    1. Objectives
    2. Certificate Class and Issuance Policy
    3. Applications and Procedure for Certificates
    4. Personal Identification
    5. Responsibilities and Liabilities of Related Parties
    6. Operation of Certification System and Security Control
    7. Management of Certification Practice
    8. Definition of Terms


1. Objectives



In compliance with the Digital Signature Act (hereinafter referred to as the "Act"), its Enforcement Decree (hereinafter referred to as the "Decree"), and its Enforcement Regulations (hereinafter referred to as the "Regulations"), this Certification Practice Statement (CPS), or the "Rules", is intended to prescribe all matters concerning the certification services of Korea Information Certificate Authority (hereinafter referred to as "KICA"), including certificate issuance and management, operation of certification systems, and the responsibilities and liabilities of related parties such as KICA and subscribers.


2. Certificate Class and Issuance Policy


2.1 Type of Certification Services


a. Designated as a licensed Certification Authority to provide certification services, Korea Information

Certificate Authority (KICA) performs such functions as certificate issuance (including re-issuance and

renewal) or suspension, reinstatement, and revocation of certificates.

b. Type of KICA certificates by class and their issuance policy are as follows:


   Class      Subscribers                 OID
   Class I    Individual                  1.2.410.20004.5.2.1.1
   Class I    Corporation/Organization    1.2.410.20004.5.2.1.1
   Class I    Server Operator             1.2.410.20004.5.2.1.4
   Class II   Individual                  1.2.410.20004.5.2.1.2
   Class III  Individual                  1.2.410.20004.5.2.1.3
   Class III  Corporation/Organization    1.2.410.20004.5.2.1.3

   Use, Class I (Individual, Corporation/Organization):
   - Electronic transactions
   - Internet banking
   - On-line subscription to insurance policy
   - Cyber securities transaction
   - Access to corporate DB
   - On-line membership services
   - e-commerce

   Use, Class I (Server Operator):
   - Electronic transactions
   - Server certification

   Use, Class II (Individual):
   - e-mail
   - e-mail between individuals
   - Intra-/Interbusiness e-mail
   - On-line subscription
   - Password change
   - Verification of software efficacy
   - Small transaction with low risk

   Use, Class III:
   - Special purpose electronic transactions
   - Special purpose electronic transactions, i.e. general meeting of stockholders

* OID: Object Identifier




2.2 Fees


2.2.1 Fees by Certificate Class


Fee schedules for issuance and re-issuance of certificates by certificate class are as follows:


   Class      Subscribers                 Fee
   Class I    Individual                  10,000
   Class I    Corporation/Organization    100,000
   Class I    Server Operator             500,000
   Class II   Individual                  5,000
   Class III  Individual                  To be decided by contract
   Class III  Corporation/Organization    To be decided by contract


Note:

1) VAT is excluded.

2) A current schedule of Discount fees and Membership fees will be available from the KICA homepage at

<http://www.signgate.com> separately.


2.2.2 Request and Payment of Fees


KICA may impose fees on subscribers when applications for certification services are filed, and subscribers

should prepay them. However, corporations, organizations or subscribers for server certification services

are allowed to pay them later. In the latter cases, KICA issues Request for Payment of Fees to the parties

concerned.


2.2.3 Refund of Fees


Subscribers may request a refund of fees if they decide to cancel their applications because of the quality of certification services at KICA. If the quality does not meet the standards stipulated in the Rules, or the Center has failed to perform major duties provided under the Rules, the refund should be requested within 10 days from the date of certificate issuance. In this case, subscribers should fill out the Application for Cancellation or Request for Refund of Fees prepared by KICA and present it to KICA by personal visit, or send an electronically signed Application for Cancellation or Request for Refund of Fees through on-line communication networks.

When the subscriber requests cancellation of the application and a refund within the given period, KICA may deduct necessary expenses as dictated by the circumstances and refund the balance. On receipt of the refund, the subscriber's certificate is automatically revoked.


2.2.4 Other Fees


For certification services such as re-issuance of certificate, suspension of certificate validity or

reinstatement, and revocation of certificate, KICA may impose additional fees.




3. Applications and Procedure for Certificates


3.1 Application for Certificates


3.1.1 Registration for Certificates


Subscribers should personally visit KICA offices for registration or access KICA website for registration

forms depending on the class of KICA certificates being sought. They should also undergo personal

identification following personal identification procedures stipulated by "4.1 Personal Identification for

Issuance of Certificates" of these Rules.


3.1.2 Application for Issuance of Certificates


When registration and personal identification are completed, subscribers generate a key pair using software provided by KICA or their own software and, to guarantee security, transmit a certificate application message to KICA using the user identification number assigned to them at the time of registration.


3.2 Issuance of Certificates


3.2.1 Issuance of Certificates


a. Before issuing certificates, KICA verifies the following points:

   - Personal identification of applicants, as described in "4.1 Personal Identification for Issuance of Certificates" of these Rules.
   - Uniqueness of the Public key submitted by an applicant.
   - Whether the Public key submitted by an applicant matches the Private key that the applicant owns.
   - Uniqueness of the DN (Distinguished Name) submitted by the subscriber.


b. A certificate issued by KICA contains the following details:

   - Applicant's name.
   - Applicant's private key.
   - Method of digital signature used by an applicant and KICA.
   - Serial number of the certificate.
   - Validity of the certificate.
   - Name of KICA as an issuer of a certificate.
   - Scope of the certificate's use and restrictions on its application.
   - Information on representation in case the subscriber holds representation rights for a third party.


c. In general, certificates are issued within 1 to 3 days from the date on which the applicant applies for issuance of a certificate using the key pair, provided that the subscriber has filed the application forms and other supporting documents, has paid the required fees stipulated by these Rules, and has completed the personal identification process stipulated by "4.1 Personal Identification for Issuance of Certificates" and "5.3 Registration Authority".

However, issuance of certificates may be delayed or rejected if the information presented by the subscriber is inaccurate or the subscriber fails to pay the required fees. Issuance of certificates may also be delayed when the number of subscribers is unusually large, as in the case of a group subscription.


3.2.2 Re-issuance of Certificates


3.2.2.1 Reasons for re-issuance of certificates


Re-issuance of certificates refers to issuance of a new certificate by KICA under special conditions. Registration for re-issuance is done using the same DN (Distinguished Name) but with a new Private key. The reissued certificate is valid for the remainder of the original certificate's validity period. The conditions for re-issuance of a certificate are:


a. When subscriber applies for re-issuance of certificate, fearing that his Private key was lost, damaged,

stolen, or leaked.


b. When KICA realizes that its Private key has been lost, damaged, stolen, or leaked.


c. When KICA discovers weaknesses in its digital signature algorithm.


3.2.2.2 Application for re-issuance of certificates and re-issuance procedure


Procedures under "3.2.1 Issuance of Certificates" are applied to re-issuance of certificates, as applicable.
The certificate originally issued before registration for re-issuance will be revoked. Before reissuing

certificates, however, KICA should verify the following points:


a. Personal identification, stipulated by "4.2 Personal Identification for Re-issuance of a Certificate" of

these Rules.


b. The uniqueness of Public key submitted by the applicant who applied for re-registration.


c. Whether the new Public key submitted by the subscriber who applied for re-registration matches the

Private key owned by the subscriber.


d. The identity of the DN (Distinguished Name) submitted by the subscriber who applied for re-registration.


3.2.3 Renewal of Certificates


3.2.3.1 Reasons for renewal of certificates



a. Renewal of certificates refers to issuance of a new certificate intended to extend the validity of the

original certificate using the same Public key and the same DN (Distinguished Name). Subscribers who

want their certificates renewed should apply 30 days prior to the expiration of their original certificate. For

new certificates, subscribers are allowed to change information except for the Public key and DN.


b. KICA provides guidance service for renewal of certificates from 60 days prior to the expiration of the

existing certificates.


3.2.3.2 Application for renewal of certificates and renewal procedure


Procedures under "3.2.1 Issuance of Certificates" are applied to renewal of certificates, as applicable. The

certificate originally issued before registration for renewal will be revoked. Before renewing certificates,

however, KICA will verify the following points:


a. Personal identification, stipulated by "4.3 Personal Identification for Renewal of a Certificate" of these Rules.

b. The identity of the Public key submitted by the subscriber who applied for renewal with the Public key recorded in the existing certificate.

c. The identity of the DN submitted by the subscriber who applied for renewal with the DN recorded in the existing certificate.

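
The checks in 3.2.1, 3.2.2.2 and 3.2.3.2 differ only in what must be new and what must stay the same. The sketch below is an added example, not KICA's software. The names Registry, Request and Cert, the SHA-256 key fingerprint, the DN normalisation, the one-year default validity and the two boolean inputs (personal identification done, private-key possession proven by the signature on the request) are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


def key_id(spki_der: bytes) -> str:
    """Fingerprint used to compare public keys (SHA-256 is an assumption)."""
    return hashlib.sha256(spki_der).hexdigest()


def norm_dn(dn: str) -> str:
    """Simplified DN comparison form: trimmed, case-folded RDNs (assumption)."""
    return ",".join(part.strip().casefold() for part in dn.split(","))


@dataclass
class Cert:
    dn: str
    key: str
    not_after: datetime
    revoked: bool = False


@dataclass
class Request:
    kind: str          # "issue", "reissue" or "renew"
    dn: str
    spki_der: bytes    # public key submitted by the applicant
    identity_ok: bool  # personal identification (section 4) completed
    pop_ok: bool       # request signature verified with the submitted key


class Registry:
    """Hypothetical CA-side record of issued certificates."""

    def __init__(self, validity=timedelta(days=365)):
        self.certs = []
        self.validity = validity

    def current(self, dn, now):
        """Return the unrevoked, unexpired certificate for this DN, if any."""
        for c in self.certs:
            if c.dn == norm_dn(dn) and not c.revoked and c.not_after > now:
                return c
        return None

    def key_seen(self, key):
        # Revoked and expired records count too, so a key reported lost or
        # leaked can never be certified again.
        return any(c.key == key for c in self.certs)

    def process(self, req, now):
        """Return (certificate, []) on success or (None, reasons) on refusal."""
        if req.kind not in ("issue", "reissue", "renew"):
            return None, [f"unknown request kind {req.kind!r}"]
        dn, key = norm_dn(req.dn), key_id(req.spki_der)
        old = self.current(req.dn, now)
        errors = []
        if not req.identity_ok:
            errors.append("personal identification not completed")
        if not req.pop_ok:
            errors.append("no proof that the applicant holds the private key")
        if req.kind == "issue":                      # 3.2.1 a
            if self.key_seen(key):
                errors.append("public key is not unique")
            if old is not None:
                errors.append("DN is not unique")
            not_after = now + self.validity
        elif old is None:
            errors.append("no valid certificate with this DN")
        elif req.kind == "reissue":                  # 3.2.2: same DN, new key
            if self.key_seen(key):
                errors.append("re-issuance needs a new, unique public key")
            not_after = old.not_after                # remainder of old validity
        else:                                        # 3.2.3: same DN, same key
            if key != old.key:
                errors.append("renewal must keep the certified public key")
            not_after = now + self.validity
        if errors:
            return None, errors
        if old is not None:
            old.revoked = True   # the original certificate is revoked
        cert = Cert(dn, key, not_after)
        self.certs.append(cert)
        return cert, []


if __name__ == "__main__":
    # Constructed sample data: the DN and key bytes are placeholders.
    reg, t0 = Registry(), datetime(2024, 1, 1)
    print(reg.process(Request("issue", "CN=Alice Kim, C=KR", b"KEY-A", True, True), t0))
    print(reg.process(Request("renew", "CN=Alice Kim, C=KR", b"KEY-B", True, True), t0))
```
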


3.3 Validity of Certificates


In consideration of the scope of application and use of the certificates, the security and reliability of the technology employed, etc., KICA determines the validity of certificates as follows:


   Class      Subscribers                 Validity
   Class I    Individual                  1 Year
   Class I    Corporation/Organization    1 Year
   Class I    Server Operator             1 Year
   Class II   Individual                  1 Year
   Class III  Individual                  Less than 1 Year
   Class III  Corporation/Organization    Less than 1 Year




3.4 Suspension of Certificate Validity


3.4.1 Reasons for Suspension of a Certificate


Reasons for suspension of a certificate are as follows:


a. When the subscriber or his representative applies for the suspension of a certificate.

b. When the subscriber violates any of these Rules.

c. When the Minister of Information & Communications deems it necessary to safeguard security and

reliability of certification services.


3.4.2 Applicant for Suspension of a Certificate


Only the subscriber or his representative can apply for suspension of a certificate.




3.4.3 Application Procedure for Suspension


3.4.3.1 Application for suspension of a certificate


On completion of the application form for suspension of a certificate, the subscriber can personally visit one of the KICA offices to file the application, or transmit the application, signed with his private key, through on-line communication networks.


3.4.3.2 Personal identification


KICA verifies the subscriber's personal identification pursuant to "4.4 Personal Identification for

Suspension and Revocation of a Certificate" of the Rules.


3.4.3.3 Renewal and announcement of the list of suspended certificates


KICA renews and announces the list of suspended certificates immediately, so that anybody can search

the list at any time through certification practice systems. The announcement will be posted on a directory

service, as shown under "5.2.2.4 Provision of directory service" of these Rules, and the time when it is

posted on directory service will be construed as the time of announcement.


3.5 Reinstatement of Certificate Validity


3.5.1 Applicant for Reinstatement of a Certificate


Only a subscriber or his representative can apply for reinstatement of a certificate.


3.5.2 Application Procedure for Reinstatement


3.5.2.1 Application for reinstatement of a certificate


On completion of the application form for reinstatement of a certificate, a subscriber should personally visit

one of the KICA offices to file the application.


3.5.2.2 Personal identification


KICA verifies the subscriber's personal identification pursuant to "4.5 Personal Identification for

Reinstatement of a Certificate" of these Rules.


3.5.2.3 Measures of reinstatement of a certificate


KICA takes measures so that anybody can verify the reinstatement of certificates at any time through

Certification practice systems by deleting the corresponding certificates from the list of revoked

certificates.


3.5.3 Restrictions on Application for Reinstatement of a Certificate


Application for reinstatement of a certificate should be filed within 6 months from the date of suspension.
Unless application for reinstatement is filed within the specified time limit, the corresponding certificate will

be automatically revoked.


3.6 Revocation of Certificates


3.6.1 Reasons for Revocation of a Certificate


a. KICA revokes the corresponding certificate when any of the following reasons arises:

   - When the subscriber or his representative applies to KICA for revocation.
   - When KICA discovers that the subscriber obtained his certificate by fraud, forgery, or other illegal means.
   - When KICA discovers the death, disappearance, or dissolution of the subscriber or his organization.
   - When KICA discovers that the subscriber's Private key has been lost, damaged, stolen, or leaked.
   - When the subscriber violates any of these Rules.


b. When the designation of KICA as a licensed Certification Authority is cancelled, the corresponding certificates are revoked.

c. When notified by the subscriber that his Private key has weaknesses, or when he discovers that his

Private key is lost, damaged, stolen or leaked for other reasons, or if he discovers that there are

weaknesses in his Key pair or algorithm, KICA revokes the corresponding subscriber's certificate pursuant

to 5.2.2.3 of these Rules.


3.6.2 Applicant for Revocation of a Certificate


The subscriber or his representative (including testamentary executor or legal guardian) can apply for

revocation of a certificate.


3.6.3 Application Procedure for Revocation


3.6.3.1 Application for revocation of a certificate


On completion of the application form for revocation of a certificate, the subscriber should personally visit one of the KICA offices to file the application form, or transmit the application form, signed with the subscriber's Private key, through communication networks.


3.6.3.2 Personal identification


KICA verifies the subscriber's personal identification pursuant to "4.4 Personal Identification for
Suspension and Revocation of a Certificate" of the Rules.


3.6.3.3 Renewal and announcement of the list of revoked certificates


KICA renews and announces the list of revoked certificates promptly, so that anybody can verify the list at

any time through certification practice systems. Provision on the time of announcement would be the

same as in 3.4.3.3 "Renewal and announcement of the list of suspended certificates" of these Rules.


3.6.4 Time Required for Processing Revoked Certificates


If reasons for revocation of certificates and the identity of the subscriber who applied for revocation are

confirmed, then KICA will revoke the corresponding certificates promptly, as there is no grace period for

processing revoked certificates at KICA.


3.7 Frequency of Renewal for Certificate Revocation List (CRL)


KICA renews and announces CRL at least every 24 hours.


3.8 Termination of Certificate Validity


Validity of certificates issued by KICA will be terminated when the following causes arise:


a. When the term of the certificate's validity elapses.

b. When the designation of KICA as licensed Certification Authority is cancelled.

c. When the certificate issued by KICA is suspended.

d. When the certificate issued by KICA is revoked.

e. When the CA certificate issued by KISA to KICA is revoked.


3.9 Formulation of "Agreement on Use" and Notification to Subscribers



To inform subscribers of important matters concerning application for certification services, KICA reserves

the right to formulate and notify an "Agreement on Use of Licensed Certification Services", a major

provision contained in this Certification Practice Statement.


4. Personal Identification


4.1 Personal Identification for Issuance of Certificates


4.1.1 Use of Name


a. For names used in the basic domain of certificates and the Certificate Revocation List (CRL), the method of ITU-T X.500 DN (Distinguished Name) is applied.

b. Information contained in certificates and the Certificate Revocation List (CRL) is as follows:

   - Individual/Corporation Certificate: Real name (in English) and e-mail address.
   - Server Certificate: Real Name (in English) and Internet domain name (Internet IP address such as URLs for WWW).


4.1.2 Uniqueness of Name


KICA verifies the uniqueness of subscribers' DN (Distinguished Name).


4.1.3 Verification of Key pair


On receiving application for issuance of a certificate, KICA verifies whether the Public key submitted by an

applicant matches the Private key owned by an applicant through the following:


a. In applying for issuance of a certificate, the applicant should use application forms prepared by KICA.

b. KICA verifies whether the Public key matches the Private key based on information contained in the application form.


4.1.4 Identification by Scope of Application and Use of the Certificate


KICA verifies the personal identity of the applicant based on information provided in the application form, also taking into consideration such factors as the scope of application and use of the certificate being sought.


4.1.5 Identification by Service Type of the Subscriber


a. KICA verifies personal identity of the applicant by service type as follows:




   Class      Subscribers                 Application method
   Class I    Individual                  Application by personal visit
   Class I    Corporation/Organization    Application by personal visit
   Class I    Server Operator             Application by personal visit
   Class II   Individual                  Application by mail or on-line communication networks
   Class III  Individual                  Application by mail or on-line communication networks
   Class III  Corporation/Organization    Application by mail or on-line communication networks

Note: In case the identity of an applicant is already verified by RA following the same procedure as used by KICA, the subscriber may be regarded as having fulfilled the requirement of application by personal visit as stipulated in this statement.


b. In case the identity of a subscriber is already verified by his interview with RA, the applicant may be

regarded as having fulfilled his interview requirement.


c. The applicant who applies for issuance of a certificate is liable to provide accurate information, and if

there arises any untoward consequence due to inaccurate information, the subscriber shall be held

exclusively responsible.




4.2 Personal Identification for Re-issuance of a Certificate


Procedures of personal identification for re-issuance of a certificate are comparable to procedures of personal identification for issuance of a certificate. The exception is that, when the Private key of the subscriber is still valid and the subscriber applies for re-issuance via communication networks using an electronically signed application form, KICA should also verify the registration information and the digital signature.


4.3 Personal Identification for Renewal of a Certificate


Procedures of personal identification for renewal of a certificate are comparable to procedures of personal identification for issuance of a certificate. The exception is that, when the subscriber applies for renewal via communication networks using an electronically signed application form, KICA should also verify the changed information and the digital signature.


4.4 Personal Identification for Suspension and Revocation of a Certificate


When the subscriber or his representative personally visits one of the KICA offices to apply for suspension or revocation of a certificate, the procedures are comparable to procedures of personal identification for issuance of a certificate. The exception is that, when the subscriber applies for suspension or revocation via communication networks using an electronically signed application form, KICA should also verify the registration information and the digital signature.


4.5 Personal Identification for Reinstatement of a Certificate


Procedures of personal identification for reinstatement of a certificate are comparable to procedures of personal identification for issuance of a certificate.


4.6 Supporting Documents for Personal Identification


4.6.1. Class I


4.6.1.1 Individual


a. Adults

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of resident card, driver's license, passport, or other photo ID (issued by national or regional governments): Any copy of 1 document (Should bring the original).


b. Minors

   When in possession of a passport;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of passport: 1 copy (Should bring the original).

  - Parent should accompany and bring ID.

   When not in possession of a passport;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of resident register: 1 copy.

  - Parent should accompany and bring ID.



c. Korean nationals abroad, foreigners.

   Korean nationals abroad;

   - Application form for certification services (Prepared by KICA): 1 copy.

   - Copy of passport, Korean nationals' abroad registration: Any copy of 1 document (Should bring the original).

   Foreigners;

   - Application form for certification services (Prepared by KICA): 1 copy.

   - Copy of an alien registration card, passport: Any copy of 1 document (Should bring the original).

4.6.1.2 Corporation, organization, etc.


a. Corporation

   When the representative personally applies;

  - Application form for certification services (Prepared by KICA): 1 copy.
  - Copy of business registration certificate: 1 copy (Should bring the original).

  - Copy of corporation register: 1 copy.

  - Seal-impression certificate of the corporation: 1 copy.

  - Copy of the representative's ID: 1 copy (Should bring the original).

   When the representative's legal agent applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of business registration certificate: 1 copy (Should bring the original).

  - Copy of corporation register: 1 copy.

  - A letter of proxy (issued by a representative of corporation): 1 copy.

  - Seal-impression certificate of the corporation: 1 copy.

  - Office-holder certificate: 1 copy.

  - Copy of the legal agent's ID: 1 copy (Should bring the original).



b. Individual business taxpayer

   When the representative personally applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of business registration certificate: 1 copy (Should bring the original).

  - Copy of identification card: 1 copy (Should bring the original).

   When the representative's legal agent applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of business registration certificate: 1 copy (Should bring the original).

  - A letter of proxy (issued by a representative of corporation): 1 copy.

  - Seal-impression certificate of an applicant: 1 copy

  - Office-holder's certificate: 1 copy.

  - Copy of the legal agent's ID: 1 copy (Should bring the original).



c. Voluntary Organization

   When the representative himself/herself applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should bring the original).

  - Copy of the representative's ID: 1 copy (Should bring the original).

   When the representative's legal agent applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should bring the original).

  - A letter of proxy (issued by the representative of organization): 1 copy.

  - Seal-impression certificate of the representative: 1 copy.

  - Office-holder's certificate: 1 copy.

  - Copy of the legal agent's ID: 1 copy (Should bring the original).



d. Foreign corporation or organization.

   When the representative personally applies.

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of a certificate of foreign corporation or organization (issued by the government of corresponding country certifying the existence of such a corporation or organization in that country): Any copy of 1 document (Should bring the original).

  - Copy of the representative's photo ID: 1 copy (Should bring the original).

   When the representative's legal agent applies.

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of a certificate of foreign corporation or organization (issued by the government of corresponding country certifying the existence of such a corporation or organization in that country): Any copy of 1 document (Should bring the original).

  - A letter of proxy (issued by the representative of corporation or organization): 1 copy.

  - Office-holder certificate of the representative's legal agent: 1 copy (When not holding office in the corporation or organization concerned, a letter of proxy issued by the representative may be accepted).

  - Copy of the legal agent's photo ID (issued by proper authorities of that country): 1 copy (Should bring the original).



4.6.1.3 Server

a. Corporation

   When the representative personally applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of business registration certificate: 1 copy (Should bring the original).

  - Copy of corporation register: 1 copy.

  - Seal-impression certificate of the corporation: 1 copy.

  - Copy of the representative's ID: 1 copy (Should bring the original).

  - Copy of a certificate of URL registration issued by the URL registration authority:

     1 copy (Should bring the original).

   When the representative's legal agent applies;

  - Application form for certification services (Prepared by KICA): 1 copy.
    - Copy of business registration certificate: 1 copy (Should bring the original).

    - Copy of corporation register: 1 copy.

    - A letter of proxy (Issued by the representative of corporation): 1 copy.

    - Seal-impression certificate of the corporation: 1 copy.

    - Office-holder certificate: 1 copy.

    - Copy of the legal agent's ID: 1 copy (Should bring the original).

    - Copy of a certificate of URL registration issued by the URL registration authority: 1 copy (Should bring the original).



b. Individual business taxpayer

    When the representative personally applies;

    - Application form for certification services (Prepared by KICA): 1 copy.

    - Copy of business registration certificate: 1 copy (Should bring the original).

    - Copy of identification card: 1 copy (Should bring the original).

    - Copy of a certificate of URL registration issued by the URL registration authority:

      1 copy (Should bring the original).

    When the representative's legal agent applies;

    - Application form for certification services (Prepared by KICA): 1 copy.

    - Copy of business registration certificate: 1 copy (Should bring the original).

    - A letter of proxy issued by the representative: 1 copy.

    - Seal-impression certificate of the representative: 1 copy.

    - Office-holder's certificate: 1 copy.

    - Copy of the legal agent's ID: 1 copy (Should bring the original).

    - Copy of a certificate of URL registration issued by the URL registration authority:

      1 copy (Should bring the original).



c. Voluntary Organization

    When the representative personally applies;

    - Application form for certification services (Prepared by KICA): 1 copy.

    - Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should bring the original).

    - Copy of the representative's ID: 1 copy (Should bring the original).

    - Copy of a certificate of URL registration issued by the URL registration authority:

      1 copy (Should bring the original).

    When the representative's legal agent applies;

    - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of certificate of proprietary number or certificate of tax payment number: 1 copy (Should bring the original).

  - A letter of proxy issued by a representative: 1 copy.

  - Seal-impression certificate of the representative: 1 copy.

  - Office-holder's certificate: 1 copy.

  - Copy of the legal agent's ID: 1 copy (Should bring the original).

  - Copy of a certificate of URL registration issued by the URL registration authority:

     1 copy (Should bring the original).



d. Foreign corporation or organization

   When the representative personally applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of a certificate of foreign corporation or organization (issued by the government of the corresponding country certifying the existence of such a corporation or organization in that country): Any copy of 1 document (Should bring the original).


  - Copy of the representative's photo ID: 1 copy (Should bring the original).

  - Copy of a certificate of URL registration issued by the URL registration authority:

     1 copy (Should bring the original).

   When the representative's legal agent applies;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of a certificate of foreign corporation or organization (issued by the government of the corresponding country certifying the existence of such a corporation or organization in that country): Any copy of 1 document (Should bring the original).

  - Copy of the legal agent's photo ID (issued by proper authorities of that country):

     1 copy (Should bring the original).

  - Copy of a certificate of URL registration issued by the URL registration authority:

     1 copy (Should bring the original).



4.6.2. Class II


4.6.2.1 Application of individuals by personal visit


a. Adults

   Application form for certification services (Prepared by KICA): 1 copy.

   Copy of resident card, driver's license, passport, or other photo ID (issued by national

   or regional governments): Any copy of 1 document (Should bring the original).

b. Minors

   When in possession of a passport;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of passport: 1 copy (Please bring the original).

  - Parent should accompany and bring ID.

   When not in possession of a passport;

  - Application form for certification services (Prepared by KICA): 1 copy.

  - Copy of resident register: 1 copy.

  - Parent should accompany and bring ID.



4.6.2.2 Application by mail


Procedures for application by mail and personal identification will be announced separately.



4.6.3. Class III


Procedures for application and personal identification will be announced separately.


5. Responsibilities and Liabilities of Related Parties


5.1 Korea Information Security Authority (KISA)


KISA performs the following functions as stipulated by law:


a. Authentication of digital signature verification keys issued by licensed certification authorities.

b. Other services related to digital signature certification services.


5.2 Korea Information Certificate Authority (KICA)


5.2.1 Provision of Licensed Certification Services


a. KICA provides the following licensed certification services to subscribers:

   Issuance, re-issuance, and renewal of certificates.

   Suspension, reinstatement, and revocation of certificates.

   Personal identification related to certification services (issuance, suspension, reinstatement, and revocation).

   Public announcement of information related to certificates.

   Time-stamp services.

b. KICA does not refuse to provide certification services to anyone without reasonable cause, nor does it

discriminate unduly toward any subscriber or service user.


5.2.2 KICA's Responsibilities


5.2.2.1 Provision of accurate information and public announcement


a. KICA ensures that subscribers and users may verify the reliability and validity of certificates by

announcing the following information promptly:

1) Information on KICA:

   Designation and cancellation as licensed certification authority.

   Recess, suspension, or revocation of certification services.

   Transfer, takeover, or merger of certification services.

2) Information concerning subscriber certificates:

   Subscriber certificates.

   Certificate Revocation List (CRL).

3) Certification Practice Statement of KICA.

4) Other information related to certification services.


5.2.2.2 Safekeeping of Private keys



KICA generates Key pairs in a secure manner utilizing reliable software or hardware. KICA should securely

manage the Private keys to prevent their loss, damage, theft, or leakage.



5.2.2.3 Measures to maintain security of Private keys


a. KICA immediately informs KISA and the subscriber, through communication networks, when KICA discovers

any event that may affect the reliability or validity of certificates, including loss, damage, theft, or leakage

of a Private key, or discovers any weakness in a Key pair or in the algorithms. KICA may also revoke

subscriber certificates issued using the corresponding Private keys.

b. KICA generates new Private keys, has its Public key certified from KISA, and uses Private keys to

re-issue subscriber certificates. KICA then notifies and distributes the corresponding facts through e-mail or

communication networks.

c. Further, KICA publicly announces the corresponding facts so that anyone concerned can check them at

any time through certification management systems, and can also take measures to secure the reliability

and validity of its certification services.


5.2.2.4 Provision of directory service


KICA also provides directory service so that subscribers and users relying on a certificate may search

the certificate of KICA, subscriber certificates, and the Certificate Revocation List (CRL) at any time through on-line

communication networks.


5.2.2.5 Protection of private information and safekeeping of data security


a. With regard to the information pertaining to subscribers obtained in performing certification procedures

and the following data generated in operating certification authority, KICA does not use or disclose such

private information for purposes other than that for certification service, unless otherwise stipulated by other

laws, court order, or consent of the corresponding subscriber.

   Records related to certification application (other than what is recorded in the certificate or information already disclosed).

   Data related to audit and certification services.



b. With regard to one's own private information, subscribers are allowed access to certification

management systems through which they may inspect or correct any relevant information.


5.2.3. Specification of Certificates and Certificate Revocation List (CRL)


5.2.3.1 Specification of certificates


KICA issues certificates pursuant to the certificate specification under ITU-T X.509 Version 3.


5.2.3.2 Specification of Certificate Revocation List (CRL)


a. KICA generates and announces Certificate Revocation List (CRL) pursuant to the specifications of the list

of revoked certificates under ITU-T X.509 Version 2.

b. When suspending certificates, KICA displays suspended certificates using the Reason Code in the

extension field of Certificate Revocation List (CRL).



5.2.4 KICA's Liabilities


5.2.4.1 Liability for Damages


KICA compensates for damages inflicted on subscribers while providing certification service in violation of

the Act, its enforcement decrees, regulations, or provisions of these Rules.


5.2.4.2 Limit of Liability


a. With regard to damages caused in connection with its certification service, KICA is not responsible for

damages exceeding the given limits even though the total amount of liability for damages incurred by

subscribers, whether directly or indirectly, exceeds the limit of liability for KICA.

b. The limits of liability for KICA for one valid certificate and within the limit of its validity are as follows:


Class I                                                  | Class II   | Class III
Individual | Corporation/Organization | Server Operator  | Individual | Individual | Corporation/Organization




c. Where the damage exceeds the limit of liability and is accompanied by a judgment of a legal

court, KICA shall be responsible only within the above limits and only for cases officially resolved.


5.2.4.3 Exemption of Liability


KICA does not assume responsibility for damages caused by the following reasons:


a. Damages that are caused by using the certificates beyond specific restrictions imposed by KICA on the

scope of their application or use.

b. Damages that resulted from causes not attributable to KICA, including communication failures in

providing such certification services as issuance, re-issuance, and renewal of certificates or in announcing

lists of suspended or revoked certificates, or failures of subscribers' system.

c. Damages caused by not checking and verifying on the part of user relying on a certificate, as required

under "5.5.2 Responsibilities of user relying on a certificate" of these Rules.

d. Damages other than those that are direct and compensatory caused in connection with KICA's

certificates and certification services.

e. Damages caused by fraudulent information provided by subscribers or other illegal means.

f. Damages caused by revised information that subscribers failed to provide due to negligence or intention.

g. Damages caused by careless management of Private keys on the part of subscribers.

h. Damages caused by reasons other than those stipulated in the Act or in the Certification Practice Statement.



5.2.4.4 Limitation on warranty


KICA does not warrant the matters such as subscribers' credit or the integrity of information related to

subscribers that are not provided under the Act and these Rules.


5.2.4.5 Security for Liability for Damages


As a security for its Liability for Damages, KICA is carrying a policy of public liability insurance.


5.3 Registration Authorities (RAs)


5.3.1 Operation of RAs


a. To perform secure and reliable registration functions, KICA may operate Registration Authorities

recruited exclusively for the purpose. RAs sign contracts with KICA and carry out their responsibilities as

specified in these Rules and in the contract.


b. The main functions of RAs are as follows:

   Receipt of application for certification services.

 - Receipt of application for certificates (issuance, re-issuance, and renewal)

 - Receipt of application for suspension or reinstatement of certificates.

 - Receipt of application for revocation of certificates.

   Personal identification of applicants for certification services.

   Requesting KICA to issue applicants' certificates and notifying applicants.

   Other functions related to certification services as commissioned by KICA.


5.3.2 RA's Responsibilities


5.3.2.1 Observance of Certification Practice Statement


In providing licensed certification services, Registration Authorities observe these Rules and (pursuant to

5.3.1 of these Rules) carry out registration functions faithfully.


5.3.2.2 Receipt of applications for Certification services


a. With regard to issuance of certificates, Registration Authorities accept only those applications with accurate

information based on facts, and until verifications are completed applications are not treated as "accepted".

For personal identification, Registration Authorities observe specific guidelines set by KICA.

b. When the reception process is completed, Registration Authorities issue receipt slips prepared by KICA or

by the RAs themselves.

c. Registration Authorities are prohibited from refusing receipt of applications for certificate issuance,

suspension, revocation, reinstatement, etc. without good reasons. Accordingly, when refusing, Registration

Authorities should clearly state the reasons why the applications in question cannot be received.


5.3.2.3 Fast, accurate, and secure registration


Registration Authorities, as befitting their role as reliable managers of registration, carry out their

responsibilities quickly, accurately, and securely.


5.3.2.4 Protection of private information and safekeeping of data security


Pursuant to 5.2.2.5 of these Rules, Registration Authorities protect the private information obtained in

performing certification and safeguard the security of data.


5.3.2.5 Safeguard of facilities and personnel


In performing certification services, Registration Authorities observe security guidelines for facilities and

personnel as set by KICA.


5.3.3 RA's Liabilities


a. In case Registration Authorities cause subscribers and users to suffer damages by violating provisions of

the Act, its enforcement decrees, regulations, and these Rules in performing certification functions, RAs

shall be subject to the same liabilities as those applicable to KICA, as shown in "5.2.4 KICA's Liabilities."

b. As a security for such Liability for Damages, Registration Authorities may subscribe to public liability

insurance.


5.4 Subscribers


5.4.1 Subscribers' Responsibilities


5.4.1.1 Provision of accurate information


Information that subscribers provide, including changes subscribers make subsequently to them, in the

following cases, shall always be accurate and based on facts:

a. Information provided for certificate application (issuance, re-issuance, and renewal).

b. Information provided when applying for suspension of certificates.

c. Information provided when applying for reinstatement of certificates.

d. Information provided when applying for revocation of certificates.

e. Changes made to subscribers' identity as recorded in the certificates.


5.4.1.2 Generation of Key pair


Pursuant to 3.1.2 of these Rules, subscribers can generate Key pair.



5.4.1.3. Protection and safekeeping of Private keys


a. Of the generated Key pair, subscribers are responsible for safekeeping of Private keys to prevent their

loss, damage, theft, or leakage.

b. On recognizing that the Private keys belonging to them have been lost, damaged, stolen, or leaked,

subscribers should immediately notify KICA of the corresponding fact through on-line communication

networks, etc.

c. Upon recognition that the Private keys belonging to them have been lost, damaged, stolen, or leaked,

subscribers should exert themselves to reduce or confine the damage.


5.4.1.4 Use of Private key


To generate key pair having legal validity, subscribers should use the Private key that matches the Public

key contained in the KICA-issued certificate.


5.4.1.5 Verification of Certificates


On receiving new certificates, subscribers should confirm their validity, issuing body, their types, and

services before using them.


5.4.2 Subscribers' Liabilities


In case subscribers cause KICA to suffer damages by violation of subscribers' responsibilities pursuant to

these Rules or in the process of using certification services then subscribers are liable to compensate for

the damages inflicted on KICA.


5.5 User relying on a certificate


5.5.1 User relying on a certificate


Users are those who, trusting reliability of the certificates issued by KICA, conduct business with KICA

certificate holders.


5.5.2 Responsibilities of the user relying on a certificate


a. Before conducting business with KICA certificate holders, user relying on a certificate should confirm the

validity, issuing body, types, and use of the corresponding certificates.

b. Before conducting business with KICA certificate holders, users should verify and confirm, using the CRL,

whether or not the corresponding certificates have been suspended or revoked.

c. For damages incurred by not observing confirmation responsibilities of users, the users are exclusively

responsible.
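
A relying-party check of the kind 5.5.2 requires, written as an added example (it is not KICA's code and not part of these Rules). It assumes the certificate and CRL have already been parsed and the CRL signature verified; the class and field names are hypothetical, reason code 6 is `certificateHold` from X.509 / RFC 5280 (the reason code a suspension is published under), and the 24-hour freshness limit is an assumption based on the daily CRL renewal stated in the Supplement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple

CERTIFICATE_HOLD = 6               # CRLReason certificateHold (X.509 / RFC 5280)
MAX_CRL_AGE = timedelta(hours=24)  # assumption: the CRL is re-published daily


class Status(Enum):
    GOOD = "good"
    SUSPENDED = "suspended"        # on hold; may later be reinstated
    REVOKED = "revoked"
    OUT_OF_VALIDITY = "out of validity period"
    UNDETERMINED = "undetermined"  # fail closed: do not rely on the certificate


@dataclass(frozen=True)
class Cert:                        # hypothetical decoded certificate fields
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[int] = None   # reasonCode entry extension; None if absent


@dataclass(frozen=True)
class Crl:                         # hypothetical decoded, signature-verified CRL
    issuer: str
    this_update: datetime
    next_update: Optional[datetime]
    entries: Tuple[CrlEntry, ...]


def check_status(cert: Cert, crl: Crl, now: datetime) -> Status:
    """Decide whether a relying party may accept `cert` at time `now`."""
    # 1. Validity period of the certificate itself.
    if not (cert.not_before <= now <= cert.not_after):
        return Status.OUT_OF_VALIDITY
    # 2. The CRL must come from the issuing body named in the certificate.
    if crl.issuer != cert.issuer:
        return Status.UNDETERMINED
    # 3. A stale or post-dated CRL says nothing about today's status.
    if now < crl.this_update or now - crl.this_update > MAX_CRL_AGE:
        return Status.UNDETERMINED
    if crl.next_update is not None and now > crl.next_update:
        return Status.UNDETERMINED
    # 4. A listed serial is suspended if the reason is certificateHold,
    #    revoked for any other reason or when no reason is given.
    for entry in crl.entries:
        if entry.serial == cert.serial:
            if entry.reason == CERTIFICATE_HOLD:
                return Status.SUSPENDED
            return Status.REVOKED
    return Status.GOOD


# --- constructed sample data (not real certificates or a real CRL) ---
ISSUER = "CN=Example Licensed CA (constructed)"
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
STALE_NOW = NOW + timedelta(days=2)   # two days after the CRL was published


def sample_cert(serial: int) -> Cert:
    return Cert(ISSUER, serial,
                datetime(2024, 1, 1, tzinfo=timezone.utc),
                datetime(2025, 1, 1, tzinfo=timezone.utc))


SAMPLE_CRL = Crl(
    issuer=ISSUER,
    this_update=datetime(2024, 5, 2, 0, 0, tzinfo=timezone.utc),
    next_update=datetime(2024, 5, 3, 0, 0, tzinfo=timezone.utc),
    entries=(
        CrlEntry(0x1001, datetime(2024, 4, 30, tzinfo=timezone.utc), CERTIFICATE_HOLD),
        CrlEntry(0x1002, datetime(2024, 4, 20, tzinfo=timezone.utc), 1),  # keyCompromise
        CrlEntry(0x1003, datetime(2024, 4, 10, tzinfo=timezone.utc)),     # no reason given
    ),
)

if __name__ == "__main__":
    for serial in (0x1000, 0x1001, 0x1002, 0x1003):
        print(hex(serial), check_status(sample_cert(serial), SAMPLE_CRL, NOW).value)
    print("stale CRL:", check_status(sample_cert(0x1000), SAMPLE_CRL, STALE_NOW).value)
```
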




6. Operation of Certification System and Security Control


6.1 Physical Control


6.1.1 Physical Control on Access


KICA safeguards the sites where the core certification systems are installed to prevent physical hazards,

such as intrusion, illegal access, or fire damage, as follows:


a. KICA installs and operates the core certification systems in a separate controlled area.

b. KICA controls access to the controlled area by using multi-layer access systems, which use a

combination of passwords, fingerprint recognition, weight sensing devices, etc.

c. KICA installs the core certification systems in a secure cabinet to allow for physical access control.

d. KICA has all outside hardware service technicians, etc. accompanied by the person in charge when

they enter the area where the core certification systems are installed.

e. KICA maintains and regularly reviews a log that records any entry into the controlled area in connection

with the ID authentication card.

f. KICA maintains alarm systems by installing the following surveillance control systems.

   CCTV camera monitoring system.

   Intrusion detecting system.

g. KICA may employ security professionals to guard the controlled area.


6.1.2 Power Source


KICA employs UPS to prevent damage from unexpected power failures.


6.1.3 Prevention of Flood Damage


KICA installs the core certification systems at a height of 30cm or more to protect them from flood

damage.


6.1.4 Prevention of Fire Damage


KICA installs fire detectors, portable fire extinguishers, and automatic fire extinguishing facilities to guard the

core certification systems from fire.


6.1.5 Storage Media


KICA controls physical access to its major storage media that are stored in safes.


6.1.6 Disposal of Refuse


KICA shreds and crushes documents, diskettes, and other items to prevent information from such material

from being leaked.


6.1.7 Remote Backup


KICA maintains a remote backup storage of subscriber certificates, including CRLs, for 10 years after the

corresponding certificates are voided.


6.2 Storage and Management of Records


KICA stores all records related to the key generating system, certificate generating system, management

system, directory system, and time-stamping system in file format and manages them according to

separate KICA guidelines.


6.3 Technical Security Control


6.3.1 Generation and Use of Key pair


6.3.1.1 Generation of Key pair


a. KICA allows only persons authorized by KICA to generate Key pair.

b. KICA generates Key pair by using a secure key generating system that is physically separated from the

outside.


6.3.1.2 Size and hash value of Key pair


KICA uses the following size and hash values to employ secure and reliable algorithms for digital

signature key encryption.


a. For RSA and KCDSA: 1024 bit or higher.

b. For HAS-160 and SHA-1: 160 bit or higher.


6.3.2 Safeguard of Private keys


KICA stores Private keys and key generating modules in a secure storage device which is not connected

to internal or external communication networks and which is protected from physical intrusion. The Private

keys are stored in access-authorized smart cards that are safe from leakage or tampering due to the use

of double encryption codes.


6.3.2.1 Storage device for Private keys


Digital signature modules used by KICA are sealed, access-authorized, and equipped with functions that

protect Private keys from leakage or tampering.

6.3.2.2 Generation and secure deletion of Private keys


KICA deletes Private keys immediately from system memory upon completion of their generation and use.




6.3.3 Replacement of Key pair


a. With newly generated Key pair, KICA applies to KISA for renewal of its Licensed CA (Certification

Authority) Certificate before expiration of the existing Certificate.

b. In case its Licensed CA (Certification Authority) Certificate expires before expiration of the subscribers'

certificates, KICA should as a matter of principle have its Certificate renewed by the Korea Information

Security Authority (KISA) prior to use.


6.3.4 Method of Disposing Private keys


When its Licensed CA (Certification Authority) Certificate expires or when Private keys are damaged or

leaked, KICA completely destroys their physical storage media.


6.3.5 Validity of Private keys


KICA and subscribers shall use Private keys only during the term of validity of the corresponding

certificates.


6.3.6 Security Control on Computers and Networks


a. For maintenance of the core certification systems, KICA manages operation records of the core

certification systems and keeps major lists of each system's current status.

b. For access control of networks, KICA employs firewall systems with certificates of assessment.

c. To protect network service from interfering attacks, KICA operates intrusion-detecting systems.




6.3.7 Record Archives


6.3.7.1 Types of archival records


KICA archives the following types of records, which are related to core certification practice, general audit,

prevention of security intrusion, and operations:


a. Records of key generation and renewal.

b. Records related to application for issuance, suspension, revocation, and reinstatement of certificates.

c. Notifications of loss, damage, theft, or leakage of Private keys.

d. Records related to generation, issuance, renewal, suspension or revocation of certificates.

e. Issuance and renewal of CRL.




6.3.7.2 Safekeeping of archival records


To prevent forgery of, tampering with, or damage to archival records, KICA archives records as follows:

a. Electronic documents are safely stored with Digital signatures.

b. Hard copy documents are stored in locked cabinets.


6.3.7.3 Measures for archiving records


KICA regularly archives the original records; copies are archived in physically separate and secure sites
for 10 years.


6.3.8 Recovery Measures


6.3.8.1 Measures against failures of system resources and software


When system resources or software are damaged, KICA restores the system immediately using dual

backup system resources and software in order to prevent inconvenience in subscriber use.


6.3.8.2 Measures against damage or loss of data


When major data such as subscribers' certificates are damaged or lost, KICA restores them immediately

using backup data.


6.3.9 Others


6.3.9.1 Storage of Public keys


KICA stores certificates containing Public keys in directory during the term of validity of the certificates or

until the certificates are revoked.




7. Management of Certification Practice


7.1 Management of Certification Practice Statement


7.1.1 Formulation and Revision of Certification Practice Statement


When formulating or revising this Certification Practice Statement or the Rules, KICA reports the fact to the

Minister of Information & Communications, pursuant to Article 6 Clause 1 of the Digital

Signature Act.


7.1.2 Reasons for Revision of Certification Practice Statement


a. When the Minister of Information & Communications orders a revision, pursuant to Article 6 Clause 2 of

the Digital Signature Act.

b. When the President of KICA deems it necessary to revise the Rules.


7.1.3 Maintenance of Records Related to Revision of Certification Practice Statement


Whenever these Rules are revised, KICA should maintain records containing the following:


a. Version of rules.

b. Scope of application and outline.

c. Records related to revision.

   Existing provisions before revision.

   Particulars of revision.

   Reasons for revision, etc.


7.1.4 Procedure for Implementation


a. KICA reports the formulated or revised rules to the Minister of Information & Communications.

b. KICA announces the rules by posting news at its homepage (http://www.signgate.com) and, if

necessary, notifies subscribers through e-mail, etc.

c. Unless otherwise stipulated, the new rules will come into effect from the day they are reported.


7.1.5 Subscriber's Agreement


Unless subscribers file their formal objections, within 2 weeks of announcement of changed Rules, in

writing or by electronically signed documents using the Private key that matches the certificate issued by

KICA, the corresponding subscribers will be recognized by KICA to have agreed on the changed Rules.


7.2 Interpretation and Enforcement of Certification Practice Statement


7.2.1 Applicable Laws


This Certification Practice Statement will be interpreted and applied pursuant to the Digital Signature Act

and related laws of the Republic of Korea.


7.2.2 Jurisdiction of Litigation Court


All litigation concerning certification services between KICA and subscriber or user relying on a certificate

shall be referred to the Seoul District Court.


7.2.3 Mediation of Disputes


a. Should there arise a dispute between subscriber and user relying on a certificate, KICA may present a
plan for mediation or recommend an agreement by requesting the related parties to present relevant

material and investigating their compliance with the Digital Signature Act and Certification Practice

Statement.

b. Should there arise a dispute between KICA and its subscriber or user relying on a certificate, KICA may

request The Korea Information Security Authority (KISA) to mediate the dispute. KISA may present a plan

for mediation or recommend corrective measures by requesting related parties to present relevant

material and investigating their compliance with the Digital Signature Act and Certification Practice

Statement.




Supplement




1.        Korea Information Certificate Authority (KICA)

          Korea Information Certificate Authority (KICA) is a Licensed Certification Authority
          designated by the Ministry of Information & Communications on Feb. 10, 2000,
          pursuant to Article 4 of the Digital Signature Act.


1.1       Contact Information



          The following locations provide information on KICA certification services:


          a.   URL: http://www.signgate.com/english/index.html
          b.   e-mail: kica@signgate.com
          c.   Address: Korea Information Certificate Authority Hankyung Bldg., 9th F. 441
               Chunglim-dong, Chung-ku, Seoul.
          d.   Tel: +82-2-360-3000.
          e.   Fax: +82-2-360-3209.


1.2       Websites



          Websites related to KICA certification services are as follows:


          a.   Certification Practice Statement:
               http://www.signgate.com/english/service/service.html.
           b.    Directory (List of Certificates, List of Suspended or Revoked Certificates):
                 ldap://ldap.signgate.com
           c.    CA certificate issued by KISA: http://www.rootca.or.kr/cert.htm
           d.    CRL of Licensed Certification Authorities: http://www.rootca.or.kr/crl.htm


1.3        Public announcement



1.3.1      Announcement of information by KICA



           KICA announces all information concerning issuance and management of certificates,
           so that interested parties may review such information at any time through certification
           practice systems.


1.3.2      Frequency of announcement



           a.    KICA announces all information concerning issuance and management of
                 certificates as soon as certificates are processed, so that interested parties may
                 review such information at any time through certification practice system.
           b.    CRL is renewed and announced daily, even when no changes are made to the lists,
                 so that interested parties may review such information at any time through
                 certification practice system.



2.         Definition of Terms




2.1     Subscriber (Digital signature Act, Article 2 Clause 11)


Those who have obtained KICA certificates for Public keys on the basis of their contracts with KICA for use

of licensed certification services.


2.2     Certification Authority (Digital signature Act, Article 2 Clause 9)


Those who provide licensed certification services by obtaining the designation from the Information &

Communications Minister pursuant to Article 4 of the Act.


2.3     Private information (Act, Article 2 Clause 12)


Information pertaining to a living person, whose identity can be recognized by his name or resident

registration number, etc., which are contained in that information (Including such information that can be

used, not alone but in combination with other information, to easily identify the corresponding person).


2.4    Asymmetric cryptosystem (Act, Article 2 Clause 13)


An encryption method in which the key that is used to encrypt information and the key that is used to

decrypt information are different.


2.5    Directory


X.500 compliant directory systems that store lists of issued, suspended, or revoked certificates and are

used to provide public announcement and search services to users relying on certificates.


2.6    User relying on a certificate


Those who use certificates issued by KICA, trusting their reliability, and carry out transactions with

certificate holders.


2.7    Personal identification


The act of verifying the integrity of information concerning the subscriber and his application for issuance,

renewal, suspension, or revocation of certificates in order to secure reliability of certificates.


2.8    Certification (Act, Article 2 Clause 6)


Act of verifying or certifying that the Public key matches the Private keys held by corporations or individuals.


2.9    Certification practice system (Act, Article 2 Clause 10)


Systems providing certification services including issuance of certificates and management of records, etc.


2.10   Certificates (Act, Article 2 Clause 7)


Digital data that verifies or certifies that the Public key matches the Private keys held or used by corporations or

individuals.


2.11   Certification practice (Act, Article 2 Clause 8)


Services related to issuance of certificates and maintenance of records related to certification, and other

related functions.


2.12   Digital or electronic document (Act, Article 2 Clause 1)


Information or data, which are generated, transmitted by, or stored digitally in computers or other

information processing equipment.


2.13   Digital signature (Act, Article 2 Clause 2)


Electronic data that is generated by Private key, using asymmetric encryption, unique to the corresponding

electronic message, that is utilized to identify the writer of the message and its integrity from forgery or

tampering, etc.


2.14   Public key (Act, Article 2 Clause 4)


Electronic data that is used to authenticate (verify) Digital signature.


2.15   Private keys (Act, Article 2 Clause 3)


Electronic data that is used to generate Digital signature.


2.16 Key pair (Act, Article 2 Clause 5)


Private key and its matching Public key.


2.17   Core certification systems


Systems used for key generation, certificate generation, certificate management, directory, and time

stamping service.

								