Decree No. 130/2018/ND-CP dated September 27, 2018 of the Government on detailing the Law on E-Transactions regarding digital signatures and digital signature certification services

Issuing body: Government
Official number: 130/2018/ND-CP
Signer: Nguyen Xuan Phuc
Type: Decree
Expiry date: Updating
Issuing date: 27/09/2018
Fields: Enterprise, Tax - Fee - Charge, Information - Communications

SUMMARY

To shorten the time of granting digital signature certification

This is the key point of Decree No. 130/2018/ND-CP dated September 27, 2018 of the Government on detailing the Law on E-Transactions regarding digital signatures and digital signature certification services.

In accordance with this new Decree, the time of granting digital signature certification shall be shortened to 50 days after receiving a valid dossier of application for a license, instead of 60 days as before.

A public digital signature certification authority may provide digital signature certification services when meeting the following conditions:

- Possessing a license for provision of public digital signature certification services granted by the Ministry of Information and Communications.

- Possessing a digital certificate issued by the National Digital Signature Certification Authority.

Concurrently, the Government has unanimously upheld that the license granted to a public digital signature certification authority is valid for 10 years. A digital certificate issued to public digital signature certification authorities is valid for 5 years.

This Decree takes effect on November 15, 2018.

LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE GOVERNMENT

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

No. 130/2018/ND-CP

Hanoi, September 27, 2018

DECREE

Detailing the Law on E-Transactions regarding digital signatures and digital signature certification services[1]

Pursuant to the June 19, 2015 Law on Organization of the Government;

Pursuant to the November 29, 2005 Law on E-Transactions;

Pursuant to the June 29, 2006 Law on Information Technology;

Pursuant to the November 25, 2015 Law on Charges and Fees;

At the proposal of the Minister of Information and Communications;

The Government promulgates the Decree detailing the Law on E-Transactions regarding digital signatures and digital signature certification services.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Decree prescribes in detail digital signatures and digital certificates; and the management, provision and use of digital signatures, digital certificates and digital signature certification services.

Article 2. Subjects of application

This Decree applies to agencies and organizations that manage or provide digital signature certification services, and agencies, organizations and individuals that use digital signatures, digital certificates and digital signature certification services in e-transactions.

Article 3. Interpretation of terms

In this Decree, the terms below are construed as follows:

1. “Key” means a sequence of binary digits (0 and 1) used in cryptosystems.

2. “Asymmetric cryptosystem” means a cryptosystem which is able to create key pairs each consisting of a private key and a public key.

3. “Private key” means one key in a key pair in an asymmetric cryptosystem, which is used to create a digital signature.

4. “Public key” means one key in a key pair in an asymmetric cryptosystem, which is used to verify the digital signature created by the corresponding private key in the key pair.

5. “Digitally signing” means incorporating a private key into a software program for the automatic creation and attachment of a digital signature to a data message.

6. “Digital signature” means a type of e-signature which is created by transformation of a data message using an asymmetric cryptosystem whereby the person having the initial data message and public key of the signer may accurately determine:

a/ Whether such transformation is created with the private key corresponding to the public key in the same key pair;

b/ Whether the integrity of a data message has been kept since the transformation.

7. “Digital certificate” means a type of e-certificate which is issued by a digital signature certification authority with a view to providing identification information for the public key of an agency, organization or individual to certify that such agency, organization or individual signs the digital signature using the corresponding private key.

8. “Valid digital certificate” means a digital certificate which has not expired, or has not been suspended or revoked.

9. “Public digital certificate” means a digital certificate which is issued by a public digital signature certification authority.

10. “Foreign digital certificate” means a digital certificate which is issued by a foreign digital signature certification authority.

11. “Subscriber” means an agency, organization or individual that is issued a digital certificate, accepts that certificate and holds a private key corresponding to the public key shown in such certificate.

12. “Signer” means a subscriber who uses his/her private key to digitally sign a data message with his/her own name.

13. “Recipient” means an organization or individual that receives a data message digitally signed by a signer, and uses the digital certificate of such signer to verify the digital signature in such data message.

14. “Digital signature use application” means an information technology application permitting the integration and use of digital signatures for verification.

15. “Digital signature certification authority” means an e-signature certification authority that provides digital signature certification services.

16. “Public digital signature certification authority” means an organization that provides digital signature certification services for agencies, organizations or individuals for use in public activities. The provision of digital signature certification services by public digital signature certification authorities is a conditional business as prescribed by law.

17. “Specialized digital signature certification authority” means an organization that provides digital signature certification services for agencies, organizations or individuals for use in specialized activities or sectors with the same operation characteristics or purposes and connected together under their operation charters or legal documents defining their organizational structures or form of association or joint operation. Specialized digital signature certification authorities shall operate for non-commercial purposes. They include:

a/ The Government’s specialized digital signature certification authority that provides digital signature certification services for agencies of the Party and State;

b/ Specialized digital signature certification authorities of agencies or organizations, which shall register the provision of specialized digital signature certification services with a state management agency in charge of digital signature certification services as prescribed by law.

18. “Public digital signature certification agent” means a trader that assists a public digital signature certification authority in providing digital signature certification services to subscribers under an agency contract to enjoy remuneration.

19. “Certification rules” means rules applied by a digital signature certification authority determining the process and procedures for issuance and management of digital certificates, use of digital certificates of subscribers, and the relationship between the digital signature certification authority and its agents and subscribers.

20. “Service charge for maintaining the system checking digital certificate validation status” means a sum of money payable by a digital signature certification authority to the National Digital Signature Certification Authority (defined in Chapter VI of this Decree) for maintaining an online database on digital certificates and other information serving the checking of the validation status of digital certificates and effect of digital signatures of digital signature certification authorities.

21. “E-token” means a physical device containing digital certificates and private keys of subscribers.

Article 4. Digital signature certification services

Digital signature certification services constitute a type of e-signature certification services provided by a digital signature certification authority for a subscriber to certify that such subscriber is the person who has digitally signed a data message. Digital signature certification services include:

1. Creating a key pair or assisting in creating a key pair consisting of a public key and a private key for subscribers.

2. Issuing, extending, suspending, restoring or revoking digital certificates of subscribers.

3. Maintaining an online database on digital certificates.

4. Providing necessary information to help certify subscribers’ digital signatures on data messages.

Chapter II

DIGITAL SIGNATURES AND DIGITAL CERTIFICATES

Article 5. Contents of a digital certificate

A digital certificate issued by the National Digital Signature Certification Authority, a public digital signature certification authority, the Government’s specialized digital signature certification authority, or a specialized digital signature certification authority of an agency or organization must have the following contents:

1. Name of the digital signature certification authority.

2. Name of the subscriber.

3. Code of the digital certificate.

4. Validity period of the digital certificate.

5. Public key of the subscriber.

6. Digital signature of the digital signature certification authority.

7. Restrictions on the use purpose and scope of the digital certificate.

8. Restrictions on legal liability of the digital signature certification authority.

9. Encryption algorithm.

10. Other necessary contents as prescribed by the Ministry of Information and Communications.

Article 6. Digital certificates of agencies or organizations and competent persons of agencies or organizations

1. All agencies, organizations and holders of state titles, and competent persons of agencies or organizations defined by the law on management and use of seals are entitled to be issued valid digital certificates under Clause 2, Article 8 of this Decree.

2. A digital certificate issued to a holder of a state title or a competent person of an agency or organization must show the title of such person and the name of his/her agency or organization.

3. The issuance of digital certificates to agencies, organizations and holders of state titles, and competent persons of agencies or organizations shall be based on:

a/ A written request for issuance of a digital certificate;

b/ A valid copy of the establishment decision or decision defining the functions, tasks and powers or written certification of the title of the competent person of the agency or organization or of the state title.

Article 7. Use of digital signatures and digital certificates of agencies or organizations and competent persons of agencies or organizations

1. Digital signatures of entities that are entitled to be issued digital certificates under Article 6 of this Decree may be used only for conducting transactions according to the competence of agencies or organizations and titles of such entities.

2. The on-behalf or by-order signing made under law by a competent person using his/her digital signature shall be construed as signing by the person holding the title shown in the digital certificate.

Article 8. Legal validity of digital signatures

1. In case a document is required by law to bear a signature, a data message shall be considered satisfying such requirement if it is signed by a digital signature which is secured under Article 9 of this Decree.

2. In case a document is required by law to bear the seal of an agency or organization, a data message shall be considered satisfying such requirement if it is signed by a digital signature of the agency or organization which is secured under Article 9 of this Decree.

3. Foreign digital signatures or digital certificates permitted for use in Vietnam under Chapter V of this Decree have the same legal validity and effect as digital signatures or digital certificates issued by public digital signature certification authorities of Vietnam.

Article 9. Security conditions for digital signatures

A digital signature shall be regarded as a secure e-signature when meeting the following conditions:

1. It is created in the validity period of a digital certificate and can be checked through the public key shown in such digital certificate.

