Scope and coverage of the scheme
- The Order prescribes general rules and guidelines for implementing the National Certification Scheme for Digital Signatures in the Philippines.
- The National Certification Scheme adopted under Executive Order No. 810 is the basis for compliance under this Order.
- The Order focuses on: (a) accreditation framework references, (b) technical standards for digital signatures, (c) identity establishment for subscribers, and (d) dispute routing and related penalties.
Accreditation and recognized technical standards
- The rules governing the accreditation of Certification Authorities (CAs) are governed by DTI DAO No. 10-09 issued on September 29, 2010.
- For the initial implementation of Executive Order No. 810, accredited CAs must use internationally-accepted standards for digital signatures.
- The internationally-accepted standards are to be prescribed by CICT–NCC (under the Commission on Information and Communications Technology and the National Computer Center) in coordination with DTI–Bureau of Product Standards (BPS).
- The standards issued by the Root CA are issued as a separate document and are updated from time to time to reflect the emergence of new international standards and/or updates to current standards.
- The interoperability objective extends to international cooperation, including mutual recognition and cross-certification.
Identity verification for digital certificates
- A subscriber must apply for a digital certificate either through an individual applicant or the authorized representative of the juridical applicant.
- Subscriber application must be made personally with a Registration Authority (RA) or directly with the CA, using face-to-face verification in addition to minimum documentary requirements.
- Face-to-face verification is mandatory for identity and address verification at application stage, including for individuals and juridical entities.
- The Root CA and accredited CAs must follow the identity establishment requirements under Sections 4.1 to 4.2, subject to renewal-related relaxations under Section 4.3.
Individual applicant: required minimum documents
- An individual applicant must submit a birth certificate printed on security paper for a Filipino citizen or an Alien Certificate of Registration (ACR) card for a foreigner.
- An individual applicant must submit a Taxpayer Identification Number (TIN).
- An individual applicant must submit one (1) Unified Multi-Purpose Identification (UMID)-compliant card; if none is available, the applicant must submit two (2) valid identification (ID) cards with photo and signature.
- The validity of the alternative ID cards is determined by reference to Bangko Sentral ng Pilipinas (BSP) Circular No. 608, Series of 2008, as may be amended.
- An individual applicant must submit a passport-size color photo taken within the last six (6) months.
- An individual applicant must prove valid address by submitting either:
- a copy of the latest utility bill showing the same address found on the valid identification card, or
- a Barangay Clearance.
- If the utility bill is in another person’s name, the applicant must show proof of relationship.
- An individual applicant must submit a phone number (mobile and/or landline number).
Waiver for individual applicants
- The RA or CA may waive the birth certificate requirement if the applicant presents a valid Philippine Passport.
Juridical applicant: authorized company representative
- An authorized company representative must submit a birth certificate printed on security paper for a Filipino citizen or an ACR card for a foreigner.
- The authorized company representative must submit a TIN.
- The authorized company representative must submit one (1) UMID-compliant card; if unavailable, the representative must submit two (2) valid ID cards with photo and signature, using BSP Circular No. 608 (Series of 2008) as basis for determining validity.
- The authorized company representative must submit either a company-issued ID card with photo and signature or a UMID-compliant card.
- The authorized company representative must submit a passport-size color photo taken within the last six (6) months.
- The authorized company representative must submit a phone number (mobile and/or landline number).
- The RA or CA may waive the birth certificate requirement if the authorized company representative presents a valid Philippine Passport.
Juridical applicant: organization requirements
- For a government juridical applicant, the juridical entity must submit:
- the TIN of the juridical applicant;
- an authorization letter/board resolution naming the authorized representative(s), up to a maximum of three (3);
- the GSIS registration number; and
- valid address supported by a copy of the latest utility bill showing the same address.
- For a non-government juridical applicant, the juridical entity must submit:
- the TIN of the juridical applicant;
- an authorization letter/board resolution naming the authorized representative, up to a maximum of three (3);
- a copy of the SEC business registration or DTI Certificate of Business Name Registration;
- a copy of the Business Permit issued by the LGU;
- an SSS employer clearance; and
- valid address supported by a copy of the latest utility bill showing the same address.
Duty to notify changes
- A juridical entity organization must be responsible for notifying the RA or CA in writing if there are changes in authorized representative(s) or address.
Certificate validity, renewal, and amended requirements
- A digital certificate has a validity period of one (1) year under the rule referenced in Section 4.3.
- For renewal of a digital certificate with the same RA or CA, the RA or CA may waive face-to-face verification of identity of the subscriber.
- For renewal, the RA or CA may allow online submission of applications for renewal of digital certificate subscriptions.
- If there are changes in the form and/or content of the subscriber’s requirements previously submitted under Sections 4.1 to 4.2, the RA or CA shall require submission of amended/new documents upon renewal.
- In that renewal situation involving amended/new requirements, the RA or CA may require face-to-face verification of the subscriber.
Dispute resolution and responsible offices
- The Philippine Accreditation Office (PAO) handles disputes pertaining to the accreditation of CAs or other issues arising from that accreditation, pursuant to DTI DAO No. 10-09 (Series of 2010).
- The National Computer Center (NCC) under the CICT, as the Root CA, handles disputes pertaining to the use and issuance of digital certificates or other issues related to the same, pursuant to NCC-CICT implementing guidelines.
Applicable laws, penalties, and consequences
- The use and issuance of digital certificates are covered by Republic Act No. 8792 (Electronic Commerce Act of 2000), Republic Act No. 8484 (Access Devices Regulation Act of 1998), and Republic Act No. 7394 (Consumer Act of the Philippines), including their implementing rules and regulations.
- Violations committed against those laws in relation to the use and issuance of digital certificates are subject to the penalties applicable under those laws and their implementing rules and regulations.
Miscellaneous provisions, separability, and effectivity
- The Order does not preclude other government agencies designated to provide necessary services to implement the scheme from issuing their own rules or guidelines.
- A separability clause provides that if any provision of the Order is declared invalid or unconstitutional, the remaining provisions remain valid and in effect.
- The Order takes effect fifteen (15) days after publication of its full text in the Official Gazette or in one (1) newspaper of general circulation.