow for physical access control.
d. KICA has all outside hardware service technicians, etc. accompanied by the person in charge when
they enter the area where the core certification systems are installed.
e. KICA maintains and regularly reviews a log that records any entry into the controlled area in connection
with the ID authentication card.
f. KICA maintains alarm systems by installing the following surveillance control systems.
CCTV camera monitoring system.
Intrusion detecting system.
g. KICA may employ security professionals to guard the controlled area.
6.1.2 Power Source
KICA employs UPS to prevent damage from unexpected power failures.
6.1.3 Prevention of Flood Damage
KICA installs the core certification systems at a height of 30cm or more to protect them from flood
damage.
6.1.4 Prevention of Fire Damage
KICA installs fire detectors, portable fire extinguishers, and automatic fire extinguishing facilities to guard
the core certification systems from fire.
6.1.5 Storage Media
KICA controls physical access to its major storage media that are stored in safes.
6.1.6 Disposal of Refuse
KICA shreds and crushes documents, diskettes, and other items to prevent information from such material
from being leaked.
6.1.7 Remote Backup
KICA maintains a remote backup storage of subscriber certificates, including the CRL, for 10 years after the
corresponding certificates are voided.
6.2 Storage and Management of Records
KICA stores all records related to the key generating system, certificate generating system, management
system, directory system, and time-stamping system in file format and manages them according to
separate KICA guidelines.
6.3 Technical Security Control
6.3.1 Generation and Use of Key pair
6.3.1.1 Generation of Key pair
a. KICA allows only persons authorized by KICA to generate Key pair.
b. KICA generates Key pair by using a secure key generating system that is physically separated from the
outside.
6.3.1.2 Size and hash value of Key pair
KICA uses the following size and hash values to employ secure and reliable algorithms for digital
signature key encryption.
a. For RSA and KCDSA: 1024 bit or higher.
b. For HAS-160 and SHA-1: 160 bit or higher.
6.3.2 Safeguard of Private keys
KICA stores Private keys and key generating modules in a secure storage device which is not connected
to internal or external communication networks and which is protected from physical intrusion. The Private
keys are stored in access-authorized smart cards that are safe from leakage or tampering due to the use
of double encryption codes.
6.3.2.1 Storage device for Private keys
Digital signature modules used by KICA are sealed, access-authorized, and equipped with functions that
protect Private keys from leakage or tampering.
6.3.2.2 Generation and secure deletion of Private keys
KICA deletes Private keys immediately from system memory upon completion of their generation and use.
6.3.3 Replacement of Key pair
a. With newly generated Key pair, KICA applies to KISA for renewal of its Licensed CA (Certification
Authority) Certificate before expiration of the existing Certificate.
b. In case its Licensed CA (Certification Authority) Certificate expires before expiration of the subscribers'
certificates, KICA should as a matter of principle have its Certificate renewed by the Korea Information
Security Authority (KISA) prior to use.
6.3.4 Method of Disposing Private keys
When its Licensed CA (Certification Authority) Certificate expires or when Private keys are damaged or
leaked, KICA completely destroys their physical storage media.
6.3.5 Validity of Private keys
KICA and subscribers shall use Private keys only during the term of validity of the corresponding
certificates.
6.3.6 Security Control on Computers and Networks
a. For maintenance of the core certification systems, KICA manages operation records of the core
certification systems and keeps major lists of each system's current status.
b. For access control of networks, KICA employs firewall systems with certificates of assessment.
c. To protect network service from interfering attacks, KICA operates intrusion-detecting systems.
6.3.7 Record Archives
6.3.7.1 Types of archival records
KICA archives the following types of records, which are related to core certification practice, general audit,
prevention of security intrusion, and operations:
a. Records of key generation and renewal.
b. Records related to application for issuance, suspension, revocation, and reinstatement of certificates.
c. Notifications of loss, damage, theft, or leakage of Private keys.
d. Records related to generation, issuance, renewal, suspension or revocation of certificates.
e. Issuance and renewal of CRL.
