SUBJECT: PROVIDING IMPLEMENTING RULES AND REGULATIONS ON ELECTRONIC AUTHENTICATION AND ELECTRONIC SIGNATURES

(a) a signature, contract or other record relating to such transaction may not be denied legal effect, validity or enforceability solely because it is in electronic form; and

(b) A contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic document was used in its formation.

(a) "Asymmetric or public cryptosystem" is the type of signature creation technology and refers to a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key for verifying the digital signature.

(b) "Certificate" means an electronic document issued to support a secure electronic signature which purports to confirm the identity or other significant characteristics of the person who, in the case of digital signatures, holds a particular key pair or, in other cases, such signature creation or verification device or method as may be applicable under the circumstance.

(c) "Certification authority" is a type of information certifier which, in the course of its business, engages in issuing certificates in relations to cryptographic keys used for the purposes of digital signatures.

(d) "Digital Signature" is a type of secure electronic signature consisting of a transformation of an electronic document or an electronic data message using asymmetric or public cryptosystem such that a person having the initial untransformed electronic document and the signer’s public key can accurately determine;

(e) "Electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic messages or documents, in whole or in part, without review or action by an individual at the time of action or response.

(f) "Electronic authority signature" refers to an electronic signature that establishes the authority, position or attribute of the signer as the duly authorized proxy, agent or representative of another person, and therefore, by such signature to bind the latter as if he had created and/or issued the electronic signature himself.

(g) "Electronic data message" refers to information generated, sent, received or stored by electronic, optical or similar means.

(h) "Electronic document" refers to information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented by which a right is established or an obligation extinguished or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically. It includes documents signed with secure electronic signatures and any printout or output, readable by sight or other means, which accurately reflects the electronic data message or electronic document. For purposes of these Rules, the term "electronic document" may be used interchangeably with "electronic data message."

(i) "Electronic signature" refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person, and attached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document. For purposes of these Rules, electronic signatures include digital signatures and secure electronic signatures.

(j) "Information and communication system" refers to a system intended for and capable of generating, sending, receiving, storing or otherwise processing electronic data message or electronic documents and includes the computer system or other similar device by or in which data is recorded or stored and any procedures related to the recording or storage of electronic data message or electronic document.

(k) "Information Certifier" means any person who, or entity which in curse of its business, issues certificates as means of providing identification services and/or certifying information which are used to support the use of and trust in secure electronic signatures. For purposes of these Rules, the term "information certifier" includes but is not necessarily limited to certification authorities.

(l) "Key pair" in an asymmetric cryptosystem refers to the private key and its mathematically related public key such that the latter can verify the digital signature that the former creates.

(m) "Person" means any natural or juridical person including, but not limited to, an individual, corporation, partnership, joint venture, unincorporated association, trust or other juridical entity, or any governmental authority.

(n) "Private Key" refers to the key of a key pair used to create a digital signature.

(o) "Public Key" refers to the key of a pair used to verify a digital signature.

(p) "Secure Electronic Signature" means an electronic signature which is created and can be verified through the application of a security procedure or combination of security procedures that ensures such electronic signature:

For purposes of these Rules, secure electronic signatures include but is not necessarily limited to digital signatures.

(q) "Signature creation device, method or technology" refers to any device, method or technology used to create an electronic signature in respect of which it can be shown, through the use of a security procedure or method, that such signature (a) is unique to the signer for the purpose for which it is used; (b) was created and affixed to the data message by the signer or using a means under the sole control of the signer; and (c) was created and is linked to the electronic data message to which it relates in a manner which provides reliable assurance as to the integrity of the message.

(r) "Signer" means the person who uses, creates and affixes an electronic signature to an electronic data message.

(a) A method is used to identify the party sought to be bound and to indicate said party’s access to the electronic document necessary for his consent or approval through the electronic signature;

(b) Said method is reliable and appropriate for the purpose for which the electronic document was generated and communicated, in the light of all circumstances, including any relevant agreement;

(c) It is necessary for the party sought to be bound, in order to proceed further with the transaction, to have executed or provided the electronic signature; and

(d) The other party is authorized and enabled to verify the electronic signature, and to make the decision to proceed with the transaction authenticated by the same.

(a) act in accordance with the representations it makes with respect to its practices;

(b) exercise due diligence to ensure the accuracy and completeness of all material representations it makes that are relevant to the life-cycle of its certificates or which are included in its certificates;

(c) provide reasonably accessible means which enable a relying party to ascertain:

(d) provide reasonably accessible means for signers to give notice that a signature device has been compromised and ensure the operation of a timely and secure revocation service; and

(e) utilize trustworthy systems, and procedures in performing is services.

(f) engage trustworthy personnel who possess the expert knowledge, experience and qualifications necessary for its services, in particular, but not limited to, expertise in electronic signature technology and familiarity with proper security procedures;

(g) maintain sufficient financial resources to operate as an information certifier and to bear the risk of potential liability for damages;

(h) Record, whether electronically or not, for an appropriate period of time all relevant information concerning issued certificates for, but not limited to, the purpose of providing evidence of certification in legal proceedings;

(i) for purposes of issuing and maintaining a certificate, collect and utilize personal data only insofar as it is necessary for the purposes of issuing and maintaining the certificate. Such data may not be collected, sold, distributed, processed or used for any other purpose without the express consent of the data subject.

(a) the identity of the information certifier;

(b) that the person who is identified in the certificate holds, at the relevant time, the signature device referred to in the certificate;

(c) that the signature device was effective on the date when the certificate was issued;

(d) an indication of the beginning and end of the period of validity of the certificate;

(e) where applicable, any limitation on the purposes or value for which the certificate may be used; and

(f) any limitation on the scope or extent of liability that the information certifier accepts, or alternatively, information on where such limitations on the scope or extent of liability, if any, may be found.

(a) the party who has contracted with the information certifier for the provision of a certificate; or

(b) any person who reasonably relies on a certificate issued by the information certifier as regards the fact that the certificate complies with all the requirements for a certificate, and as regards the truth and accuracy, at the time of the issuance of the certificate, of all information and representations contained in the certificate.

(a) the amount of damages caused by the incorrect or defective certificate;

(b) the cost of obtaining the certificate;

(c) the nature of the information being certified;

(d) the existence and extent of any limitation on the purpose for which the certificate may be used;

(e) the existence of any statement limiting the scope or extent of the liability of the information certifier;

(f) any contributory conduct by the relying party; and

(g) any other relevant factor.

(a) Exercise reasonable care to avoid unauthorized use of his electronic signature and/or signature creation device;

(b) Notify appropriate persons, including the concerned information certifier, without undue delay if:

(c) A signer shall be liable for damages caused by failure to satisfy the requirements provided under this Rule.

(a) A person shall rely on an electronic signature only to the extent that it is reasonable to do so. If reliance on the electronic signature is not reasonable in the circumstances having regard to the factors enumerated below,

(b) In determining whether it was reasonable for a person to have relied on the electronic signature, regard shall be had, if appropriate to:

(a) In determining whether, or the extent to which, a certificate or an electronic signature is legally effective, no regard shall be had to the place where the certificate or the electronic signature was issued, nor to the country in which the issuer had its place of business.

(b) Parties to commercial and other transactions may specify that a particular information certifier or supplier or supplier of certification services, class of suppliers of certification services or class of certificates must be used in connection with messages or signatures submitted to them.

(c) Where parties agree, as between themselves, to the use of certain types of electronic signatures and certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition.

(Sgd.) MAR ROXAS
Secretary
Department of Trade and Industry

(Sgd.) ESTRELLA F. ALABASTRO
Secretary
Department of Science and Technology