The Malaysian Communications and Multimedia Commission (MCMC) took over the role of the Controller of Certification Authorities after the amendment of the Digital Signature Act 1997 on 1st November 2001. Under the Act and its subsidiary legislation, there are five matters required to be registered. They are:
Licensed Certification Authority
The function of a licensed certification authority is to issue a certificate to a subscriber upon application, upon satisfaction of the licensed certification authority's requirements as to the identity of the subscriber to be listed in the certificate, and upon payment of the prescribed fees and charges.
A licensed certification authority must, before issuing any certificate, take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate.
The licensing of certification authorities is obligatory under the Digital Signature Act 1997.
The MCMC issues two stages of licenses for certification authorities:
- The establishment stage; and
- The operation stage.
The MCMC issues the establishment stage license for a period not exceeding one year. During that period, a person has to fulfill all licensing requirements and may apply for the operation stage.
A person is not allowed to carry on or operate as a licensed certification authority until that person has been issued with the operation stage of the license.
A person intending to carry on or operate as a certification authority must satisfy the following requirements:
- It is a body corporate incorporated in Malaysia or a partnership within the meaning of the Partnership Act 1961;
- It maintains a registered office in Malaysia;
- It has a working capital reasonably sufficient, according to the requirement of the Commission, to enable it to carry on or operate as a certification authority;
- It files with the Commission a suitable guarantee;
- It uses a trustworthy system for the generation and management of key pairs and certificates;
- It uses an approved digital signature scheme for the generation of key pairs and for the creation and verification of digital signatures;
- It has an operating procedure that includes a certification practice statement, the measures to be taken to check the identity of subscribers to be listed in certificates, and the repositories and date/time stamp services to be used;
- It employs as operative personnel only persons who:
  - Have not been convicted within the past 15 years of an offence involving fraud, false statement or deception; and
  - Have demonstrated knowledge and proficiency in following the requirements of the Act and its Regulations;
- It complies with the licensing, standards and technical requirements under the Act and its Regulations; and
- It complies with such other requirements as the Commission thinks fit.