A PROCLAMATION TO PROVIDE FOR ELECTRONIC SIGNATURE
WHEREAS, it has become necessary to create conducive legal framework to promote electronic commerce and electronic government service in the country;
WHEREAS, it has become necessary to provide legal recognition to the exchange of electronic messages and determine the rights and obligations of participating parties;
WHEREAS, it has become crucial to provide legal recognition to electronic signature that promote trust in electronic communication and enable to verify the identity of participating parties, authentication of messages and ensure non-repudiation;
NOW, THEREFORE, in accordance with Article 51 (3) and 55 (2) (c) of the Constitution of the Federal Democratic Republic of Ethiopia, it is hereby proclaimed as follows:
PART ONE GENERAL
- Short Title
This Proclamation may be cited as the “Electronic Signature Proclamation No.1072/2018”.
In this Proclamation:
1/ “asymmetric cryptosystem” means a system capable of providing reliable digital signature and encryption service;
2/ “certificate” means an electronic data which links public key to the person named in the certificate and confirms the real identity of that person, and contains the information listed under Article 33 of this Proclamation;
3/ “certificate provider” means a legal person duly authorized or recognized to issue certificate and related service stipulated under Article 22 of this Proclamation;
4/ “digital signature” means an electronic signature that uses asymmetric cryptosystem and meets the following requirements:
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using a private key that the signatory has sole control; and
- it is linked to the electronic message to which it relates in such a manner that any subsequent change of the electronic message or the signature is detectable;
5/ “electronic message” means an information generated, sent, received or stored by electronic means;
6/ “electronic signature” means information in electronic form, affixed to or logically associated with, an electronic message, which may be used to identify the signatory in relation to the electronic message and to indicate the signatory’s approval of the information contained in the electronic message;
7/ “encryption” means a process of transforming electronic message into a form that cannot be read by a person or machine other than the intended recipient;
8/ “key pair” means a private key and its corresponding public key in an asymmetric cryptosystem;
9/ “person” means a physical or legal person;
10/ “private key” means the key used to create a digital signature;
11/ “public key” means the key used to verify a digital signature created using a private key;
12/ “recommended reliance limit” means the monetary amount recommended for reliance on a certificate;
13/ “relying party” means a person who acts relying on the information contained in a certificate or in the authenticity of digital signature;
14/ “repository” means a system for disclosing, storing and retrieving certificates or other information relating to certificates;
15/ “root certificate authority” means a body legally authorized to perform the power and duties stated under Article 10 of this Proclamation;
16/ “signatory” means a person who holds private key and signs either on his own behalf or on behalf of the person he represents;
17/ “subscriber” means a person who is the subject named in a certificate, accepts the authenticity of the content of the certificate and owns a private key which corresponds to a public key listed in that certificate;
18/ “time stamp service” means a digitally signed notation appended to electronic message, digital signature or certificate indicating the correct date and time of an action;
19/ “valid certificate” means a certificate which has been issued by a licensed or recognized certificate provider, accepted by the subscriber, not revoked, not suspended or not expired;
20/ “algorithm” means a process or set of rules to be followed in calculations or problem-solving operations, especially by a computer.
21/ any expression in the masculine gender includes the feminine.
- Scope of Application
Unless otherwise provided by other law relating to electronic message, this Proclamation shall be applicable to any electronic message exchange.
- Freedom of Contracting Parties
1/ Unless otherwise expressly prohibited by law, persons may agree to use or not to use electronic signatures.
2/ Without prejudice to sub-article (1) of this Article, whenever the use of electronic signature is mandatory, the applicable system shall consider the situations of disabled persons.
PART TWO ELECTRONIC SIGNATURE AND
- Legal Recognition of Electronic Message
1/ No electronic message shall be denied legal effect, validity or admissibility in any legal proceeding, solely on the ground that it is in electronic form.
