Digital Signature Act, 1997

LAWS OF MALAYSIA

Act 562

DIGITAL SIGNATURE ACT 1997

ARRANGEMENT OF SECTIONS

An Act to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.

BE IT ENACTED by the Seri Paduka Baginda Yang di-Pertuan Agong with the advice and consent of the Dewan Negara and Dewan Rakyat in Parliament assembled, and by the authority of the same, as follows:

PART I

PRELIMINARY

This Act may be cited as the Digital Signature Act 1997 and shall come into force on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.

1. (1) In this Act, unless the context otherwise requires-

“accept a certificate” means-

(a) to manifest approval of a certificate, while knowing or having notice of its contents; or

(b) to apply to a licensed certification authority for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification authority, and obtaining a signed, written receipt from the licensed certification authority, if the licensed certification authority subsequently issues a certificate based on the application;

“asymmetric cryptosystem” means an algorithm or series of algorithms which provide a secure key pair;

“authorised officer” means an officer authorised under section 75;

“certificate” means a computer-based record which-

(a) identifies the certification authority issuing it;

(b) names or identifies its subscriber;

(c) contains the subscriber’s public key; and

(d) is digitally signed by the certification authority issuing it;

“certification authority” means a person who issues a certificate;

“certification authority disclosure record” means an on-line and publicly accessible record which concerns a licensed certification authority which is kept by the Controller under subsection 3(5);

“certification practice statement” means a declaration of the practices which a certification authority employs in issuing certificates generally, or employed in issuing a particular certificate;

“certify” means to declare with reference to a certificate, with ample opportunity to reflect, and with a duty to apprise oneself of all material facts;

“confirm” means to ascertain through diligent inquiry and investigation;

“Controller” means the Controller of Certification Authorities appointed under section 3;

“correspond”, with reference to keys, means to belong to the same key pair;

“digital signature” means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine-

(a) whether the transformation was created using the private key that corresponds to the signer’s public key; and

(b) whether the message has been altered since the transformation was made;

“forge a digital signature” means-

(a) to create a digital signature without the authorisation of the rightful holder of the private key; or

(b) to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

“hold a private key” means to be able to utilise a private key;

“incorporate by reference” means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

“issue a certificate” means the act of a certification authority in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

“licensed certification authority” means a certification authority to whom a licence has been issued by the Controller and whose licence is in effect;

“message” means a digital representation of information;

“notify” means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;

“person” means a natural person or a body of persons, corporate or unincorporate, capable of signing a document, either legally or as a matter of fact;

“prescribed” means prescribed by or under this Act or any regulations made under this Act;

“private key” means the key of a key pair used to create a digital signature;

“public key” means the key of a key pair used to verify a digital signature;

“publish” means to record or file in a repository;

“qualified certification authority” means a certification authority that satisfies the requirements under section 5;

“recipient” means a person who receives or has a digital signature and is in a position to rely on it;

“recognised date/time stamp service” means a date/time stamp service recognised by the Controller under section 70;

“recognised repository” means a repository recognised by the Controller under section 68;

“recommended reliance limit” means the monetary amount recommended for reliance on a certificate under section 60;

“repository” means a system for storing and retrieving certificates and other information relevant to digital signatures;

“revoke a certificate” means to make a certificate ineffective permanently from a specified time forward;

“rightfully hold a private key” means to be able to utilise a private key-

(a) which the holder or the holder’s agents have not disclosed to any person in contravention of this Act; and

(b) which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;

“subscriber” means a person who-

(a) is the subject listed in a certificate;

(b) accepts the certificate; and

(c) holds a private key which corresponds to a public key listed in that certificate;

“suspend a certificate” means to make a certificate ineffective temporarily for a specified time forward;

“this Act” includes any regulations made under this Act;

“time-stamp” means-

(a) to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or

(b) the notation so appended or attached;

“transactional certificate” means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

“trustworthy system” means computer hardware and software which-

(a) are reasonably secure from intrusion and misuse;

(b) provide a reasonable level of availability, reliability and correct operation; and

(c) are reasonably suited to performing their intended functions;

“valid certificate” means a certificate which-

(a) a licensed certification authority has issued;

(b) has been accepted by the subscriber listed in it;

(c) has not been revoked or suspended; and

(d) has not expired:

Provided that a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;

“verify a digital signature” means, in relation to a given digital signature, message and public key, to determine accurately that-

(a) the digital signature was created by the private key corresponding to the public key; and

(b) the message has not been altered since its digital signature was created;

“writing” or “written” includes any handwriting, typewriting, printing, electronic storage or transmission, or any other method of recording information or fixing information in a form capable of being preserved.

(2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.

(3) The revocation of a certificate does not mean that it is destroyed or made illegible.

PART II

CONTROLLER OF CERTIFICATION AUTHORITIES AND THE LICENSING OF CERTIFICATION AUTHORITIES
