IT Act 2000
Section 39
Notice of Suspension or Revocation of Digital Signature Certificate
THE STATUTE
Original Text
Where a Digital Signature Certificate has been suspended or revoked under section 37 or section 38, the Certifying Authority shall communicate the same to the subscriber, and shall also publish a notice of such suspension or revocation, as the case may be, in the repository specified in the Digital Signature Certificate for publication of such notice.
Simplified
Section 39 is the publication obligation that closes the PKI notification loop: once a Digital Signature Certificate is suspended (Section 37) or revoked (Section 38), the Certifying Authority has two mandatory duties. First, it must communicate the suspension or revocation directly to the subscriber; this is a personal notification obligation. Second, it must publish a notice of the suspension or revocation in the repository specified in the certificate itself.

In the PKI architecture, every Digital Signature Certificate contains a field pointing to the CA's repository, typically a Certificate Revocation List (CRL) distribution point and/or an Online Certificate Status Protocol (OCSP) responder URL. When a certificate is suspended or revoked, the CA must update these repositories so that any software or system checking the certificate's validity will discover the changed status.

The practical significance is profound: a relying party who checks a certificate's status after the Section 39 notice has been published and still relies on the certificate does so at their own risk. Conversely, a relying party who relied on a certificate before a suspension or revocation was published in the repository may have a defence that they acted in good faith on a then-valid certificate. Section 39 therefore fixes the legal moment at which the world is deemed to have notice of a certificate's invalid status: the moment of publication in the repository, not the moment of internal CA decision.
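The timing distinction above, as an added Python example (not part of the statute or the original page): it reports the status a relying party could have learned from the repository at the moment of reliance, separating the CA's internal revocation time from the CRL publication time. `PublishedCRL`, `status_at_reliance`, the serial number and all dates are constructed for illustration, and treating a missing or stale CRL as "unknown" is a fail-closed policy choice of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical, simplified model of a published CRL (not a real X.509 parser).
@dataclass(frozen=True)
class PublishedCRL:
    this_update: datetime   # when this CRL was published in the repository
    next_update: datetime   # after this, the CRL is stale and must be refetched
    entries: dict           # serial -> (revocationDate, reasonCode)

HOLD = "certificateHold"    # X.509 reason code used for a suspension

def status_at_reliance(serial, relied_at, published):
    """Status a relying party could have learned from the repository at relied_at."""
    visible = [c for c in published if c.this_update <= relied_at]
    if not visible:
        return "unknown"                      # nothing published yet: fail closed
    crl = max(visible, key=lambda c: c.this_update)
    if relied_at > crl.next_update:
        return "unknown"                      # stale CRL: fail closed
    entry = crl.entries.get(serial)
    if entry is None:
        return "good"                         # not listed in the published notice
    return "suspended" if entry[1] == HOLD else "revoked"

def utc(day, hour):
    return datetime(2024, 3, day, hour, tzinfo=timezone.utc)

# Constructed sample data: the CA decides to revoke serial 0x1A2B at 09:00 on
# 2 March, but the CRL listing it is only published at 12:00 that day.
SERIAL = 0x1A2B
CRLS = [
    PublishedCRL(utc(1, 12), utc(2, 12), {}),
    PublishedCRL(utc(2, 12), utc(3, 12), {SERIAL: (utc(2, 9), "keyCompromise")}),
]

if __name__ == "__main__":
    for when in (utc(2, 10), utc(2, 13), utc(4, 0)):
        print(when.isoformat(), status_at_reliance(SERIAL, when, CRLS))
```

Reliance at 10:00 on 2 March falls after the CA's internal decision but before publication, so the repository still reports the certificate as good; that is the window in which the good-faith defence described above can arise.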
Legal Evolution
Section 39 has been part of the IT Act since its original enactment in 2000. The provision is the Indian implementation of the Certificate Revocation List (CRL) concept that was central to the X.509 PKI standard and the ABA Digital Signature Guidelines. CCA regulations have since revised the CRL update frequency requirements for licensed CAs.
Key Amendments
Unchanged since the original IT Act 2000.
CCA-licensed CAs are required under regulations to update CRLs within specified timeframes after suspension or revocation.