1. Introduction
2. General Provisions
3. Certification Policy
4. Identification
5. Certification Service
6. Security Actions
7. Technical Security Control
8. The Specification of Certificate and CRL
9. Management of Rules
10. Date of Implementation
Introduction
1.1 Background and Objective
The Electronic Signature Act (Law No. 5,792) was enacted on February 5, 1999 and implemented from July 1, 1999 for the purpose of stimulating the informatization of Korea and promoting the convenience of its people by determining the basic matters on electronic signatures, in order to utilize the security and reliability of electronic documents that use and process open information and communication systems (such as the Internet).

The official certification center of "SignKorea" (hereinafter referred to as "SignKorea") was designated as an official certification institution (Designation Number 2) by the government on February 10, 2000 pursuant to Article 4 (Designation of Official Certification Institution).

The Certification Practice Statement (hereinafter referred to as "Statement") is the regulation on Responsibility and Obligation related to the Official Certification service and the comprehensive matters required in official certification works (hereinafter referred to as "Official Certification Service") such as issuance, suspension, restoration, renewal, abolition and others of official certification provided by SignKorea under its designation as the official certification institution.

1.2 Scope of Application
For official certification services, SignKorea shall follow the matters determined by this Regulation except for those separate decisions made under the regulation of the Electronic Signature Act, enforcement decree of the same Act and enforcement rules (hereinafter referred to as "Electronic Signature Related Act") and the Korea Information Security Agency (hereinafter referred to as the "KISA").

1.3 SignKorea Introduction
SignKorea was established in July of 1999 for the purpose of building up an exchange environment for safe electronic documents by using the electronic signature method within information and communication environments pursuant to the Electronic Signature Related Act.
1.3.1 Place of Contact
The following are the places of contact for SignKorea in relation to the official certification service.

- Name of Institution: Official Certification Center of SignKorea (English name: SignKorea)
- Address
  - Head office: 33 Yeouido-dong, Yeongdeungpo-gu, Seoul, Korea (150-010)
  - SignKorea: 246-4 Seohyeon-dong, Bundang-gu, Seongnam-si, Gyeonggi-do, Korea (463-824)
- Internet URL: http://www.signkorea.com
- E-mail: signkorea@signkorea.com
- Telephone: 02) 767-7337
- Fax: 02) 767-7390

1.3.2 Location of Information Storage
The locations where the information related to the certification service is stored are as follows.

- Rules of SignKorea: http://www.signkorea.com/cps.phpl
- Cable Subscriber Certification and Certification Abolition List:
  - ldap://dir.signkorea.com : 389
- Wireless Subscriber Certification and Certification Abolition List:
  - ldap://wdir.signkorea.com : 389
- Real time certification status information: http://ocsp.signkorea.com

* The certificate and certificate revocation list of KISA: http://www.rootca.or.kr

1.4 Parties Related to Certification
1.4.1 Ministry of Information and Communication
The Ministry of Information and Communication is the policy and supervisory institution for the safe and reliable operation of electronic signature certification management systems and performs the following.

- Policy establishment for safe and reliable structuring and operating of the electronic signature certification management system
- Designation, order of correction, work suspension, designation cancellation and investigation of the certification institutions
- Management and supervision on compliance of Electronic Signature Related Act by the certification institutions
- Mutual recognition of electronic signature with foreign governments, etc.

1.4.2 Korea Information Security Agency
The Korea Information Security Agency undertakes the following works for the purpose of carrying out its missions and roles as the highest certification institution in the electronic signature certification management system under the provisions of Article 8 (Work Performance of Certification Institution), Article 10 (Discontinuation, Closure of Certification Work), Article 12 (Suspension, and Cancellation of Designation of Certification Work) and Article 25 (Electronic Signature Certification Management Work) of the Electronic Signature Act.

- Structure and operation of a safe electronic signature certification management system
- Performing certification work including the certification on the electronic signature verification key of the certification institution
- Acquisition of subscriber certification of the certification institution that closed the certification work
- Acquisition of subscriber certification that has its designation as a certification institution cancelled
- Structuring and operating of mutual certification system
- Development and dispersion of electronic signature certification technology
- Practical inspection for the certification institution designation
- Support of inspection and safe operation of certification institution
- Time confirmation service
- Other works related to electronic signature certification

1.4.3 SignKorea
SignKorea is the institution designated as a certification institution with the review of government pursuant to Article 4 (Designation of Certification Institution) and Article 8 (Work Performance of Certification Institution) of the Electronic Signature Act and carries out the following.

- Reception and processing of applications related to certification service
- Identification of subscribers
- Providing the certification and related information
- Providing certification service
- Providing certification cancellation list (including the validity suspension list)
- Designation and management of Registration Authority and Local Registration Authority (hereafter referred to as the "Registration Agency")
- Other works to be performed as the certification institution

1.4.4 Subscriber
Pursuant to certain procedures determined under the regulation of SignKorea, it means that the subscriber joins the certification service of SignKorea and generates the electronic signature generation key (hereinafter referred to as "generation key") and electronic signature verification key (hereinafter referred to as "verification key") appropriate to the specification determined by SignKorea, and it further means the natural person (hereinafter referred to as "individual") and corporation, organization and individual business enterprise (hereinafter collectively referred to as "corporate entity") who wishes to confirm the consistency of the generation key and verification key through the certification issued by SignKorea on the information related to the verification key. However, in the event of a decision through the need of SignKorea, the information and communication equipment that performs the works on behalf of the subscriber may be included.

1.4.5 Agent
Agent means the individual (executor, legal guardian, etc.) or corporation that the subscriber has designated or consented to. An agent may apply for the certification service on behalf of a subscriber only in the case of having the verifying document such as the power of attorney or will of the subscriber, but cannot make the electronic signature on behalf of a subscriber.

Under this Regulation, an Agent is included in the subscriber, and only in the case of needing a distinction on the subscriber and agent on contents, the subscriber and agent are separately specified.

1.4.6 User
User means the individual and corporate entity that wishes to confirm the generation key and verification key of subscriber by using the certification issued by SignKorea.

1.5 Scope of Use for Official Certification

1.5.1 Meaning of Official Certification

SignKorea issues the certification that has an electronic signature generated with the generation key of the certification institution, for the relevant information with the verification key that a subscriber has submitted after confirming the consistency of the information as provided by the subscriber at the time of subscribing. Therefore, SignKorea guarantees to users that the details listed on the certification of SignKorea is genuine fact at the time of applying for the issuance of the certification, but not the guarantee of the following.

- Guarantee on specific work or purpose of subscriber and user
- Credibility of subscriber
- Invariability of information related to the identity of subscriber identification and others
- Other field of works for SignKorea

1.5.2 Validity of Official Certification

In the event that a subscriber generates the electronic signature with the generation key that is consistent to the verification key of the certification, the generated electronic signature is deemed as the signature or affixing of seal on the applicable document pursuant to Article 3 (Validity of Electronic Signature) of the Electronic Signature Act.

1.5.3 Scope of Use for Official Certification

Certification of SignKorea may be used in fields where legal rights and obligations arise including the generation of electronic signature and verification of electronic document exchange, software verification and others as well as the personal identification field on the other party under the situation where the parties do not interact face to face.

1.5.4 Limitation of Use for Certification

SignKorea does not determine separate use as prohibited scope, however, pursuant to Article 16 (Validity of Certification) of the Electronic Signature Act, the use of certification of a subscriber may be limited in the following cases.

- In the event the identification or legitimate e-commerce is impossible due to the death, arrest and others of subscriber
- In the event the subscription is made by an incompetent person or quasi-competent person without going through the legal agent
- In the event the subscription is made by an incompetent person or quasi-competent person without the agreement of the legal agent
- In the event that the effective period of certification is lapsed
- In the event that SignKorea finds out that subscriber was issued with the certification in an illegitimate method
- In the event that SignKorea deems it necessary to limit the use of certification issued for security reasons such as the release of generation key for the certification institution or the security procedure related to the certification service
- In the event that the applicable certification is used for the purposes of verification on identity, position of subscriber or certificate to prove the identity
- In the event that SignKorea may limit the use of certification

1.5.5 Effectiveness of Certification
Pursuant to Article 16 (Validity of Certification) of Electronic Signature Act, the certification issued by SignKorea shall have the validity recognized with the exception of the following.

- The effective period of certification is lapsed
- In the event a subscriber is suspended or abolishes the certification
- In the event the designation of SignKorea as the certification institution is withdrawn
- In the event SignKorea suspended the effect of certification of subscriber pursuant to Article 17 (Suspension of Validity of Certification) of the Electronic Signature Act
- In the event SignKorea suspended the effect of certification of subscriber pursuant to Article 18 (Repeal of Validity of Certification) of the Electronic Signature Act

General Provisions
2.1 Responsibility and Obligations

2.1.1.1 Providing Accurate Information
SignKorea shall provide only accurate information and facts to the Korea Information Security Agency in relation to the following.

- Substantive inspection related to the certification institution designation
- Application to issue (including renewal and re-issuance) certification for a certification institution
- Application for suspension of validity and repeal of certification for a certification institution
- Application to restore the validity of certification for a certification institution

SignKorea shall guarantee the following matters to subscribers and users by issuing the certification for subscriber with the generation key as consistent to the verification key included in the certification for certifying institution issued by the Korea Information Security Agency.

- The information in the certification issued by SignKorea shall have no error.
- During the course of issuing the certification, there is no error of information caused by the mistake of SignKorea on the route to SignKorea from the certification subscriber.


2.1.1.2 Providing Certification Service Related Information
SignKorea provides the Rules and related information through the homepage determined in 1.3.2 (Location of Information Storage), and registers the information related to the certification and suspension and repeal of validity on certification on the directory or web-server system to allow subscribers and users to search at all times.

2.1.1.3 Protection of Subscriber Information
SignKorea shall classify the information of subscribers as classified pursuant to Article 24 (Protection of Individual Information) of the Electronic Signature Act, and shall limit the unauthorized access of others, and does not permit the unauthorized changes or deletion by others even for the information disclosed with the Agreement of a subscriber. However, SignKorea may disclose the information in the event that the other institutions request pursuant to the provisions under the law or regulation.

2.1.1.4 Correct Use of Generation key
SignKorea may make several pairs of electronic signature keys for the use purposes as below. However, each pair of electronic signature key is usable only in the applicable field.

- The generation key made for issuing the certification shall be used only for the issuance of the certification.
- The generation key made for confirming the time shall be used only for the confirmation of the time.
- The generation key made for issuing the verification of the certification shall be used only for the verification of the certification.


2.1.1.5 Notice and Action on Important Facts
In the event of a fact that gravely affects the reliability and validity of certification, including damage, exposure, loss, theft and others of the generation key, pursuant to Article 21 (Management of electronic signature generating information) of the Electronic Signature Act, or a fact that greatly affects the certification work of SignKorea under Article 9 (Transfer of Certification Work), Article 10 (Cancellation and Repeal of Certification Work), Article 12 (Suspension of Designation Cancellation of Certification Work), and Article 27-2 (Mutual Recognition) of the Electronic Signature Act, SignKorea shall promptly report the applicable fact to the Ministry of Information and Communication and the Korea Information Security Agency and shall take legal actions pursuant to Article 6 (Report of Acquisition and Merger) and Article 7 (Report of Suspension and Revocation of Certification Work) of the Implementation Regulation of the Electronic Signature Act. In addition, the applicable facts shall be notified by using the homepage of SignKorea in principle, and if needed, may be notified via e-mail.

SignKorea shall seek ways to minimize the damage to subscribers and users after the notice to promptly take action.

2.1.1.6 Compliance of Pertinent Laws and Regulation and Rules
When performing the certification service, SignKorea shall comply with the relevant regulations of the Electronic Signature Related Act and rules of the Korea Information Security Agency.


2.1.1.7 Guarantee on Verification Information
SignKorea confirms the fact only for the minimum of information needed to provide certification service from the information submitted by the subscriber, and guarantee the genuine fact on the applicable information to user. However, SignKorea does not take responsibility on the unverified information that SignKorea did not confirm, and the subscriber shall take full liability on the loss or damage incurred to the subscriber, user and SignKorea because a subscriber did not inform to SignKorea in spite of the change of information.


2.1.1.8 Limitation and Immunity
SignKorea shall not be liable for the problems arising to a subscriber, user and Registration Agency as follows in spite of complying with the related laws and regulations in certification service and complying with the responsibilities and obligations specified on the foregoing.

- Loss or damage occurred by the neglect or no performance of subscriber and user in spite of the fact that SignKorea notified through the rules and homepage notice to subscriber and user on the possibility of occurrence
- During the course of performing the certification service of SignKorea, the specific part of losses occurring to subscriber and user for the following causes
  - Responsibility and obligation not defined under the Rules
  - Accuracy of information other than those specified by the Rules
  - Responsibility on lack of knowledge and negligence of user
  - Appropriateness for the completeness, current feature and specific objective included in the certification
- Denial on the transmission fact of certification and transmitted electronic document (hereinafter referred to as "denial blocking"), however, the generation and confirmation of basic data for denial blocking is available.

In addition, SignKorea shall not be liable for losses incurred by a subscriber and user caused by the following, when not caused by a defect on the certification itself or the fault of SignKorea.

- Damages caused by relying on the falsified electronic signature of a subscriber or fraud of Registration Agency, subscriber or user
  - Loss following the use of certification that has the effective period lapsed
  - Loss following the use of certification that has the validity suspended or abolished
  - Loss caused by the default on obligation of a subscriber and user
- Interference caused by communication, not a system interference, of SignKorea during the performance of certification service
- Loss of subscriber and user caused by the delay and suspension of service occurring from the software and hardware interference of Registration Agency, subscriber or user other than software and hardware that SignKorea provide
- Matters not set forth herewith under the Electronic Signature Related Act and present Rules, namely, the credibility of subscribers, invariability of subscriber related information

2.1.2 Responsibility and Obligation of Subscriber

2.1.2.1 Selection of Appropriate Certification and Providing Accurate Information
Subscriber shall select and apply for certification appropriate to its own objective and understand correctly the Rules in relation to the application of the certification service, and shall provide accurate information and facts to SignKorea.

Subscriber shall fully be liable to users for the loss arising by the mistaken information of subscriber for the verification of electronic signature by using the applicable certification or relying on the information contained in the certification.

2.1.2.2 Protection of Generation Key
Pursuant to Article 21 (Management of Electronic Signature Generation Key), the subscriber shall protect the generation key as follows.

- A subscriber shall not allow the generation key to be misappropriated by using the password of an electronic signature that only he/she knows.
- A subscriber shall be liable for the security of physical storing media such as hard disc or diskette, and smart cards where the generation key is stored.

The full responsibility of result from non-performance of obligation to protect on the above generation key shall be on the subscriber.

2.1.2.3 Appropriate Action
A subscriber shall notify the applicable facts to SignKorea or Registration Agency promptly if the following situation occurs and take appropriate action.

- In the event of having a change on the information that SignKorea confirmed including the personal information (name, address, e-mail address and others) of the subscriber
- In the event that the certification is not to be used due to the arrest, death and others of the subscriber
- In the event the generation key of the subscriber is released or damaged due to the release of password or stolen smart card or diskette
- In the event that a third party other than the certification subscriber attempts the issuance, suspension, restoration or repeal

If the above situation occurs, the subscriber shall take the following action.

- A subscriber shall be issued new certification in the event of suspending the service for certification of subscriber by requesting to SignKorea or Registration Agency for the repeal or re-issuance of the applicable certification.
- However, in the event that there is no way of proving the identity of the subscriber including arrest or death, the agent may bring the verifying document on the factual relationship and work on behalf of the subscriber.

SignKorea shall not be liable for the problems arising to the subscriber since the subscriber does not perform the above action.

2.1.2.4 Compensation Responsibility
Subscriber shall compensate the loss to SignKorea and user in the event that it incurred a loss to SignKorea and user intentionally or maliciously by using fraudulent practice or use of false electronic signature and others.

2.1.2.5 Caution
In the event that subscriber applies to abolish via on-line, SignKorea uses the certification management program for subscriber (hereinafter referred to as "management program") and destroys the subscriber generation key and certification of the storing device in principle. But, the generation key and certification that the subscriber separately backed up shall be destroyed by the subscriber and all the liabilities arising from not performing it shall be on the subscriber.

2.1.3 Responsibility and Obligation of User

2.1.3.1 Understanding of Use Purpose of Certification
A user shall accurately understand the use purpose and scope of use on the certification of subscriber. A user shall make the decision if the certification of SignKorea that subscriber sent is appropriate to the objective of the user and the damages incurred by the mistake of the user is the liability of the user.

2.1.3.2 Confirmation of Contents and Effectiveness of Certification
Before using certification, a user shall confirm the contents listed on the certification of subscriber and the certification of the KISA and SignKorea on the effective period and use, and shall confirm whether each certification is suspended for validity or repeal through the certificate revocation list (hereafter referred to as the "CRL") or Real time certification status information (Online Certificate Status Protocol, OCSP).

2.1.3.3 Recognition on Applicable Responsibility Clause and Guarantee
A user shall accurately recognize the contents including the validity of certification and scope of guarantee, pertinent responsibility provision and others.

2.1.3.4 Compensation Responsibility of User
A user shall compensate for loss to SignKorea and the subscriber in the event it incurs loss to SignKorea and the subscriber in intentional or malicious method including fraud or falsified electronic signature.

2.1.4 Responsibility and Obligation of Registration Agency

2.1.4.1 Accurate Identification
Registration Agency shall fully understand the rules, and has responsibility for the accuracy of identification of the subscriber. Registration Agency shall have responsibility for losses to the subscriber, user and SignKorea caused by the error and mistake of the identification result.

2.1.4.2 Notice on Important Facts
When the application for certification is received, Registration Agency shall make the subscriber understand fully the important matters related to the use of the certification, and if necessary, it shall obtain the confirmation of affixing the seal or signature of the subscriber.

2.1.4.3 Compensation Responsibility of Registration Agency
In the event of effecting negatively on the credibility of SignKorea or incurring monetary losses negligently or intentionally, Registration Agency shall compensate the losses, and it shall also compensate for the loss incurred on subscriber or user arising due to the identification error of certification subscriber and others.

2.2 Notice of Information

2.2.1 Notice Subject and Location
SignKorea shall notify the necessary information to subscribers and users from the important operation information such as the rules, certification, CRL and others on 1.3.2 (Location of Information Storage).

2.2.2 Frequency of Notice
In the event that there is a change on certification service information, SignKorea shall promptly notify it. The status information of public certification shall be notified on maximum 24-hour unit through the Certification Revocation List (CRL), and the status information of real time certification status information system shall be modified immediately in principle.

2.2.3 Directory
SignKorea shall register the certification and CRL on the directory system to confirm them through the information and communication network for subscribers and users.

2.3 Name Used in Certification
In order to distinguish the subscriber, SignKorea uses subscriber distinction information (hereinafter referred to as "DN") that is in an appropriate form for the specification or the technology standard related to DN (Distinguished Name) determined by ITU-T X.500.
2.3.1 Uniqueness of DN
SignKorea permits its legal name as follows in issuing the certification. However, only when a subscriber desires the nickname and others, SignKorea may permit the desired name on the certification.

- Real name, corporation name and other legal name
- Trade-mark right obtained from Patent and Intellectual Property Office, or equivalent institutions of other countries (requires verification statement)
- Internet domain name
- Internet IP address
- URL for WWW
- E-mail address, etc.

SignKorea structures the name and other information that the subscriber submitted in DN to store in the certification. DN becomes standard information when the user confirms the certification that the certification is issued only when the duplication of the DN of new subscriber and the DN of the existing subscriber is not overlapped.

In the event the DN is overlapped, SignKorea shall request a new DN to the subscriber, and the subscriber shall respond to it to subscribe to the certification service of SignKorea.

2.3.2 Regulation on Name Interpretation
SignKorea does not apply special interpretation regulation for accommodating various names.

2.3.3 Dispute Resolution
SignKorea shall not be liable for resolving problems if the existing subscriber uses the legal name of a new subscriber on the DN to cause litigation or dispute.

2.4 Interpretation and Execution
2.4.1 Applicable Law
This rule is interpreted and applied under the laws of the Republic of Korea.

2.4.2 Dispute Resolution Procedure
In the event a dispute arises related to the certification service of SignKorea, the Ministry of Information and Communication and other pertinent departments shall inspect the violation of the Electronic Signature Related Act for SignKorea, and resolve the dispute in a prompt method following the procedure under the Electronic Signature Related Act and other pertinent laws and regulations.

2.4.3 Advice for Dispute Resolution and Court of Jurisdiction
In the event that the certification of SignKorea is required for a dispute resolution such as a litigation or arbitration in relation to the applied transaction and e-document exchange, the party to the dispute shall notify the fact to SignKorea, subscriber and user before the dispute resolution. The party to the dispute may request a review of the dispute in writing to SignKorea and the information to request for applicable review shall be delivered to the interested party. On the applicable request, SignKorea may compose the expert group, collect the pertinent facts and advise for the dispute resolution in accordance to the discretion of SignKorea, however, the recommendation and consultation of the expert group does not have a mandatory feature nor is it legally binding on the outcome.

In the event that there is a dispute arising to have the request of legal resolution and SignKorea is related to the dispute, all litigations shall proceed in the court where the principal place of business for SignKorea is located.

2.5 Intellectual Property Right
SignKorea has the intellectual property right related to the following.

- Software developed by SignKorea
- Rules of SignKorea
- Name of SignKorea
  - Corporate name
  - Internet domain name
- Pair of electronic signature key and others of SignKorea

In addition, the certification and the pair of electronic signature key of the subscriber belongs to the subscriber who received the certification on the applicable key.

2.6 Cancellation, Repeal, Suspension and Revocation of Certification Service
SignKorea makes efforts to provide the best service to the subscriber and the user as the certification institution. However, in the event the qualification of certification institution is cancelled, repealed, suspended or terminated due to the inevitable cause of SignKorea, all actions determined under the Electronic Signature Related Act shall promptly be performed to minimize damages to the subscriber.
2.6.1 Cancellation or Repeal
In the event all or part of the certification service is cancelled or repealed due to the inevitable cause of SignKorea, not a natural disaster or force majeure, SignKorea shall determine the cancellation period and cancellation date and repeal date pursuant to Article 10 (Cancellation and Repeal of Certification Work) of the Electronic Signature Act, and notify the applicable fact through the homepage or e-mail of SignKorea 30 days before the cancellation date for cancellation and 60 days before the repeal date for repeal.

2.6.2 Suspension and Revocation of Certification
In the event the designation of SignKorea is cancelled pursuant to Article 12 (Suspension and Designation Cancellation of Certification Work) of the Electronic Signature Act, the works are promptly transferred to other certification institutions. However, in the event the transfer of works is not possible due to the situation of other certification institutions, the necessary actions may be taken by submitting the related information such as the statement of reason and others to the Minister of Postal Service pursuant to Article 7 (Report of Cancellation of Certification Work) of Enforcement Regulation of the Electronic Signature Act.

Certification Policy
3.1 Subject for Certification Issuance
SignKorea shall issue the certification on the verified information and communication equipment by belonging to the individual, corporation, and applicable individual and corporation.

3.2 Classification of Certification
3.2.1 For Work
SignKorea considers it as for work when the subscriber uses it for generating the electronic signature or confirm its identity to the users, or uses it once by the will of the subscriber in the client part, not the service server.

3.2.2 For Server
SignKorea considers it as for server when the subscriber installs the generation key to the electronic machine such as the computer system, and makes up the identity of electronic equipment automatically following certain regulation through the applicable generation key, or generate the electronic signature for electronic document.

3.3 Selection of Registration Agency
The subscriber may apply to SignKorea for certification service other than the restoration of validity via on-line, and the certification service other than the re-issuance and renewal may be made by personally visiting Registration Agency (refer to [Table 1]) of SignKorea.

[Table 1] Registration Agency in Charge following Certification Type

Classification | Individual Certification, for work | Individual Certification, for server | Corporate Certification, for work | Corporate Certification, for server
Institution in charge | registration institution

3.4 Grade of Certification
SignKorea makes the classification as in [Table 2] for the grade of certification depending on the scope of use for certification and use. However, SignKorea considers the risk following the frequency of use and may classify in detail for certain grades.

[Table 2] Grade of Certification and Scope of Use

Grade: Scope of Use and Usage

Special
- Identification and electronic signature in non-face-to-face situations
- Exchange of e-documents at financial institutions and non-financial institutions
- In the event the size of the e-document for exchange is large or the e-document is very important
- Protection of communication channels

Platinum
- Identification and electronic signature in non-face-to-face situations
- Exchange of e-documents at non-financial institutions and financial institutions
- Protection of communication channels
※ However, it may be classified depending on the risk and utilization

Gold
- e-business on the securities and insurance area
- Government permitted area such as e-Services at the G4C

Silver
- Identification and electronic signature through the groupware between employees in a corporation
- Use only for limited purposes for specific service or service provider
- Government permitted area such as e-Services at the G4C

SignKorea recommends that each certification grade be used in accordance with its use and scope of use as above, and shall have no compensation responsibility for damages caused by the inappropriate use of a certification grade by a subscriber or user.

SignKorea shall issue the platinum grade in certification for mutual interface, and OID of certification shall be as follows for each issued person.
- Corporation, organization, sole proprietorship : 1.2.410.200004.5.1.1.7
- Individual : 1.2.410.200004.5.1.1.5
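
A relying party can use these two OIDs to tell which class of subscriber a certificate was issued to. The following is an added example, not SignKorea's code: it assumes the OID is carried in the X.509 certificatePolicies extension (this document does not say where it appears) and runs on a constructed extension value, not a real certificate.

```python
# Added example. Assumption: the OIDs above appear as policyIdentifier values in
# the certificatePolicies extension (SEQUENCE OF PolicyInformation).
SIGNKOREA_POLICY_OIDS = {
    "1.2.410.200004.5.1.1.7": "corporation, organization, sole proprietorship",
    "1.2.410.200004.5.1.1.5": "individual",
}

def encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def encode_oid(dotted):
    """DER-encode a dotted OID as a complete TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]              # last byte: high bit clear
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)  # earlier bytes: high bit set
            value >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + encode_length(len(body)) + bytes(body)

def read_tlv(data, pos):
    """Return (tag, value, next_pos); reject truncated or oversized input."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("TLV value runs past end of input")
    return tag, data[pos:end], end

def decode_oid(body):
    """Decode the content bytes of an OID into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def policy_oids(ext_value):
    """List every policyIdentifier in a certificatePolicies extension value."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids

def classify(ext_value):
    """Subscriber class, or None unless exactly one listed OID matches.

    Matching is on the whole decoded OID: a string-prefix test would wrongly
    accept 1.2.410.200004.5.1.1.50 as the 'individual' policy.
    """
    hits = [SIGNKOREA_POLICY_OIDS[o] for o in policy_oids(ext_value)
            if o in SIGNKOREA_POLICY_OIDS]
    return hits[0] if len(hits) == 1 else None

def build_policies(*dotted):
    """Construct a sample extension value for the OIDs given (test input only)."""
    infos = b"".join(b"\x30" + encode_length(len(o)) + o
                     for o in map(encode_oid, dotted))
    return b"\x30" + encode_length(len(infos)) + infos

# Constructed sample, not taken from a real certificate.
SAMPLE = build_policies("1.2.410.200004.5.1.1.5")

if __name__ == "__main__":
    print(policy_oids(SAMPLE), "->", classify(SAMPLE))
```
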

3.5 Fees
3.5.1 Subject of Fees and Payment Period
SignKorea may impose the fees on issuance of certification to the subscriber and the user, use of certification, and providing of other certification service.

The issuance fees of SignKorea shall apply to new issuance and to renewal of the existing certification.

Subscriber shall pay the fees determined under 3.5.2 (Fees for Each Grade and Subject) to SignKorea before issuing the certification in principle.

3.5.2 Fees for Grade and Subject
SignKorea determines the standard of fees for issuance as in [Table 3] depending on the grade, subject for issuance, and use of the certification.

[Table 3] Issuance fees (based on one year of effective period)

Fees (Unit: 1,000 won/year, VAT not included)

Classification | Individual Certification, for work | Individual Certification, for server | Corporate Certification, for work | Corporate Certification, for server
Special | (Under separate agreement)
Platinum | 4 | 500 | 100 | 1,000
Gold | (Under separate agreement)
Silver | (Under separate agreement)

SignKorea may apply the discount rate or exempt the fees pursuant to the policy of the government and SignKorea, and the fee imposing method or payment period may be changed by the agreement or stipulation with subscriber and user.

3.5.3 Other Service Fees
SignKorea may impose service fees on the certification use and others in addition to the fees to issue the certification when needed, and shall follow the separate agreement for fees following the use of time service, verification service and others.
3.6 Effective Period of Certification
The period of effectiveness of SignKorea public certification is limited to 1 year, and shall prescribe specific period starting from the day of subscriber's application or issuance. However according to [Table 4] the effective period of reissued or renewed certification can be extended or shortened.

[Table 4] Certification Effective Period

Classification | Effective period
New issuance | 1 year
Re-issuance | Remaining period
Renewal | Remaining period + 1 year

3.7 Issuance Period of Certification
SignKorea shall issue the certification when the subscriber receives the reference number and permission code from SignKorea or the Registration Agency and requests the generation of certification after inputting the reference number and permission code by connecting to the system of SignKorea.

The reference number and permission code that SignKorea issued to a subscriber through the system of SignKorea or Registration Agency shall be valid during the period determined under [Table 5] depending on the type of certification.

[Table 5] Period for Issuing Certification

Classification | Individual Certification, for work | Individual Certification, for server | Corporate Certification, for work | Corporate Certification, for server
Platinum | 4 | 500 | 100 | 1,000

However, SignKorea may delay or refuse the issuance of certification in the event that the information submitted by the subscriber has a problem in accuracy, or the subscriber has not paid the fees for issuing the certification, and the processing period may be delayed in the event of a sizable number of subscribers.

3.8 Processing of Refund and Certification
In the event that a subscriber visits SignKorea or Registration Agency, fills in the refund form and requests a refund within 7 days from the issuance of the public certification, not using it, SignKorea may refund the fees. At this time, in the event the expenses are paid for reception and registration of the applicable certification application, the applicable expenses are deducted from the fees and a refund is made.

3.9 Compensation

3.9.1 Compensation Measures
SignKorea is designated by the government and equipped with financial capability in performing the certification service, and is subscribed to insurance in response to damages by the work mistake and negligence of SignKorea for subscriber and user pursuant to Article 26 (Compensation Responsibility) of the Electronic Signature Act.

3.9.2 Limitation and Immunity of Compensation
SignKorea may make compensation to a subscriber or user who has proven the cause of compensation in the event loss or damage occurs by the cause of certification or certification service of SignKorea regardless of the grade of certification. However, SignKorea shall not make compensation on the part that exceeds the total amount of compensation (2.5 billion won) from the insurance that SignKorea subscribed. On the loss that exceeds the total amount of compensation of SignKorea, a subscriber or user may enter into the agreement of a separate rate following the selection of subscriber or user.

The limit of such a damage compensation is applied to all types of damages and losses occurring by trusting the certification for a certification subscriber or user. The total amount of compensation of each certification is the same regardless of electronic signature, frequency of transaction and amount related to the applicable certification.

In the event that the demand for compensation exceeds the total amount of compensation, SignKorea shall make compensation first in the order that the compensation request in writing is received after finally resolving the dispute unless there is an order by the court decision.

SignKorea shall not be responsible for delay in, or inability to process, the certification service caused by external factors (for example: war, natural disaster, circuit breakdown, fire and others) that are impossible for SignKorea to control.

Identification
4.1 Basic Principle
In order to secure the credibility of certification provided to subscribers, SignKorea shall perform identification on the subscriber and accuracy on information provided by the subscriber, and issue the certification only to the subscriber who goes through the identification procedure determined by SignKorea.

SignKorea confirms the identity by face-to-face through Registration Agency and others for a new subscriber in principle. In the event that the subscriber who was issued certification through direct personal contact applies for certification service to SignKorea with an electronic signature on the effective period, the identification procedure may be replaced with the verification of subscriber with the electronic signature. However, SignKorea does not recognize the application in the event the certification of subscriber is in the suspension status of validity. Notwithstanding the principle of personal contact on new subscriber, it is possible to apply for certification via on-line to SignKorea by confirming the identity on the customer information possessed by Registration Agency and attaching the electronic signature of Registration Agency.

4.2 Data Submitted for Each Certification for Identification
SignKorea composes a part of information submitted by the subscriber in DN and includes it in the certification, and other information is treated as confidential information to prevent outside disclosure.

4.2.1 Individual Certification

4.2.1.1 Individual Identification Voucher
SignKorea uses one of the following as the identification voucher for individual identification.

- Resident registration card for the person subject to resident registration cards. However, in the event it is difficult to rely on the resident registration card, the voucher can be confirmed by the attached photo with the listing of name and resident registration number that is issued by the head of the school under the National Institution, Local Government and Education Act
- The certified copy of resident registration and identification voucher and document of legal agent for a person not subject for issuing the resident registration card
- Foreigner resident registration under the Immigration Act for Foreigners. However, the identification voucher issued by the authorized administration of the applicable country or a passport in the event of a person not issued with a foreigner registration card

Individual Identification Chart shall abide by the Article 13-3 (Identification Certification Chart) of the Implementation Regulations of the Electronic Signature Act.

4.2.1.2 Individual For Work Certification Identification
When applying for certification service for work by an individual subscriber, Registration Agency shall confirm the identity of subscriber by reviewing the application that is listed with one of the following items from 4.2.1.1 (Individual Identification Voucher).

- Name
- Resident registration number
- DN
- Usage and grade
- Address
- Telephone number
- E-mail address
- Institution and department
- Securities account number or bank account number (Limited to the cases needed)
- Other information that SignKorea requires


4.2.1.3 Individual For Server Certification Identification
When an individual subscriber applies for certification service for server, Registration Agency shall review the application listed in the following category and the individual identification voucher and confirm the identity of subscriber and existence of the server.

- URL or IP
- Name
- Resident registration number
- DN
- Usage and grade
- Address
- Telephone number
- E-mail address
- Institution and department
- Securities account number or bank account number (Limited to the cases needed)
- Other information that SignKorea requires

However, in the event an agent applies, the agent shall bring the application along with the power of attorney that SignKorea determined and the individual identification voucher of the agent.

4.2.2 Corporate Certification

4.2.2.1 Corporate Identification Voucher
SignKorea uses one of the following as the identification voucher for corporate identification.

- Certified copy of corporate registration or commercial registration under the Voluntary Matters Proceedings Act
- Business registration under the Corporate Income Tax Act
- Tax payment number under the Income Tax Act
- Identification number and business registration certification under the Value Added Tax Act

Individual entrepreneurs shall confirm the identity with the 4.2.1.1 (Individual identification voucher) and individual business registration.

For a voluntary organization, the identity is confirmed with the identification voucher of the representative individual in the event of not having a tax number or ID number, and of the notice document of granting the tax number and ID number if there are a tax number and ID number.

The foreign corporation and voluntary organization located in a foreign country confirm their identity by applying for one of the following.

- Copy of corporate registration or commercial registration issued by the pertinent authority of the applicable country
- Identification related verification document including the document that may be recognized for the legal entity by the consul of the applicable country located in Korea or the authorization of the country certified.

4.2.2.2 Identification of Corporate Certification for Work
When the corporate subscriber applies for the certification service for work, Registration Agency shall review the application listed with one of 4.2.2.1 (Corporate Identification Voucher) and the below information to confirm the identity of the corporation.

In addition, when confirming the corporate identification, the identity of the representative of the applicable corporate entity shall be confirmed. However, if the application is filed by an agent, the identity of the agent is confirmed after receiving the power of attorney from the representative of the agent.

- DN
- Usage and grade
- Quantity
- Corporate entity name
- Telephone number of enterprise
- Address of business place of corporate entity
- Securities account number or bank account number (only when necessary)
- Position of the person in charge
- Name and place of contact for person in charge
- E-mail of person in charge
- Other information needed by SignKorea

4.2.2.3 Identification of Corporate Certification for Server
When the corporate subscriber applies for the certification service for server, Registration Agency shall review the application listed with one of 4.2.2.1 (Corporate Identification Voucher) and the below information to confirm the presence of the corporation and corporation server by confirming through a reliable third party institution. However, if the application is filed by an agent, the identity of the agent is confirmed after receiving the power of attorney of the representative from the agent.

- URL or IP
- DN
- Usage and grade
- Quantity
- Corporate entity name
- Telephone number of enterprise
- Address of business place of corporate entity
- Securities account number or bank account number (only when necessary)
- Position of the person in charge
- Name and place of contact for person in charge
- E-mail of person in charge
- Other information needed by SignKorea

4.3 Identification in the Process of New Issuance
When a subscriber lists the matters determined on 4.2 (Data Submitted in Certification for Identification) on the application and submits the necessary verification data, Registration Agency shall compare the identification voucher and the subscriber to confirm the identity and process the application. At this time, in the event that an agent files for application, the power of attorney and the identification voucher of the recipient shall be confirmed.

Registration Agency may delay the process of application in the event the reliability of data submitted by the subscriber is doubtful.

In the event that a subscriber who already received certification from the certification institution is to receive new certification, the identity of the applicable subscriber may be confirmed by the electronic signature and certification of the applicable subscriber. In this event, the certification of the applicable subscriber shall be effective at the time the identity of subscriber is confirmed by the certification institution and others.


4.4 Identification in the Process of Suspension of Effectiveness, Recovery of Effectiveness and Repeal
Registration Agency shall confirm the identity of the subscriber in compliance with 4.3 (Identification during the Process of New Issuance).

4.5 Identification in the Re-issuance and Renewal Process

SignKorea replaces the electronic signature verification for the identification of a subscriber during the process of re-issuance and renewal.

Certification Service
5.1 Issuance of Certification

5.1.1 Submission of Issuance Application
The person who wishes to receive the certification of SignKorea or its agent (hereinafter referred to as "Applicant") shall possess the identification voucher following 4.2 (Data Submitted for each Certification for Identification) and visit Registration Agency to submit the certification application to Registration Agency. For its part, Registration Agency distributes to the Applicant the certification registration confirmation listed with the reference number and permission code after the identification procedure under 4.3 (Identification during the Process of New Issuance).

5.1.2 Issuance Application
When the Applicant inputs the reference number and permission code on the management program provided through the homepage of SignKorea or Registration Agency, the management program generates the electronic signature key and applies to SignKorea for the issuance of certification.

5.1.3 Generation and Issuance of Certification
SignKorea generates and issues the certification following X.509 Version 3 by applying an electronic signature, made with the generation key of SignKorea, to the DN and verification key of the applicant, and records the certification in the directory.

5.1.4 Acquisition of Certification
The Applicant receives the certification generated by SignKorea through the management program and selects the media to store the generation key and the certification, and safely stores it.

Acquiring of certification by the subscriber means the guarantee that the following facts are true to the users and SignKorea from the time of generating the certification to the effective period.

- No illegal user gains the access to the generation key of subscriber.
- Matters confirmed by SignKorea on all information in certification are true.
- Matters that subscriber notified to SignKorea in addition to the information in the certification are true.
- Certification is used only within the scope determined by SignKorea under the rules.

Applicant who acquired the certification of SignKorea becomes the subscriber of SignKorea.

Acquiring the certification of SignKorea by the Applicant means that it will not incur damages to SignKorea and users with the following and agrees that it will compensate for the damages.

- Providing false fact of subscriber or its agent
- Lack of notice of important facts due to the negligence or malicious intent of subscriber
- Loss, damage, theft or disclosure of generation key of subscriber

SignKorea considers that it agrees to the above contents for subscriber and agent in the event the certification is acquired by the agent of the subscriber.

5.2 Suspension of Validity for Certification

5.2.1 Cause
SignKorea promptly suspends the validity of certification when suspension of validity is requested in the following cases pursuant to Article 17 (Suspension of Validity of Certification) of the Electronic Signature Act.

- In the event of having a suspicion of loss, damage, theft or disclosure of generation key of subscriber
- In the event a subscriber desires to suspend the validity of the certification

SignKorea may suspend the certification for certain time in the event an inevitable cause occurs for the management of certification service or is ordered for suspension by the right of the Minister of Information and Communication pursuant to Article 16 (Termination of Validity of Public Certification) of the Electronic Signature Act.

SignKorea may suspend the validity of certification for up to 6 months after the suspension pursuant to Article 17 (Suspension of Validity of Certification) of the Electronic Signature Act, and in the event of sustaining for 6 months or longer, the certification is repealed. However, in the event the effective period expires during the term of suspension, it shall be deemed the same as the expiration of the effective period of ordinary certification.

5.2.2 Procedure

5.2.2.1 Submission of Application for Suspending Effectiveness
The subscriber who possesses the certification of SignKorea may suspend the effectiveness via on-line through the management program without visiting the Registration Agency, and may apply for the suspension through the Registration Agency in the event of applying via on-line due to the cause of subscriber.

5.2.2.2 Identification
In the event that the subscriber applies for the suspension of validity to Registration Agency, Registration Agency shall apply for the suspension of validity to SignKorea after identifying them pursuant to 4.4 (Identification in Suspension of Validity, Restoration of Validity, and Repeal Process).

In the event of the subscriber applying for the suspension of validity via on-line to SignKorea, SignKorea replaces the identification with the electronic signature of the subscriber.

5.2.2.3 Suspension of Effectiveness and Reflection on Repeal List
Following the request of subscriber and Registration Agency, SignKorea suspends the validity of certification of the subscriber promptly and pursuant to 2.2.2 (Management of Information), the certification status information is hereby modified.

5.2.3 Effect
In the event the subscriber suspends the validity of certification, SignKorea shall promptly suspend the validity regardless of the effective period and types of certification, but there is no validity on the effects and obligations of contract or legal conduct that the subscriber has performed before the suspension.

5.3 Restoration of Validity for Certification

5.3.1 Cause
SignKorea shall restore the validity of certification in the event subscriber applies for validity restoration of certification to SignKorea for modifying the validity of certification within 6 months after suspending the validity and restoring the validity of certification by SignKorea, due to the inevitable cause of certification service operation under the decree of the Ministry of Information and Communication under the provision of Article 16 (Termination of Validity of Public Certification) of the Electronic Signature Act.

5.3.2 Limitation
SignKorea considers the electronic signature made with the generation key that is consistent with the verification key of the suspended certification as not having legal validity, and the subscriber can not apply for the restoration of validity to SignKorea via on-line. Therefore, the subscriber shall visit Registration Agency and apply for restoration of the validity.

5.3.3 Procedure
When the subscriber submits the application to restore the validity to the Registration Agency complying to 5.2.2 (Procedure) of 5.2 (Suspension of Validity of Certification), the Registration Agency shall perform the identification procedure equivalent to 5.2.3 (Identification) and apply for the restoration of validity on the certification of subscriber to SignKorea after performing the identification procedure.

SignKorea shall receive the application for validity restoration on subscriber of Registration Agency and promptly process it, and pursuant to 2.2.2 (Management of Information), the certification status information is hereby modified.

5.4 Renewal of Certification

5.4.1 Cause
SignKorea may extend the effective period of certification in the event the subscriber requests for an extension of the certification effective period.

5.4.2 Limitation
SignKorea does not permit the application for renewal of the subscriber through Registration Agency, so that the subscriber shall apply to SignKorea via on-line.

SignKorea does not change subscriber information other than the effective period during the course of the renewal process. At this time, the generation key for subscriber is changed and the existing certification is abolished.

5.4.3 Procedure

5.4.3.1 Application and Identification
SignKorea newly issues the certification for a new effective period when the subscriber submits renewal application via online to SignKorea that includes the electronic signature. The effective period of newly issued certification includes the remaining effective period of the existing effective period. At this time, the identification on subscriber is replaced with the verification of electronic signature.

5.4.3.2 Issuance and Registration of Certification
SignKorea shall record the applicable certification to the directory immediately after issuing the renewed certification of the subscriber, and the existing certification is deleted from the directory.

5.4.3.3 Reflection of Repeal and Repeal List
SignKorea shall issue new certification and repeal the existing certification, and pursuant to 2.2.2 (Management of Information), the certification status information is hereby modified.

5.4.4 Notice of Expiration for Effective Period
SignKorea may notify the applicable fact to the subscriber for 30 days and 7 days prior to the expiration of the effective period for certification for the convenience of the subscriber.

5.4.5 Period of Renewal Application
In the event that remaining effective period before expiration is less than one month, SignKorea principally renews the subscriber certification. However, SignKorea may adjust the application period considering the convenience of subscriber.

5.5 Re-issuance of Certification

5.5.1 Cause
SignKorea may issue new certification if the subscriber applies for new certification due to the problems of safety of currently using certification and repealing the certification of the subscriber.

5.5.2 Procedure

5.5.2.1 Re-issuance Application
Application for re-issuance can be personally made by the subscriber requesting for re-issuance through the electronic signature via on-line, and the re-issuance is made after requesting the re-license of SignKorea since the re-issuance by on-line electronic signature is impossible.

In the event of re-issuance using the electronic signature, the subscriber possessing the certification of SignKorea shall apply for re-issuance to SignKorea through the management program via on-line. In the event of re-issuance by using the re-license, they shall follow the procedure of applying for a new issuance of the certification.

5.5.2.2 Identification
In the event of re-issuance by using the electronic signature, SignKorea shall replace the identification with the verification on the electronic signature of the subscriber and follow the procedure for new issuance in the event of re-issuance using the re-permission.

5.5.2.3 Re-issuance
SignKorea shall set the effective period with the remaining period of the existing effective period, and generate the new certification with the electronic signature on the existing DN and the new verification key and issue it to the subscriber.

5.5.2.4 Existing certificate revocation and status information modification
SignKorea shall issue the new certification and repeal the existing certification, and pursuant to 2.2.2 (Management of Information), the certification status information is hereby modified.

5.6 Repeal of Certification

5.6.1 Cause
SignKorea may repeal the certification of the subscriber with the following causes pursuant to Article 18 (Repeal of Certification) of the Electronic Signature Act.

- In the event the subscriber wishes to abolish the certification
- In the event that the fact of loss, damage, theft or disclosure on the generation key of the subscriber is detected
- In the event that the fact of death, report on missing or dissolution of the subscriber is detected
- In the event that the fact of illegal issuance of the certification for the subscriber is detected
- In the event that the subscriber violates important obligations under the rules
- In the event the compliance of the obligations of the subscriber is delayed or becomes impossible due to natural disaster or other causes
- Certification issuance due to error and others

5.6.2 Procedure

5.6.2.1 Submission of Repeal Application
The subscriber who possesses the certification of SignKorea may apply for repeal via online through the management program without visiting Registration Agency, and in the event that online application is impossible due to the cause of the subscriber, the repeal application may be made through Registration Agency.

5.6.2.2 Identification
In the event the subscriber applies for the repeal to Registration Agency, Registration Agency applies for repeal to SignKorea after identifying following 4.4 (Identification during the Suspension of Validity, Restoration of Validity and Repeal Process).

In the event that the subscriber applies the repeal application to SignKorea via on-line, SignKorea replaces the identification with the electronic signature of the subscriber.

5.6.2.3 Existing certification revocation and status information modification
SignKorea shall issue the new certification and repeal the existing certification, and pursuant to 2.2.2 (Management of Information), the certification status information is hereby modified.

5.6.3 Effect
SignKorea shall promptly repeal the validity regardless of the effective period and type of certification in the event the subscriber repeals the validity of certification. However, validity is not given to the obligations and validity on the legal actions or contract performed by the subscriber before the repeal.

Security Actions
6.1 Physical Actions

--6.1.1 Control of Physical Approach
--SignKorea implements the following access control procedure in order to protect the key --generation system, certification generation management system, directory system, and time --confirmation system, Real time certification information system (hereinafter referred to as "Core --Certification System") from physical threats such as the infiltration of outsiders or illegal approach --and others.

-- Core certification is installed and operated within the separate restricted zone.
-- The access control system limits access to the control zone by uniting in tandem the
----identification card, finger print recognition and weight sense equipment and others.
-- Core certification system is installed in the security cabinet for the purpose of physical access
----control.
-- In order to carry out works like hardware repair and others, if an outsider is to gain the access
---- to the Core Certification System room and other places, there must be a managing person to
---- accompany.
-- By linking to the access control system, access to the control area is recorded and the record is
---- inspected regularly.
-- In response to an abnormal situation, the following system is installed and the monitor control
---- system with the warning function is installed and operated.
----- CCTV camera and monitoring system
----- Intruder monitoring system
-- Arrange the security staff to perform 24-hour security works.

--6.1.2 Power
--In order to prevent serious damage by the sudden circuit breakdown, SignKorea shall use the --power supply device for no circuit breakdown and install a separate generator for the stable --power supply.


--6.1.3 Prevention of Flood
--For the protection of important systems such as the Core Certification System from water flooding, --SignKorea shall install it at a location where it is 30cm from the floor or higher and shall use the --water leakage warning machine for prompt response and detection of leakages.


6.1.4 Prevention of Fire
For the protection of important systems such as the Core Certification System from fire, SignKorea shall install fire detectors and use portable fire extinguishers and automatic fire extinguishers with a component that does not cause any problems for the system when extinguishing a fire.


6.1.5 Saving Media
SignKorea shall keep the storage and record media on important information such as the generation key of SignKorea in a safe place and control the access physically.


6.1.6 Waste Disposal
In the event of disposing of documents, diskettes and others, SignKorea shall destroy them in a way so that the physical and theoretical recovery is not possible.


6.1.7 Dual Structure
SignKorea operates its major systems in a dual structure so that the system keeps operating when a problem occurs in one of them.

SignKorea has a dual structure for communication lines and communication service companies in order to minimize the service stoppage caused by interference on the communication lines and communication service companies.


6.1.8 Back up
SignKorea shall periodically back up, following the back up policy of SignKorea, the important information that SignKorea has issued, such as certification, suspension of validity for certification, the repeal list and others, and shall store it at a remote location physically separated from the main storage for 10 years from the date the effective period of the applicable certification expires or the certification is repealed.

6.2 Procedural Control

6.2.1 Work Separation per Role
In order to secure the safety and reliability of certification works, SignKorea shall separate the works, assign each to a person in charge, and perform them accordingly.


6.2.2 Persons for Each Major Work
SignKorea shall allocate at least 3 personnel of manager and person in charge to the key generation works, and works requiring the generation key of SignKorea shall be performed jointly by a minimum of two persons, as the manager and the person in charge.


6.3 Personnel Control
SignKorea inquires about the identity of its employees, and only those employees who have no abnormality may perform the certification and security related works, and the personnel control is undertaken with the subject of management who is liable for the supervision of a system-based structure of SignKorea and all employees related to certification service, cooperative companies, advisory human resources and some operation and management, designated engineers, etc.

The qualification and experience of the officers and employees of SignKorea shall apply the regulations determined under Article 2 (Standard of designation of public certification institution) of the Electronic Signature Act, and persons applicable to Article 5 (Disqualification) of the Electronic Signature Act shall not be an officer or employee of SignKorea.

6.4 Record

6.4.1 Subject for Record
SignKorea shall manage a record on the following.

- Public certificate and CRL
- Information submitted by subscribers
- Details of certification issuance/suspension of validity/restoration of validity/renewal/re-issuance/repeal of subscribers
- Various inspection records for system operation
- Operation details of system operators
- Details of access in system room, control room and core certification system room
- Password for smart cards
- Decode key of smart cards
- Other matters that SignKorea deems as needed for recording

6.4.2 Preservation Period
SignKorea shall vary the preservation period depending on the importance of the record subject and the requirements of the Electronic Signature Act, and in particular, the certification related information shall in principle be preserved for at least 10 years from the time of expiry of certification pursuant to Article 22 (Management of Record on Certification Service) of the Electronic Signature Act.

SignKorea shall follow the internal regulations of SignKorea for the preservation, media and opening methods on various records.

6.4.3 Protection of Preservation Record
SignKorea maintains security by applying the procedure control and physical access control on the preservation record and enables the inquiry on work scope. In addition, to prevent damage to and alteration of the preservation record, a thermohygrostat is installed in the preservation place, and protective facilities such as a fire alarm are installed and operated in response to the occurrence of fire.


6.4.4 Back up of Preservation Record
SignKorea shall in principle make a reproduction copy in response to the loss and destruction of the preservation record and store it in a physically separated and secured area.


6.5 Compliance of Regulations
SignKorea shall comply with the internal regulations on the security measures not specified in the Certification Practice Statement in performing the certification services.

Technical Security Control
7.1 Generation of Pair of Electronic Signature Key

7.1.1 Generation of Pair of Electronic Signature Key
For the generation of the pair of electronic signature keys and the certification forms, SignKorea allows only permitted persons to access the safe key generation system, which is protected from physical interference and not connected to the information and communication network inside and outside.

7.1.2 Size of Key and Hash Value
SignKorea uses the following sizes of key and hash values for using the safe and reliable electronic signature algorithm.

- For KCDSA and RSA: 1,024 bit or more
- For ECDSA: 160 bit or more
- For HAS-160 and SHA-1: 160 bit or more

7.2 Protection of Pair of Electronic Signature Key

7.2.1 Storing device
In order to safely store the generation key, SignKorea encodes and stores data in a storing device that has the functions of sealing, confirming for access authorization, release and change prevention of the generation key.

7.2.2 Safe Deletion Method after Generation and Use
SignKorea shall immediately delete the generation key from the system memory after the generation of the generation key is completed, and shall minimize outside exposure risk when using the generation key.

7.2.3 Destruction Method
SignKorea shall securely destroy the generation key in a physically irreparable method from media where the applicable generation key is stored, in the event the generation key is damaged or released or the effective period of the certification has expired.

7.3 Use Period of Pair of Electronic Signature Key
SignKorea uses the pairs of electronic signature keys only when the certification of the applicable pair of electronic signature key is effective.

7.4 Computer and Network Security Control
SignKorea uses the infiltration detecting system to prevent service interference attacks and others, and uses the infiltrating prevention system with the evaluation certificate of the Korea Information Security Agency for the network security.

The Specification of Certificate and CRL
8.1 The Specification of Certificate
SignKorea shall issue and notify certification by applying the specification of X.509 Version 3.

8.2 The Specification of CRL
SignKorea generates and notifies the effect CRL by applying the specification of X.509 Version 2 CRL.

In the event the validity of certification is suspended, SignKorea uses the repeal cause code field from the expanded area of validity suspension and repeal list of certification to display the suspension of validity for the applicable certification.

Management of Rules
9.1 Enactment and Revision of Rules
The person with the right of enactment and revision of these rules is the representative director of SignKorea.

9.2 Scope of Application for Rules
SignKorea shall follow the Rules with the exception of the following when the contents of the Rules are different from the other laws and related contracts.

In the event the other contract is earlier than the initial implementation date of the Rules
In the event the other laws or instructions clearly replace the Rules
In the event the details of the Rules are prohibited by law

9.3 Report of Rules
SignKorea shall report the Rules to the Minister of Information and Communication at the time of enactment and revision based on Article 6 (Rules of Certification Works) of the Electronic Signature Act and provide certification service based on the details of the Rules.

9.4 Revision of Rules
SignKorea shall revise the Rules in the following cases.

In the event the Minister of Information and Communication orders to change the Rules pursuant to Clause 2 of Article 6 (Rules on Certification Works) of the Electronic Signature Act
In the event SignKorea considers that the supplement or revision is necessary to reflect new works or to improve certification service

In the event that the Rules are revised, SignKorea shall maintain and manage a record on the details of the revision including the version, cause, details and others.

9.5 Notice and Implementation of Rules
SignKorea shall notify the Rules in accordance with the following procedure.

The revised Rules are granted with a new version.
The revised Rules shall be immediately notified on the homepage defined under 1.3.2 (Location of Information Storage) of the Rules.

SignKorea shall implement the enacted or revised Rules from the reporting date of the Minister of Information and Communication pursuant to 9.3 (Report of Rules).

9.6 Subscriber Agreement
SignKorea shall deem the amendment of the Rules as agreed to in the event the subscriber does not apply for repeal of the certification within 2 weeks after the subscriber is notified of the Rules.

Date of Implementation
These Rules shall be implemented from September 11, 2004.