2. It is created with the use of the private key corresponding to the public key shown in the digital certificate issued by:

a/ The National Digital Signature Certification Authority;

b/ The Government’s specialized digital signature certification authority;

c/ A public digital signature certification authority; or,

d/ A specialized digital signature certification authority of the agency or organization possessing a certificate of eligibility for securing specialized digital signatures as prescribed in Article 40 of this Decree.

3. Private keys are controlled only by the signers at the time of signing.

Article 10. Identification of digital certificates

When issuing digital certificates, public digital signature certification authorities and specialized digital signature certification authorities of agencies or organizations possessing certificates of eligibility for securing specialized digital signatures shall comply with the rules on identification of digital certificates under the Certification Regulation issued by the National Digital Signature Certification Authority.

Chapter III

PUBLIC DIGITAL SIGNATURE CERTIFICATION SERVICES

Section 1

LICENSING OF PROVISION OF PUBLIC DIGITAL SIGNATURE CERTIFICATION SERVICES

Article 11. Conditions for service provision

A public digital signature certification authority may provide digital signature certification services when meeting the following conditions:

1. Possessing a license for provision of public digital signature certification services granted by the Ministry of Information and Communications.

2. Possessing a digital certificate issued by the National Digital Signature Certification Authority.

Article 12. Validity period of a license

A license granted to a public digital signature certification authority is valid for 10 years.

Article 13. Licensing conditions

1. Condition on the applicant:

Being an enterprise established under Vietnam’s law.

2. Financial conditions:

a/ Making a deposit of at least 5 (five) billion Vietnam dong at a commercial bank operating in Vietnam for settling risks and paying compensations likely to arise in the course of service provision due to the fault of the public digital signature certification authority, and for paying expenses for receipt of information and maintenance of an enterprise’s database, in case of license revocation;

b/ Fully paying service charges for maintaining the system checking digital certificate validation status (in case of license re-grant).

3. Conditions on personnel:

a/ The enterprise must have employees in charge of system administration, system operation and issuance of digital certificates, ensuring information security of the system;

b/ A person referred to at Point a of this Clause must possess a university or higher degree in information security, information technology or electronics and telecommunications.

4. Technical conditions:

a/ Having a system of technical equipment satisfying the following requirements:

- Storing adequate, accurate and updated information of subscribers to serve the issuance of digital certificates throughout the validity period of digital certificates;

- Storing an adequate, accurate and updated list of valid, suspended and expired digital certificates, and allowing and instructing Internet users to have round-the-clock access;

- Creating key pairs, with each pair created randomly and used only once; having the function of ensuring that private keys are kept confidential when their corresponding public keys are known;

- Having the function of warning about, preventing and detecting illegal access in cyberspace;

- Being designed to minimize direct contact with the Internet environment;

- The system distributing keys to subscribers must ensure integrity and security of key pairs. In case of distributing keys via the computer network, the key distribution system must use security protocols ensuring no information disclosure in transmission links.

b/ Having a technical plan satisfying the requirements on information system security and compulsory technical regulations and standards on digital signatures and digital signature certification services currently in force;

c/ Having plans for controlling access to head offices, access to the system, and access to places where equipment serving the provision of digital signature certification services is installed;

d/ Having standby plans to maintain the safe and continuous operation of the system and respond to incidents, if any;

dd/ Having a plan to provide online subscriber information to the National Digital Signature Certification Authority to serve the state management of digital signature certification services;

e/ Having all equipment systems used for service provision installed in Vietnam;

g/ Having working offices, and places for installation of machinery and equipment satisfying the law-prescribed requirements on fire and explosion prevention and fighting; and being resilient to flood, inundation, earthquake, electromagnetic interference, or unauthorized access by people;

h/ Having its certification rules, made according to the model rules in the Certification Regulation of the National Digital Signature Certification Authority.

Article 14. Dossier for grant of a license

1. An application for a license for provision of public digital signature certification services, made according to Form No. 01 in the Appendix to this Decree.

2. A deposit certificate issued by a commercial bank operating in Vietnam. This certificate must include, but is not limited to, an unconditional and irrevocable payment commitment clause to the deposit recipient for any amount not exceeding the deposit to settle risks and pay compensations likely to arise in the course of service provision due to the fault of the public digital signature certification authority, and pay expenses for receipt of information and maintenance of an enterprise’s database, in case of license revocation.

3. A personnel dossier, comprising curricula vitae, degrees and certificates of the enterprise’s technical workers engaged in providing digital signature certification services as specified in Clause 3, Article 13 of this Decree.

4. A technical plan as prescribed in Clause 4, Article 13 of this Decree.

5. Certification rules, made according to the model rules in the Certification Regulation of the National Digital Signature Certification Authority.

Article 15. Verification of dossiers and grant of licenses

Within 50 days after receiving a valid dossier of application for a license, the Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with the Ministry of Public Security, Government Cipher Committee and related ministries and sectors in, verifying the dossier, and shall grant a license to the applying enterprise if the latter fully satisfies the conditions specified in Article 13 of this Decree. A license for provision of public digital signature certification services shall be made according to Form No. 05 in the Appendix to this Decree.

If refusing to grant a license, the Ministry of Information and Communications shall issue a written notice stating the reason.

Article 16. Modification and re-grant of licenses

1. A license shall be modified in case the holding enterprise changes its at-law representative, head office address or transaction name.

The enterprise shall submit a dossier of request for modification of a license at the Ministry of Information and Communications. Such dossier must comprise a written request for modification of a license, made according to Form No. 02 in the Appendix to this Decree, a report describing in detail the contents to be modified, and relevant documents.

Within 15 working days after receiving a complete and valid dossier, the Ministry of Information and Communications shall verify the dossier and grant a modified license to the enterprise; if refusing to grant a modified license, the Ministry shall issue a written notice stating the reason.

The validity period of a modified license is the remaining period of the original license.

2. In case its license is lost or damaged, an enterprise shall send a written request for re-grant of a license, made according to Form No. 03 in the Appendix to this Decree, stating the reason, to the Ministry of Information and Communications. Within 7 working days after receiving the request, the Ministry of Information and Communications shall consider the request and re-grant a license to the enterprise.

The validity period of a re-granted license is the remaining period of the original license.

3. An enterprise that wishes to continue providing services shall submit a dossier of request for re-grant of a license at least 90 days before the license expires. A dossier of request for re-grant of a license in case the original license expires must comprise:

a/ A written request for re-grant of a license for provision of public digital signature certification services, made according to Form No. 03 in the Appendix to this Decree;

b/ A deposit certificate issued by a commercial bank operating in Vietnam as prescribed in Clause 2, Article 14 of this Decree;

c/ Information about the enterprise’s personnel or technical changes (if any) related to the licensing conditions prescribed in Clauses 3 and 4, Article 13 of this Decree.

Within 30 days after receiving a valid dossier, the Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with the Ministry of Public Security, Government Cipher Committee and related ministries and sectors in, verifying the dossier and inspecting the applying enterprise’s satisfaction of licensing conditions, and shall re-grant a license to the enterprise if the latter fully satisfies the licensing conditions. If refusing to re-grant a license, the Ministry of Information and Communications shall issue a written notice stating the reason.

The validity period of a re-granted license in case the original license expires is 10 years.

Article 17. Suspension of licenses, suspension of grant of digital certificates

1. A public digital signature certification authority will have its license suspended for no more than 6 months in one of the following cases:

a/ Providing services other than those stated in the license;

b/ Failing to satisfy one of the licensing conditions specified in Article 13 of this Decree in the course of service provision;

c/ Failing to fully pay charges for maintaining the system checking digital certificate validation status for 6 months.

2. A public digital signature certification authority may suspend issuing new digital certificates to subscribers in one of the following cases:

a/ Its license for provision of public digital signature certification services is suspended under Clause 1 of this Article;

b/ When detecting that errors in its service provision system are likely to affect the interests of subscribers and service recipients.

3. Within the suspension period, if a public digital signature certification authority can remediate the cause of suspension, the Ministry of Information and Communications shall permit the authority to continue providing services.

Article 18. Revocation of licenses

1. A public digital signature certification authority will have its license revoked in one of the following cases:

a/ It fails to provide services within 12 months after being licensed, without a plausible reason;

b/ It is dissolved or falls bankrupt under relevant law;

c/ Its license for provision of public digital signature certification services has expired;

d/ It has not fully paid charges for maintaining the system checking digital certificate validation status for 12 months;

dd/ It cannot remediate the causes of suspension specified in Clause 1 of Article 17 after the suspension period prescribed by a state agency;

e/ It no longer wishes to provide services.

2. Within 30 days after receiving a notice of revocation of its license, a public digital signature certification authority shall reach agreement with subscribers in order to hand over databases and dossiers related to service provision and assurance of the service use interests of subscribers to another public digital signature certification authority.

3. The Ministry of Information and Communications shall supervise and guide the handover among public digital signature certification authorities to ensure subscribers’ uninterrupted use of services.

If an agreement on handover of databases and dossiers cannot be reached, the Ministry of Information and Communications shall designate one or more than one public digital signature certification authority to provide services. The designated authority shall further exercise the rights and perform the obligations toward subscribers and service recipients under the contracts signed between subscribers and the authority having its license revoked.

