Section 42

Section 42 is the subscriber's foundational private key security obligation — and one of the most practically consequential provisions for DSC holders. It establishes two duties. First, positive retention: the subscriber must take all steps to retain exclusive control of their private key and prevent its disclosure to anyone. This means: keeping the private key on a hardware security token or HSM, never sharing the token's PIN with anyone, not exporting the private key to insecure media, and protecting the physical device from theft or loss. Second, immediate notification on compromise: if the private key is compromised — whether through device theft, malware, social engineering, or any other means — the subscriber must notify the CA immediately. The Explanation is critical: it removes any doubt about liability. If a subscriber fails to promptly notify the CA of a key compromise, and the key is then used to create fraudulent signatures that cause loss to third parties, the subscriber bears liability for that loss. This makes Section 42 the subscriber-side counterpart to the CA's revocation duty under Section 38 — together they create a framework where compromise → notification → revocation → protection of relying parties. In practice, subscriber failures under Section 42 are frequently cited in identity theft prosecutions under Section 66C and fraud cases under Section 66D.