• Effective: Partially Invalidated
  • Effective Date: 14/03/2007
CHÍNH PHỦ
Number: 26/2007/NĐ-CP
SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
Hà Nội , February 15, 2007

DECREE

Detailing the implementation of the Law on e-transactions regarding digital signatures and digital signature-certification services

THE GOVERNMENT

Pursuant to the December 25, 2001 Law on Organization of the Government;

Pursuant to the November 29, 2006 Law on E-Transactions;

Pursuant to the July 2, 2002 Ordinance on Handling of Administrative Violations;

At the proposal of the Minister of Post and Telematics,

DECREES:

Chapter I

GENERAL PROVISIONS

Article 1.- Regulation scope

This Decree provides in detail for digital signatures and digital certificates; the management, provision and use of digital signature-certification services.

Article 2.- Application subjects

This Decree applies to agencies and organizations providing digital signature-certification services as well as agencies, organizations and individuals choosing to use digital signatures and digital signature-certification services in e-transactions.

Article 3.- Interpretation of terms

In this Decree, the terms below are construed as follows:

1. "Digital certificate" means a type of e-certificate issued by a certification authority.

2. "Foreign digital certificate" means a digital certificate issued by a foreign certification authority.

3. "Valid digital certificate" means a digital certificate which has not yet expired, suspended or revoked.

4. "Digital signature" means a type of e-signature created by transformation of a data message using an asymmetric cryptosystem whereby the person having the initial data message and public key of the signer may accurately determine:

a/ Whether such transformation is created with a private key corresponding to the public key in the same key pair;

b/ Whether the data message has been altered since the transformation.

5. "Foreign digital signature" means a digital signature created by a subscriber using a foreign digital certificate.

6. "Digital signature-certification service" means a type of e-signature-certification service provided by a certification authority. Digital signature-certification services cover:

a/ Creating a key pair which consists of a public key and a private key for a subscriber;

b/ Issuing, extending, suspending, retrieving or revoking the digital certificate of a subscriber;

c/ Maintaining an online database on digital certificates;

d/ Other prescribed relevant services.

7. "Asymmetric cryptosystem" means a cryptosystem capable of creating key pairs each consisting of a private key and a public key.

8. "Key" means a sequence of binaries (0 and 1) used in cryptosystems.

9. "Private key" means one key in a key pair in an asymmetric cryptosystem, which is used to create a digital signature.

10. "Public key" means one key in a key pair in an asymmetric cryptosystem, which is used to verify the digital signature created by the corresponding private key in the key pair.

11. "Digitally sign" means to incorporate a private key in a software program for the automatic creation and attachment of a digital signature to a data message.

12. "Signer" means a subscriber who uses his/her private key to digitally sign a data message with his/her own name.

13. "Recipient" means an organization or individual that receives a data message signed by a signer, uses the digital certificate of that signer to verify the digital signature in the received data message and conducts related operations and transactions.

14. "Subscriber" means an organization or individual that is issued a digital certificate, accepts that certificate and holds a private key corresponding to the public key indicated in the issued digital certificate.

15. "Suspend a digital certificate" means to temporarily invalidate that certificate at a given point of time.

16. "Revoke a digital certificate" means to permanently invalidate that certificate at a given point of time.

17. "Certification authority" means an e-signature-certification service-providing organization, which provides digital signature-certification services.

Article 4.- Certification authorities

Certification authorities include:

1. Public certification authority, which is an organization proving digital signature-certification services for agencies, organizations and individuals to use in public activities. A public certification authority operates for commercial purposes.

2. Specialized certification authority, which is an organization providing digital signature-certification services for agencies, organizations and individuals having the same operational characteristics or working purposes and associated with one another by their operation charter or a legal document that defines their common organizational structure or forms of association and operation. A specialized certification authority operates in service of internal transactions and not for commercial purposes.

3. The Root Certification Authority, which is an organization providing digital signature-certification services for public certification authorities. The Root Certification Authority is unique.

Article 5.- Policies for development of digital signature-certification services

1. The State encourages the use of digital signatures and digital signature-certification services in economic, political and social domains so as to promote online information exchange and transactions aimed at raising labor productivity; expanding trade; supporting administrative reform, increasing social utilities, improving the quality of the people’s life and maintaining security and defense.

2. The State promotes the application of digital signatures and develops digital signature-certification services through key projects for raising of public awareness; dissemination of law; development of applications; organization of human resource training; research, cooperation and transfer of technologies related to digital signatures and digital signature-certification services.

3. The State adopts preferential tax and land policies and provides other incentives to support activities of public certification authorities.

Article 6.- Responsibilities for state management of digital signature-certification services

1. The Ministry of Post and Telematics shall take responsibility before the Government for performing the state management of digital signature-certification services, specifically:

a/ Submitting to the Government for promulgation or promulgating according to its competence policies, strategies, plannings and plans on development and management of digital signature-certification services;

b/ Promulgating according to its competence legal documents on digital signatures and digital signature-certification services;

c/ Assuming the prime responsibility for, and coordinating with the Ministry of Science and Technology, the Ministry of Public Security and the Government Cipher Committee in, formulating and promulgating technical criteria and compulsory standards on digital signatures and digital signature-certification services;

d/ Assuming the prime responsibility for, and coordinating with the Ministry of Public Security and the Government Cipher Committee in managing certification authorities through the grant of licenses, issuance of certificates of qualification to ensure safety for digital signatures and papers of recognition of foreign digital signatures and certificates; supervision, inspection and handling of violations; and other necessary activities;

e/ Assuming the prime responsibility for, and coordinating with the Ministry of Science and Technology, the Ministry of Public Security and the Government Cipher Committee in, effecting international cooperation on digital signature-certification services;

f/ Establishing the Root Certification Authority and maintaining its operations.

2. The Ministry of Science and Technology, the Ministry of Public Security, the Government Cipher Committee, relevant ministries and branches and People's Committees of provinces and centrally run cities shall, within the ambit of their powers and responsibilities, coordinate with the Ministry of Post and Telematics in implementing the provisions of Clause 1 of this Article.

3. The Ministry of Public Security shall assume the prime responsibility for preventing and combating hi-tech crimes involving digital signatures and digital signature-certification services.

4. The Government Cipher Committee shall establish specialized certification authorities and maintain their operations in service of agencies within the political system.

Article 7.- Prohibited acts

1. Providing digital signature-certification services and using digital signatures to oppose the State of the Socialist Republic of Vietnam, to disturb social security, order and safety, to smuggle or conduct other activities in contravention of law or against social ethics.

2. Directly or indirectly destroying the digital signature-certification system of certification authorities; obstructing the provision and use of digital signature-certification services; forging or guiding others to forge digital certificates.

3. Stealing, getting by fraud, unduly claiming, appropriating or illegally using private keys of other persons.

4. Selling, buying or transferring public certification licenses.

Chapter II

DIGITAL SIGNATURES AND DIGITAL CERTIFICATES

Article 8.- Legal validity of digital signatures

1. When the law requires a document to contain a digital signature, a data message is considered meeting the requirement if it contains a digital signature.

2. When the law requires a document to be appended with the stamp of an agency or organization, a data message is considered meeting the requirement if it contains the digital signature of the competent person defined by the law on management and use of stamps while the safety of the digital signature is assured under the provisions of Article 9 of this Decree.