4. Expenses for receipt of information and maintenance of relevant databases and dossiers and assurance of subscribers’ service use shall be covered by the deposit made by the public digital signature certification authority having its license revoked.

5. Three years after the date a public digital signature certification authority has its license revoked, except for the case specified at Point c, Clause 1 of this Article, this authority may request re-grant of a license. Conditions and procedures for re-grant of a license are the same as those for grant of a license.

Article 19. Validity period of digital certificates issued to public digital signature certification authorities

A digital certificate issued to public digital signature certification authorities is valid for 5 years.

Article 20. Conditions for issuance of a digital certificate to a public digital signature certification authority

1. The authority possesses a valid license to provide public digital signature certification services granted by the Ministry of Information and Communications.

2. The authority has an actual technical system consistent with that described in the dossier of application for a license.

3. The public key in the to-be-issued digital certificate is unique and goes in pair with the private key of the authority.

Article 21. Dossier for issuance of a digital certificate to a public digital signature certification authority

A dossier for issuance of a digital certificate to a public digital signature certification authority must comprise:

1. An application for a digital certificate addressed to the National Digital Signature Certification Authority, made according to Form No. 04 in the Appendix to this Decree.

2. A copy of the license for provision of public digital signature certification services.

3. Other papers as prescribed in the Certification Regulation issued by the National Digital Signature Certification Authority.

Article 22. Verification of dossiers and issuance of digital certificates to public digital signature certification authorities

Within 30 working days after receiving a valid dossier of application for a digital certificate, the National Digital Signature Certification Authority shall verify the dossier.

1. The National Digital Signature Certification Authority shall carry out verification as follows:

a/ Checking the actual technical system of the applying public digital signature certification authority to see whether the system is consistent with that described in the dossier of application for a license;

b/ Witnessing the creation of the pair of private key and public key of the authority to ensure that the created key pair is secure under regulations.

2. If a public digital signature certification authority satisfies the conditions for issuance of a digital certificate, the National Digital Signature Certification Authority shall issue a digital certificate; otherwise, it shall issue a written refusal stating the reason.

3. The issuance of digital certificates by the National Digital Signature Certification Authority to public digital signature certification authorities must ensure the continuity of services provided to subscribers.

Section 2

SERVICE PROVISION BY PUBLIC DIGITAL SIGNATURE CERTIFICATION AUTHORITIES

Article 23. Dossier for issuance of a digital certificate to a subscriber

1. An application for a digital certificate, made according to the form set by the public digital signature certification authority.

2. Other papers, including:

a/ For an individual: people’s identity card, or citizen identity card, or passport;

b/ For an organization: establishment decision, or decision defining the functions, tasks, powers and organizational structure of, or enterprise registration certificate, or investment certificate; and people’s identity card, or citizen identity card, or passport of the at-law representative of the organization.

3. Individuals and organizations may submit duplicates, certified copies, or copies together with their originals for verification.

Article 24. Creation of keys and distribution of keys to subscribers

1. Organizations or individuals that apply for a digital certificate may themselves create a key pair or request in writing a public digital signature certification authority to create a key pair for them.

2. In case the applicant creates a key pair by itself/himself/herself, the public digital signature certification authority must ensure that such applicant has used devices up to prescribed standards to create and store the key pair.

3. In case the public digital signature certification authority creates the key pair, it must ensure that it safely hands over the private key to the applicant and may store a backup of the private key when so requested in writing by the applicant.

Article 25. Issuance of digital certificates to subscribers

1. A public digital signature certification authority shall issue a digital certificate to a subscriber after checking and ensuring that:

a/ The information in the dossier of application for a digital certificate is accurate;

b/ The public key in the to-be-issued digital certificate is unique and goes in pair with the private key of the applicant.

2. A digital certificate shall be issued only to the applicant and must have the information details prescribed in Article 5 of this Decree.

3. A public digital signature certification authority may announce the digital certificate issued to a subscriber in its database on digital certificates only after obtaining the subscriber’s certification of the accuracy of information in such digital certificate; the announcement shall be made within 24 hours after obtaining the certification, unless otherwise agreed upon.

4. A public digital signature certification authority may not refuse to issue a digital certificate to the applicant without a plausible reason.

5. A public digital signature certification authority shall ensure safety throughout the course of creation and handover of digital certificates to subscribers.

Article 26. Extension of digital certificates for subscribers

1. At least 30 days before its/his/her digital certificate expires, a subscriber may request extension of such certificate.

2. When receiving a subscriber’s request for extension, a public digital signature certification authority shall complete procedures for extension of the digital certificate before it expires.

3. If wishing to change the public key in the to-be-extended digital certificate, a subscriber shall request such change; the creation and distribution of keys and announcement of extended digital certificates must comply with Articles 24 and 25 of this Decree.

Article 27. Change of key pairs for subscribers

If wishing to change its/his/her key pair, a subscriber shall make a written request for the change. The creation and distribution of keys and announcement of digital certificates with new public keys must comply with Articles 24 and 25 of this Decree.

Article 28. Suspension or recovery of digital certificates of subscribers

1. A subscriber’s digital certificate shall be suspended in the following cases:

a/ The subscriber makes a written request for the suspension, which has been verified by a public digital signature certification authority as containing accurate information;

b/ The public digital signature certification authority has grounds to believe that the issued digital certificate does not comply with the provisions of Articles 24 and 25 of this Decree, or detects errors affecting the interests of the subscriber and service recipient;

c/ The suspension is requested by a proceedings-conducting body or public security agency or the Ministry of Information and Communications;

d/ The suspension is effected in accordance with the conditions for suspension of digital certificates specified in the contract between the subscriber and public digital signature certification authority.

2. When having grounds for suspending a digital certificate, a public digital signature certification authority shall suspend the certificate and, at the same time, notify the suspension to the subscriber and announce the suspension as well as starting and ending dates of the suspension period in the database on digital certificates.

3. A public digital signature certification authority shall restore the suspended digital certificate when no longer having grounds for suspension or when the suspension period expires.

Article 29. Revocation of digital certificates of subscribers

1. A subscriber’s digital certificate shall be revoked in the following cases:

a/ The subscriber makes a written request for the revocation, which has been verified by its/his/her digital signature certification authority as containing accurate information;

b/ The subscriber being an individual has died or is declared by the court as missing or the subscriber being an organization is dissolved or falls bankrupt under law;

c/ The revocation is requested by a proceedings-conducting body or public security agency or the Ministry of Information and Communications;

d/ The revocation is effected in accordance with the conditions for revocation of digital certificates specified in the contract between the subscriber and public digital signature certification authority.

2. When having grounds for revoking a digital certificate, a public digital signature certification authority shall revoke the digital certificate and, at the same time, notify such revocation to the subscriber and make an announcement thereof in the database on digital certificates.

Article 30. Time-marking service

1. Time-marking service means an added-value service used to attach information on date and time to a data message.

2. The time-marking service shall be provided by a public digital signature certification authority in accordance with relevant compulsory technical regulations and standards for this type of service.

3. Date and time attached to a data message are the date and time when the time-marking service provider receives such data message, and are certified by such provider.

4. Timing sources of time-marking service providers must comply with regulations on national standard timing sources.

Article 31. Certification rules of public digital signature certification authorities

1. The certification rules of a public digital signature certification authority shall be formulated according to the model rules provided in the Certification Regulation of the National Digital Signature Certification Authority.

2. The certification rules of a public digital signature certification authority shall be made public under Clause 2, Article 33 of this Decree.

3. When wishing to revise its certification rules, a public digital signature certification authority shall notify such revision in writing to and get written approval thereof from the National Digital Signature Certification Authority.

Section 3

OBLIGATIONS OF PUBLIC DIGITAL SIGNATURE CERTIFICATION AUTHORITIES

Article 32. Obligations of a public digital signature certification authority toward subscribers

1. To ensure the continuous and uninterrupted use of services by subscribers throughout the validity period of digital certificates and the continuous checking of digital certificate validation status of subscribers.

2. To handle risks and pay compensations for damage to subscribers and recipients in case errors are determined to be made by the public digital signature certification authority.

3. To ensure safety of private information, personal information and devices storing digital certificates for subscribers in accordance with the law on information security and other relevant laws.

4. Regarding receipt of information:

To ensure the round-the-clock operation of the information channel to receive from subscribers information relating to the use of digital certificates.

5. Regarding management of keys:

a/ In case of detecting a sign that the private key of a subscriber is revealed or no longer intact, or any error that might badly affect the interests of a subscriber, to promptly notify it to such subscriber and at the same time apply timely preventive and remedial measures;

b/ To warn subscribers to change their key pairs when necessary to ensure the highest reliability and safety for the key pairs.

6. In case of suspension of issuance of new digital certificates:

During the suspension period, to maintain the database system related to issued digital certificates.

7. When having its license revoked, to promptly notify its subscribers of the suspension of service provision and information about the organization to receive their databases in order to guarantee the subscribers’ use of services.

8. To formulate a model contract with subscribers, which must have the following contents:

a/ Scope and limit of use, confidentiality level and expenses for the provision and use of digital certificates and other information that might affect the interests of subscribers;

b/ Requirements on assurance of safety in the storage and use of private keys;

c/ Procedures for filing complaints and resolving disputes.

