Frequently Asked Questions

PUBLIC KEY INFRASTRUCTURE (PKI)

1. What is PKI?

PKI stands for Public Key Infrastructure. To enable the use of digital signatures in an open environment (such as the Internet) where the participants do not know each other, it is necessary to know who the signer is. PKI is a system created for this purpose: in it, a reliable third party issues a digital certificate containing information about the person to whom the certificate is issued. PKI uses a key pair, in which one key is public and the other is private; the system is based on asymmetric encryption. The signer signs the message with the private key, known only to the signer. The recipient can verify the authenticity of the signature and the integrity of the message with the public key given in the certificate.

THE ELECTRONIC TRANSACTIONS ACT

2. What are the purposes of enacting the ETA?
  • To facilitate electronic communications by means of reliable electronic records;
  • To facilitate e-commerce and to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;
  • To facilitate electronic filing of documents with government agencies and statutory corporations, and to promote efficient delivery of government services by means of reliable electronic records;
  • To minimise the incidence of forged electronic records, intentional and unintentional alteration of records, and fraud in electronic commerce and other electronic transactions;
  • To help establish uniformity of rules, regulations and standards regarding authentication and other electronic transactions; and
  • To promote public confidence in the integrity and reliability of electronic records and e-commerce, and to foster the development of e-commerce through the use of digital signatures to provide authenticity and integrity to correspondence in any electronic medium.

3. How does the ETA help in the development of e-commerce in Mauritius?

It addresses the legal issues necessary to set the stage for a secure and pro-business environment for electronic commerce in Mauritius.

4. What are the salient features of the ETA?

Broadly, the ETA seeks to:

    • enact a commercial code to support e-commerce transactions;
    • set the legislative framework for Certification Authorities;
    • enable electronic applications and licences for the public sector; and
    • clarify network service providers' liability for third party content.

5. How does the ETA enact a commercial code to support e-commerce transactions?
  • The ETA clarifies the rights and obligations of transacting parties by setting out provisions dealing with issues related to the formation of electronic contracts. It also gives legal recognition to the use of electronic records and signatures and their secure counterparts.
6. How does the ETA set the legislative framework for Certification Authorities?
  • The ETA stipulates the duties of Certification Authorities (CAs) and their subscribers and provides for the appointment of a Controller of CAs to regulate and license CAs in Mauritius.
7. How does the ETA enable the public sector's use and acceptance of electronic records and digital signatures?

There is a provision for public sector agencies to accept electronic filing and issue electronic documents without having to amend their respective Acts. The ETA also provides that public sector agencies can specify, as regulations, additional requirements for the retention of electronic records under their purview.
See Section 40 of ETA for more information.

8. How does the ETA clarify the liability of the network service providers?

The ETA provides that a service provider is not subject to criminal or civil liability for third party material to which the provider merely provides access.
See Section 9 of ETA for more information.

9. How does the ETA compare with existing frameworks in other countries?

The ETA is partly based on the UNCITRAL Model Law on Electronic Commerce.

10. What are the requirements for secure digital signatures?

Under the ETA, a digital signature shall be treated as a secure digital signature if it can be verified through the application of a prescribed security procedure, or a commercially reasonable security procedure agreed to by the parties involved, so long as the signature is:

    • unique to the person using it;
    • capable of identifying such person;
    • created in a manner or using a means under the sole control of the person using it; and
    • linked to the electronic record to which it relates in such a manner that if the record is changed, the digital signature would be invalidated.

See Section 16 for more information.

11. What are the requirements for digital signatures to be legally binding in Mauritius?

There are 4 ways in which a digital signature can be given legal recognition under the ETA:

    • use certificates issued by a licensed CA;
    • use certificates issued by a CA outside Mauritius but recognised by the Controller of CAs;
    • use certificates issued by an approved Government CA; or
    • establish a contractual agreement between the parties involved in the transaction to use a prescribed digital signature mechanism that is secure.

See Section 19 for more information.

12. What are the duties of a CA?

The duties of a CA include using trustworthy systems in performing its services and maintaining secure procedures for the issuance, renewal, suspension, revocation and publication of its certificates.
See Sections 24 to 32 for more information.

13. What are the duties of a subscriber of a certificate?

The duties of the subscriber include providing accurate and complete information when applying for a certificate, safeguarding the private key and initiating suspension or revocation requests if the private key is compromised.
See Sections 33 to 36 for more information.

14. What is the role of the Controller of CAs?

The role of the Controller of CAs (CCA) is to regulate and license the activities of CAs in Mauritius. As CAs perform a trusted role in verifying the identities of parties in electronic transactions, the CCA seeks to provide the assurance that the CAs' responsibilities are met and that these services are made available with high integrity, security and service standards.