3. Foreign digital signatures and certificates recognized under the provisions of Chapter VII of this Decree have the same legal validity and effect as those issued by Vietnamese public certification authorities.

Article 9.- Conditions for safety of digital signatures

A digital signature shall be considered a safe e-signature when it meets the following conditions:

1. It is created during the term of validity of a digital certificate and is verified with the public key stated in that valid digital certificate.

2. It is created with the use of a private key corresponding to the public key indicated in the digital certificate issued by the Root Certification Authority, a public certification authority or a specialized certification authority which is granted a certificate of qualification to ensure safety for digital signatures or by a foreign certification authority accredited in Vietnam.

3. The private key is only subject to the control of the signer at the time of signing.

4. The private key and the contents of the data message are attached to the signer only when that signer has digitally signed the data message.

Article 10.- Contents of digital certificate

A digital certificate issued by the Root Certification Authority, a public certification authority or a specialized certification authority, which is granted a certificate of qualification to ensure safety for digital signatures must have the following contents:

1. The name of the certification authority.

2. The name of the subscriber.

3. The serial number of the digital certificate.

4. The term of validity of the digital certificate.

5. The public key of the subscriber.

6. The digital signature of the certification authority.

7. Restrictions on purposes and scope of use of the digital certificate.

8. Restrictions on legal liability of the certification authority.

9. Other necessary contents as prescribed by the Ministry of Post and Telematics.

Article 11.- Digital certificates of agencies and organizations

1. All holders of state titles and competent persons of agencies or organizations specified by the law on management and use of stamps are entitled to be issued digital certificates under the provisions of Clause 2, Article 8 of this Decree.

2. A digital certificate issued to a holder of a state title or a competent person of an agency or organization must state the title of that person.

3. The issuance of a digital certificate to a holder of a state title or a competent person of an agency or organization shall be based on the following documents:

a/ Documents of the agency or organization requesting the issuance of a digital signature to the competent person or the holder of a state title;

b/ Valid copy of the certificate of stamp registration of the agency, organization or state title granted in accordance with the law on management and use of stamps;

c/ Valid copy of the document certifying the title of the competent person of the agency or organization or the state title.

Article 12.- Use of digital signatures and digital certificates of agencies and organizations

1. The digital signature of a person who is issued a digital certificate under the provisions of Article 11 of this Decree shall be used only for transactions conducted within the competence of that person.

2. The signing per pro another according to law by a person competent to use his/her digital signature shall be understood to be based on the title of the signer shown in the digital certificate.

Chapter III

LICENSES FOR THE PROVISION OF PUBLIC DIGITAL SIGNATURE-CERTIFICATION SERVICES

Article 13.- Operation conditions

A certification authority may provide services to the public when meeting the following conditions:

1. Having a public certification licenses granted by the Ministry of Post and Telematics.

2. Having a digital certificate issued by the Root Certification Authority.

Article 14.- Term of license

The license granted to a public certification authority has a term of not exceeding 10 years.

Article 15.- Licensing conditions

1. Applicant conditions:

Being an enterprise set up under Vietnamese law.

2. Financial conditions:

a/ Having financial capability to establish a technical equipment system, organize and maintain operations suitable to the scope of provision of services;

b/ Having paid a collateral at a commercial bank operating in Vietnam or a having a written guarantee granted by a commercial bank operating in Vietnam, which is valued at not less than VND 5 (five) billion, or a commitment to buy insurance for handling possible risks and compensations in the provision of services and to pay expenses for the receipt and maintenance of the enterprise's database in case of revocation of its license.

3. Personnel conditions

a/ Having technical, managerial and administration staff members, security officers and customer service officers who meet the requirements on professional operations and scope of provision of services and have no criminal records;

b/ Having an at-law representative with legal knowledge about digital signatures and digital signature-certification services.

4. Technical conditions:

a/ Establishing a technical equipment system which satisfies the following requirements:

- Storing full, accurate and updated information of subscribers in service of the issuance of digital certificates throughout their validity terms;

- Ensuring that each key pair is created at random and only once, and is capable of protecting the private key even when the corresponding public key is revealed;

- Storing full, accurate and updated lists of valid and invalid digital certificates and allowing Internet users to access those lists 24 hours a day and 7 days a week;

- Being capable of discovering, warning of and blocking all illegal accesses and forms of attacks on the network and complying with information security standards;

- Being designed to minimize direct contact with the Internet environment;

- The system of distribution of keys to subscribers assures the integrity and secrecy of key pairs. When keys are distributed through a computer network, the key distribution system must use security protocols to ensure that information cannot be disclosed on line.

b/ Having feasible technical and business plans conformable with technical criteria and compulsory standards;

c/ Having plans to control the entry into and exit from the head office, the right to access the system, the right to enter and exit the place where equipment and devices used for the provision of digital signature-certification services are kept;

d/ Having contingency plans to ensure safe and smooth operations and overcome incidents;

e/ The entire equipment system used for the provision of services is located in Vietnam.

5. Other conditions:

a/ Having the head office and places of machines and equipment meeting the requirements prescribed by the law on fire prevention and fight, withstanding floods, earthquakes and electromagnetic interferences and preventing illegal human entry;

b/ Having a public certification regulation issued according to the model of the Ministry of Post and Telematics and complying with the provisions of this Decree.

Article 16.- Dossiers of application for licenses

A dossier of application for a license to provide public digital signature-certification services shall be made in six sets, each comprising:

1. An application for the grant of a public certification license to the enterprise.

2. The business registration certificate or investment certificate of the enterprise, stating its business line of providing digital signature-certification services.

3. The organization and operation charter of the enterprise.

4. A document proving the satisfaction of financial conditions specified in Clause 2, Article 15 of this Decree.

5. A scheme on the provision of services with the following principal contents:

- The business plan, including the servicing scope and target customers; service quality criteria; the financial plan and other necessary information;

- The technical plan conformable with the provisions of Clause 4 of Article 15;

- The certification regulation;

- Specific information on personal details, qualifications and degrees of employees directly involved in the provision of digital signature-certification services.

Article 17.- Verification and licensing

Within 60 working days after receiving a valid dossier of application for a license, the Ministry of Post and Telematics shall assume the prime responsibility for, and coordinate with the Ministry of Public Security, the Government Cipher Committee and concerned ministries and branches in, verifying such dossier. When the enterprise meets all the licensing conditions specified in Article 15, the Ministry of Post and Telematics shall grant it a license. In case of refusal, it shall give a written notice, clearly stating the reasons therefor.

Article 18.- Changes in licenses and re-grant of licenses

1. When wishing to change a content of its license, a public certification authority shall send a dossier of request for permission to the Ministry of Post and Telematics.

2. A dossier of request for permission to change a content of a license shall be made in six sets, each comprising a written request for request for permission to change a content of the license; a copy of the valid license; a report on the situation of operation and reasons for changing the content of the license; details of the change and other necessary documents.

3. Within 60 working days after receiving a valid dossier of request for permission to change a content of a license, the Ministry of Post and Telematics shall assume the prime responsibility for, and coordinate with the concerned ministries and branches in, verifying the dossier and conducting field inspection if necessary. When the requested change still ensures all the licensing conditions specified in Article 15, the Ministry of Post and Telematics shall grant a new license to the enterprise. When such requested change fails to ensure the licensing conditions, the Ministry of Post and Telematics shall issue a written notice clearly stating the reason.