9. To exercise the rights and perform the obligations of principals as prescribed by the commercial law.

Article 33. Obligations of a public digital signature certification authority toward the state management agency in charge of digital signatures and digital signature certification services

1. To publicize information:

A public digital signature certification authority shall publicize the following information and keep it public round the clock on its website:

a/ Its certification rules and digital certificate;

b/ A list of valid, suspended and revoked digital certificates of subscribers;

c/ Other necessary information as prescribed by law.

2. To update information:

A public digital signature certification authority shall update the information specified in Clause 1 of this Article within 24 hours after a change occurs.

3. To provide information:

A public digital signature certification authority shall provide online and in real time to the National Digital Signature Certification Authority information on the numbers of valid, suspended and revoked digital certificates to serve the state management of digital signature certification services.

4. To store information:

To store all information relating to the suspension or revocation of its license and databases on subscribers and digital certificates for at least 5 years from the date its license is suspended or revoked.

5. To pay service charges for maintaining the system checking digital certificate validation status under regulations.

6. To make periodical and extraordinary reports under the regulations of the Ministry of Information and Communications and at the request of competent state agencies.

Section 4

PUBLIC DIGITAL SIGNATURE CERTIFICATION AGENTS

Article 34. Operation conditions of a public digital signature certification agent

1. Being a lawfully established economic organization or an individual engaged in commercial activities in an independent and regular manner and with a business registration.

2. Having a transaction office with a specific address.

3. Having an agency contract with a public digital signature certification authority.

Article 35. Rights and obligations of a public digital signature certification agent

1. To exercise its rights and perform its obligations prescribed by the commercial law.

2. To provide adequate guidance on dossiers and procedures for issuance of digital certificates to subscribers.

3. To publicly post the process of issuing digital certificates at its office.

4. To ensure the round-the-clock operation of its information channel to receive requests of subscribers.

5. To report at the request of competent agencies to serve the state management of digital signature certification services.

 

Chapter IV

SPECIALIZED DIGITAL SIGNATURE CERTIFICATION SERVICES OF AGENCIES AND ORGANIZATIONS

 

Section 1

GRANT OF OPERATION REGISTRATION CERTIFICATES FOR SPECIALIZED DIGITAL SIGNATURE CERTIFICATION AUTHORITIES OF AGENCIES AND ORGANIZATIONS

Article 36. Operation conditions and registration

1. Operation conditions

An agency or organization may provide specialized digital signature certification services when obtaining an operation registration certificate granted by the Ministry of Information and Communications.

2. Conditions for operation registration

a/ Having employees in charge of system administration; system operation and issuance of digital certificates; and assurance of information safety of the system. Such an employee must possess a university or higher degree in information security, information technology or electronics and telecommunications;

b/ Having a technical equipment system meeting the following requirements:

- Fully and accurately storing and updating information of subscribers to serve the issuance of digital certificates throughout the validity period of digital certificates;

- Being able to create key pairs, each randomly created and used only once; having the function of ensuring that private keys are kept confidential when corresponding public keys are known;

- Having the function of warning about, preventing and detecting illegal access in cyberspace;

- Being designed to minimize direct contact with the Internet environment.

c/ Having a plan on online provision of subscriber information to the National Digital Signature Certification Authority to serve the state management of digital signature certification services;

d/ Having the entire equipment system used for service provision installed in Vietnam;

dd/ Having working offices and places for installation of machinery and equipment satisfying the law-prescribed requirements on fire and explosion prevention and fighting, and resistant to flood, earthquake, electromagnetic interference and unauthorized access by people.

Article 37. Operation registration dossier

1. An application for an operation registration certificate of a specialized digital signature certification authority, made according to Form No. 06 in the Appendix to this Decree.

2. Documents proving the satisfaction of the operation registration conditions prescribed in Clause 2, Article 36 of this Decree.

3. Documents proving that service users have the same operation characteristics or work purposes and are interconnected under their operation charters or legal documents defining their common organizational structure or joint linkage or operation.

Article 38. Procedures for grant, suspension, revocation, modification or re-grant of operation registration certificates

1. Grant of an operation registration certificate

a/ Within 30 working days after receiving a valid operation registration dossier, the Ministry of Information and Communications shall examine the dossier and grant an operation registration certificate in case the dossier shows the full satisfaction of the operation registration conditions prescribed in Clause 2, Article 36 of this Decree. The form of the operation registration certificate of a specialized digital signature certification authority is provided in the Appendix to this Decree (Form No. 09).

In case of refusal to grant an operation registration certificate, the Ministry of Information and Communications shall issue a written reply clearly stating the reason;

b/ The operation registration certificate of a specialized digital signature certification authority is valid for 5 years.

2. Suspension of an operation registration certificate

A specialized digital signature certification authority may have its operation registration certificate suspended for up to 6 months in one of the following cases:

a/ Providing services at variance with contents of its operation registration certificate;

b/ No longer satisfying one of the conditions for grant of operation registration certificates specified in Clause 2, Article 36 of this Decree in the course of service provision.

3. Restoration of an operation registration certificate

During the suspension period, if a specialized digital signature certification authority can remediate the cause of suspension of its operation registration certificate, it may be permitted by the Ministry of Information and Communications to continue providing services.

4. Revocation of an operation registration certificate

A specialized digital signature certification authority may have its operation registration certificate revoked in one of the following cases:

a/ Failing to commence the service provision within 12 months after obtaining the operation registration certificate without any plausible reason;

b/ Being dissolved or falling bankrupt in accordance with relevant law;

c/ Failing to remediate the cause of suspension of its operation registration certificate as prescribed in Clause 2, Article 38 of this Decree after the suspension period fixed by a competent state agency;

d/ No longer wishing to provide services.

5. Modification of an operation registration certificate

An operation registration certificate shall be modified when its holder changes any of the following information: office address, at-law representative, scope and subjects of service provision, and applied technical standards.

To have its operation registration certificate modified, a specialized digital signature certification authority shall submit a dossier of request for modification to the Ministry of Information and Communications. Such dossier must comprise a written request for modification of the operation registration certificate, made according to Form 07 in the Appendix to this Decree and enclosed with relevant documents supporting the request.

Within 15 working days after receiving a complete and valid dossier, the Ministry of Information and Communications shall examine the dossier and grant the modified operation registration certificate. In case of refusal to grant the modified certificate, it shall issue a written reply clearly stating the reason.

The validity period of a modified operation registration certificate is the remaining period of the original certificate.

6. Re-grant of an operation registration certificate when it expires

At least 30 days before its operation registration certificate expires, a specialized digital signature certification authority shall submit a dossier of request for re-grant of the certificate. Such dossier must comprise:

a/ A written request for re-grant of the certificate, made according to Form 08 in the Appendix to this Decree;

b/ Changes (if any) in information on employees and technical equipment related to the conditions for grant of certificates prescribed in Clause 2, Article 36 of this Decree.

Within 15 working days after receiving a dossier of request for re-grant of a certificate, the Ministry of Information and Communications shall examine the dossier.

In case the dossier is complete and valid, the Ministry of Information and Communications shall re-grant the certificate. In case of refusal to re-grant, it shall issue a written reply clearly stating the reason.

A re-granted operation registration certificate is valid for 5 years.

Article 39. Rights and obligations of a specialized digital signature certification authority

1. To provide specialized digital signature certification services within the scope of its operation and for eligible entities stated in its operation registration certificate granted by the Ministry of Information and Communications.

2. To determine the provision and use of specialized digital signature certification services for agencies and organizations according to the registered scope of operation and service users.

3. To make periodical and extraordinary reports under the regulations of the Ministry of Information and Communications and at the request of competent state agencies.

4. To obtain certificates of satisfaction of safety assurance conditions for specialized digital signatures granted by the Ministry of Information and Communications under Articles 9, 40 and 41 of this Decree in case they wish to use specialized digital signatures in transactions with organizations and individuals to serve specialized activities within the scope of their functions and tasks.

Section 2

GRANT OF CERTIFICATES OF SATISFACTION OF SAFETY ASSURANCE CONDITIONS FOR SPECIALIZED DIGITAL SIGNATURES

Article 40. Conditions for grant of a certificate of satisfaction of safety assurance conditions for specialized digital signatures

1. Having an operation registration certificate, for a specialized digital signature certification authority.

2. Satisfying the staff and technical conditions prescribed in Clauses 3 and 4, Article 13 of this Decree.

Article 41. Dossier of application for a certificate of satisfaction of safety assurance conditions for specialized digital signatures

1. An application for a certificate of satisfaction of safety assurance conditions for specialized digital signatures, made according to Form No. 10 in the Appendix to this Decree.

2. A copy of the operation registration certificate of the specialized digital signature certification authority.

3. The decision on establishment and operation charter of the specialized digital signature certification authority.

4. Staff files, each consisting of a resume, degrees and certificates of the person engaged in the provision of specialized digital signature certification services as required in Clause 3, Article 13 of this Decree.

5. A technical plan proving satisfaction of the requirements specified in Clause 4, Article 13 of this Decree.

6. Certification rules, made according to the model rules provided in the Certification Regulation of the National Digital Signature Certification Authority.

