Question & Answer (EXECUTIVE ORDER NO. 810)
The main purpose of Executive Order No. 810 is to institutionalize the certification scheme for digital signatures in the Philippines and to direct the application of digital signatures in e-government services to ensure security, confidentiality, authenticity, integrity, and non-repudiation in electronic transactions.
The National Computer Center (NCC) under the Commission on Information and Communications Technology (CICT) is designated as the Root Certification Authority (CA).
The Root CA operates the Root CA system, issues and manages certificates to accredited government and private CAs, develops and prescribes technical standards for digital signatures in collaboration with the Bureau of Product Standards of DTI, ensures interoperability of digital certification technology, provides technical expertise, supports international cooperation including mutual recognition and cross-certification, and resolves disputes involving digital certificates.
DTI is responsible for issuing guidelines to implement the National Certification Scheme for Digital Signatures and, through its Philippine Accreditation Office (PAO), serves as the accreditation and assessment body for Certification Authorities (CAs). It issues accreditation criteria, accredits CAs, conducts assessments, and can revoke or suspend licenses of CAs for non-compliance.
A digital signature is an electronic signature consisting of a transformation of an electronic document or electronic data message using an asymmetric or public cryptosystem such that a person having the initial document and the signer's public key can determine (i) if the transformation was made using the private key corresponding to the public key, and (ii) whether the document has been altered after the transformation was made.
Government agencies and instrumentalities providing e-government services act as Registration Authorities. Their duties include identifying and registering users, transmitting certificate requests to the government CA, validating certificates and Certificate Revocation Lists (CRL), and requesting revocation of certificates.
All government agencies and instrumentalities providing electronic services must require the use of digital signatures in their e-government services to ensure the security and non-repudiation of electronic transactions. Such digital signature projects must be included in their Information Systems Strategic Plans (ISSP) submitted to NCC-CICT for approval.
The NCC, acting as both Root CA and Government CA, is authorized to charge fees to recover at least the full cost of services rendered. Government agencies as RAs may also charge fees. Fee imposition and increases are subject to existing guidelines under Memorandum Circular No. 137 (2007) and NEDA Circular No. 01-2007. Fees charged by private Accredited CAs are market-determined but must be just and reasonable.
Cases arising from issues concerning accreditation of CAs, issuance and use of digital certificates, and related matters shall be heard and resolved by the respective government agencies designated to perform the necessary services according to formulated rules and regulations.
During the initial transitory period after implementation, there may be an interim personnel complement to manage and operate the Root and Government CAs. These personnel can be on detail, reassignment, or secondment subject to Civil Service Commission rules. These arrangements will persist until private Accredited CAs become operational, after which NCC will relinquish the role of private ACA.
The NCC-CICT is directed to plan, direct, and monitor implementation, assist agencies designated as Registration Authorities, and submit an implementation plan with timetable and resources to the Office of the President. The Department of Budget and Management (DBM) is tasked with ensuring allocation of required manpower and budget resources in consultation with DTI and CICT.
The DTI is mandated to promote the application of digital signatures in ICT systems in the private sector to ensure electronic transaction security. Regulatory agencies are directed to identify critical electronic services requiring high security and to consider strictly requiring digital signatures for these services.