6.3.7.2 Safekeeping of archival records
To prevent forgery of, tampering with, or damage to archival records, KICA archives records as follows:
a. Electronic documents are safely stored with Digital signatures.
b. Hard copy documents are stored in locked cabinets.
6.3.7.3 Measures for archiving records
KICA regularly archives the original records; copies are archived in physically separate and secure sites
for 10 years.
6.3.8 Recovery Measures
6.3.8.1 Measures against failures of system resources and software
When system resources or software are damaged, KICA restores the system immediately using dual
backup system resources and software in order to prevent inconvenience in subscriber use.
6.3.8.2 Measures against damage or loss of data
When major data such as subscribers' certificates are damaged or lost, KICA restores them immediately
using backup data.
6.3.9 Others
6.3.9.1 Storage of Public keys
KICA stores certificates containing Public keys in directory during the term of validity of the certificates or
until the certificates are revoked.
7. Management of Certification Practice
7.1 Management of Certification Practice Statement
7.1.1 Formulation and Revision of Certification Practice Statement
When formulating or revising this Certification Practice Statement or the Rules, KICA reports the fact to
the Minister of Information & Communications, pursuant to Article 6 Clause 1 of the Digital
Signature Act.
7.1.2 Reasons for Revision of Certification Practice Statement
a. When the Minister of Information & Communications orders a revision, pursuant to Article 6 Clause 2 of
the Digital Signature Act.
b. When the President of KICA deems it necessary to revise the Rules.
7.1.3 Maintenance of Records Related to Revision of Certification Practice Statement
Whenever these Rules are revised, KICA should maintain records containing the following:
a. Version of rules.
b. Scope of application and outline.
c. Records related to revision.
Existing provisions before revision.
Particulars of revision.
Reasons for revision, etc.
7.1.4 Procedure for Implementation
a. KICA reports the formulated or revised rules to the Minister of Information & Communications.
b. KICA announces the rules by posting news at its homepage (http://www.signgate.com) and, if
necessary, notifies subscribers through e-mail, etc.
c. Unless otherwise stipulated, the new rules will come into effect from the day they are reported.
7.1.5 Subscriber's Agreement
Unless subscribers file their formal objections, within 2 weeks of announcement of changed Rules, in
writing or by electronically signed documents using the Private key that matches the certificate issued by
KICA, the corresponding subscribers will be recognized by KICA to have agreed on the changed Rules.
7.2 Interpretation and Enforcement of Certification Practice Statement
7.2.1 Applicable Laws
This Certification Practice Statement will be interpreted and applied pursuant to the Digital Signature Act
and related laws of the Republic of Korea.
7.2.2 Jurisdiction of Litigation Court
All litigation concerning certification services between KICA and subscriber or user relying on a certificate
shall be referred to the Seoul District Court.
7.2.3 Mediation of Disputes
a. Should there arise a dispute between subscriber and user relying on a certificate, KICA may present a
plan for mediation or recommend an agreement by requesting the related parties to present relevant
material and investigating their compliance with the Digital Signature Act and Certification Practice
Statement.
b. Should there arise a dispute between KICA and its subscriber or user relying on a certificate, KICA may
request The Korea Information Security Authority (KISA) to mediate the dispute. KISA may present a plan
for mediation or recommend corrective measures by requesting related parties to present relevant
material and investigating their compliance with the Digital Signature Act and Certification Practice
Statement.
Supplement
1. Korea Information Certificate Authority (KICA)
Korea Information Certificate Authority (KICA) is a Licensed Certification Authority
designated by the Ministry of Information & Communications on Feb. 10, 2000,
pursuant to Article 4 of the Digital Signature Act.