Article 42. Procedures for grant, suspension, revocation, modification or re-grant of certificates of satisfaction of safety assurance conditions for specialized digital signatures

1. Grant of a certificate of satisfaction of safety assurance conditions for specialized digital signatures

a/ Within 60 working days after receiving a valid dossier of application for a certificate of satisfaction of safety assurance conditions for specialized digital signatures, the Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with the Ministry of Public Security, Government Cipher Committee and related ministries and sectors in, examining the dossier and conducting physical inspection, then grant a certificate of satisfaction of safety assurance conditions for specialized digital signatures in case the applicant fully satisfies the conditions prescribed in Article 40 of this Decree. The form of the certificate of satisfaction of safety assurance conditions for specialized digital signatures is provided in the Appendix to this Decree (Form No. 13).

In case the applicant fails to fully satisfy the prescribed conditions, the Ministry of Information and Communications shall issue a written refusal to grant a certificate, clearly stating the reason;

b/ The validity period of a certificate of satisfaction of safety assurance conditions for specialized digital signatures corresponds to that of the operation registration certificate of the specialized digital signature certification authority but must not exceed 5 years.

2. Suspension of a certificate of satisfaction of safety assurance conditions for specialized digital signatures

A specialized digital signature certification authority may have its certificate of satisfaction of safety assurance conditions for specialized digital signatures suspended for up to 6 months in one of the following cases:

a/ Having its operation registration certificate suspended;

b/ Failing to satisfy one of the conditions for grant of a certificate of satisfaction of safety assurance conditions for specialized digital signatures specified in Clause 2, Article 40 of this Decree in the course of service provision.

3. Restoration of a certificate of satisfaction of safety assurance conditions for specialized digital signatures

During the suspension period, if a specialized digital signature certification authority can remediate the cause of suspension of its certificate of satisfaction of safety assurance conditions for specialized digital signatures, the Ministry of Information and Communications may cancel the decision on suspension of the certificate.

4. Revocation of a certificate of satisfaction of safety assurance conditions for specialized digital signatures

A specialized digital signature certification authority may have its certificate of satisfaction of safety assurance conditions for specialized digital signatures revoked in one of the following cases:

a/ Having its operation registration certificate revoked;

b/ Failing to remediate the cause of suspension of its certificate of satisfaction of safety assurance conditions for specialized digital signatures specified in Clause 2, Article 42 of this Decree after the suspension period fixed by a state agency expires.

5. Modification of a certificate of satisfaction of safety assurance conditions for specialized digital signatures

A certificate of satisfaction of safety assurance conditions for specialized digital signatures shall be modified when its holder changes any of the following information: office address, at-law representative, scope of service provision and service users, and applied technical standards.

To have its certificate of satisfaction of safety assurance conditions for specialized digital signatures modified, a specialized digital signature certification authority shall submit a dossier of request for modification to the Ministry of Information and Communications. Such a dossier must comprise a written request for modification, made according to Form No. 11 in the Appendix to this Decree and enclosed with relevant documents supporting the request.

Within 15 working days after receiving a complete and valid dossier, the Ministry of Information and Communications shall examine the dossier and grant the modified certificate of satisfaction of safety assurance conditions for specialized digital signatures. In case of refusal to re-grant the modified certificate, it shall issue a written reply clearly stating the reason.

The validity period of a modified certificate of satisfaction of safety assurance conditions for specialized digital signatures is the remaining period of the original certificate.

6. Re-grant of a certificate of satisfaction of safety assurance conditions for specialized digital signatures when it expires

At least 45 days before its certificate of satisfaction of safety assurance conditions for specialized digital signatures expires, a specialized digital signature certification authority shall submit a dossier of request for re-grant of the certificate. Such a dossier must comprise:

a/ A written request for re-grant of the certificate of satisfaction of safety assurance conditions for specialized digital signatures, made according to Form No. 12 in the Appendix to this Decree;

b/ A copy of the expired operation registration certificate of the specialized digital signature certification authority;

c/ Changes in information on employees and technical equipment related to the conditions for grant of certificates specified in Clause 2, Article 40 of this Decree.

Within 30 days after receiving a valid dossier, the Ministry of Information and Communications shall assume the prime responsibility for, and coordinate with related ministries and sectors in, examining the dossier and checking whether the conditions for grant of a certificate of satisfaction of safety assurance conditions for specialized digital signatures are satisfied.

In case the specialized digital signature certification authority fully satisfies the conditions for grant of a certificate of satisfaction of safety assurance conditions for specialized digital signatures, the Ministry of Information and Communications shall re-grant such certificate. In case of refusal to re-grant the certificate, it shall issue a written reply clearly stating the reason.

A re-granted certificate of satisfaction of safety assurance conditions for specialized digital signatures is valid for 5 years.

 

Chapter V

FOREIGN DIGITAL CERTIFICATES AND SIGNATURES IN VIETNAM

Article 43. Conditions for use of a foreign digital certificate

1. It remains valid for use.

2. It is permitted in writing by the Ministry of Information and Communications for use in Vietnam or accepted in international transactions. No permission is required for the use of foreign digital certificates for servers and software.

Article 44. Users of foreign digital certificates

1. Vietnam-based foreign organizations and individuals.

2. Vietnamese organizations and individuals that wish to conduct e-transactions with foreign partners from countries where digital certificates of domestic digital signature certification authorities are not yet recognized.

Article 45. Scope of operation and validity period of permits for use of foreign digital certificates in Vietnam

1. The scope of operation covers e-transactions of users of foreign digital certificates specified in Article 44 of this Decree.

2. The validity period of a permit for use of a foreign digital certificate in Vietnam is 5 years but must not exceed that of such digital certificate.

Article 46. Conditions for grant of use permits

1. For a subscriber using a foreign digital certificate in Vietnam:

a/ Being one of the entities specified in Article 44 of this Decree;

b/ Having one of the following documents to verify information on the digital certificate:

- Enterprise registration certificate or investment certificate or establishment decision or decision defining the functions, tasks and powers, for organizations; people’s identity card or citizen identity paper or passport, for individuals;

- Written permission of a competent agency for lawful operation of the foreign organization or individual, for foreign subscribers;

- In case of authorized use of the digital certificate, a lawful letter of authorization or permission for use of the digital certificate is required and information about the subscriber issued with the digital certificate must be consistent with information in the letter of authorization or permission.

2. For a foreign digital certificate certification authority with a digital certificate recognized in Vietnam:

a/ Having been established and lawfully operating in the country where it has registered its operation;

b/ Satisfying the list of standards for compulsory application on digital signatures and digital signature certification services promulgated by the Ministry of Information and Communications or the international standards on digital signatures that are determined by the Ministry of Information and Communications to have an equivalent level of information security;

c/ Having its professional operations certified by an audit firm to be conformable with the prestigious international standards on digital signature certification services.

Article 47. Dossier of application for a permit for use of a foreign digital certificate in Vietnam

1. An application of the subscriber for a permit for use of a foreign digital certificate in Vietnam, made according to Form No. 14 in the Appendix to this Decree.

2. Documents explaining and proving the satisfaction of the conditions prescribed in Article 46 of this Decree.

3. A valid copy of the contract (or agreement) on use of the foreign digital certificate between the subscriber and the foreign digital certificate provider, or a document proving that the subscriber is a lawful user of the foreign digital certificate.

4. A written undertaking that the use of the foreign digital certificate in Vietnam complies with Vietnam’s law on digital signatures and digital signature certification services.

Article 48. Examination of dossiers and grant of permits for use of foreign digital certificates in Vietnam

1. Within 30 working days after receiving a valid dossier of application for a permit for use of a foreign digital certificate in Vietnam, the Ministry of Information and Communications shall examine it.

2. In case the dossier shows the full satisfaction of the prescribed conditions, the Ministry of Information and Communications shall grant a permit for use of a foreign digital certificate in Vietnam. The form of the permit for use of foreign digital certificates in Vietnam is provided in the Appendix to this Decree (Form No. 15).

In case the dossier fails to show the full satisfaction of the prescribed conditions, the Ministry of Information and Communications shall issue a written notice clearly stating the reason for refusal to grant a permit.

Article 49. Modification or re-grant of permits for use of foreign digital certificates in Vietnam

1. A permit for use of a foreign digital certificate in Vietnam shall be modified in case the permit holder changes its transaction name or at-law representative, for organizations, or changes the type of digital certificate it/he/she uses.

A dossier of request for modification of a permit must comprise a written request for modification of contents of the permit, a report describing in detail contents requested to be modified, and relevant documents (if any).

Within 10 working days after receiving a complete dossier, the Ministry of Information and Communications shall examine the dossier and modify contents of the permit as requested. In case of refusal to modify the permit, it shall issue a written reply clearly stating the reason.

2. In case a permit is lost or damaged, a user of a foreign digital certificate shall send a written request for re-grant of the permit, clearly stating the reason for request to the Ministry of Information and Communications. Within 7 working days after receiving such a request, the Ministry of Information and Communications shall consider it and re-grant the permit.

