Selection of the certification institution (directions):
- A company limited by shares which is incorporated under the Company Act, has completed incorporation registration, and has acquired approval for the relevant categories of business from the Ministry of Economic Affairs.
- Providing Internet authentication services as its main category of business.
- Acting as a credible third party.
- The certificates issued shall conform to the Electronic Signatures Act.
- Using the digital signature system
  - The operating system shall conform to the Electronic Signatures Act.
  - A signature key (public key or private key) shall be no shorter than 2048 bits. An encryption key shall be no shorter than 128 bits.
  - Certificates may be issued to customers either upon their own application to the certification institution through the Internet, or generated with the assistance of securities firms and delivered to the customers.
- Security of the computer certification system of the certification institution
  - Private keys used by the certification institution for issuing certificates shall be stored in hardware security modules and may in no case be output in plaintext.
  - Being equipped with independent computer facilities that are not shared with other businesses, together with strict security facilities.
  - Having a backup system for the network, software and hardware that provides backup and system recovery in the event of a malfunction in the operation of the electronic authentication system.
  - The computer facilities, equipment, file storage, management of public keys, etc. shall be established within the territory of the R.O.C.
- Operating system
  - The certification institution shall retain records of user certification for at least five years.
  - With regard to digital signatures, the certification institution may not retain users' private keys.
  - The certification institution shall keep clients' particulars properly and keep them confidential.
  - The certification institution may not consign the electronic authentication business to other institutions.
- Internal audit and control
  - For all certification procedures of the certification institution, from the operation of physical equipment to the implementation of the certification system, the relevant documents and audit records shall be retained.
  - In addition to management and operating personnel, the certification institution shall establish a security control audit department and audit personnel responsible for auditing the relevant businesses.
- Operation standards for the performance of certification
  - The certification institution shall produce operation standards for the performance of certification, stating the operating procedures relevant to the electronic authentication services operated or provided by the certification institution.
  - The operation standards for the performance of certification shall contain the following items:
    - Responsibilities of the certification institution, the registration management unit and users, and the liability for compensation of the certification institution.
    - Strategies and procedures for the application, issuance, receipt, use, extension, annulment and suspension of certificates.
    - The electronic authentication techniques, physical control measures, operating procedures and audit system of the certification institution.
  - The operation standards for the performance of certification of the certification institution shall be established according to the certification regulations enacted by the competent authority.