Malaysian Communications and Multimedia Commission
Licences under the Digital Signature Act 1997
Frequently Asked Questions (FAQs)

1. What is a Digital Signature?
  It can be likened to a hand signature in the digital world: a secure electronic method of signing an electronic document based on the public key infrastructure (PKI) system, in which a pair of mathematically linked "keys" is used to encrypt and decrypt material or messages passed from one party to the other. In other words, it transforms a message using an asymmetric cryptosystem, so that a person who has the initial message and the signer's public key can accurately determine:

(a) whether the transformation was created using the private key that corresponds to the signer's public key; and
(b) whether the message has been altered since the transformation was made.

2. What is the difference between a Digital Signature and a Digital Certificate?
  A Digital Signature, as mentioned above, is an electronic method of signing an electronic document, whereas a Digital Certificate is a computer-based record which:

  • Identifies the certification authority issuing it;
  • Names or identifies its subscriber;
  • Contains the subscriber's public key; and
  • Is digitally signed by the certification authority issuing it.
   
3. What does it guarantee?
  It guarantees four essential components for establishing trust in on-line and smart-card-based transactions: confidentiality, authentication, integrity and non-repudiation.

a) Confidentiality?
  Assures protection against third-party intrusion into, or interception of, messages passed between two parties.
b) Authentication?
  Assures that the person you are corresponding with over the network is who he claims to be, as shown by an accepted digital signature.
c) Integrity?
  Assures that the information passed between two corresponding parties has not been tampered with by any third party.
d) Non-Repudiation?
  Assures that a transaction or action originates from the person who claims to have issued it, so that he cannot later deny sending or receiving it.

4. Why is that important to me?
  With a trusted on-line environment, you will be able to transact on the Internet without fear of having your personal data stolen, your information contaminated by third parties, or your transacting party denying any commercial commitment with you. Further, it assists in the development of greater Internet-based activities.

5. How does it work?
  You can consider this scenario:

Step One
Mr. A has been awarded a contract from his client and has asked that the signed contract be sent to him electronically. He must, however, still be able to guarantee the integrity of the document after its journey across the Internet and be able to authenticate the sender as the new client.

Step Two
The client sends the original document (contract) through a hash generator. This piece of software delivers a unique message "digest" of the original document. Hash generators are designed in such a way that even if one character is changed in the original contract, a completely different message digest will be delivered.

Step Three
The message digest is then encrypted with the client's private key. This forms the client's digital signature.

Step Four
The client then uses Mr. A's public key (available from an online directory) to encrypt the original contract. The encrypted file is sent, with the digital signature attached, by email to Mr. A.

Step Five
Mr. A first uses his private key to decrypt the original message. He then uses the client's public key (available from an online directory) to decrypt the digital signature. He is left with a message digest and what he hopes is an authentic contract. The next step will prove the integrity of the document and authenticate the sender.

Step Six
Mr. A sends the decrypted contract through the same hash generator as the client and compares the resulting digest with the client's. If they match, Mr. A can be sure that the contract has not been tampered with during transmission. He can also be sure of the identity of the sender: the client is the only person with access to the private key used to encrypt the digital signature.

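The six steps above, worked through as an added example in Go (not code from the original page or from MCMC) using the standard library's RSA, SHA-256 and OAEP: the client signs the digest of the contract and seals the contract for Mr. A, and Mr. A opens it and verifies the signature. The key pairs, the contract text and the function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey makes a party's key pair; only the public half goes in the FAQ's "online directory".
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign is Steps Two and Three: hash the contract, then sign the digest with the
// sender's private key (the FAQ's "encrypt the digest with the private key").
func Sign(sender *rsa.PrivateKey, contract []byte) ([]byte, error) {
	digest := sha256.Sum256(contract)
	return rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
}

// Seal is Step Four: encrypt the contract with the recipient's public key.
// RSA-OAEP only fits a short message (190 bytes for a 2048-bit key with SHA-256);
// real systems seal a symmetric key this way and encrypt the document under that key.
func Seal(recipient *rsa.PublicKey, contract []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contract, nil)
}

// OpenAndVerify is Steps Five and Six: decrypt with the recipient's private key,
// recompute the digest and check the signature with the sender's public key.
func OpenAndVerify(recipient *rsa.PrivateKey, sender *rsa.PublicKey, sealed, sig []byte) ([]byte, error) {
	contract, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed: %w", err)
	}
	digest := sha256.Sum256(contract)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return contract, nil
}

func main() {
	client, _ := NewKey() // the client signs and seals; Mr. A opens and verifies
	mrA, _ := NewKey()
	contract := []byte("Constructed sample contract: supply 100 units at RM 50 each.")
	sig, _ := Sign(client, contract)
	sealed, _ := Seal(&mrA.PublicKey, contract)
	got, err := OpenAndVerify(mrA, &client.PublicKey, sealed, sig)
	fmt.Printf("contract=%q err=%v\n", got, err)
}
```

A contract altered in transit, a signature made with a key other than the client's, or an attempt to open the sealed contract with a key other than Mr. A's all make OpenAndVerify return an error instead of the contract.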
6. What are the common functions of a Digital Certificate?
  The common functions can be divided into three areas:

a) User authentication:
  • ensures better security than username and password
  • supports strong session management
b) Encryption:
  • secures data transmission by having the information encrypted
  • the intended recipient is the only person able to read the message
c) Digital Signatures:
  • equivalent to a hand signature in the digital world
  • ensures data integrity.

7. What use can I put the Digital Signature to?
  • It can function on electronic documents the same way as physical signatures do on paper
  • It can be applied to email, Internet transactions, smart cards etc.
  • It allows for secure transmission of sensitive documents on the Internet.

8. What is a Certification Authority?
  A Certification Authority, or CA, is the body given the licence to operate as a trusted third party in the issuance of digital certificates.

9. Who are the licensed CAs in Malaysia?
  At present the licensed CAs which can issue digital certificates are Digicert Sdn Bhd and MSCTrustgate Dotcom Sdn Bhd. Both companies offer certification services with digital certificates to secure web servers, browsers and email packages, with a range of assurance levels.

10. Which body regulates the activities of the CAs as well as the implementation of PKI?
  The regulating body is the Malaysian Communications and Multimedia Commission, which took on the role of Controller of the CAs with effect from 1st November 2001. As Regulator, the Commission oversees and regulates the operations in Malaysia of the CAs, of repositories (providers of the systems used for storing and retrieving certificates and other information relevant to digital signatures) and of date/time stamping services (the attaching to a message, digital signature or certificate of a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation). The Commission is also empowered to ensure that the licensed CAs and the recognized repositories and date/time stamping service providers maintain a high level of integrity and quality in rendering their services, and it looks into the determination and coordination of the CA trust model and cross-certification policies with foreign CAs.