2/ Where any law requires that information shall be in writing, such requirement shall be deemed to have been satisfied if such information is rendered or made available in an electronic form and accessible so as to be usable for subsequent reference.
- Legal Recognition of Electronic Signatures
1/ No electronic signature shall be denied legal effect, validity or admissibility as evidence in any legal proceeding, solely on the ground that it is in electronic form.
2/ Where any law or customary practice requires a signature of a person or provides consequences for the absence of a signature, that requirement is deemed to be satisfied where reliable electronic signature is used in the light of all the circumstances:
- that is appropriate for the purpose for which the data message was generated or communicated;
- an agreement entered between parties regarding electronic signature; or
- considering other conditions such as the nature, extent, and type of the transaction, capability of identifying contracting parties, and the essence of the electronic message.
- Legal Presumption
In any civil proceedings involving electronic message signed with a reliable electronic signature, it shall be presumed, unless the contrary is proved, that:
1/ the electronic signature is the signature of the subscriber;
2/ the electronic signature was affixed by that person with the intention of approving the electronic message; and
3/ the electronic message and the signature have not been altered since the specific point in time to which the electronic signature was affixed.
- Digital Signature
1/ Without prejudice to the provision of sub-article (2) of Article 6, a digital signature supported by valid certificate is deemed to be reliable electronic signature.
2/ A digital signature that satisfies sub-article (1) of this Article shall enjoy the legal presumption stipulated for reliable electronic signature under Article 7 of this Proclamation.
ROOT CERTIFICATE AUTHORITY AND LICENSING
- Root Certificate Authority
The Information Network Security Agency shall act as the Root Certificate Authority pursuant to the mandate given to it in its establishment Proclamation.
- Power and Duties
Without prejudice to the powers and functions provided for under this Proclamation, Root Certificate Authority shall have the following powers and duties:
1/ issue license to certificate providers and monitor their activities and operations;
2/ ensure the trustworthiness and the overall security of the crypto system;
3/ issue working procedures and standards that certificate providers shall follow.
11. Requirement of License
1/ No person shall operate as a certificate provider unless that person holds a valid license issued by Root Certificate Authority.
2/ Any person who wants to engage as certificate provider may lodge application to the Root Certificate Authority for the issuance of license by filling the form prescribed by the Root Certificate Authority.
3/ The applicant, while lodging application pursuant to sub-article (2) of this Article, shall accompany his application with the necessary documents prescribed in this Proclamation and the regulations and directives issued in accordance with the Provisions of this Proclamation and shall pay a prescribed license fee.
4/ Where the Root Certificate Authority is satisfied that the application submitted to obtain license is reliable, adequate and duly made in accordance with this Proclamation, and meets the requirements and procedures prescribed in regulations and directives enacted in accordance with this Proclamation, it shall grant the license.
5/ The Root Certificate Authority shall provide its decision within 30 working days after receiving an application for license and notify to the applicant in writing.
6/ Where the Root Certificate Authority denies a license, it shall notify the applicant in writing of its reasons for denial.
7/ The Root Certificate Authority shall issue a directive that set eligibility requirements for
- Conditions for Denying License
1/ Notwithstanding the provision of sub-article (7) of Article 11 of this Proclamation, any application shall be rejected, without going into detail screening, if the applicant:
- is a private individual;
- is a body corporate not established in Ethiopia;
- has been convicted of an offence and not reinstated after completion of the
2/ Without prejudice to sub-article (1) of this Article, the Root Certificate Authority may prescribe additional qualification requirements to deny a license.
13. Validity Period and Renewal of License
1/ The validity period of certification license shall be five years.
2/ No certificate provider shall provide any service on expired license.
3/ Any licensed certificate provider shall submit an application to the Root Certificate Authority by filling the form prescribed for the renewal of license 60 consecutive working days before the date of expiry of the license.
4/ Any certificate provider that submits an application for renewal of license in accordance with sub-article (3) of this Article shall provide such necessary documents as may be required and pay prescribed fee upon approval of the application.