15. How does one know if a CA is licensed by the Controller of CAs?
  • The Controller of CAs will maintain a publicly accessible database containing a CA disclosure record for each licensed CA.

ELECTRONIC TRANSACTIONS (CERTIFICATION AUTHORITY) REGULATIONS

16. Why is there a need to enact the Regulations?

During online transactions, transacting parties may not be able to reliably verify each other's identity. A CA thus plays the important role of a trusted third party in vouching for the identities of the holders of the certificates it issues (i.e. its subscribers). The Regulations seek to set a benchmark for the integrity and security of the services offered by CAs.

17. What is the purpose of enacting the Regulations?

The Regulations aim to ensure high standards of integrity, security and service levels for licensed CAs in Mauritius by:

    • putting in place a licensing scheme for CAs;
    • laying down the administrative framework for licensing by the Controller of CAs; and
    • stipulating the licensing criteria for CAs in Mauritius and the continuing operational requirements after obtaining a licence.

18. When were the Regulations enacted?

The Regulations were enacted on 1st December 2010.

19. Is it mandatory for a CA to be licensed in Mauritius?

Yes, CAs operating in Mauritius shall be duly licensed by the Controller of CAs.

20. What are the licensing criteria that CAs will be evaluated against?

The criteria that CAs will be evaluated against include their financial standing, operational policies and procedures, and the security of their systems.

21. What are the auditing requirements?

CAs that apply to be licensed will have to be audited for compliance against the ETA, the Regulations, their Certification Practice Statement (CPS), the Security Directives and other licensing conditions imposed by the Controller of CAs.

22. Under what circumstances will the licence of a CA be revoked or suspended?

A CA's licence will be revoked if the CA is wound up or at the request of the CA. The Controller of CAs may also revoke or suspend the CA's licence if it fails to comply with any mandatory conditions pertaining to the issuance/renewal of the licence.

23. Are foreign CAs recognised in Mauritius?

Foreign CAs are recognised in Mauritius if they:

  • demonstrate a level of security equal to or more stringent than the level of security of a certificate issued by a licensed Certification Authority of Mauritius;
  • provide for or have established a local agent for service of process in Mauritius; and
  • comply with the standards and other requirements under the Act and Regulations.

24. How should public sector agencies apply?

Public sector agencies applying to become an approved CA in Mauritius should:

  • make an application to the Ministry of Information and Communication Technology;
  • fill out the Approval form;
  • have the technical infrastructure located in Mauritius; and
  • comply with the standards and other requirements under the Act and Regulations (refer to sections 15, 16 and 17 of the Electronic Transactions (Certification Authorities) Regulations 2010).

LICENSING PROCESS

25. What are the steps involved in the licensing process?

The entire licensing/recognition/approval process involves:

    • application submission on the prescribed form;
    • application processing; and
    • award or rejection of the application.

26. What are the documents to be submitted for the application of a CA's licence?

An application has to be accompanied by the following documents:

    • certified true copies of the insurance certificate;
    • a cheque or bank draft of Rs 5,000, crossed 'Account Payee' only;
    • certified true copies of the company's resolution;
    • business plans (including cash flow projections and budget statements);
    • audited accounts for the past 3 years (if applicable);
    • the CA's Certification Practice Statement (CPS);
    • technical specifications of the CA system and the CA's security policies and standards;
    • an organisational chart and details of all trusted personnel;
    • the report of the initial audit, within 4 weeks of completion of the audit (if available at that point in time);
    • for an existing foreign CA applying for recognition in Mauritius, a certified copy of its licence; and
    • a copy of the Data Controller Certificate issued by the Data Protection Office.

27. How long does the licensing process take?

Provided that all the required information and documents are in order, the application can be processed within 90 days.

28. What are the fees payable for a CA to be licensed?

The application/renewal fee payable is Rs 5,000 in respect of each submission. In addition, upon approval of the application, the applicant must pay an initial licence fee of Rs 50,000 and an annual licence fee of Rs 50,000 for the entire duration of the licence.

29. Who carries out the audit of a CA ?

The audit of the CA is carried out by such auditor as the Controller may appoint or determine.

30. Must a licensed CA be re-audited if its CPS is changed?

Yes, a re-audit is necessary. The auditors can recommend whether a full or partial audit is required.

31. Is it mandatory for a CA to obtain insurance?

Yes, a CA must be minimally insured against liability arising from errors or omissions on its part or on the part of its officers or employees.

DIGITAL SIGNATURE

32. What is a digital signature?

A digital signature is a signature produced using the public key method. With a digital signature it is possible to verify that the recipient receives the message in its original form and that the signer is who he or she claims to be. The creator of the digital signature has a private key, which is needed to sign the message. The recipient of the message has the signer's public key, which can be used to verify the signature. Digital signatures are based on the Public Key Infrastructure (PKI) and the use of asymmetric encryption methods and hash functions.