4. In case of reorganization, a public certification authority shall report it to the Ministry of Post and Telematics for consideration and change of the contents of its license; procedures for making such changes are provided for in Clauses 2 and 3 of this Article.

5. When its license is lost, torn, burnt or otherwise destroyed, a public certification authority may apply for a new one. In order to be granted a new license, it should send a written request to the Ministry of Post and Telematics, clearly stating the reason for renewal, and pay a fee therefor.

Article 19.- Extension of licenses

1. When wishing to extend its license, a licensed public certification authority shall send a dossier of application therefor 60 days before the expiration of the license.

2. A dossier of application for extension of a license shall be made in two sets, each comprising an application for extension of a license, a copy of the still valid license, a report on the situation of operation and results of supervision and inspection of the provision of services in the last 3 years.

3. Within 60 days after receiving a valid dossier, the Ministry of Post and Telematics shall verify it and consider the extension of the license. In case of approval, the Ministry of Post and Telematics shall extend the license for the enterprise. In case of refusal, it shall issue a written notice stating the reason.

4. A license can be extended only once for not more than one year.

Article 20.- Suspension or revocation of licenses

1. A public certification authority has its license suspended in one of the following cases:

a/ It provides services in contravention of the contents of its license;

b/ It fails to meet one of the licensing conditions during the provision of services;

c/ Other circumstances prescribed by law.

2. A public certification authority has its license revoked in one of the following cases:

a/ It fails to provide services within 12 months after getting the license without justifiable reasons;

b/ It is dissolved or goes bankrupt under relevant provisions of law;

c/ Its license for the provision of public digital signature-certification services expires;

d/ It fails to remove the suspension conditions specified in Clause 1 of this Article within the duration of suspension set by a state agency.

3. Within 90 days after the revocation of its license, a public certification authority shall reach agreement with another authority, which is operating, on the delivery of its certification databases. If failing to reach such agreement, it shall report to the Ministry of Post and Telematics thereon for consideration and settlement.

4. Expenses for the receipt and maintenance of databases of a public certification authority with a revoked license shall be paid from its collateral or insurance money.

Chapter IV

OPERATIONS OF PUBLIC CERTIFICATION AUTHORITIES

Article 21.- Dossiers of application for digital certificates

A dossier of application for a digital certificate comprises:

1. An application for a digital certificate, made according to the form set by the public certification authority.

2. Enclosed papers, including:

a/ For individuals: a valid copy of the identity card, passport or another lawful personal certification paper;

b/ For organizations: a valid copy of the establishment decision or business registration certificate or a document of equivalent validity; a letter of authorization and valid copy of the identity card, passport or another lawful personal certification paper of the authorized representative of the organization;

c/ Other papers as required by the certification regulation of the public certification authority.

Article 22.- Creation and distribution of keys

1. A key pair of an organization or individual applying for a digital certificate may be created by:

a/ The applying organization or individual;

b/ The public certification authority, based on the written request of the applying organization or individual.

2. When the applying organization or individual creates by itself, herself or himself a key pair, the public certification authority should ascertain that such organization or individual uses equipment conformable with the set standards for the creation and storage of the key pair.

3. When a public certification authority creates a key pair by itself, it is required to use safe methods to hand over the private key to the applying organization or individual and may only keep a copy of the private key upon the applicant's written request.

Article 23.- Issuance of digital certificates

1. A public certification authority shall issue a digital certificate after checking and ascertaining that:

a/ The information in the dossier is accurate;

b/ The public key in the to be-issued digital certificate is unique and corresponds to the private key of the organization or individual applying for that certificate.

2. A digital certificate shall be issued only to the applicant and must contain all the information specified in Article 10 of this Decree.

3. A public certification authority may publicize a digital certificate already issued to a subscriber in its database on digital certificates only after getting the subscriber's certification of the accuracy of information in such certificate; the publicization time limit is 24 hours after getting the subscriber's certification, unless otherwise agreed upon.

4. Unless it has plausible reasons, a public certification authority may not refuse to issue digital certificates to applying organizations or individuals.

Article 24.- Extension of digital certificates

1. At least 30 days before the expiration of its digital certificate, the subscriber who wishes to extend such certificates shall make an application therefor.

2. In case of alteration of the public key in the extended digital certificate, the subscriber shall state it clearly in his/her application; the creation and distribution of keys as well as the publicization of extended digital certificates shall comply with the provisions of Articles 22 and 23 of this Decree.

Article 25.- Alteration of key pairs

When a subscriber needs to alter his/her key pair, he/she shall make an application therefor. The creation, distribution and publicization of digital certificates with new public keys shall comply with the provisions of Articles 22 and 23 of this Decree.

Article 26.- Suspension of digital certificates

1. A digital certificate shall be suspended in one of the following cases:

a/ It is so requested in writing by the subscriber and such request has been verified by a public certification authority;

b/ The public certification authority has grounds for affirming that the digital certificate was issued in contravention of the provisions of Articles 22 and 23 of this Decree or finds out an error which affects the interests of the subscriber or the recipient;

c/ It is so requested by a legal procedure-conducting body, a security body or the Ministry of Post and Telematics;

d/ Under the conditions for suspension of the digital certificate under the contract between the subscriber and the certification authority.

2. When having grounds for suspending a digital certificate, the public certification authority shall suspend such certificate while immediately notifying the subscriber thereof and announcing on its database such suspension and its starting and ending time.

3. The public certification authority shall retrieve a digital certificate when it no longer has grounds for suspending such certificate or when the suspension duration expires.

Article 27.- Revocation of digital certificates

1. A digital certificate shall be revoked in one of the following cases:

a/ It is so requested in writing by the subscriber and the request has been verified by a public certification authority;

b/ The subscriber being an individual dies or is declared missing by a court or the subscriber being an organization is dissolved or goes bankrupt under the provisions of law;

c/ It is so requested by a legal procedure-conducting body, a security body or the Ministry of Post and Telematics;

d/ Under the revocation conditions set in the contract between the subscriber and the public certification authority.

2. When having grounds for revocation of a digital certificate, a public certification authority shall revoke it, and at the same time immediately notify the subscriber of the revocation and announce the revocation on its database on digital certificates.

Article 28.- Grant of date/time stamp

1. To grant a date/time stamp means to attach information on date and time to a data message.

2. Public certification authorities may provide date/time stamp services. The provision of date/time stamp services shall comply with technical criteria and compulsory standards applicable to such services.

3. Date and time attached to a data message means the date and time a public certification authority receives that message. The date and time attached to a data message must be digitally signed by a public certification authority.

4. The date and time attached to a data message in accordance with the provisions of Clauses 1, 2 and 3 of this Article are recognized by law.

Chapter V

RIGHTS AND OBLIGATIONS OF PARTIES PROVIDING AND USING PUBLIC DIGITAL SIGNATURE-CERTIFICATION SERVICES

Section 1. RIGHTS AND OBLIGATIONS OF PUBLIC CERTIFICATION AUTHORITIES

Article 29.- Obligations in the storage and use of information on organizations and individuals applying for digital certificates

1. Public certification authorities are obliged to store private information on organizations and individuals applying for digital certificates in a confidential and safe manner and may only use that information for purposes related to the digital certificates, unless otherwise agreed upon or provided for law.