5/ Notwithstanding sub-article (2) of this Article, a certificate provider whose license has expired may be entitled to carry on its business as if its license had not expired upon proof being submitted to the Root Certificate Authority that the certificate provider has applied for a renewal of the license within the time frame and that such application is pending for determination.
- Suspension of Certificate Work
The Root Certificate Authority may suspend the certificate work fully or partially for a time not exceeding 6 months in the following conditions:
1/ to examine the occurrence of any of the grounds, which are stated under sub-article (1) of Article 15 of this Proclamation that result in cancellation of certificate provider licenses; or
2/ when the Root Certificate Authority considers that the grounds do not suffice to revoke the certificate provider license but defects are required to be corrected within a specified time.
3/ The Root Certificate Authority shall notify in writing the grounds for suspension of certificate work and measures that Certification Authority has to take to correct the defects within the time specified.
- Revocation of a License
1/ The Root Certificate Authority may revoke the license of a certificate provider on any of the following grounds if:
- the certificate provider breaches the provisions of this Proclamation or regulations and directives issued under this Proclamation;
- it is proved that the license has been given based on falsified information;
- the certificate provider performs its duty contrary to the objective or condition of the license;
- the certificate provider is engaged in business activity and the business license revoked;
- the license is expired and is not renewed;
- the certificate provider is wound up or bankrupt;
- the certificate provider is convicted by court of law for involving in criminal activity linked to certification that erodes the trust;
- the certificate provider has failed to begin operation within three months from the date it receives a license.
2/ Notwithstanding sub-article (1) of this Article, the Root Certificate Authority, as appropriate, may request certificate provider to provide its opinion in writing regarding the revocation within 15 consecutive working days prior to the revocation of the license.
3/ If the certificate provider fails to submit its opinion within the time limit specified under sub-article (2) of this Article or if the opinion submitted is dismissed, the Root Certificate Authority shall revoke the license and notify the same in writing to the certificate provider.
- Return of License
A certificate provider whose license has been revoked in accordance with Article 15 or who submitted notice to terminate his operation within specific period of time pursuant to sub-article (5) of Article 18 of this Proclamation shall return the license to the Root Certificate Authority within 10 consecutive working days.
- Effect of License Revocation or Certificate Suspension
1/ Any certificate provider whose license has been revoked shall cease its operation while it has received the license revocation letter.
2/ No certificate provider shall be allowed to perform any of suspended certification works until the suspension is lifted.
3/ Notwithstanding sub-article (1) of this Article, the Root Certificate Authority may authorize the certificate provider in writing to carry on certain certification works for the purpose of winding up its operation. The time limit will be specified in a directive.
4/ Notwithstanding sub-article (1) of this Article, the revocation of license or suspension of a certificate shall not affect the validity of any certificate issued by the certificate provider prior to such revocation or suspension of a license.
5/ Where the Root Certificate Authority revokes a license or suspends certification work of a certificate provider in accordance with Article 14 and 15 of this Proclamation, it shall determine by directive the procedures regarding the transfer of certificates and related records.
- Termination of Certificate Service
1/ Any certificate provider who wishes to terminate his certification service shall provide not less than 60 (sixty) consecutive working days' notice to the Root Certificate Authority and its subscribers.
2/ A certificate provider who wishes to terminate its certification service in accordance with sub-article
- of this Article shall transfer its subscriber certificates and related records to another certificate provider; where it is impossible to transfer its subscriber’s certificate and related records to other certificate provider, the certificate provider shall immediately notify the same in writing to Root Certificate
3/ Where the Root Certificate Authority receives a report in accordance with sub-article (2) of this Article, it shall apply the provisions of sub-article (5) of Article 17 of this Proclamation.
4/ The certificate provider who accepts subscribers' certificates and related records in accordance with this Article shall be deemed to have issued the certificates.