Legislative: Promulgated by the Fiscal Information Agency, Ministry of Finance on December 21, 2007.
Content:
1. The certification authority that applies to join the E-Invoice Platform shall meet the following requirements:
(1) The certification authority has been approved by the competent authority of the Electronic Signature Act as a certification authority;
(2) The certification authority has provided the service of issuing certificates for more than one year after approval by the competent authority of the Electronic Signature Act;
(3) The number of certificates that have been legally issued by the certification authority exceeds fifty thousand or above;
(4) The certification authority shall periodically pass the ISO27001 international standard or other standards recognized by the Ministry of Finance;
(5) The certificate level of the certification authority is based on the Certification Practice Statement (CPS), and the applicable certificate level and type shall be approved by the Ministry of Finance. The scope of applicable business shall specify what can be used for the application item of "electronic uniform invoice";
(6) Mechanical rooms, equipment, file storage, and key management must be sourced in the territory of the Republic of China. According to the actual situation, the Ministry of Finance may inspect the independence, security, finance, technology, personnel management, and other matters of the certification authority on site;
(7) The verification and function of the certificate provided by the certification authority shall include: correction and validation of private key, correction and validation of certificate information, the symmetry of the key, the electronic signature, and the encryption and decryption of the transmission of data;
(8) The certification authority shall self-review the certificate issuance process of the registration authority and establish a system control mechanism to manage the registration authority. The review of the registration authority shall meet the following requirements:
A. The registration authority for acceptance of the application for the certificate shall use the over-the-counter process to handle the identity confirmation or other procedures sufficient to identify the true identity of the applicant when applying for certificate operations or related service matters, so as to prevent others from applying under false names;
B. The certification authority shall take responsibility to make sure that the certificate issuance process of the registration authority meets the above requirements and provides an external audit report. If the registration authority violates the foregoing, the certification authority shall stop the certificate issued by the registration authority from being used for the business of electronic uniform invoice;
C. The registration authority shall inform the user of the certificate that its certificate is applicable to electronic uniform invoice, and the agreement with users shall state that the user certificate may be used in the "electronic uniform invoice" application;
D. The user participating in the electronic uniform invoice must be the business object of the registration authority and fill in the application form to apply for the certificate;
(9) Safety requirements:
A. The completion and privacy of the information can be confirmed, the user can be identified, and later denial can be prevented;
B. The uniqueness, identification, reliability, and ability to connect the relation with the content of electronic documents;
C. A unique signature used by the signatory for a specific purpose;
D. The identity of the signatory can be objectively identified;
E. Made by the signatory in a safe and reliable way, or using a safe and reliable facility or method that can be solely controlled by the signatory, and cannot easily be forged or cracked after production;
F. Whether the contents of the signed electronic documents have been tampered with can be determined.
2. The certification authority in compliance with the preceding point shall attach the following documents for examination when filing an application:
(1) Copies of certification practice statement approved by the competent authority of the Electronic Signature Act and a copy of the approval;
(2) The report of the external audit result of the certification authority;
(3) Proof of the time period the certification authority provided the service of issuing certificates externally;
(4) A comparison table to describe the types and assurance levels of certificates participating in the operation of electronic uniform invoice;
(5) Evidence of the actual performance of the number of certificates issued by the certification authority;
(6) Copies of agreement between the registration authority and certification authority (The scope of application contained in the agreement shall cover the application item of electronic uniform invoice);
(7) Template of the agreement between the registration authority and the users;
(8) The report of the external audit of the registration authority.
3. Application Procedure:
(1) The certification authority desiring to apply to join the E-Invoice Platform shall prepare the relevant application documents (as mentioned in the previous point) on its own and send a letter to apply;
(2) After the certification authority passes the examination, the registration authority for acceptance of the application for the certificate may apply to the certification authority to join the E-Invoice Platform, and the agreement signed by the two parties shall state that "the scope of application shall cover the application of electronic uniform invoice";
(3) After approving the registration authority, the certification authority shall update the list of registration authorities after sending a letter to the Ministry of Finance and with the consent of the Ministry of Finance. The certification authority shall be responsible for confirming and updating the list of registration authorities and notify the Ministry of Finance in the event of any change.
4. When certificates issued by the certification authority are used for transactions of the electronic uniform invoice, the certification authority that issued the certificates shall bear the burden of proof when transaction disputes arise.
5. The certification authority shall be liable for damages to users of its electronic uniform invoice due to its operations or its provision of certification services, the application for and issuance of certificates, and other related operation procedures.
6. The certification authority shall provide a "verify registration authority" service mechanism for the E-Invoice Platform to verify whether the registration authority has been approved, and shall complete the relevant tests with the E-Invoice Platform.
7. The Ministry of Finance may recruit impartial persons such as scholars and experts to participate in the examination. The Ministry of Finance may cancel the qualification of any certification authorities that have passed the examination if there is a violation of the Directions.