2. To pay compensations to a subscriber and recipient in the following cases:

a/ The damage is caused by the disclosure of information on the subscriber which must be kept confidential;

b/ The damage is caused by the inclusion of inaccurate information in the digital certificate, compared to the information supplied by the subscriber.

Article 30.- Obligations related to the issuance of digital certificates

In order to ensure legitimate interests for subscribers, public certification authorities are obliged to:

1. Provide to organizations and individuals applying for digital certificates before signing contracts on the issuance of such certificates the following information on:

a/ The scope and limit of the use, extent of confidentiality, charges and fees for the grant and use of digital certificates, and other information which may affect the interests of the applying organizations or individuals;

b/ The requirements on assurance of safety in the storage and use of private keys;

c/ Procedures for making complaints and settling disputes;

d/ Other contents as decided by public certification authorities themselves.

2. Make a model contract for the issuance of digital certificates.

3. Ensure safety for the whole process of creation and hand-over of digital certificates to subscribers.

4. Be answerable to subscribers and recipients for the accuracy of information on digital certificates.

5. Pay compensations to subscribers and recipients for any damage caused by digital certificates, which are issued in contravention of the provisions of this Decree.

Article 31.- Obligations related to the extension of digital certificates

1. Upon receipt of a subscriber's request under the provisions of Article 24 of this Decree, a public certification authority shall carry out all procedures for the extension of the digital certificate of that subscriber before it expires.

2. Public certification authorities shall pay compensations to subscribers and recipients for any damage caused by the violation of Clause 1 of this Article.

Article 32.- Rights and obligations related to the suspension and retrieval of digital certificates

Public certification authorities are obliged to:

1. Ensure that the communication channel for the receipt of requests for the suspension of digital certificates operates 24 hours a day and 7 days a week.

2. Store all information on the suspension of digital certificates for at least 5 years after those certificates are suspended.

3. Fulfill all obligations related to the confidentiality of personal information and private keys of subscribers in accordance with this Decree throughout the duration of suspension of digital certificates.

4. Pay compensations to concerned parties for damage caused by the authorities' non-compliance with the provisions of Clauses 2 and 3, Article 26 of this Decree.

Article 33.- Obligations related to the revocation of digital certificates

Public certification authorities are obliged to:

1. Ensure that the communication channel for the receipt of requests for revocation of digital certificates operates 24 hours a day and 7 days a week.

2. Store all information on the revocation of digital certificates and the revoked certificates for at least 5 years after such digital certificates are revoked.

3. Keep secret private keys of subscribers when so authorized by subscribers and store information relating to digital certificates of subscribers for at least 5 years after those certificates are revoked.

4. Pay compensations to concerned parties for damage caused by the authorities' non-compliance with the provisions of Article 27 of this Decree.

Article 34.- Obligations related to the management of keys

Public certification authorities are obliged to:

1. Keep secret the whole process of creating key pairs for organizations and individuals applying for digital certificates.

2. Make use of all means and try their best to notify subscribers and concurrently apply timely remedies when discovering that the private keys of subscribers are disclosed, their integrity no longer exists or there is an error which may adversely affect the subscribers' interests.

3. Recommend subscribers to alter their key pairs when necessary so as to ensure the highest reliability and safety for their key pairs.

4. Pay compensations to subscribers and recipients for damage caused by the revelation of the process of creation of keys or by the disclosure of private keys of subscribers in the process of handing over such private keys or keeping them, for cases where public certification authorities hold those keys.

Article 35.- Obligation to suspend the issuance of new digital certificates

1. Public certification authorities shall suspend the issuance of new digital certificates in the following cases:

a/ Upon detection of errors in their service systems which may affect the interests of subscribers and recipients;

b/ Upon requests of competent state agencies.

2. When suspending the issuance of new digital certificates, public certification authorities shall publicly announce it on their websites and report it to competent state agencies.

3. During the suspension of the issuance of new digital certificates, public certification authorities shall maintain their databases on the issued digital certificates.

Article 36.- Obligation to publicize information

Public certification authorities shall publicize and maintain on their websites 24 hours a day and 7 days a week the following information:

1. The certification regulation and digital certificates.

2. The list of digital certificates of subscribers which are still valid, which have been suspended and which have been revoked.

3. Other necessary information.

Article 37.- Obligation to buy risk insurance

In case of having no collateral or bank guarantee as provided for in Clause 2, Article 15 of this Decree, public certification authorities shall buy insurance to handle possible risks, pay possible compensations to subscribers and recipients for damage caused by their faults, and pay expenses for the receipt and maintenance of their databases by other public certification authorities if their licenses are revoked.

Article 38.- Obligations related to the application for and observance of licenses

Public certification authorities are obliged to:

1. Take full responsibility before law for the accuracy of their dossiers of application for licenses.

2. Organize and maintain operations in strict compliance with the contents of their licenses and commitments in their application dossiers.

3. Pay charges and fees according to regulations.

Article 39.- Rights and obligations related to the revocation of licenses for the provision of public digital signature-certification services

1. Public certification authorities with revoked licenses shall deliver documents and databases on digital signatures and the issuance of digital certificates to the receiving organization prescribed in Clause 3, Article 20 of this Decree.

2. Public certification authorities with revoked licenses are obliged to notify subscribers of the revocation of their licenses and information on the organizations receiving their databases. When an enterprise has its license revoked because it no longer wants to provide services, it shall notify of the revocation of its license at least 3 months before it stops providing services.

3. Organizations receiving databases from certification authorities with revoked licenses shall take over the latter's rights and obligations towards subscribers and recipients.

4. Three years after the revocation of their licenses, public certification authorities may apply for new licenses. The re-licensing conditions and procedures are the same as for the first-time licensing.

Article 40.- Other rights and obligations

1. To make reports on a periodical basis or upon request of competent state agencies.

2. To submit to competent state agencies supervision, inspection and handling of violations.

3. To supply legal procedure-conducting bodies or security bodies with necessary information for assurance of information security and for criminal investigation according to the process and procedures prescribed by procedural law.

4. In cases of emergency provided for by the law on the state of emergency or in order to safeguard national security, public certification authorities are obliged to render all necessary assistance at the request of competent state agencies.

Section 2. RIGHTS AND OBLIGATIONS OF SUBSCRIBERS OF PUBLIC CERTIFICATION AUTHORITIES

Article 41.- Rights and obligations of subscribers in the supply of information

Subscribers of public certification authorities have the following rights and obligations:

1. To supply public certification authorities with truthful and accurate personal information and produce papers for the issuance of digital certificates; to take responsibility before law for damage incurred by their violations of this provision.

2. To request public certification authorities to supply written information specified in Clause 1, Article 30 of this Decree.

3. To supply private keys and necessary information for legal procedure-conducting bodies or security bodies for ensuring national security or conducting criminal investigation in accordance with law.

Article 42.- Creation, use and management of keys

Subscribers of public certification authorities have the following rights and obligations:

1. To ensure that equipment used for the creation of key pairs meets technical criteria and compulsory standards, if they create key pairs for themselves. This provision does not apply to subscribers who lease equipment for the creation of key pairs from public certification authorities.

2. To store and use their private keys in a safe and secret manner throughout the validity and suspension durations of their digital certificates.

3. If detecting that their private keys have been disclosed, stolen or illegally used, to immediately notify the relevant certification authorities thereof so that the latter can take handling measures.

4. To take responsibility before law for damage caused by their violations of the provisions of Clauses 1, 2 and 3 of this Article.