3. The validity period of a modified or re-granted permit is the remaining validity period of the original permit.

Article 50. Obligations of a user of a foreign digital certificate in Vietnam

1. To use the digital certificate within the scope stated in the permit for use of the foreign digital certificate in Vietnam.

2. To report on the use of the foreign digital certificate in Vietnam to the Ministry of Information and Communications when an incident occurs or upon request.

Article 51. Foreign digital certificates accepted in international transactions

1. Foreign digital certificates accepted in international transactions are those used by subscribers not present in Vietnam and valid on data messages sent to Vietnamese agencies and organizations.

2. Agencies, organizations and individuals shall choose and take responsibility for their acceptance of foreign digital certificates in international transactions.

 

Chapter VI

THE NATIONAL DIGITAL SIGNATURE CERTIFICATION AUTHORITY

Article 52. Position, functions, tasks and powers of the National Digital Signature Certification Authority

1. The National Digital Signature Certification Authority is a non-business unit of the Ministry of Information and Communications providing digital signature certification services to public digital signature certification authorities and specialized digital signature certification authorities of agencies and organizations that are granted certificates of satisfaction of safety assurance conditions for specialized digital signatures, and users of foreign digital certificates that are granted permits for use of foreign digital certificates in Vietnam. The National Digital Signature Certification Authority is the sole authority in the field.

2. The National Digital Signature Certification Authority has the following tasks and powers:

a/ To build, manage, maintain and operate a technical system for performance of the functions specified in Clause 1 of this Article;

b/ To issue digital certificates to itself;

c/ To study and propose competent authorities to formulate and promulgate documents on the management and provision of digital signature certification services to specialized digital signature certification authorities of agencies and organizations that are granted certificates of satisfaction of safety assurance conditions for specialized digital signatures and users of foreign digital certificates that are granted permits for use of foreign digital certificates in Vietnam;

d/ To announce and update on its website the list of public digital signature certification authorities and specialized digital signature certification authorities that are granted operation registration certificates, foreign digital certificates permitted for use in Vietnam, and foreign digital certificates accepted in foreign transactions;

dd/ To lobby for the recognition of Vietnam’s digital signature certification services by foreign countries and international organizations.

Article 53. Service provision by the National Digital Signature Certification Authority

The issuance of digital certificates and provision of digital signature certification services to digital signature certification authorities must comply with the provisions in Chapters III and IV of this Decree:

1. The National Digital Signature Certification Authority plays the role and has the rights and obligations like a public digital signature certification authority as prescribed in Chapter III of this Decree. Digital signature certification authorities play the role and have the rights and obligations like subscribers as prescribed in Chapter III of this Decree.

2. In addition to complying with Clause 1 of this Article, the National Digital Signature Certification Authority and digital signature certification authorities shall comply with the following provisions:

a/ Key pairs referred to in Article 24 of this Decree shall be created by digital signature certification authorities themselves on their systems;

b/ Contents that need to be checked before the issuance of digital certificates are specified in Clause 1, Article 25 of this Decree, and additional inspection of satisfaction of the operation conditions shall be conducted under Clauses 3 and 4, Article 13 of this Decree;

c/ Public information specified in Clause 2, Article 33 of this Decree shall be publicized on the website of the National Digital Signature Certification Authority or websites of public digital signature certification authorities;

d/ Digital signature certification authorities using digital certificates provided by the National Digital Signature Certification Authority shall pay service charges for maintaining the system checking digital certificate validation status in accordance with the Law on Charges and Fees.

Article 54. Certification Regulation of the National Digital Signature Certification Authority

1. The Certification Regulation of the National Digital Signature Certification Authority shall be promulgated by the Ministry of Information and Communications to guide the processes and procedures for provision of digital signature certification services, having the following contents:

a/ Model contract between public digital signature certification authorities and their agents;

b/ Model contract between public digital signature certification authorities and their subscribers;

c/ Model certification rules of public digital signature certification authorities and specialized digital signature certification authorities having certificates of satisfaction of safety assurance conditions for specialized digital signatures.

2. Digital signature certification authorities, public digital signature certification agents and subscribers using foreign digital certificates permitted for use in Vietnam shall implement the provisions of the Certification Regulation of the National Digital Signature Certification Authority.

 

Chapter VII

GOVERNMENT’S SPECIALIZED DIGITAL SIGNATURE CERTIFICATION SERVICES

Article 55. Position, functions, tasks and powers of the Government’s specialized digital signature certification authority

1. The Government’s specialized digital signature certification authority is a body attached to the Government Cipher Committee that provides the Government’s specialized digital signature certification services to Party and State agencies.

2. The Government’s specialized digital signature certification authority has the following tasks and powers:

a/ To manage, maintain and operate a technical system to provide the Government’s specialized digital signature certification services to Party and State agencies;

b/ To issue digital certificates to itself;

c/ To formulate and submit to competent authorities for promulgation and guidance professional processes of provision, management and use of the Government’s specialized digital signature certification services;

d/ To guide on an annual basis agencies, organizations and individuals in reporting and reviewing the management and organization of use of digital certificates and digital signature certification services in Party and State agencies;

dd/ To have its staff, operation funds and working offices provided by the State to perform its tasks, manage and maintain its operations in order to provide digital certificates and digital signature certification services to meet practical needs of Party and State agencies and ensure security and safety of its operation.

Article 56. Government’s specialized digital signature certification services

The Government’s specialized digital signature certification authority shall provide the following services:

1. Creation and distribution of key pairs.

2. Issuance of digital certificates.

3. Extension of digital certificates.

4. Modification of digital certificates.

5. Revocation of digital certificates.

6. Restoration of e-tokens.

7. Publicization and maintenance of an online database on digital certificates.

8. Online checking of digital certificates.

9. Time-marking.

Article 57. Use of the Government’s specialized digital signature certification services

Digital signature certification services provided by the Government’s specialized digital signature certification authority may be used in e-transactions of Party and State agencies using digital signatures.

Article 58. Creation and distribution of key pairs

1. The Government’s specialized digital signature certification authority shall create key pairs of subscribers (public keys and private keys).

2. Public keys shall be attached to digital certificates and made public online on the website of the Government’s specialized digital signature certification authority.

3. A private key corresponding to a subscriber’s digital certificate may be stored on an e-token and delivered to the subscriber by safe methods.

Article 59. Validity period of digital certificates

1. A digital certificate of the Government’s specialized digital signature certification authority is valid for 20 years.

2. A digital certificate issued to a subscriber is valid for 5 years at most.

3. The validity period of an extended digital certificate is 3 years at most.

Article 60. Conditions for issuance of a digital certificate

1. Conditions for issuance of a digital certificate to an individual:

a/ Being a cadre, civil servant or public employee of a Party or State agency that needs to conduct e-transactions;

b/ Making a written request certified by the head of his/her managing agency or organization.

2. Conditions for issuance of a new digital certificate to a competent person of an agency or organization under the regulations on management and use of seals, or to a state title holder:

a/ Being a competent person of an agency or organization under a Party or State agency under the regulations on management and use of seals or a state title holder that needs to conduct e-transactions;

b/ Making a written request certified by the head of his/her managing agency or organization.

3. Conditions for issuance of a digital certificate to an agency or organization:

a/ Having the legal person status;

b/ Possessing its establishment decision or the certification given by the head of its superior agency or organization;

c/ Having a written request made by a person assigned by the agency or organization to manage its digital certificate, certified by the head of its managing agency or organization.

4. Conditions for issuance of a digital certificate for equipment, services and software:

a/ Equipment, services and software are owned or managed by agencies or organizations having the legal person status;

b/ Managers of digital certificates of equipment, services and software must be competent persons of agencies or organizations as prescribed by the regulations on management and use of seals;

c/ Having a written request made by a person assigned by an agency or organization to manage digital certificates of equipment, services and software, certified by the head of its managing agency or organization.

Article 61. Dossiers of request for issuance of digital certificates

1. A dossier of request for issuance of a digital certificate to an individual must comprise an individual’s written request for issuance of a digital certificate, certified by his/her managing agency or organization.

2. A dossier of request for issuance of a digital certificate to a competent person of an agency or organization under the regulations on management and use of seals or to a state title holder must comprise a written request for issuance of a digital certificate made by the competent person of the agency or organization under the regulations on management and use of seals or by the state title holder, certified by his/her managing agency and organization.

3. A dossier of request for issuance of a digital certificate to an agency or organization must comprise a written request of a person assigned by the agency or organization to manage its digital certificate, certified by the head of his/her managing agency or organization.

4. A dossier of request for issuance of a digital certificate for equipment, services and software must comprise a written request of a person assigned by an agency or organization to manage digital certificates of equipment, services and software and the written certification of the software copyright ownership given by the software management agency or organization, certified by the head of his/her managing agency or organization.