33. What are digital signatures used for?

Digital signatures are used to ensure the integrity of electronically transmitted information and also to ensure that the person sending the information is who he or she claims to be and cannot later deny having sent it. Digital signatures therefore have additional features compared to handwritten signatures.

34. What kind of keys are used in creating digital signatures?

Public key encryption is used in creating digital signatures. Public key encryption is based on the use of key pairs (private/public). The message is encrypted with one key and decrypted with the other. The digital signature is created using the signer's private key. The recipient can verify the signature using the signer's public key.

35. How is a digital signature created and verified?

The signer first computes the hash value of the message to be signed. The hash value is like a compressed version of the message; hash algorithms are designed so that it is very hard to find two messages with the same hash value. When the signer has computed the hash value, the signer transforms it into a signature with the private key. The recipient of the message transforms the signature back into the hash value with the sender's public key and compares it with the hash value computed from the received message. If the two hash values match, it is verified with certainty that the message and the signature belong to the holder of the private key used to sign the message. Since the signer uses a unique private key to sign the message, the signature is authentic.

CERTIFICATES

36. What is a certificate?

In simple terms, a certificate is a data structure that binds together the name of the person the certificate is issued to and that person's public key. The certificate is an electronic proof issued by a reliable authority, a certification authority. It verifies that the public key and the other information in the certificate, for instance the person's name/identity, correspond to each other. The certificate also includes the name of the certification authority and a period of validity for the certificate. The certification authority's digital signature guarantees the origin and integrity of the certificate. When a signed message is received, the recipient can search for the certificate in a directory using the sender's personal data. The signature can be verified by using the public key given in the certificate. Certificates are issued not only to individuals but also to associations, organisations and computer devices.

37. What does a certificate contain?

The certificate contains, among other things, the public key of the holder, the name of the holder, the period of validity for the certificate, the name of the certification authority that issued the certificate and the serial number of the certificate. The issuing certification authority digitally signs the certificate.

38. What is a Controller of Certification Authority (CCA)?

The Controller of Certification Authorities, as the "Root" Authority, certifies the technologies, infrastructure and practices of all the Certification Authorities licensed to issue Digital Signature Certificates.

39. What is a Certification Authority (CA)?

A certification authority is an organisation that issues certificates, and signs the certificates and the revocation lists with its private key.

40. What is a Registration Authority (RA)?

A Registration Authority (RA) can be used to offload many of the administrative functions from the CA, including end-user registration.

41. What is a Certificate Revocation List (CRL)?

A Certificate Revocation List (CRL) is a compilation of certificates that a certification authority has revoked before their period of validity has expired. A revoked certificate cannot be restored to use.

42. What can certificates be used for?

Certificates can be used, for instance, for the following purposes:

  • Privacy: certificates can be used to encrypt and decrypt messages.
  • Authenticity: certificates can be used to digitally sign a message. A digital signature verifies the authenticity of the sender of the message and that the message has remained unaltered.
  • Access control: certificates can be used to control, for instance, the access of employees to the organisation's intranet.

43. What is certification service operation?

Certification service operation means issuing and maintaining certificates. It includes registration of applicants, creation of certificates, distribution of certificates through the directory service, revocation of certificates and the revocation list service.

ENCRYPTION METHODS

44. What is a key?

A key is a long number sequence that is used as a parameter for the encryption and decryption algorithms. Symmetric algorithms use the same key for encryption and decryption. Public key algorithms use both a public and a private key. The length of the key is an important factor in ensuring the security of communications. Key lengths are given in bits. In symmetric encryption a key length of 128 bits, and in asymmetric encryption a key length of 1024 bits, is considered to be secure.

45. What are encryption algorithms?

Encryption algorithms are mathematical formulas used to transform a readable message into a message that can only be read by the intended recipient. The information is encrypted so that only the intended recipient is able to read and transform the message back. The message can be intercepted, but it is useless to a person who cannot decrypt it. Encrypting and decrypting the information requires, in addition to the encryption algorithm, a key. Only a person who has the right key and the algorithm can decrypt a message encrypted in this way.

46. What are the algorithms for a public key?

Public key algorithms are encryption algorithms that require two keys: a public and a private key. When one of these keys is used to encrypt a message, only the other key is able to decrypt it. The private key must be kept secret. The public key may be published, for instance, in a public directory. The public key can be used to verify a message that has been signed with the private key, or to encrypt a message that can only be decrypted with the private key.
If someone wants to send you a message it can be encrypted using your public key and you can decrypt it with your private key. Since you are the only one with access to your private key, you are also the only one who can decrypt the message. Public key algorithms are also called asymmetric encryption algorithms.