Article 43.- Legal liability

1. After having agreed to allow public certification authorities to publicize their digital certificates under the provisions of Clause 3, Article 23 of this Decree or having supplied those certificates to others for transactional purposes, subscribers shall be considered having committed with recipients that they are holders of private keys corresponding to public keys on such digital certificates and information on those certificates relating to subscribers are true; they shall, at the same time, perform obligations in relation to such certificates.

2. To have the right to request concerned certification authorities to suspend or revoke the issued digital certificates and take responsibility for such request.

Section 3. OBLIGATIONS OF RECIPIENTS

Article 44.- Obligation to check information

1. Before accepting the digital signature of a signer, a recipient shall check the following information:

a/ The validity, scope of the use, limits of responsibilities and other information relating to the signer's digital certificate;

b/ Whether the digital signature is created by a private key corresponding to the public key on the signer's digital certificate.

2. The recipient is liable for damage incurred in the following cases:

a/ The recipient fails to comply with the provisions of Clause 1 of this Article;

b/ The recipient has known or been notified of the unreliability of the signer's digital certificate and private key.

Chapter VI

SPECIALIZED CERTIFICATION AUTHORITIES

Section 1. CONDITIONS AND PROCEDURES FOR REGISTRATION OF OPERATION OF SPECIALIZED CERTIFICATION AUTHORITIES

Article 45.- Conditions for operation of specialized certification authorities

A specialized certification authority must satisfy the following conditions:

1. Having enough professional technical and managerial personnel suited to the provision of digital signature-certification services.

2. Having an equipment system for the provision of services up to national security and safety standards.

Article 46.- Process and procedures for registration of operation of specialized certification authorities

Before starting operation, a specialized certification authority shall register with the Ministry of Post and Telematics the following contents:

1. The name and address of its head office.

2. Detailed information on its head and the person responsible for the administration of the equipment system for the provision of services.

3. The scope and target customers of services provided.

4. Applicable technical criteria and standards.

Article 47.- Rights and obligations of specialized certification authorities

A specialized certification authority has the following rights and obligations:

1. To issue regulations on the provision of services.

2. To issue regulations on the rights and obligations of involved parties in compliance with relevant legal provisions and principles of the legal system of Vietnam.

3. To submit to competent state agencies' supervision, inspection and handling of violations.

4. To supply to legal procedure-conducting bodies or security bodies necessary information for the assurance of information security or for criminal investigation according to the process and procedures prescribed by procedural law.

5. In cases of emergency prescribed by the law on the state of emergency or in order to ensure national security, a specialized certification authority is obliged to render all necessary assistance at the request of competent state agencies.

6. A specialized certification authority may request the Ministry of Post and Telematics to issue certificates of qualification to ensure safety for digital signatures under the provisions of Article 9 of this Decree. The conditions and procedures for the issuance of certificates of qualification to ensure safety for digital signatures shall comply with the provisions of Articles 48, 49 and 50 of this Decree.

Section 2. CONDITIONS AND PROCEDURES FOR THE ISSUANCE OF CERTIFICATES OF QUALIFICATION TO ENSURE SAFETY FOR DIGITAL SIGNATURES

Article 48.- Conditions for the issuance of certificates of qualification to ensure safety for digital signatures

Specialized certification authorities may be granted certificates of qualification to ensure safety for digital signatures only when meeting the personnel and technical conditions and other conditions specified in Clauses 3, 4 and 5, Article 15 of this Decree.

Article 49.- Dossiers of application for certificates of qualification to ensure safety for digital signatures

A dossier of application for a certificate of qualification to ensure safety for digital signatures shall be made in six sets, each comprising:

1. An application for a certificate of qualification to ensure safety for digital signatures.

2. The establishment decision and operation charter of the authority.

3. The service-provision scheme covering:

a/ The scope and target customers of services provided and other necessary information;

b/ The technical plan to ensure the observance of the provisions of Article 48 of this Decree;

c/ The certification regulation;

d/ Detailed information on personal details, qualifications and diplomas of the authority's employees to be directly engaged in the provision of digital signature-certification services.

Article 50.- Verification of dossiers and issuance of certificates of qualification to ensure safety for digital signatures

Within 60 working days after receiving a dossier of application for a certificate of qualification to ensure safety for digital signatures, the Ministry of Post and Telematics shall assume the prime responsibility for, and coordinate with the Ministry of Public Security, the Government Cipher Committee and concerned ministries and branches in, verifying the dossier and conducting field inspection. If the dossier satisfies the conditions on the provision of services specified in Article 48, the Ministry of Post and Telematics shall issue a certificate of qualification to ensure safety for digital signatures to the applying authority. When the applying authority fails to satisfy the conditions, the Ministry of Post and Telematics shall issue a written notice stating the reason therefor.

Article 51.- Rights and obligations of specialized certification authorities with certificates of qualification to ensure safety for digital signatures

A specialized certification authority with a certificate of qualification to ensure safety for digital signatures has the following rights and obligations:

1. To issue regulations on operations, rights and obligations of involved parties in compliance with relevant legal provisions and principles of Vietnam's legal system.

2. To make reports on a periodical basis or at the request of competent state agencies.

3. To submit to competent state agencies' supervision, inspection and handling of violations.

4. To supply to legal procedure-conducting bodies or security bodies necessary information for assurance of information security and for criminal investigation strictly according to the legal process and procedures.

5. In cases of emergency specified by the law on the state of emergency or in order to maintain national security, a specialized certification authority with a certificate of qualification to ensure safety for digital signatures is obliged to render all necessary assistance at the request of competent state agencies.

Chapter VII

RECOGNITION OF DIGITAL SIGNATURES, DIGITAL CERTIFICATES AND PROVISION OF SERVICES BY FOREIGN CERTIFICATION AUTHORITIES

Article 52.- Recognition of foreign digital signatures and certificates

1. Foreign digital signatures and certificates shall be recognized when foreign certification authorities issuing those certificates are granted a paper of recognition of foreign digital signatures and certificates by the Ministry of Post and Telematics.

2. A foreign certification authority may be granted a paper of recognition of foreign digital signatures and certificates when meeting the following conditions:

a/ The nation where the foreign certification authority registers operation has signed or acceded to a treaty on recognition of foreign digital signatures and certificates to which Vietnam has acceded.

b/ It has a license or certificate of qualification for the provision of digital signature-certification services and is operating.

c/ The reliability of digital signatures and digital certificates it issues is not lower than that of those issued by Vietnam's public certification authorities.

d/ It has a representative office in Vietnam for dealing with relevant matters.

Article 53.- Dossiers of application for the grant of papers of recognition of foreign digital signatures and certificates

A dossier of application for the grant of a paper of recognition of foreign digital signatures and certificates shall be made in six sets, each comprising:

1. The foreign certification authority's application for recognition of its foreign digital signatures and certificates.

2. Documents proving the satisfaction of all the conditions specified in Clauses 1, 2, 3 and 4, Article 52 of this Decree.