Article 62. Order and procedures for issuance of digital certificates

1. Requests for issuance of digital certificates

a/ Issuance of a digital certificate to an individual:

An individual shall make a written request for issuance of a digital certificate prescribed in Clause 1, Article 61 of this Decree and send it to the Government’s specialized digital signature certification authority.

b/ Issuance of a digital certificate to a competent person of an agency or organization under the regulations on management and use of seals or to a state title holder:

A competent person of an agency and organization under the regulations on management and use of seals or a state title holder shall make a written request for issuance of a digital certificate, certified by his/her managing agency or organization, and the dossier specified in Clause 2, Article 61 of this Decree and send them to the Government’s specialized digital signature certification authority.

c/ Issuance of a digital certificate to an agency or organization:

A competent person of an agency or organization under the regulations on management and use of seals who is assigned by his/her agency or organization to manage its digital certificate shall make a written request for issuance of a digital certificate, certified by his/her managing agency or organization, and the dossier specified in Clause 3, Article 61 of this Decree and send them to the Government’s specialized digital signature certification authority.

d/ Issuance of digital certificates for equipment, services and software:

A competent person of an agency or organization under the regulations on management and use of seals who is assigned by his/her agency or organization to manage digital certificates of equipment, services and software shall make a written request for issuance of a digital certificate, certified by his/her managing agency or organization, and send it to the Government’s specialized digital signature certification authority.

2. Within 3 working days after receiving a valid dossier, the Government’s specialized digital signature certification authority shall examine the dossier, create a key pair and digital certificate and provide an e-token for the subscriber. The authority shall notify the time and place of receipt of the e-token to the agency or organization managing the subscriber.

3. Agencies and organizations managing subscribers shall receive e-tokens from the Government’s specialized digital signature certification authority. After delivering an e-token to the subscriber, the managing agency and organization shall send a written request on the effective date of the digital certificate to the Government’s specialized digital signature certification authority.

4. Within 1 working day after receiving a request on the effective date of the digital certificate, the Government’s specialized digital signature certification authority shall make public the subscriber’s digital certificate on its website. The subscriber’s digital certificate takes effect after it is publicized by the Government’s specialized digital signature certification authority.

Article 63. Conditions for extension of digital certificates

1. A digital certificate may be requested for extension only once and must remain valid for at least 60 days counting to the date of request for extension.

2. Agencies, organizations and individuals shall make written requests for extension of digital certificates and have such requests approved by their managing agencies.

Article 64. Order and procedures for extension of digital certificates

1. Requests for extension of digital certificates

a/ Extension of digital certificates for individuals:

An individual shall make a written request for extension of his/her digital certificate, certified by his/her managing agency or organization, and send it to the Government’s specialized digital signature certification authority;

b/ Extension of digital certificates for competent persons of agencies or organizations under the law on management and use of seals or for state title holders:

A competent person of an agency or organization under the regulations on management and use of seals or a state title holder shall make a written request for extension of a digital certificate (not including the document specified at Point b, Clause 2, Article 61 of this Decree), certified by his/her managing agency or organization, and send it to the Government’s specialized digital signature certification authority.

c/ Extension of digital certificates for agencies or organizations:

A competent person of an agency or organization under the regulations on management and use of seals who is assigned by his/her agency or organization to manage its digital certificate shall make a written request for extension of a digital certificate (not including the document specified at Points b and c, Clause 3, Article 61 of this Decree), certified by his/her managing agency or organization, and send it to the Government’s specialized digital signature certification authority;

d/ Extension of digital certificates for equipment, services and software:

A competent person of an agency or organization under the regulations on management and use of seals who is assigned by his/her agency and organization to manage digital certificates of equipment, services and software shall make a written request for extension of a digital certificate, certified by his/her managing agency or organization, and send it to the Government’s specialized digital signature certification authority.

2. Within 3 working days after receiving a request for extension of a digital certificate, the Government’s specialized digital signature certification authority shall extend the subscriber’s digital certificate and notify thereof to the managing agency or organization.

In case of refusing to extend a digital certificate, the Government’s specialized digital signature certification authority shall notify such in writing to the managing agency or organization, clearly stating the reason.

Article 65. Conditions for modification of digital certificates

1. A digital certificate requested to be modified must remain valid for at least 60 days and the validity period of a modified digital certificate is the same as that of the original certificate.

2. Agencies, organizations and individuals shall make written requests for modification of digital certificates and have such requests certified by their managing agencies or organizations.

Article 66. Cases of modification of digital certificates

1. For a digital certificate of an individual:

a/ Changes in the agency or organization where he/she works and the changed information is inconsistent with that shown in the digital certificate;

b/ Changes in email address.

2. For a digital certificate of a competent person of an agency or organization under the regulations on management and use of seals or of a state title holder:

Changes in an individual’s competence under the regulations on management and use of seals or changes in a state title.

3. For a digital certificate of an agency or organization:

Changes in the name or address of an agency or organization and the changed information is no longer consistent with that shown in the digital certificate.

4. For a digital certificate for equipment, services and software:

Changes in the names of equipment, services and software or upgrading of its/their version(s) or addition of its/their function(s) and the changed information is no longer consistent with that shown in the digital certificate.

Article 67. Order and procedures for modification of digital certificates

1. Requests for modification of digital certificates

a/ Modification of a digital certificate of an individual:

An individual shall make a written request for modification of his/her digital certificate, certified by his/her managing agency or organization, and send it to the Government’s specialized digital signature certification authority;

b/ Modification of a digital certificate of a competent person of an agency or organization under the law on management and use of seals or of a state title holder:

A competent person of an agency or organization under the regulations on management and use of seals or a state title holder shall make a written request for modification of a digital certificate and the dossier specified in Clause 2, Article 61 of this Decree and send them to the Government’s specialized digital signature certification authority;

c/ Modification of a digital certificate of an agency or organization:

A competent person of an agency or organization under the regulations on management and use of seals who is assigned by the agency or organization to manage its digital certificate shall make a written request for the modification of the digital certificate, certified by his/her managing agency or organization, and send it to the Government’s specialized digital signature certification authority;

d/ Modification of a digital certificate for equipment, services and software:

A competent person of an agency or organization under the regulations on management and use of seals who is assigned by the agency and organization to manage the digital certificate for equipment, services and software shall make a written request for the modification of the digital certificate, certified by his/her managing agency and organization, and send it to the Government’s specialized digital signature certification authority.

2. Within 3 working days after receiving a request for modification of the digital certificate, the Government’s specialized digital signature certification authority shall modify the subscriber’s digital certificate and notify the managing agency or organization thereof.

In case of refusing to modify the digital certificate, the Government’s specialized digital signature certification authority shall notify such in writing to the managing agency or organization, clearly stating the reason.

Article 68. Cases of revocation of digital certificates

1. For digital certificates of any type:

a/ Digital certificates expire;

b/ At a written request of subscribers, certified by their managing agencies or organizations, when private keys are revealed or suspected to be revealed; e-tokens are lost or other cases showing unsafety; or e-tokens are damaged;

c/ At a written request of proceedings-conducting bodies or public security agencies;

d/ At a written request of subscriber-managing agencies or organizations;

dd/ Subscribers violate the provisions on management and use of e-tokens in Article 74 of this Decree.

2. For digital certificates of individuals:

a/ The cases specified in Clause 1 of this Article;

b/ An individual’s working position has changed but information on his/her new working position is inconsistent with that shown in the digital certificate;

c/ An individual has retired, quitted his/her job or died.

3. For digital certificates of competent persons of agencies or organizations prescribed in the regulations on management and use of seals or of state title holders:

a/ The cases specified in Clauses 1 and 2 of this Article;

b/ Changes in an individual’s competence under the regulations on management and use of seals or changes in a state title.

4. For digital certificates of agencies or organizations:

a/ The cases specified in Clause 1 of this Article;

b/ Agencies or organizations are dissolved.

5. For digital certificates of equipment, services and software:

a/ The cases specified in Clause 1 of this Article;

b/ Equipment, services or software stop(s) working.

Article 69. Competence to request revocation of digital certificates

1. The Government’s specialized digital signature certification authority shall automatically revoke expired digital certificates and concurrently notify managing agencies or organizations of the revocation of e-tokens.

2. For all cases of revocation of digital certificates not for the reason of their expiration, a written request for revocation shall be promptly sent to managing agencies or organizations.

3. In case a subscriber being an individual has retired, quitted his/her job, moved to another agency, or died, his/her managing agency or organization is competent to send its request for revocation of his/her digital certificate to the Government’s specialized digital signature certification authority.

4. In case a subscriber being an organization is dissolved, its managing agency or organization is competent to send its request for revocation of its digital certificate to the Government’s specialized digital signature certification authority.

5. A request for revocation of a digital certificate sent to the Government’s specialized digital signature certification authority shall be made in writing as soon as possible.

Article 70. Dossier, order and procedures for revocation of digital certificates

1. A dossier of request for revocation of a digital certificate must comprise:

a/ A written request for revocation of a digital certificate of an individual, certified by his/her managing agency or organization; or,

b/ A written request for revocation of a digital certificate, made by a proceedings-conducting body or public security agency.

2. Order and procedures for revocation of a digital certificate:

Within 12 hours after receiving a request for revocation of a digital certificate, the Government’s specialized digital signature certification authority shall invalidate the digital certificate and publicize the revocation of the certificate on its website; and concurrently notify the revocation of the e-token to the managing agency or organization.