1.1 Contact Information
The following locations provide information on KICA certification services:
a. URL: http://www.signgate.com/english/index.html
b. e-mail: kica@signgate.com
c. Address: Korea Information Certificate Authority Hankyung Bldg., 9th F. 441
Chunglim-dong, Chung-ku, Seoul.
d. Tel: +82-2-360-3000.
e. Fax: +82-2-360-3209.
1.2 Websites
Websites related to KICA certification services are as follows:
a. Certification Practice Statement:
http://www.signgate.com/english/service/service.html.
b. Directory (List of Certificates, List of Suspended or Revoked Certificates):
ldap://ldap.signgate.com
c. CA certificate issued by KISA: http://www.rootca.or.kr/cert.htm
d. CRL of Licensed Certification Authorities: http://www.rootca.or.kr/crl.htm
1.3 Public announcement
1.3.1 Announcement of information by KICA
KICA announces all information concerning issuance and management of certificates,
so that interested parties may review such information at any time through certification
practice systems.
1.3.2 Frequency of announcement
a. KICA announces all information concerning issuance and management of
certificates as soon as certificates are processed, so that interested parties may
review such information at any time through certification practice system.
b. CRL is renewed and announced daily, even when no changes are made to the lists,
so that interested parties may review such information at any time through
certification practice system.
2. Definition of Terms
2.1 Subscriber (Digital Signature Act, Article 2 Clause 11)
Those who have obtained KICA certificates for Public keys on the basis of their contracts with KICA for use
of licensed certification services.
2.2 Certification Authority (Digital Signature Act, Article 2 Clause 9)
Those who provide licensed certification services by obtaining the designation from the Information &
Communications Minister pursuant to Article 4 of the Act.
2.3 Private information (Act, Article 2 Clause 12)
Information pertaining to a living person, whose identity can be recognized by his name or resident
registration number, etc., which are contained in that information (Including such information that can be
used, not alone but in combination with other information, to easily identify the corresponding person).
2.4 Asymmetric cryptosystem (Act, Article 2 Clause 13)
An encryption method in which the key that is used to encrypt information and the key that is used to
decrypt information are different.
2.5 Directory
X.500 compliant directory systems that store lists of issued, suspended, or revoked certificates and are
used to provide public announcement and search services to users relying on certificates.
2.6 User relying on a certificate
Those who use certificates issued by KICA, trusting their reliability, and carry out transactions with
certificate holders.
2.7 Personal identification
The act of verifying the integrity of information concerning the subscriber and his application for issuance,
renewal, suspension, or revocation of certificates in order to secure reliability of certificates.
2.8 Certification (Act, Article 2 Clause 6)
Act of verifying or certifying that the Public key matches the Private keys held by corporations or individuals.
2.9 Certification practice system (Act, Article 2 Clause 10)
Systems providing certification services including issuance of certificates and management of records, etc.
2.10 Certificates (Act, Article 2 Clause 7)
Digital data that verifies or certifies that the Public key matches the Private keys held or used by
corporations or individuals.
2.11 Certification practice (Act, Article 2 Clause 8)
Services related to issuance of certificates and maintenance of records related to certification, and other
related functions.
2.12 Digital or electronic document (Act, Article 2 Clause 1)
Information or data, which are generated, transmitted by, or stored digitally in computers or other
information processing equipment.
2.13 Digital signature (Act, Article 2 Clause 2)
Electronic data that is generated by Private key, using asymmetric encryption, unique to the corresponding
electronic message, that is utilized to identify the writer of the message and its integrity from forgery or
tampering, etc.
2.14 Public key (Act, Article 2 Clause 4)
Electronic data that is used to authenticate (verify) Digital signature.
2.15 Private keys (Act, Article 2 Clause 3)
Electronic data that is used to generate Digital signature.
2.16 Key pair (Act, Article 2 Clause 5)
Private key and its matching Public key.
2.17 Core certification systems
Systems used for key generation, certificate generation, certificate management, directory, and time
stamping service.