3. A receipt of the verification fee.

4. Other contents as requested by the Ministry of Post and Telematics.

Article 54.- Verification of dossiers and grant of papers of recognition of foreign digital signatures and digital certificates

Within 60 working days after receiving a dossier of application for a paper of recognition of foreign digital signatures and certificates, the Ministry of Post and Telematics shall assume the prime responsibility for, and coordinate with the Ministry of Public Security, the Government Cipher Committee and concerned ministries and branches in, verifying the dossier. If the dossier satisfies the conditions specified in Article 52, the Ministry of Post and Telematics shall grant a paper of recognition of foreign digital signatures and certificates to the foreign certification authority. If the dossier fails to satisfy the prescribed conditions, the Ministry of Post and Telematics shall issue a written notice stating the reason therefor.

Article 55.- Provision of services by foreign certification authorities

1. Investment in the provision of services by foreign certification authorities in Vietnam shall comply with the provisions of investment law and treaties on digital signature-certification services to which Vietnam has signed or acceded.

2. Operations of foreign certification authorities in Vietnam shall comply with the regulations on operation conditions, operations, rights and obligations of public certification authorities.

Chapter VIII

THE ROOT CERTIFICATION AUTHORITY

Article 56.- Establishment of the Root Certification Authority

1. The establishment of the Root Certification Authority shall comply with the provisions of Clauses 3, 4 and 5, Article 15 of this Decree.

2. The Root Certification Authority shall issue digital certificates for itself.

Article 57.- Provision of services by, rights and obligations of, the Root Certification Authority

The issuance and management of digital certificates by the Root Certification Authority, the rights and obligations of concerned parties shall comply with the provisions of Chapter IV and Chapter V of this Decree. Accordingly, the Root Certification Authority shall play the role of a public certification authority while public certification authorities shall play the role of subscribers, with the following amendments and supplements:

1. The dossier of application for a digital certificate prescribed in Article 21 of this Decree shall be added with a license of the public certification authority which is granted by the Ministry of Post and Telematics.

2. The key pair prescribed in Article 22 of this Decree is created by the public certification authority in its own system.

3. The inspection conducted before the issuance of a digital certificate prescribed in Clause 1, Article 23 of this Decree shall also cover incpection of the operation conditions specified in Clauses 4 and 5, Article 15 of this Decree.

4. The information to be made public under the provisions of Article 36 of this Decree shall be published on the website of the Root Certification Authority or a public certification authority.

Chapter IX

DISPUTES, COMPLAINTS, DENUNCIATIONS AND COMPENSATION

Article 58.- Settlement of disputes

Disputes between parties in the provision and use of public digital signature-certification services shall be settled on the basis of contracts between the parties and relevant provisions of law.

Article 59.- Complaints and denunciations

Complaints against administrative decisions and administrative acts regarding digital signatures and digital signature-certification services; denunciations with competent state agencies about acts of violation in relation to digital signatures and digital signature-certification services shall be made in compliance with the law on complaints and denunciations.

Article 60.- Compensations for damage

1. Organizations or individuals causing damage to others in the provision and use of digital signature-certification services shall pay compensations in accordance with law.

2. The Ministry of Post and Telematics shall specify compensation principles and levels in the provision and use of digital signature-certification services.

Chapter X

SUPERVISION, INSPECTION AND HANDLING OF VIOLATIONS

Article 61.- Supervision, inspection

1. Public and specialized certification authorities with certificates of qualification to ensure safety for digital signatures are subject to annual inspection by the Ministry of Post and Telematics of their observance of the provisions of this Decree.

Inspection results shall be publicized on the website of the Ministry of Post and Telematics.

2. Certification authorities and organizations and individuals using certification services are subject to supervision and inspection by competent state agencies in accordance with law.

3. The supervision of organizations and individuals that manage, provide and use digital signature-certification services shall be conducted in accordance with the supervision law.

Article 62.- Violations of principles on operation conditions

1. A fine of between VND 1,000,000 and VND 2,000,000 shall be imposed for acts of failing to fill in the procedures for renewal of one of the following papers which are lost or damaged to the extent that their contents are unreadable:

a/ License for the provision of public digital signature-certification services;

b/ Certificate of qualification to ensure safety for digital signatures;

c/ Paper of recognition of foreign digital signatures and digital certificates.

2. A fine of between VND 4,000,000 and VND 10,000,000 shall be imposed for one of the following acts:

a/ Failing to carry out the procedures for renewal of a license for the provision of public digital signature-certification services within the time limit specified in Clause 1, Article 19 of this Decree;

b/ Failing to send within the time limit specified in Clause 1, Article 19 of this Decree a dossier of application for extension of a license for the provision of public digital signature-certification services upon receipt of written notices from the Ministry of Post and Telematics;

c/ Providing specialized certification services that fail to meet the conditions specified in Clause 1, Article 45 of this Decree.

3. A fine of between VND 10,000,000 and VND 20,000,000 shall be imposed for one of the following acts:

a/ Erasing or modifying contents of a certificate of qualification to ensure safety for digital signatures;

b/ Buying, selling, transferring, leasing, lending, renting or borrowing a certificate of qualification to ensure safety for digital signatures;

c/ Supplying untruthful information and documents for the purpose of registering operation or applying for a certificate of qualification to ensure safety for digital signatures.

4. A fine of between VND 20,000,000 and VND 40,000,000 shall be imposed for one of the following acts:

a/ Erasing or modifying contents of a license for the provision of public digital signature-certification services;

b/ Erasing or modifying contents of a paper recognizing foreign digital signatures and certificates;

c/ Buying, selling, transferring, leasing, lending, renting or borrowing a paper defined at Points a and b, Clause 1 of this Article;

d/ Supplying untruthful information or documents for the purpose of applying for a license for the provision of public digital signature-certification services or for modification or extension of such licenses;

e/ Supplying untruthful information or documents for the purpose of applying for a paper recognizing foreign digital signatures and certificates;

f/ Failing to satisfy the personnel conditions specified in Clause 3, Article 15 of this Decree in the process of providing certification services;

g/ Storing copies of private keys without written requests of organizations or individuals applying for digital certificates.

5. A fine of between VND 50,000,000 and VND 70,000,000 shall be imposed for one of the following acts:

a/ Providing public certification services without a license granted by the Ministry of Post and Telematics or a digital certificate issued by the Root Certification Authority;

b/ Providing public certification services after the expiration of the digital certificate issued by the Root Certification Authority or of the public certification license.

6. A fine of between VND 70,000,000 and VND 100,000,000 shall be imposed for one of the following acts:

a/ Failing to buy insurance though having no collateral or guarantee under the provisions of Article 37 of this Decree;

b/ Failing to satisfy the financial conditions specified in Clause 2, Article 15 of this Decree in the process of providing public certification services;

c/ Failing to store full, accurate and updated information of subscribers for the issuance of digital certificates throughout the validity terms of those certificates.

Article 63.- Violations of regulations on safety and security

1. A fine of between VND 5,000,000 and VND 10,000,000 shall be imposed for one of the following acts:

a/ Illegally obstructing the use of digital certificates;

b/ Illegally storing private keys of others;

c/ Storing information on organizations or individuals applying for digital certificates without ensuring its confidentiality and safety;

d/ Using information on organizations or individuals applying for digital certificates in contravention with law;

e/ Failing to ensure safety in the process of creating or handling over digital certificates to subscribers.