Article 71. Revocation of an e-token after a digital certificate expires or is revoked

1. A subscriber shall deliver the e-token to his/her/its managing agency or organization after his/her/its digital certificate expires or is revoked.

2. The agency or organization managing the subscriber shall revoke the e-token in case a subscriber being an individual has retired, quitted his/her job or died or a subscriber being a dissolved agency or organization has been transferred to the Government’s specialized digital signature certification authority.

3. E-token revocation process:

a/ Within 5 working days after revoking a digital certificate, the managing agency or organization shall revoke the e-token of the expired or revoked digital certificate and deliver it to the Government’s specialized digital signature certification authority;

b/ The e-token delivery and receipt process shall be recorded in minutes.

Article 72. Issuance of a digital certificate after the original certificate expires or is revoked

1. If fully satisfying the conditions prescribed in Article 63 of this Decree, a subscriber wishing to be issued a digital certificate after his/her/its original certificate expires or is revoked may be considered to be issued a new one.

2. The dossier, order and procedures for issuance of a new digital certificate after the original certificate expires or is revoked are similar to those for the first-time issuance of a digital certificate.

Article 73. Restoration of e-tokens

1. Cases subject to e-token restoration:

a/ An e-token shall be locked if wrong passcodes have been entered for the number of times exceeding that prescribed by the Government’s specialized digital signature certification authority;

b/ The resumption of operation of an e-token requires the implementation of the e-token restoration process;

c/ Only the Government’s specialized digital signature certification authority and its authorized organizations may restore e-tokens;

d/ The list of organizations authorized by the Government’s specialized digital signature certification authority to restore e-tokens shall be made public on the website of the Government’s specialized digital signature certification authority.

2. A dossier of request for restoration of an e-token must comprise a subscriber’s written request for restoration of an e-token, certified by the managing agency or organization.

3. E-token restoration process:

a/ A subscriber shall send his/her/its written request for e-token restoration, certified by the managing agency, to the Government’s specialized digital signature certification authority;

b/ Within 24 hours after receiving a written request for e-token restoration, the Government’s specialized digital signature certification authority or its authorized organization shall restore the e-token and notify such to the subscriber and his/her/its managing agency or organization.

Article 74. E-token management

1. E-tokens shall be managed in accordance with current laws.

2. Not to use tools, programs or any other forms to change data or damage e-tokens.

 

Chapter VIII

RIGHTS AND OBLIGATIONS OF SUBSCRIBERS, SIGNERS, RECIPIENTS, AND ORGANIZATIONS AND INDIVIDUALS THAT DEVELOP DIGITAL SIGNATURE APPLICATIONS OR PROVIDE DIGITAL SIGNATURE SOLUTIONS

Article 75. Rights and obligations of subscribers using public digital signature certification services

1. To request public digital signature certification authorities to provide information specified in Clause 8, Article 32 of this Decree in written form.

2. To request their digital signature certification authorities to suspend or revoke the issued digital certificates and take responsibility for such request.

3. To provide truthful and accurate information under regulations to public digital signature certification authorities.

4. To ensure that equipment used for the creation of the key pair complies with compulsory technical regulations and standards if a subscriber creates a key pair for himself/herself/itself. This provision does not apply to subscribers that rent equipment for the creation of key pairs from public digital signature certification authorities.

5. To store and use their private keys in a safe and secret manner throughout the validity and suspension periods of their digital certificates.

6. If detecting that their private keys have been revealed, stolen or illegally used, to notify the relevant digital signature certification authority thereof within 24 hours so that the latter can take handling measures.

7. After having agreed to allow public digital signature certification authorities to publicize their digital certificates under Clause 3, Article 25 of this Decree or after having supplied those certificates to others for transaction purposes, subscribers shall be regarded as having committed with recipients that they are lawful holders of private keys corresponding to public keys on such digital certificates and that subscriber-related information on those certificates is true; they shall, at the same time, perform obligations in relation to such digital certificates.

8. To take responsibility before law if violating Clause 3, 4, 5, 6 or 7 of this Article and other relevant regulations.

Article 76. Rights and obligations of subscribers using specialized digital signature certification services of agencies or organizations

1. To use services within the scope prescribed in the certification rules of their digital signature certification authorities.

2. To store and use their private keys in a safe and secret manner throughout the validity and suspension periods of their digital certificates.

3. If detecting that their private keys have been revealed, stolen or illegally used, to notify the relevant digital signature certification authority thereof within 24 hours so that the latter can take handling measures.

Article 77. Rights and obligations of subscribers using foreign digital certificates permitted for use in Vietnam

1. To have the same rights and obligations as subscribers using public digital signature certification services within the scope and purposes prescribed in permits for use of foreign digital certificates in Vietnam.

2. If detecting that their private keys have been revealed, stolen or illegally used, to notify the relevant digital signature certification authority and the Ministry of Information and Communications thereof within 24 hours so that the latter can take handling measures.

Article 78. Obligations of signers before digital signing

Before digital signing, signers shall follow the process of checking digital certificate validation status below:

1. To check their digital certificate validation status in the technical systems of the digital signature certification authorities that have issued such certificates.

2. In case a signer uses a digital certificate issued by a public digital signature certification authority: to check the validation status of the digital certificate of the digital signature certification authority in the technical system of the National Digital Signature Certification Authority.

3. If the results of checking mentioned in Clauses 1 and 2 of this Article are concurrently valid, signers may digitally sign. If the results of checking mentioned in Clause 1 or 2 of this Article are invalid, signers may not digitally sign.

Article 79. Obligations to check validation status of digital certificates or digital signatures upon receipt of digitally signed data messages

1. Before accepting a digital signature of a signer, a recipient shall check the following information:

a/ Digital certificate validation status, use scope, restrictions on responsibilities, and other information on the signer’s digital certificate;

b/ Whether the digital signature is created by a private key corresponding to the public key on the signer’s digital certificate;

c/ For digital signatures created by foreign digital certificates permitted for use in Vietnam, to check the validation status of digital certificates in both the system of the National Digital Signature Certification Authority and the systems of foreign digital certificate certification authorities that have issued such certificates.

2. A recipient shall follow the checking process below:

a/ To check the digital certificate validation status at the time of digital signing, use scope, restrictions on responsibilities, and other information on the digital certificate under Article 5 of this Decree in the technical systems of digital certificate certification authorities that have issued such certificates;

b/ In case a signer uses a digital certificate issued by a public digital signature certification authority: to check the validation status of the digital certificate of the digital signature certification authority that has issued such certificate at the time of digital signing in the technical system of the National Digital Signature Certification Authority;

c/ Digital signatures on data messages shall be valid only when the results of checking mentioned in Clauses 1 and 2 of this Article are concurrently valid.

3. A recipient shall take responsibility when:

a/ Failing to comply with Clauses 1 and 2 of this Article;

b/ Having known or been notified of the unreliability of the signer’s digital certificate and private key.

Article 80. Responsibilities of organizations and individuals developing digital signature use applications

1. To satisfy compulsory technical regulations and standards on digital signatures and digital signature certification services currently in force.

2. To ensure technological neutrality and refrain from using technical barriers to restrict the use of digital signatures by one or more than one digital signature certification authority.

3. To update digital certificates of digital signature certification authorities in applications at the request of the latter or a competent agency as prescribed by law to ensure the verification results are accurate.

4. To satisfy the process of checking digital certificate validation status prescribed in Article 78, and Clause 2, Article 79, of this Decree.

Article 81. Responsibilities of organizations and individuals providing digital signature solutions

1. To provide solutions complying with compulsory technical regulations and standards on digital signatures and digital signature certification services currently in force.

2. To encourage the provision of solutions complying with the world’s popular and advanced standards on digital signatures.

 

Chapter IX

IMPLEMENTATION PROVISIONS

Article 82. Transitional provision

Within 2 years from the effective date of this Decree, lawfully operating digital signature certification authorities shall satisfy the conditions for service provision prescribed in this Decree.

Article 83. Effect

1. This Decree takes effect on November 15, 2018.

2. This Decree replaces the Government’s Decree No. 26/2007/ND-CP of February 15, 2007, detailing the Law on E-Transactions regarding digital signatures and digital signature-certification services; Decree No. 106/2011/ND-CP of November 23, 2011, amending and supplementing a number of articles of the Decree No. 26/2007/ND-CP, and Decree No. 170/2013/ND-CP of November 13, 2013, amending and supplementing a number of articles of Decrees No. 26/2007/ND-CP and No. 106/2011/ND-CP.

Article 84. Organization of implementation and implementation responsibility

1. Ministries, ministerial-level agencies, government-attached agencies, provinces and centrally run cities, and agencies and organizations involved in the application of information technology in the operation of state agencies and the provision of online public services to people and enterprises shall promote the application and use of digital signatures and digital signature certification services in accordance with this Decree to ensure safety for e-transactions between state agencies and people and enterprises.

2. Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of provincial-level People’s Committees and related organizations and individuals shall implement this Decree.

On behalf of the Government
Prime Minister
NGUYEN XUAN PHUC

* The Appendix to this Decree is not translated.

 



[1] Công Báo Nos 967-968 (10/10/2018)
