Certification Practice Statement
1. INTRODUCTION
1.1 Overview
A Public Key Infrastructure (PKI) is a set of policies and of technical, human, documentary and contractual means put at the disposal of users to ensure, together with the asymmetric cryptographic system, a secured environment for digitalized exchanges.
Putting such an infrastructure in place is indispensable for a secured and trusted environment that offers a range of value-added services for electronic transactions. The main function of a PKI is to ensure:
- The integrity of messages;
- The identification and authentication of the source;
- The non-repudiation from source;
- Confidentiality.
The Certification Practice Statement (CPS) as defined in the present document is intended to be applied within the framework of the provision of services by Cameroon’s Government Certification Authority (CamGovCA). It covers the management and usage of certificates for the functions of verification, authentication, integrity, conformability of keys, and confidentiality.
The CamGovCA is submitted to laws and regulations in force on the Cameroonian territory, as well as to norms and directives enacted by member countries of CEMAC and to international conventions ratified by Cameroon and which touch on the application, elaboration, interpretation and the validity of certification policies in conformity with the present CPS.
Law No. 2010/012 of 21st December relating to Cybersecurity and Cybercriminality in Cameroon, in its Article 8, subsection 2, defines ANTIC as Government’s certification authority. The activities of digital certification of state institutions are therefore rigorously and exclusively reserved to the CamGovCA. On the other hand, the state certification authority does not assume this right in the private domain.
1.2 Titling of the CPS
This document bears the following title: “Certification Practice Statement of the National Agency for Information and Communication Technologies, Government’s Certification Authority”.
The object identifier (OID) designated for the present Certification Practice Statement is: 2.16120.200001.4.2.1.
1.3 Responsibility of actors concerned
1.3.1 Responsibility of actors concerned
A certification authority is a trustworthy entity charged with creating and attributing public and private keys as well as electronic certifications. It is an autonomous entity designed in conformity with the regulations in order to carry out, in a credible and secured manner, activities of accredited certification authority.
The entity to be accredited as a certification authority can be the central services of an administration, an agency of a local authority or a moral person. It must possess the technical and financial capacity, and meet the exigencies prescribed by Decree No. 2012/1318/PM of 22nd May 2012 fixing conditions and modalities for obtaining authorization for the exercise of digital certification activity in Cameroon.
The functions of the Certification Authority are the following:
1.3.1.1 Furnishing and notification of correct information
A certification authority must furnish to the root certification authority correct information relating notably to the creation of certificates, their suspension, revocation and renewal. A certification authority must immediately inform subscribers and all those directly concerned with the certification process of information that can have an impact on the credibility or validity of a certificate. This concerns information linked to the following aspects:
1.3.1.2 Protection of the keys for digital signature creation
A certification authority must create its own digital signature keys in a secured manner with the aid of credible software or material. Thereafter, it must manage the said keys with the highest degree of security by using a security module respecting the technical norms required in the domain, in order to avoid any loss, damage, or even theft of the keys. The creation of a subscriber’s digital signature key by a certification authority must be done through a secured means and by using credible material. Furthermore, the certification authority must encode the subscriber’s digital signature key, which is stored in a secured medium in conformity with the specifications of the algorithm of passwords. In order to ensure the integrity of digital signature creation keys, the said authority must equally safeguard all the other information that will be directly furnished to the subscriber; in this case, it is the authentication code of messages.
1.3.1.3 Usage of certified digital keys for signature creation
For the provision of certification services, a certification authority must use its key for digital signature creation certified by the root certification authority.
1.3.1.4 Notification on the loss, damage, theft of creation keys and Measures to be taken
If the keys used in creating the digital signature of a certification authority are lost, damaged, or even stolen, the authority concerned reports immediately to the root certification authority, which examines the measures to be taken to ensure the security and the credibility of its certification practices.
1.3.1.5 Notification as to the vulnerability of digital signature creation keys and measures to be taken
If a certification authority recognizes the insecurity of its digital signature creation keys, the root certification authority must be informed of the fact, and later examines the measures to be taken to ensure the security and the credibility of its certification practices.
1.3.1.6 Notification as to the vulnerability of the digital signature algorithm and Measures to be taken
If a certification authority recognizes that its digital signature algorithm is not secured, it must immediately notify the root certification authority of the situation, and examine the measures to be taken to ensure the security and the credibility of its certification practices.
1.3.2 Registration authorities
A registration authority (RA) is an entity that identifies and authenticates applicants for certificates. Following this context, it can equally initiate or transmit the applications for revocation of certificates, those for re-emission and renewal of certificates.
The Registration Authority must conform to all the exigencies of certification and of the Certification Practice Statement of the certification authority to which it has contractual links. Moreover, the RA can put in place more restrictive verification practices if recommended by its internal policy.
A registration authority interacts with a subscriber in order to furnish the subscriber with services of certificate management. Within this framework, the registration authority carries out the following operations:
- Accepts, evaluates, approves or rejects the registration of applications for certificates;
- Registers all subscribers to services of the registration authority;
- Assists in all the stages of identification of subscribers conferred to it by the certification authority;
- Where the need arises, uses all official documents, notary or judicial acts to evaluate the subscriber’s application;
- After the approval of the request, notifies the certification authority for the issuance of the certificate;
- Launches the process of re-emission, renewal, suspension, reactivation, revocation of a certificate.
1.3.3 Subscribers
A subscriber is a physical or moral person who has successfully subscribed to a certificate. He is guarantor of the veracity of information relative to the Client, as contained in the file, to the manager(s) of certificates and to the carrier or owner of the certificate, as well as of the regular update of the said information. The root accredited certification authority does not assume any responsibility with regard to the subscriber as to the form, the exactitude, authenticity or legal effects of the supporting documents submitted by the subscriber, the managers of the certificate and the carriers (owners).
1.3.3.1 Conditions of usage of certificates
The subscriber takes the engagement to use the certificates as stipulated in the criteria defined in Section 1.4.1 of the present Certification practice statement. The subscriber recognizes that the criteria can be modified.
1.3.3.2 Obligations to inform
The subscriber guarantees that the managers and carriers of the certificate have been fully informed of the stipulations contained in the subscription contract.
1.3.3.3 Respect of obligations by the managers of certificates and carriers
The subscriber takes the engagement to, amongst other things, ensure the respect of the subscription contract by both certificate holders and carriers.
1.3.3.4 Publication
The clients, certificate managers and carriers or owners of certificate take the engagement to consult:
- The Certificate Revocation List (CRL), which is updated every 24 hours;
- The Certification Practice Statement of the certification authority which is in charge of the management of the lifecycle of certificate(s) used.
These documents are put at the disposal of the subscriber on the web site of the certification authority.
1.3.4 Trustworthy parties
The user parties are parties that place confidence in certificates signed by the root certification authority. These are:
- Certification authorities, including foreign certification authorities that have signed a mutual recognition agreement with Cameroonian authorities, in conformity with Article 7 sub section 2 of the law relating to Cybersecurity and Cybercriminality in Cameroon;
- Subscribers to certification authorities, and also subscribers to foreign certification authorities that have signed a mutual recognition agreement with Cameroonian authorities, in conformity with Article 7 sub section 2 of the law relating to Cybersecurity and Cybercriminality in Cameroon.
The rights of user parties are the following:
1.3.4.1 Understanding the object of usage of certificates
Trustworthy third parties must understand the justification behind the use of the CamGovCA certificate relating to the field of application and the usage of the certificates.
1.3.4.2 Verification of certificates
Before the use of a certificate, trust third parties must verify information relating thereto, notably its validity period, its impact, its use, its authenticity, etc.
1.3.5 Other Participants
The National Agency for Information and Communication Technologies (ANTIC)
According to the terms of Article 7 of Law No. 2010/012, ANTIC ensures, on behalf of the state, the regulation, control and the follow-up of activities linked to the security of information systems and electronic communication network, as well as electronic certification.
In this wise, it fulfills the mission of:
- Getting acquainted with applications for accreditation, preparing the scope statement for certification authorities and submitting them for the signature of the Minister in charge of Telecommunications;
- Controlling the conformity of issued digital signatures;
- Participating in the elaboration of the national policy for security of digital certification network and of certification;
- Giving, in a consultative role, its opinion on texts touching its domain of competence;
- Controlling the activities of security of digital communication network, of information systems and certification;
- Controlling applications for homologation of cryptographic medium and delivering homologated certificates for security equipment;
- Preparing mutual recognition conventions with foreign parties and submitting same for the signature of the Minister in charge of Telecommunications;
- Participating in activities of research, training and related studies in electronic communication network security, of information systems and of certification.
As Government’s Certification Authority, ANTIC has the duty of performing the following functions:
1. Management of the lifecycle of certificates
ANTIC, as Government’s Certification Authority, has the duty of emitting, re-emitting, renewing, reactivating, modifying the information of, suspending and revoking the electronic certificates of its subscribers.
2. Securing applications
ANTIC, as Government’s Certification Authority, must secure Government’s applications.
Within the framework of securing the national cyberspace, it also has the duty of securing applications of private institutions while waiting for the accreditation of Certification Authorities that will exercise in the private domain.
3. Furnishing and notification of credible information
ANTIC must notify Registration Authorities, clients, subscribers as well as all stakeholders of verifiable information likely to have an impact on the credibility and the validity of a certificate. It concerns:
- Information on CamGovCA certificates, of RAs, of clients and subscribers. It equally concerns its number and validity;
- The Certificate Revocation List;
- Other information linked to the practice of certification.
4. Putting in place of applicable measures for the creation of illicit digital signatures
If the Agency, as Government’s Certification Authority, takes notice of the corruption of its system of creation of digital keys, it must immediately revoke all certificates issued from the said system as well as the keys, and regenerate the certificate by creating new digital signature keys. After these operations, the Agency must inform its clients and subscribers of the above facts, verifiable by anyone, in order to preserve the credibility and the security of certification practices.
Equally, if ANTIC is notified by a Registration Authority, a client, a subscriber or an agent of the loss, damage, theft or weaknesses of its digital signature keys, the Agency must revoke the certificate issued to the latter, and an announcement is made so that any person can verify same.
Moreover, if the notification received by ANTIC has been emitted by a registration authority under the control of a national organization or of a local autonomous entity, of the loss, damage, theft or the weaknesses of its electronic signature creation keys, the Agency must promptly inform the President of the Committee in charge of conflict management.
5. Putting in place of applicable measures for the vulnerability of the digital signature algorithm
In case of an indisputable fact as to the insecurity of the digital signature algorithm used in the practice of certification, ANTIC will revoke all the certificates emitted from the said algorithm. The verification of this act can be effected by whosoever is within the system of management of certification, this in view of ensuring the security and credibility of certification practices.
If ANTIC is notified by a Registration Authority, a client, a subscriber, or an agent of a flaw in its algorithm for digital signature, the Agency must revoke the issued certificate, and shall without delay make an announcement so that any person within the certification chain can confirm this.
Moreover, if the notification received by ANTIC has been emitted by a registration authority under the control of a national organization or of a local autonomous entity, of the vulnerability of the algorithm of digital signature, the Agency must promptly inform the Chairperson of the Committee in charge of conflict resolution.
1.3.6 Committee in-charge of conflicts resolution between accredited certification authorities, security auditors, software security auditors and other authorised security service providers
A special provision from the Board of Directors of the Agency fixes the organization and the modalities of operation of this Committee.
1.4 Usage of the certificates
1.4.1 Domains of applicable usage
The certificates signed and delivered by CamGovCA must be used to verify the concordance of its digital signature keys.
The certificates issued by virtue of the present CPS are appropriate to establish the link that exist between an entity and a public key.
The CamRootCA signs the certificate of the Government’s certification authority (CamGovCA).
The CamGovCA signs the certificates of RAs, clients, subscribers, agents and also signs the Certificate Revocation List.
The CamGovCA key pairs and certificates are used for the signature of certificates and of the CRL. They can also be used for confidentiality purposes or for authentication.
1.4.2 Domains of forbidden usage
No usage other than that defined in paragraph 1.4.1 is covered by the present CPS. A subscriber or a RA whose certificate is emitted by CamGovCA is not authorised to:
- Emit or use certificates not compatible with X.509;
- Provide services not covered by the present CPS;
- Use its certificate to accredit an ACA, a RA or another subscriber;
- Provide services not declared by the certification policy at the moment of the signature of its certificate by the CamGovCA.
1.5 Management of the Certification Practice Statement
1.5.1 Entity in charge of management of the CPS
The present CPS is under the responsibility of ANTIC.
1.5.2 Contact point
The General Manager of the National Agency for Information and Communication Technologies (ANTIC), Yaounde, Republic of Cameroon.
- P.O Box 6170 Yaounde;
- Telephone: (+237) 242 08 64 97- (+237) 242 08 64 98;
- Facsimile: (+237) 22 20 39 31;
1.5.3 Entity determining the conformity of this CPS with the CP
ANTIC’s management validates the conformity of the present Certification Practice Statement with the Certification Policy prescribed by the CamRootCA.
1.5.4 Procedure of approbation of the conformity of the CPS
The CamGovCA is guarantor of the conformity of the present CPS with the Certification Policy. It is equally responsible for its management and updating. Any application for updating the CPS follows the approbation process put in place by ANTIC. Any new version of the CPS is published without delay, in conformity with the exigencies of paragraph 2.2.
The CPS shall be declared standard after the approbation process established by the Agency that reports to the Ministry of Posts and Telecommunications for its establishment or for the revision of the said CPS, and individually, notifies the root certification authority and the registration authorities placed under its control of this fact.
The attestation of practice established or revised enters into force as from the date of validation of the CPS.
1.6 Definitions and abbreviations
1.6.1 Definitions
Subscriber: entity to whom a certificate has been issued.
Certificate subscriber: physical person empowered by a client of the CamGovCA to apply for a certificate on behalf of one or many holders, physical persons, functions or applications.
Certification Authority (CA): Trustworthy authority charged with creating and attributing public and private keys as well as digital certificates;
Registration Authority: entity charged with identifying and authenticating applicants for certificates, as well as initiating and transmitting applications for revocation of certificates, re-emission and renewal of certificates.
Certification: the act of controlling the conformity of digital signature verification keys with regard to the creation of digital signatures belonging to a moral or physical person.
Digital certificate: a digital document secured by a digital signature of the person who issued it and who attests after certifying and verifying its contents.
Digital signature creation key: A set of digital data that are used for the creation of a digital signature.
Digital signature key: A device for the creation of digital signature as well as correspondences in view of the verification of the said signatures.
Digital signature verification key: a set of digital data that are used for the verification of digital signature.
Client: organization, application, moral or physical person that has signed a contract with the CamGovCA to acquire a digital certificate.
Control of identity: act of verification of the authenticity of information on the applicant or on a certification authority, in order to ensure the credibility of the certificate during creation, the suspension, revocation and renewal.
Digital data: information generated, sent and received or stored in digital form by use of devices such as a computer for the processing of data.
Agent: A person that, either directly by law or by delegation, has the power to authorise applications for certificates carrying the name of the organization. He can equally have other powers in the name of his organization, such as revocation. Where none is designated, the legal representative is the only accepted certification agent.
Distinctive name: name used to identify the authority that has delivered the certificate as well as the proprietor of the certificate. It must respect the technical norms relating to establishments of certification authorities and peripheries.
Certification practices: Practices consisting of providing services such as certification, issuing of certificates and the management of data relating to digital certification.
Digital signature: signature obtained by an asymmetric encryption algorithm that enables the authentication of a transmitted message and the verification of its integrity.
Trust third parties: person or entity that uses the certificate received from ANTIC, based on the trust that it has for it.
1.6.2 Abbreviations
CA: Certification Authority;
ACA: Accredited Certification Authority;
ANTIC: National Agency for Information and Communication Technologies
CamGovCA: Cameroon Governmental Certification Authority
CamRootCA: Cameroon Root Certification Authority
CRL: Certificate Revocation List
CPS: Certification Practice Statement
HSM: Hardware Security Module
PKI: Public Key Infrastructure
LDAP: Lightweight Directory Access Protocol
OCSP: Online Certificate Status Protocol
RCA: Root Certification Authority
TSA: TimeStamping Authority
2. RESPONSIBILITIES
RESPONSIBILITY RELATING TO THE AVAILABILITY OF INFORMATION TO BE PUBLISHED
2.1 Entities in charge of ensuring the availability of information
Through an access protocol based on appropriate norms, the CamGovCA publishes information on the state of certificates for registration authorities, clients, subscribers and trust third parties.
The CamGovCA carries out its function of publishing information on the state of certificates through the “CRL” file. The CRL of the CamGovCA is published on, and downloadable from, its website www.camgovca.cm.
2.2 Information to be published
The CamGovCA has the obligation to publish the following information in favour of accredited certification authorities:
- The certification policy used, that is, as specified by the CamRootCA (www.rootca.cm/certification-policy.html);
- Certificate Revocation List;
- The CamGovCA certificate;
- The list of registration authorities and their various certificates;
- The certificate application form.
2.3 Timeframe and frequency of publication
The CamGovCA publishes the certificates immediately after they have been signed. The information relating to services delivered by the CamGovCA and the engagements taken by RAs is equally published as soon as necessity demands.
The information service relating to the publication of this information is available 24 hours a day. The delays and frequencies of publication of information relating to the state of certificates, as well as the exigencies of availability of the systems publishing them, are described in parts 4.9 and 4.10.
2.4 Control of access to published information
All the information published by the CamGovCA is freely open to the public. Access for modification to the systems of publication (adding, deleting and modification of published information) is strictly limited to internal functions authorised through a strong access control in conformity with the PKI security charter.
3. IDENTIFICATION...
IDENTIFICATION AND AUTHENTICATION
3.1 Naming
The conventions of naming are respected and applied through a formal process that necessitates the approval of the CamRootCA (the issuing authority) for the names used in all the certificates.
3.1.1 Types of names
The conventions of naming are managed in conformity with the present CPS. The names used are in conformity with the specifications of the norm [X.500]. In every certificate that conforms with the norm [X.509] v3, the CamGovCA (issuer) and the subscriber or RA (subject) are identified by a “Distinguished Name” (DN) of type [X.501]. The rules for constructing the DN in these fields are specified in the present CPS.
3.1.2 Necessity to use explicit names
The naming conventions are managed in conformity with the present CPS. The content of fields of the subject name must have an explicit link with the subscriber or a RA.
The distinctive name must contain the following fields:
- The country field (C);
- The organizational field (O);
- The organizational Unit field (OU);
- The Common Name field (CN).
The CamGovCA defines the naming policy and reserves the right to take any decisions concerning the naming of institutions, emanating from both public or private law, and any other identified entities within the framework of signed certificates. A subscriber or an RA requesting must have the right to use the name as it deems fit, but must be able to prove the right to use a particular name.
No client, subscriber or RA is authorised to use a name already used by the CamGovCA, an RA attached to the CamGovCA or reserved by a client or a subscriber.
In case of conflict relating to a name during the submission of documents, wherein a subscriber, a client or an RA lacks control, the CamGovCA ensures that there exists a procedure to manage conflicts relating to names in the contract associated with the submitted document.
3.1.3 The use of pseudonyms by carriers
The present CPS does not authorise the use of pseudonyms in its certificates.
3.1.4 Rules of interpretation of different forms of names
The forms of names shall be interpreted in conformity with the present CPS.
3.1.5 Unity of names
The unity of names shall be interpreted in conformity with the present CPS. Anonymity or the use of pseudonyms of RAs, clients and subscribers are not supported by the present CPS.
3.2 Initial validation of identity
3.2.1 Method to prove possession of the private key
The CamGovCA verifies that the applicant is indeed in possession of the private key associated with the public key that will be registered in its certificate. This verification can be carried out on the certificate request package in PKCS#10 format, by verifying the proof of possession.
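An RA-side pre-check of the two requirements stated so far, the four mandatory DN fields of section 3.1.2 and the PKCS#10 proof of possession of section 3.2.1, can be scripted with the OpenSSL command line. The script below is an added example, not CamGovCA tooling: the function names and the subject values (Example Ministry, portal.example.cm) are constructed for illustration, and the RSA 2048 key type is an assumption the CPS does not state.

```shell
#!/bin/sh
# Added example, not CamGovCA tooling. All subject values are constructed.

# DN fields that section 3.1.2 requires, by OpenSSL long name.
REQUIRED_RDNS="countryName organizationName organizationalUnitName commonName"

# make_csr PREFIX SUBJECT: new RSA key (PREFIX.key) and PKCS#10 request (PREFIX.csr).
# RSA 2048 is an assumption; the CPS text does not name a key type here.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# csr_pop_ok FILE [PEM|DER]: succeeds only if the request's signature verifies
# under the public key carried in the same request (proof of possession).
csr_pop_ok() {
    # Match the "verify OK" message so the result does not depend on how a
    # given OpenSSL build sets its exit status on a failed verification.
    openssl req -in "$1" -inform "${2:-PEM}" -verify -noout 2>&1 \
        | grep -q 'verify OK'
}

# csr_missing_rdns FILE [PEM|DER]: prints the required fields absent from the subject.
csr_missing_rdns() {
    # "multiline" prints one escaped RDN per line, so a comma or "OU=" inside
    # a value cannot be mistaken for a separate field.
    subj=$(openssl req -in "$1" -inform "${2:-PEM}" -noout -subject \
        -nameopt multiline 2>/dev/null) || subj=""
    missing=""
    for rdn in $REQUIRED_RDNS; do
        printf '%s\n' "$subj" | grep -Eq "^[[:space:]]*$rdn[[:space:]]*=" \
            || missing="${missing:+$missing }$rdn"
    done
    printf '%s' "$missing"
}

# ra_precheck FILE [PEM|DER]: prints ACCEPT or REJECT:<reason>.
# The signature is checked first: a DN taken from a request that fails
# proof of possession is not worth evaluating.
ra_precheck() {
    if ! csr_pop_ok "$1" "$2"; then
        echo "REJECT:proof-of-possession"
        return 0
    fi
    lacking=$(csr_missing_rdns "$1" "$2")
    if [ -n "$lacking" ]; then
        echo "REJECT:missing-dn-fields:$lacking"
        return 0
    fi
    echo "ACCEPT"
}

# tamper_csr IN_PEM OUT_DER: writes a DER copy whose final byte (the end of the
# signature BIT STRING) is changed, modelling a request altered after signing.
tamper_csr() {
    openssl req -in "$1" -outform DER -out "$2.tmp"
    size=$(wc -c < "$2.tmp")
    last=$(tail -c 1 "$2.tmp" | od -An -tu1 | tr -d ' \n')
    head -c $((size - 1)) "$2.tmp" > "$2"
    printf "\\$(printf '%03o' $(( (last + 1) % 256 )))" >> "$2"
    rm -f "$2.tmp"
}

# Three constructed requests: complete, missing OU, and altered after signing.
demo() {
    work=$(mktemp -d)
    make_csr "$work/good" "/C=CM/O=Example Ministry/OU=IT Unit/CN=portal.example.cm"
    make_csr "$work/noou" "/C=CM/O=Example Ministry/CN=portal.example.cm"
    tamper_csr "$work/good.csr" "$work/bad.der"
    echo "complete request : $(ra_precheck "$work/good.csr")"
    echo "no OU in subject : $(ra_precheck "$work/noou.csr")"
    echo "altered signature: $(ra_precheck "$work/bad.der" DER)"
    rm -rf "$work"
}
demo
```

A request that passes this pre-check has only shown key possession and a well-formed subject; the identity validation of sections 3.2.2 and 3.2.3 remains a separate step.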
3.2.2 Validation of the identity of an organization
The CamGovCA verifies the name, the trade registry, the taxpayer number, the identity of its legal representative and or of any person designated by the latter, directly or indirectly, to represent it.
During registration, the organization must show proof of its legal existence, proof of the identity of its legal representative as well as a chain of authorisations conferring their powers to their certification agents. The CamGovCA archives all pertinent information relating to this registration.
3.2.3 Validation of the identity of a physical person
The CamGovCA proceeds to the verification of the identity of a physical person after an interview with him following these procedures:
- Verification of identity papers and or of those of his agent;
- Control and certification relating to the capacity of the applicant and or of his agent to represent an organization.
Within the framework of the use of an information system to identify a physical person, the CamGovCA procedure offers a level that guarantees equivalence with physical authentication.
3.3 Identification and validation of an application for renewal of keys
The renewal of a pair of keys of a certificate automatically leads to the generation and the provision of a new certificate.
For security reasons, a new certificate cannot be issued to a subscriber, a client or a RA without the renewal of the corresponding pair of keys (cf. title 5.6).
3.3.1 Identification and validation for a current renewal
A current renewal cannot be requested unless the entity had initially formulated a request for a certificate.
3.3.2 Identification and validation for a renewal after suspension
Following the suspension of a certificate, whatever the cause, the reactivation can be carried out as long as the expiry date of the certificate has not yet arrived. In this case, the reactivation can only be requested by the entity initially applying for suspension of the certificate.
3.3.3 Identification and validation for a renewal after revocation
Following the revocation of a certificate, no matter its cause, renewal can be carried out. If an entity wishes to solicit a new certificate, a pair of keys must be simply regenerated and submitted for signature to the CamGovCA.
3.4 Identification and validation of a request for suspension
Suspension can be requested only by the entity that initially requested the certificate.
4. EXIGENCIES...
OPERATIONAL EXIGENCIES RELATING TO THE LIFE CYCLE OF CERTIFICATES
4.1 Request for certificates
4.1.1 Origin of the request for certificates
A certificate can be requested only by the subscriber, its legal representative or his agent.
The following documents are requested within the framework of the identification of applicants for certificates:
- For the individual
  - National Identity Card of the applicant or
  - A passport or
  - Residence Permit or
  - A driver’s license.
- For the civil servant
  - National Identity card of the user;
  - National identity card of the applicant or of the user;
  - Tax Payers’ card of the enterprise;
  - Trade register of the enterprise.
- For the Registration Authority
  - National Identity card of the operator;
  - National Identity card of the applicant or his agent;
  - National Identity Card of the legal representative;
  - The tax payers’ card of the enterprise;
  - Trade register of the enterprise.
4.1.2 Procedure for the establishment of an application for certificates
Any person who desires to obtain a certificate can do so by filling in the certificate application form, obtained from his RA or downloaded. The applicant for a certificate is invited to fill in all the fields of the application form and thereafter hand it over to the RA operator.
The RA operator will hand over to the applicant the following information:
- A PIN code number;
- A link permitting the applicant to complete the issuing of the certificate by himself.
4.2 Processing of a request for a certificate
4.2.1 Execution of identification processes and validation of the application
The issuance of a certificate by the CamGovCA signifies that it has definitely and fully approved the application for a certificate of an entity according to the procedures described in the present CPS. The CamGovCA then conserves a trace of the identity justification presented, in a photocopied form signed by both the entity concerned and by the CamGovCA. These signatures are preceded by the mention “certified true copy of the original”.
4.2.2 Acceptance and rejection of requests for certificates
Once an application for certification is received, the RA operator verifies the veracity of the information contained on the application for certification.
A written trace of the application for certification would remain at the level of the RA. It is only after this operation that the RA could permit the applicant to follow up the procedure for obtaining a digital certificate.
However, an application for certification can be rejected for the following reasons:
- Incomplete information;
- Erroneous information.
4.4 Acceptance of certificates
4.4.1 Procedure leading to the acceptance of certificates
Procedure leading to the acceptance of certificates
4.6 Renewal of a certificate
4.6.1 Possible cause for the renewal of a certificate
Possible cause for the renewal of a certificate
4.7 Issuing of a new certificate following a change in the pairs of keys
4.7.1 Possible causes for the change of pairs of keys
List of possible causes for the change of pairs of keys
4.7.2 Origin for the request of a new certificate
The processes are identical to that of the initial request. Cf. title 4.1.1
4.8 Modification of information contained in a certificate
Certificate modification policy
4.9 Suspension, reactivation and revocation of certificates
4.9.4 Limits to the period of revocation of certificates
Time required to initiate revocation procedure
4.9.6 Exigencies for the verification of revocation by trust partners
Checks to be made by certificate users before use
4.9.7 Frequency for the establishment of Certificate revocation List
Frequency of publication of CRL
4.9.8 Maximum timeframe for the publication of a Certificate Revocation List
Deadline for publishing of CRL
4.9.9 Availability of an online system of the verification of the state of certificates
Online certificate status verification method
4.9.10 Exigencies for the online verification of revocation of certificates by users
Checks to be made by certificate users before use
4.9.11 Other available means of information on revocations
Other available means of information on revocations
4.9.12 Specific Exigencies in case of compromise to the private key
Actions to be implemented in case of compromise of the private key of the government certification authority
4.9.14 Origins of the request for suspension
List of potential initiators of a CamGovCA certificate suspension application
4.9.15 Procedure for the treatment of a request for suspension
CamGovCA certificate revocation process
4.10 Information service on the state of certificates
4.11 End of the relation between CamGovCA and an entity placed under its authority
CamGovCA certificate revocation process in case of termination of relationship with CamRootCA
5. NON TECHNICAL...MEASURES
NON TECHNICAL SECURITY MEASURES
5.1 Physical security setting
5.1.1 Geographical location and construction of sites
Safety measures in the location and construction of the site (s) to ensure a safe working environment
5.1.3 Electricity supply and air conditioning
- Auxiliary source of electrical energy
- Measures taken to ensure good ventilation in equipment rooms
5.1.6 Conservation of data carriers
Procedures and tools for storage of information storage media necessary for the smooth running of PKI activities
5.1.7 Destruction of data carriers
Procedures and tools for decommissioning storage media of information necessary for the smooth running of PKI activities
5.2 Procedural Measures of security
5.2.3 Identification and authentication for every role
Methods for checking the identity of staff before granting access to the system
5.3 Security measures for personnel
5.3.1 Qualifications, competences and required accreditation
Minimum of skills required for each member of personnel according to his function
5.3.3 Exigencies relating to background training
Minimum of skills required for each member of personnel according to his training
5.3.4 Exigencies and frequency of continuous training
Content and frequency of continuous training of personnel
5.3.5 Frequency and sequence of rotation between assignments
Frequency and sequence of rotation between assignments
5.4 Procedure for the constitution of audit data
5.4.2 Frequency of log events management
Frequency of consultation, verification and interpretation of event logs retained
5.4.7 Notification of registration to an official of an event
Process for notification of the recording of an event
5.5 Archiving of data
5.7 Resumption following a compromise or a disaster
5.7.1 Procedure for the handling of incidents and compromises
Actions implemented in case of detection or suspicion of intrusion
5.7.2 Procedure for resumption in case of corruption of IT resources
Actions implemented in case of corruption of IT resources
5.7.3 Procedure for resumption in case of compromise of the private key of a PKI component
Actions implemented in case of detection or suspected compromise of the private key of a PKI component
6. TECHNICAL...MEASURES
TECHNICAL SECURITY MEASURES
6.1 Generation and installation of pairs of keys
6.1.1 Generation of pairs of keys
6.1.2 Transmission of a private key to the CamGovCA
Procedure for transmitting the CamGovCA private Key
6.1.3 Transmission of a public key to the CamGovCA
Procedure for transmitting the CamGovCA public Key
6.1.4 Transmission of the public key of the CamRootCA
Procedure for transmitting the CamRootCA public Key
6.1.6 Verification of the generation of parameters of pairs of keys and of their quality
Methods for verifying the process of generating key pairs
6.2 Security measures for protection of private keys and for cryptographic modules
6.2.2 Control of the private key for many persons
Distribution of responsibility for controlling the generation of private keys
6.2.3 Sequestration of the private key
Policy adopted concerning the sequestration of private keys of the CamGovCA
6.2.4 Keeping the spare of the private key
Conservation measures for a back-up copy of the private keys of the governmental authority
6.2.5 Archiving of the private key
Policy adopted concerning archiving of private keys of the CamGovCA
6.2.6 Transfer of the private key to and from a cryptographic module
Measures for the transfer and conservation of the private keys of the governmental authority
6.2.7 Method of activation of the private key
Activation process for private keys of government authority
6.2.8 Method of deactivation of the module of generation of the private key
Deactivation process for private keys of government authority
6.2.9 Method of destruction of the private key
Destruction process for private keys of government authority
6.4 Data activation
6.4.1 Generation and data activation
6.4.1.1 Generation and data activation for the CamGovCA private key
Process for generating and installing activation data for a PKI cryptographic module
6.6 Measures of security during the lifespan
6.6.1 Measures of security linked to the unfolding of systems
Arrangements for secure deployment of systems
6.6.2 Measures linked to the management of security
Measures taken to ensure the security of the cryptographic core of governmental authority
7. PROFILES...
PROFILES OF CERTIFICATES, OCSP AND CRL
8. AUDIT...
CONFORMITY AUDIT AND OTHER EVALUATIONS
The audits and evaluations concern all those that ANTIC must carry out, or cause to be carried out, within the framework of the annual security audit to which all RAs are submitted.
The present chapter relates only to the audits and other evaluations falling under the responsibility of CamGovCA, whose purpose is to ensure the proper functioning of the system, the control of conformity and the respect of the engagements taken by RAs within the framework of their activity.
8.1 Frequency and or circumstances of the evaluation
Before the first start of service of a component of its system or following any significant modification within a component, the CamGovCA proceeds with conformity control of this component.
The CamGovCA equally proceeds with conformity control within all its system, following the CamRootCA’s frequency of once a year.
Internal security audits are also carried out every six (06) months in order to ensure the proper functioning of the system.
Concerning the RAs, the CamGovCA participates, on the one hand, in the technical evaluation of the applications for subscription and, on the other, in the half-yearly security audit missions.
8.2 Identities and qualification of evaluators
The control of a component is assigned by CamGovCA to a group of competent auditors in security of public key infrastructure (PKI).
8.3 Relation between the evaluators and entities evaluated
No matter the case, the auditing team cannot belong to the entity operating the control.
8.4 Topics under evaluation
Conformity controls are carried out on a single component of the PKI (one-off controls) or cover the whole of the structure (periodic controls), with the aim of verifying compliance with the engagements and practices defined in the present CPS and with the elements deriving from it (operational procedures, resources used, etc.).
The evaluation shall be based on the following points:
- All documentation and registration;
- All terms of contract and supplies;
- Conformity with laws and regulations in force;
- Physical and logical control of installations housing the system;
- Human resources and organization of work;
- Control of equipment and programs installed;
- Control of conformity of keys, certificates, numbering and electronic signature.
8.5 Actions taken after findings of the evaluations
8.5.1 Internal audit
After a conformity control, the security audit team forwards to CamGovCA one of the following opinions:
- ‘Successful’
- ‘Failed’
- ‘To be confirmed’
Depending on the opinion, the consequences on control are the following:
- In case of failure, and given the gravity of non-conformity, the security audit team gives recommendations to the CamGovCA to correct the lapses observed. The measure to apply is chosen by the team of auditors and must respect the security policy and the certification policy applied by CamGovCA. Next, a ‘confirmation’ control verifies that all the points criticized have indeed been resolved.
- In case of success, the security audit team confirms to the Chief of the PKI Centre that the exigencies of the present CPS and the CP attached to it are respected.
- In case of the ‘to be confirmed’ opinion, the team of internal security auditors forwards to the CamGovCA an opinion specifying the deadline within which the lapses must be repaired and also gives recommendations to the CamGovCA to respect the security and certification policies of CamGovCA. Then a ‘confirmation’ control verifies that all the points brought under criticism have indeed been resolved.
8.5.2 External audits
After a conformity control, the CamRootCA forwards to the CamGovCA one of the following recommendations:
- ‘Successful’
- ‘Failed’
- ‘To be confirmed’
Depending on the opinion, the consequences on control are the following:
- In case of failure, and given the gravity of non-conformity, the CamGovCA security audit team gives recommendations to the RAs audited, which may be the cessation of activities (temporary or final), the revocation of the certificate, the revocation of all certificates issued since the last positive control, etc. The choice of the measure to apply is determined by the CamGovCA and must enable the RA to respect the CPS programmed by the CamGovCA.
- In case of the ‘to be confirmed’ opinion, the team of internal security auditors submits to the CamGovCA an opinion specifying the deadline within which the lapses must be repaired and also gives recommendations to the CamGovCA to respect the security and certification policies of CamGovCA. Then a ‘confirmation’ control verifies that all the points brought under criticism have indeed been corrected.
- In case of success, the security audit team confirms to the Chief of the PKI Centre that the exigencies of the present CPS and the CP attached to it are respected.
8.5.3 Bi-yearly auditing of RAs
After a conformity control, the CamGovCA forwards to the RA one of the following recommendations:
- ‘Successful’
- ‘Failed’
- ‘To be confirmed’
Depending on the opinion, the consequences on control are the following:
- In case of failure, and given the gravity of non-conformity, the CamGovCA security audit team gives recommendations to the RAs audited, which may be the cessation of activities (temporary or final), the revocation of the certificate, the revocation of all certificates issued since the last positive control, etc. The choice of the measure to apply is determined by CamGovCA and must enable the RA to respect the CPS programmed by CamGovCA.
- In case of the ‘to be confirmed’ opinion, the team of internal security auditors of CamGovCA submits to the RA audited an opinion specifying the deadline within which the lapses must be repaired. Then a ‘confirmation’ control verifies that all the points brought under criticism have indeed been corrected.
- In case of success, the CamGovCA confirms to the RA that the exigencies of the present CPS and the CP attached to it are respected.
As the need arises, unexpected or programmed controls can be undertaken by CamGovCA.
9. OTHER...
OTHER PROFESSIONAL AND LEGAL ISSUES
9.1 Tariffs
9.1.1 Tariffs for the issuing and renewal of certificates
The tariffs applied by CamGovCA respect the provisions of joint Arrêté No.00000013/MINPOSTEL/MINFI of 10th May, 2013 fixing the sum and the modalities of sums to be collected by the National Agency for Information and Communication Technologies.
9.1.2 Tariffs to gain access to State information and the revocation of certificates
Not applicable.
9.1.4 Reimbursement policy
The amounts paid for the supply and the management of electronic certificates can be reimbursed to the applicant fifteen days following the issuing of the certificate if the following conditions are met:
- If the applicant is not satisfied with the services provided by the CamGovCA;
- If it is proven that the certificate had been used only for non-commercial purposes;
- If it is proven that an error was made during the issuing of the certificate.
- If CamGovCA stops the certification activities.
9.2 Financial responsibility
9.2.1 Insurance cover
The CamGovCA takes responsibility for the risk linked to problems resulting from the use of digital certificates, within the framework of digital governance, occurring during a transaction concluded between the RA and third parties, if it is proven that the fault is on the part of the CamGovCA or one of its RAs. The CamGovCA equally compensates losses emanating from the poor quality of the process of certification, in accordance with the clauses of the duly contracted insurance policy or within the present CPS.
9.2.2 Other resources
The CamGovCA has an account in the Cameroonian public treasury capable of taking care of reimbursement costs of damages caused by third parties.
9.3 Confidentiality of professional data
9.3.1 Scope of confidentiality of information
Subscribers’ information not necessitating protection can, at the CamGovCA’s discretion, be made available to the public. All subscribers’ information linked to the application for and the issuing of certificates is considered as being confidential and cannot be published without the prior consent of the concerned holder, except by special grant of exemption by judicial authorities.
The following are considered as being confidential information:
- The unpublished section of the CPS of the CamGovCA;
- The private keys of the CamGovCA;
- The event journal of the CamGovCA;
- Audit information of the CamGovCA;
- The reasons of revocation of a certificate of one of its RAs.
9.3.3 Responsibility with regard to protection of confidential information
The CamGovCA applies security procedures in order to guarantee the confidentiality of the information identified in Title 9.3.1, in particular as concerns the total deletion or the destruction of media used for data storage. During the exchange of these data, the integrity is guaranteed by a means adapted to the type of information (numbering, signature, secured envelope…). The CamGovCA cannot put at the disposal of third parties files of subscribers for the application of certificates, except within the framework of judicial enquiry.
9.4 Protection of personal data
9.4.1 Protection of personal data policy
All collection and usage of personal data by an ACA and all its components are realised in strict respect of laws and regulations in force within the Cameroonian national territory as well as international conventions signed by Cameroon.
The present Declaration of Certification Practices respects the fundamental principles in terms of protection of personal data enshrined in the laws mentioned above, and all other international conventions in force.
9.4.2 Information of a personal character
All information of a personal character collected and kept by an RA on a natural or legal person or on a public administration (for example: registration procedure, revocation or safeguarded events, exchange of correspondences between the beneficiary and the RA, etc.) is considered as being confidential and cannot be divulged without the prior consent of the owner.
The List of Revoked Certificates contains only the registration numbers of certificates and the date of their revocation. The causes of revocation of certificates remain strictly confidential.
9.4.4 Responsibility in terms of protection of personal data
Application of existing legislation and regulations.
9.4.5 Notification and consensual use of personal data
In conformity with the provisions of the legislation and regulation in force in Cameroon, personal information forwarded by the carriers to a RA or to a subscriber cannot be divulged or transferred to a third party except in the following instances:
- Prior consent of the carrier;
- Decision from the courts; or
- A legal authorization.
9.4.6 Conditions of divulging personal information to judicial or administrative authorities
Cf. existing legislation and regulations.
9.5 Intellectual and industrial property rights
The present CPS is an instrument protected by the Code of Intellectual Property Rights, notably those relating to literary and artistic rights, to copyright royalties and related rights, as well as all applicable international conventions.
ANTIC conserves the exclusive rights of the contents of this CPS.
9.6 Contractual interpretations and guarantees
This paragraph contains stipulations relating to obligations to be respected by the CamGovCA, RAs, clients, beneficiaries and third party users. It also contains regulations relating to Laws and Regulations in force and the resolution of conflicts.
The different parties mentioned above must:
- Protect their private keys in all integrity and confidentiality;
- Use their private keys exclusively for the purposes for which they were issued and applying the appropriate means;
- Put in place technical measures and utilize necessary resources for the realization of services to which they are engaged in;
- Document their internal working procedures when it concerns a RA;
- Respect and apply the terms of the present CPS which they recognize;
- Accept the result and the outcome of conformity control and in particular, provide remedies for the irregular aspects that may be pointed out if relating to a RA;
- Respect the contracts binding them to the CamGovCA.
The CamGovCA is the guarantor of the respect of the clauses contained in the present CPS. The CamGovCA engages its responsibility by signing the subscription charter and the electronic certification charter. It guarantees to put everything in place to respect the clauses contained in this charter.
9.6.1 Government’s Certification Authority (CamGovCA)
The CamGovCA is responsible towards its clients, beneficiaries, certification agents and third party users of operations relating to certification services realised by one of its components. It guarantees the existing link between an identified entity and a pair of keys, and ensures that the RA acting in its name is in conformity with all the vital modalities of the present CPS.
The CamGovCA ensures that applicants of certificates and their agents for certification have knowledge and have approved of the obligations and responsibility endorsed in the application for a certificate. The CamGovCA and its personnel must respect the rights of its clients, beneficiaries and third party users of certificates in conformity to Laws and Regulations in force and the subscriber’s charter.
The CamGovCA informs third party users of the revocation of a certificate of a beneficiary or of a component of the PKI and transmits within the shortest time to the entity in charge of publication of CRL, the revocation of the certificate concerned. It signs certificates, transmits the information relating to their revocation and those necessary for their renewal.
The personnel of the CamGovCA as well as all the personnel of the RAs must conform to all the major exigencies of the present CPS. The rights of clients, beneficiaries and third party users must be respected in conformity to the laws and regulations in force, and the users of these certificates must be informed of any problems noticed, notably those relating to the availability of its web site www.camgovca.cm.
9.6.2 Registration service
A Registration Authority must conform to all the exigencies of the present CPS.
Besides, a RA:
- Treats all applications for certification;
- Physically identifies all applicants for certificates or their agent if it is an enterprise or a public administration;
- Verifies the conformity of personal identification data with that contained in the certificate;
- Transmits to the CamGovCA applications for emission, re-emission, renewal, suspension, reactivation, revocation, updating of certificate information and certificates treated as favorable after verification;
- Transmits in all confidentiality, on a physical medium, the activation PIN code and link that will permit the beneficiary to complete the registration process.
The RA must submit to all technical control and security audit as requested by CamGovCA or CamRootCA.
The RA must:
- Use the certificate for the use for which it was issued, as indicated in the information of the certificate;
- Verify the validity by ensuring that the certificate has not expired;
- Verify that the certificate has not been suspended or revoked by consulting current information on the state of certificates;
- Determine whether the certificate furnishes sufficient information as to its use.
9.6.3 Beneficiaries of certificates
The beneficiary must conform to all the exigencies of the present CPS. The beneficiaries engage themselves to respect the contract that binds them to the CamGovCA, and guarantee that the information they furnish to the RA for their identification is exact and complete and that the documents forwarded or presented are valid. If the beneficiary is an organization, it must establish the security policy, or cause it to be respected, on the workstations used to issue the certificates. If compromise of a private key is suspected, it is important to inform CamGovCA as fast as possible and to follow the directives it gives.
There is no case wherein the beneficiary obtains property rights over issued certificates of the CamGovCA, only the right to its use is acquired. Consequently, all the certificates remain the property of CamGovCA that issued them.
The beneficiary of the certificate issued by CamGovCA must:
- Use the certificate for the purpose for which it was issued, as indicated in the information of the certificate (for example, the key usage extension);
- Verify the validity by ensuring that the certificate has not expired;
- Verify that the certificate has not been suspended or revoked by consulting current information on the state of certificates;
- Determine whether the certificate furnishes sufficient guarantees as to its use.
9.6.4 Users of the certificates
The user must conform to all the exigencies of the present CPS prepared by CamGovCA. The beneficiary must use this private key exclusively for the purposes authorised by the present CPS, as well as respect the Laws and Regulations in force.
It guarantees that the information furnished to the CamGovCA or to a RA, for its identification or that of identified entities, is exact and complete and that the documents forwarded are valid. It must protect the confidentiality and integrity of its private key and of its activation or access code, and take all reasonable measures to avoid loss, disclosure, compromise, modification or unauthorized use. The beneficiary takes the engagement to follow all prescriptions of CamGovCA to the client in matters of security policy of certification within the framework of usage of the certificate.
If there is suspicion of the compromise of a private key, it is important to inform the CamGovCA as fast as possible and to follow the instructions given by the latter.
The user of the CamGovCA certificate must:
- Use the certificate for the purpose for which it was issued, as indicated in the information of the certificate (for example, the key usage extension);
- Verify the validity by ensuring that the certificate has not expired;
- Verify that the certificate has not been suspended or revoked by consulting current information on the state of certificates;
- Determine whether the certificate furnishes sufficient guarantees as to its use.
9.7 Limits of guarantees
With its physical and electronic installations, the CamGovCA undertakes to furnish certification services in conformity with the legal and regulatory texts in force in Cameroon, with international norms and with the best practices in the domain of electronic certification.
The CamGovCA does not furnish any legal guarantee and declines all responsibility as to the recognition of the legal validity of the certificates, except those delivered by CamGovCA, by a non-accredited RA or a foreign RA which has not signed a convention of recognition with the Cameroonian authorities.
9.8 Limits to responsibilities
In conformity with the Laws and regulation in force, CamGovCA, its personnel, the RA, its clients, the beneficiaries, third party users are responsible for all damage emanating from the non-respect of their respective obligations as defined in the terms of the present CPS or of conventions signed with third parties.
9.9 Compensation
In case of an incident emanating from the use of a certificate issued by CamGovCA necessitating compensation, a competent audit firm in security matters is chosen to carry out investigations. After the findings of the firm, the entity responsible for the error shall assume responsibility for the damages emanating there-from.
9.10 Duration and anticipated end of validity of the CPS
9.10.1 Duration of the validity
The present CPS remains in application until the expiry of the lifespan of the last certificate issued within this CPS.
9.10.2 Anticipated end of validity
The publication of a new version of the CP can, depending on the changes introduced, make it necessary for CamGovCA to modify the corresponding CPS.
Depending on the nature and the importance of the modifications brought to the CP, the timeframe for achieving conformity will be determined in accordance with the modalities provided for by the regulations in force.
Furthermore, achieving conformity does not impose the early renewal of already issued certificates, except for security reasons.
9.11 Individual notification and communication between participants
In case of change of any sort intervening within the composition of the PKI, the CamGovCA must:
- At most one month before the start of the operation, validate the change by using technical expertise, in order to evaluate the impacts on the new quality and security of its functions as well as the different components;
- At most one month after the end of the operation, inform the organ in charge of qualification.
9.12 Amendment of the CPS
This part defines the exigencies in matters of administration and the management of the present CPS.
9.12.1 Procedures of amendment
The CamGovCA must ensure that every project for the modification of its CPS remains in conformity with the CP. In case of an important change, the CamGovCA must make use of technical expertise in order to control the impact.
9.12.2 Mechanisms and period of information on the amendments
9.12.2.1 Timeframe for notice
The CamGovCA gives beneficiaries and third party users a notice of 30 (thirty) days before proceeding to modifications of the present CPS which, according to the evaluation of an official of the policy, have a major effect on them.
The CamGovCA gives a 07 (seven) day notice to beneficiaries and to third party users before proceeding to modifications of the present CPS which, according to the evaluation of an official of the policy, have a major effect on them.
The CamGovCA can modify the present CPS without notice to beneficiaries and third party users, when, as per evaluation of an official of the policy, have major effects on them.
9.12.2.2 Forms for the communication of opinion
In a case necessitating a notice, the CamGovCA gives notice to clients and all beneficiaries of modifications brought to the policy and to the CPS by communicating the changes on the website www.camgovca.cm/fr/declaration-des-pratiques-de-certification.html and by electronic message.
When the notice is destined for beneficiaries and clients, the notice is communicated by electronic message if the modifications have a major effect and on the CamGovCA’s website in all the other cases.
9.13 Stipulations relating to conflict resolution
The CamGovCA has a competent committee charged with the resolution of all conflict between beneficiaries, clients and third party users of certificates.
In case of non-acceptability of the resolutions arrived at by the CamGovCA or failure to arrive at an amicable settlement, the matter can be referred by the parties to the CamRootCA or, in the third instance, to the Ministry in charge of Telecommunications. As a last resort, the parties expressly and exclusively give competence to the competent courts in Cameroon, notwithstanding the plurality of defendants or actions before the courts or appeal on guarantee or conservatory measures.
9.14 Competent jurisdictions
The present CPS is expressly elaborated, controlled, applied and interpreted according to the Laws and Regulations in force in Cameroon, although its effects may extend outside the national territory.
9.15 Conformity to legislation and regulations
The laws and regulations applicable to this CPS are, in particular, those set out in Annex I below.
9.16 Other provisions
9.16.3 Consequences of a non-valid clause
The inapplicable character in a given context of a stipulation of the certification policy or that of the present CPS does not affect in any way the validity of the other dispositions or of this disposition out of this context. The policy of certification and the associated CPS continue to be applied in the absence of an inapplicable disposition and this, while respecting the intention of parties.
The headings of every section serve only for reading convenience and can in no case be the pretext for any misrepresentation or distortion of the clauses for which they stand.
9.16.4 Application and renunciation
Any notification to be given within the framework of the certification policy that underlies the present CPS will be deemed to be given if it is sent by recorded delivery letter with a certified reception item or by telegram addressed to the elected domicile as indicated at the top of the service contract. It is deemed to be received seven (07) days after the date of the postal stamp in the case of a recorded delivery letter with a certified reception item, and the day after the sending date in the case of a telegram.
9.16.5 Force majeure
At first instance, a case of force majeure will suspend the execution of a contract. If the cases of force majeure have a longer duration than that indicated in the contract, the contract is automatically rescinded, except by express contrary agreement between the parties. The execution of the obligations will resume normally only when the element constituting the force majeure has ended.
CamGovCA will not be held responsible and does not take any engagement for any lateness in the execution of obligations or for any non-execution of obligations resulting from the present CPS when the circumstances giving rise to it, and which may result in the total or partial interruption of its activity or of its organization, arise from force majeure within the meaning of the Civil Code.
Expressly, the following are considered as cases of force majeure or fortuitous events, apart from those recognized by the jurisprudence of Cameroonian courts of law, contractual clauses or any other convention binding the parties: large scale or partial strikes, lock-outs, uprisings, civil strife, insurrections, civil or foreign wars, nuclear risk, embargo, confiscation, capture or destruction by any public authority, bad weather, epidemics, blockage of means of transport or supply for whatever reason, earthquakes, fire outbreaks, storms, floods, water damage, state or legal restrictions, legal or regulatory modification of forms of commercialization, computer breakdown, blockage of electronic communication, including on telecommunication networks, all major scientific findings not respecting in whole or in part the principles of cryptographic asymmetry, all consequences of technological evolution not envisaged by CamGovCA that put in jeopardy the norms and standards of its profession, and any other matter independent of its will that does not allow for the proper execution of the present contract.
9.17 Other provisions
By virtue of Laws No. 2010/012 of 21 December 2010 relating to Cybersecurity and Cybercriminality and No. 2010/021 of 21 December 2010 regulating electronic commerce, as well as the provisions of the Penal Code, applicable when an offence is committed on the national territory, all attacks or attempted attacks on information systems and electronic communication networks are sanctioned, notably fraudulent access and trespass, and the modification, alteration and piracy of data.
The punishment ranges from six (6) months to ten (10) years imprisonment and a fine ranging from one million (1.000.000) to fifty million (5.000.000) francs CFA.
Contraband of brands, of trade and services, diagrams and models, distinctive signs and copyrights (for example: software, web pages, databases, original texts) is sanctioned by the Laws and Regulations in force in Cameroon and by the Intellectual Property Code.