2. A fine between VND 10,000,000 and VND 30,000,000 shall be imposed for one of the following acts:

a/ Stealing, getting by fraud, unduly claiming or appropriating private keys of others;

b/ Copying, disclosing or supplying private keys of subscribers in contravention of law;

c/ Accessing, disclosing or illegally using information of subscribers and certification authorities;

d/ Failing to ensure confidentiality of the whole process of creating key pairs;

e/ Using equipment not up to technical criteria and compulsory standards to create key pairs;

f/ Employing unsafe methods to hand over private keys to organizations or individuals applying for digital certificates;

g/ Creating key pairs in contravention of law;

h/ Failing to keep secret information on subscribers and their private keys throughout the duration of suspension of digital certificates;

i/ Illegally modifying information on subscribers and organizations providing digital signature-certification services;

j/ Failing to keep secret private keys of subscribers under their authorization.

3. A fine of between VND 30,000,000 and VND 50,000,000 shall be imposed for one of the following acts:

a/ Using software or technical equipment to illegally access equipment systems or databases of certification authorities, which, however, is not serious enough for examination of penal liability;

b/ Disclosing or illegally supplying private keys of specialized certification authorities;

c/ Illegally using private keys of others;

d/ Forging or guiding others to forge digital certificates;

e/ Creating digital signatures without satisfying one of the conditions specified in Article 9 of this Decree;

f/ Using technical equipment systems incapable of detecting and warning of illegal accesses and forms of attacks on the network;

g/ Using systems of distribution of keys to subscribers without ensuring integrity and confidentiality of key pairs;

h/ Failing to implement plans to control the entry into and exit from head offices or places of equipment used for the provision of certification services;

i/ Failing to implement plans to control the right to access the system of digital signature-certification services;

j/ Illegally using private keys of specialized certification authorities;

k/ Stealing private keys of specialized certification authorities;

l/ Violating other regulations on safety and security under the provisions of law.

4. A fine of between VND 50,000,000 and VND 70,000,000 shall be imposed for one of the following acts:

a/ Illegally obstructing operations of certification authorities;

b/ Illegally using private keys of public certification authorities;

c/ Disclosing or illegally supplying private keys of public certification authorities;

d/ Stealing private keys of public certification authorities.

5. A fine of between VND 70,000,000 and VND 100,000,000 shall be imposed for one of the following acts:

a/ Failing to implement or incompletely implement contingency plans for safety maintenance and smooth operation and remedy of possible incidents;

b/ Stealing private keys of the Root Certification Authority;

c/ Illegally disclosing or supplying private keys of the Root Certification Authority;

d/ Illegally using private keys of the Root Certification Authority;

e/ Destroying equipment and databases of certification authorities, which is, however, not serious enough for examination of penal liability;

f/ Failing to respond to or improperly responding to requests of competent state agencies in cases of emergency as provided for by the law on the state of emergency or in order to ensure national security.

Article 64.- Violations of regulations on technical criteria and compulsory standards

1. A fine of between VND 10,000,000 and VND 30,000,000 shall be imposed on specialized certification authorities for acts of providing certification services at variance with registered standards.

2. A fine of between VND 30,000,000 and VND 50,000,000 shall be imposed on public certification authorities for acts of providing digital signature-certification services not up to registered standards.

3. A fine of between VND 50,000,000 and VND 70,000,000 shall be imposed for one of the following acts:

a/ Having technical plans failing to ensure technical criteria in the operation process;

b/ Providing digital signature-certification services at variance with technical criteria and compulsory standards.

Article 65.- Violations of regulations on prices, charges and fees

1. Acts of violation of service prices in the provision of digital signature-certification services shall be handled under the Government's Decree No. 169/2004/ND-CP of September 22, 2004, on sanctioning of administrative violations in the pricing domain.

2. Acts of violation of charges and fees in the provision of digital signature-certification services shall be handled under the Government's Decree No. 106/2003/ND-CP of September 23, 2003, on sanctioning of administrative violations in the domain of charges and fees.

Article 66.- Violations of regulations on the provision of services

1. A fine of between VND 1,000,000 and VND 5,000,000 shall be imposed for one of the following acts:

a/ Providing improper or incomplete guidance on information specified in Clause 1, Article 30 of this Decree;

b/ Failing to provide written guidance to organizations and individuals applying for digital certificates before signing contracts on the issuance of such certificates;

c/ Failing to extend digital certificates of subscribers at their request according to regulations;

d/ Failing to ensure that the communication channel operates 24 hours a day and 7 days a week for the receipt of requests for revocation or suspension of digital certificates;

e/ Failing to store information on revoked digital certificates for at least 5 years after their revocation;

f/ Failing to supply written information specified in Clause 1, Article 30 at the subscribers' request.

2. A fine of between VND 5,000,000 and VND 10,000,000 shall be imposed for one of the following acts:

a/ Failing to notify subscribers when detecting that their private keys have been disclosed, lack integrity or detecting other errors which may adversely affect their interests;

b/ Failing to notify subscribers of the revocation of their licenses for the provision of digital signature-certification services and information on organizations receiving their databases;

c/ Failing to notify subscribers before stopping to provide services within the time limit specified in Clause 2, Article 39 of this Decree;

d/ Failing to notify subscribers of the suspension and its starting and ending time when having grounds for suspension of digital certificates of such subscribers;

e/ Failing to publicize the suspension of issuance of new digital certificates on the website;

f/ Refusing to issue digital certificates without a plausible reason;

g/ The certification regulation is publicized not in the form set by the Ministry of Post and Telematics or has contents contrary to the provisions of this Decree;

h/ Failing to publicize the certification regulation in the forms set by the Ministry of Post and Telematics;

i/ Failing to notify subscribers of the revocation of their digital certificates;

j/ Failing to register with the Ministry of Post and Telematics according to the provisions of Article 46 of this Decree;

k/ Failing to make model contracts for the issuance of digital certificates;

l/ Failing to provide date/time-stamp services up to technical criteria and compulsory standards;

m/ Failing to report to competent state agencies on the suspension of the issuance of new digital certificates.

3. A fine of between VND 10,000,000 and VND 20,000,000 shall be imposed for one of the following acts:

a/ Publicizing digital certificates issued to subscribers in databases without the subscribers' certification of the accuracy of information on such digital certificate;

b/ Failing to announce on the website digital certificates which are newly issued, suspended or revoked or the starting and ending time of the suspension;

c/ Failing to retrieve digital certificates upon the end of the suspension duration;

d/ Failing to store all information related to the suspension or revocation of digital certificates for at least 5 years;

e/ Failing to make agreement on the delivery of databases related to the provision of public digital signature-certification services upon the revocation of the license for the provision of such services;

f/ Failing to report to the Ministry of Post and Telematics on the failure to make agreement on the delivery of databases related to the provision of public digital signature-certification services upon the revocation of the license for the provision of such services;

g/ Altering key pairs without subscribers' request;

h/ Failing to store information on organizations and individuals applying for digital certificates.

4. A fine of between VND 20,000,000 and VND 40,000,000 shall be imposed for one of the following acts:

a/ Failing to suspend digital certificates at the request of subscribers or competent state agencies;

b/ Failing to revoke digital certificates at the request of subscribers or competent state agencies;

c/ Wrongly publicizing the contents of digital certificates in one's own database;

d/ Digital certificates having inadequate contents as prescribed in Article 10 of this Decree;

e/ Issuing digital certificates not suitable to the titles in a state agency or organization as provided for in Article 11 of this Decree or in contravention of law.

f/ Not allowing Internet users to access lists of valid and invalid digital certificates;

g/ Failing to comply with the suspension or revocation of licenses according to the provisions of Clauses 1 and 2, Article 20 of this Decree;

h/ Failing to publicize digital certificates issued to subscribers in databases within the time limit specified in Clause 3, Article 23 of this Decree;

i/ Granting date/time stamps in contravention of the provisions of Clause 3, Article 28 of this Decree;

j/ Failing to suspend the issuance of new digital certificates upon detection of errors in the certification system.

5. A fine of between VND 40,000,000 and VND 70,000,000 shall be imposed for one of the following acts:

a/ Failing to deliver documents and databases according to the provisions of Clause 1, Article 39 of this Decree;

b/ Failing to report to the Ministry of Post and Telematics for consideration on changes in the contents, the revocation or renewal of licenses in strict accordance with regulations on licenses upon merger, joint venture, association or organizational restructuring of public certification authorities;

c/ Organizing or providing digital signature-certification services at variance with the contents of licenses for the provision of public digital signature-certification services;

d/ Failing to suspend the issuance of new digital certificates at the request of competent state agencies;

e/ Failing to maintain database systems related to the issued digital certificates during the suspension of issuance of new digital certificates.

6. A fine of VND 70,000,000 and VND 100,000,000 shall be imposed for one of the following acts:

a/ Failing to maintain on line lists of valid and invalid digital certificates 24 hours a day and 7 days a week;

b/ Failing to store full, accurate and updated lists of valid and invalid digital certificates for at least 5 years;

c/ The certification authorities which are granted by the Ministry of Post and Telematics licenses for the provision of public digital signature-certification services or certificates of qualification to ensure safety for digital signatures failing to base their certification equipment system in Vietnam.

d/ Failing to maintain on the website information specified in Article 36 of this Decree 24 hours a day and 7 days a week.

Article 67.- Violation of regulations on the use of services

1. A fine of between VND 10,000,000 and VND 20,000,000 shall be imposed for acts of supplying private keys or necessary information for legal procedure-conducting bodies or security bodies.

2. A fine of between VND 20,000,000 and VND 30,000,000 shall be imposed for one of the following acts:

a/ Supplying untruthful information for the purpose of applying for digital certificates;

b/ Using digital signatures corresponding to digital certificates of agencies or organizations defined in Article 12 of this Decree when no longer holding the titles corresponding to those certificates.

Article 68.- Violation of regulations on reporting, information supply, supervision and inspection

A fine of between VND 5,000,000 and VND 15,000,000 shall be imposed for one of the following acts:

Violations of reporting regulations:

1. Supplying untruthful or insufficient information upon request made by competent state agencies in accordance with law.

2. Failing to comply with the supervision and inspection by competent state agencies.

Article 69.- Additional sanctions and remedies

Apart from the principal sanctions, depending on the nature and severity of their violations, organizations or individuals may also be subject to one or several of the following additional sanctions or remedies:

1. Suspension or termination of the issuance of new digital certificates, for one of the acts of violation specified at Point c, Clause 2 of Article 62; Point d, Clause 2 of Article 63; Article 64; and Point b, Clause 2, Points a, c and d, Clause 3 of Article 66, of this Decree.

2. Revocation of licenses for the provision of public digital signature-certification services or certificates of qualification to ensure safety for digital signatures or papers of recognition of foreign digital signatures and certificates, for one of the acts of violation specified at Points b and c, Clause 2 of Article 62; Point d, Clause 2 of Article 63; Article 64; and Point b, Clause 2, Points a, c and d, Clause 3 of Article 66, of this Decree.

3. Confiscation of material evidences and means used in the commission of administrative violations, for one of the acts of violation specified at Point b, Clause 2 of Article 62; Clause 1, Point a, b, c and d, Clause 2, Points a, b, c and d, Clause 3, and Point a, Clause 4 of Article 63; and Point c, Clause 2 of Article 66, of this Decree.

4. Forcible restoration of the original state which has been altered due to administrative violations, for one of the acts of violation specified at Point b, Clause 1, Point b, Clause 3 of Article 63 of this Decree.

5. Forcible compliance with state regulations, for acts of violation specified in Clause 1, Points a and c, Clause 2 and Clause 3 of Article 62; Point d, Clause 2, Point d, Clause 3 of Article 63; Article 64; Clause 1, Points a and b, Clause 2 and Clause 3 of Article 66 and Article 68 of this Decree.

Article 70.- Sanctioning competence

1. Inspectors specialized in post, telecommunications and information technology who are on duty have the competence:

a/ To impose fines of up to VND 200,000;

b/ To confiscate material evidences and means used in the commission of administrative violations which are worth up to VND 2,000,000;

c/ To apply remedies under the provisions of Clauses 4 and 5, Article 69 of this Decree;

d/ To exercise powers defined in Clause 2 of Article 46 and Clause 2 of Article 48 of the Ordinance on Handling of Administrative Violations.

2. Chief inspectors of provincial/municipal Post and Telematics Services have the competence:

a/ To impose fines of up to VND 20,000,000;

b/ To apply additional sanctions and remedies under the provisions of Article 69 of this Decree;

d/ To exercise powers defined in Clause 1 of Article 46 of the Ordinance on Handling of Administrative Violations.

3. The chief inspector of the Ministry of Post and Telematics has the competence:

a/ To impose fines of up to VND 100,000,000;

b/ To apply additional sanctions and remedies under the provisions of Article 69 of this Decree;

d/ To exercise powers defined in Clause 1, Article 46 of the Ordinance on Handling of Administrative Violations.

4. Inspectors and chief inspectors of other specialized inspection agencies have the same competence to sanction administrative violations in the domain of digital signatures and digital signature-certification services as inspectors specialized in post, telecommunications and information technology within the scope of their management provided for by the Government.

People's security forces, customs, tax and market control forces have the competence specified in Articles 31, 34, 36 and 37 of the Ordinance on Handling of Administrative Violations to sanction administrative violations of digital signatures and digital signature-certification services which are directly related to their management domains specified in this Decree.

5. Sanctioning competence of People's Committees at all levels

Presidents of People's Committees at all levels have the competence prescribed in Articles 28, 29 and 30 of the Ordinance on Handling of Administrative Violations to sanction administrative violations of digital signatures and digital signature-certification services under the provisions of this Decree.

Article 71.- Sanctioning principles, statute of limitations and procedures; aggravating and extenuating circumstances

The sanctioning principles, statute of limitations and procedures, aggravating and extenuating circumstances as well as time limits for consideration as having not yet been sanctioned for administrative violations of digital signatures and digital signature-certification services shall comply with the provisions of he Ordinance on Handling of Administrative Violations.

Article 72.- Examination for penal liability

Acts of abusing digital signatures and digital signature-certification services to oppose the State of the Socialist Republic of Vietnam and disturb social security, order and safety and other serious acts of violation related to digital signatures and digital signature-certification services which show criminal signs shall be examined for penal liability in accordance with law.

Chapter XI

IMPLEMENTATION PROVISIONS

Article 73.- Implementation provisions

This Decree takes effect 15 days after its publication in "CONG BAO."

Ministers, heads of ministerial-level agencies, heads of government-attached agencies and presidents of provincial/municipal People's Committees shall implement this Decree.

Thủ tướng

(Signed)

 

Nguyen Tan Dung

 
This div, which you should delete, represents the content area that your Page Layouts and pages will fill. Design your Master Page around this content placeholder.