Module_5

MODULE 5: REGULATION OF CERTIFYING AUTHORITIES.

The world of internet has the problems of integrity, authentication and confidentiality of
communication channels and processes. The Information Technology Act, 2000 accorded
legal recognition to Digital Signatures, after which the Digital signatures are being treated at
par with handwritten signatures. The success of electronic transactions depends on the trust
that the transacting parties place in the security of the transmission and content of their
communications. Therefore, the issues of authenticity, non-reputability, confidentiality and
integrity arise in such transactions. The question arises as to an authority that can
authenticate the identity and functions relating to that.

There should be an authority who confirms that a particular digital signature belongs to a
specific signer. The answer to the question comes in the form of one or more third parties,
who are the authorities, who is dispensed with the public keys and who can authenticate
that the digital signature belongs to a specific signer. Such authority is known as the
"certifying authority".

5.1 DEFINITION OF A CERTIFYING AUTHORITY

Section 2(1)(g) of Information Technology Act, 2000 defines a certifying officer as “a person
who has been granted a license to issue a Electronic Signature Certificate under section 24”.
With regard to this, section 24 of the Act lays down that a certifying authority is granted
license by the Controller after receiving an application to grant license under sub-section (1)
of section 21 and considering the documents accompanying the application and such other
factors, as he deems fit. Sub-section (2) of section 21 says that an applicant the applicant
must fulfils such requirements with respect to qualification, expertise, manpower, financial
resources and other infrastructure facilities, which are necessary to issue Digital Signature
Certificates as may be prescribed by the Central Government.

Some of the cyber legislations use the term “certification authority” in place of “certifying
authority”. For example, under Electronic Transactions Ordinance 2004 of Hong Kong, the
term "certification authority" has been defined as “a person who issues a certificate to a
person (who may be another certification authority) [under Section 2]. Electronic
Transactions Law, 2004 of the Union of Myanmar also uses the term certification authority
and defines it as “a person or an organization that has been granted a licence by the Control
Board under this Law for services in respect of the electronic signature”[Section 2(g)]. The
Security Guidelines for Certification Authorities, 1999 of Singapore define a Certification
Authority (CA) as “the relied-upon entity that issues, publishes, suspends and revokes a
certificate. The CA’s basic role is to verify and vouch for the identity of the subscriber and to
provide certificate management services. The CA may delegate the registration and
publication functions to a registration authority or repository service provider. References
to CA include RA and repository service provider unless otherwise stated”.

Under Electronic Transactions Act of 1998 of Singapore, it has been defined as "a person
who or an organization that issues a certificate". Digital Signatures Act, 1997 of
Bundesgesetzblatt defines it as “a natural or legal person who certifies the assignment of

90

public signature keys to natural persons and to this end holds a licence pursuant to § 4 of
this Act” [under § 2 (2)].

California Code of Regulations, 1998 defines says "Certification Authority means a person or
entity that issues a certificate, or in the case of certain certification processes, certifies
amendments to an existing certificate” [under 22003.a.1.E].

As per the definition provided under the Act, the certifying authority can only issue a digital
signature certificate after he gets the license from the Controller of Certifying Authorities
(CCA) to issue such license. Apart from the Act, the Certification Practice Statement (CPS),
the Information Technology (Certifying Authorities) Rules, 2000 and Information Technology
(Certifying Authority) Regulations, 2001 also provide guidelines governing the Certifying
Authorities.

5.2 APPOINTMENT OF THE CONTROLLER AND OTHER OFFICERS

Under section 17 of the Act, the provision has been laid down as to the appointment of the
CCA and other officers. It says:

“(1) The Central Government may, by notification in the Official Gazette, appoint a
Controller of Certifying Authorities for the purposes of this Act and may also by the
same or subsequent notification, appoint such number of Deputy Controllers and
Assistant Controllers, other officers and employees as it deems fit.

(2) The Controller shall discharge his functions under this Act subject to the general
control and directions of the Central Government.

(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned
to them by the Controller under the general superintendence and control of the
Controller.

(4) The qualifications, experience and terms and conditions of service of Controller,
Deputy Controllers Assistant Controllers, other officers and employees shall be such
as may be prescribed by the Central Government.

(5) The Head Office and Branch Office of the office, of the Controller shall be at such
places as the Central Government may specify, and these may be established at such
places as the Central Government may think fit.

(6) There shall be a seal of the Office of the Controller.

5.3 WHO IS A CONTROLLER?

Under the Information Technology Act, 2000, the controller has been defined as “the
Controller of Certifying Authorities appointed under sub-section (1) of section 17” [under
Section 2(1)(m)]. In Directive 95/46/EC of the European Parliament and of the Council, it has
been defined as “the natural or legal person, public authority, agency or any other body
which alone or jointly with others determines the purposes and means of the processing of
personal data; where the purposes and means of processing are determined by national or
Community laws or regulations, the controller or the specific criteria for his nomination may
be designated by national or Community law” [under Article 2(d)]. Under section 2(b) of

91

Electronic Transactions (Amendment) Act, 2009 of Mauritius, reference has been made to
section 37 of the Act.

In furtherance of this, clause (1) of section 37 lays down that for the purposes of this Act,
there shall be a Controller of Certification Authorities. Clause (2) of this section says that
“for the purposes of this Act, the ICT Authority shall be the Controller and may be assisted
by such of its officers and other members of its staff as may be necessary.

Taking the note of the provisions in various legislations a clear definition of
“controller” emerges. Under the IT Act, 2000, controller refers to the Controller of Certifying
Authorities as appointed by the Central Government, by notification in the Official Gazette.
The Controller has the duty to discharge his functions subject to the general control and
directions of the Central Government. The Office of the CCA came into existence on
November 1, 2000.

It is the "Apex Authority" to manage the Digital Signature System. It aims at promoting the
growth of E-Commerce and E-Governance through the wide use of digital signatures. Any
complaint filed before the CCA’s will not serve the requirement of complaint before the
Adjudicating Officer, for the purpose of adjudication under the Information Technology Act.
The appellant is required to file a complaint before the Adjudicating Officer who has the
jurisdiction for deciding the disputes of such nature (Mascon Global Limited v. Controller of
Certifying Authorities, GMAIL.COM and Google Inc.)1 After the Amendment Act of 2008,
the responsibility of the Controller to act as the repository has been removed and powers
have been given to adjudicate on Cyber Crimes and admit compositions.

Under section 17 of the Act, the Central Government has been authorized to appoint a CCA
and such number of Deputy Controllers and Assistant Controllers, as it deems fit for the
purposes of the Act, by notification in the Official Gazette. Before the Amendment Act of
2008, the CCA could only appoint Assistant controllers. The Office of the CCA came into
existence on November 1, 2000. The Rule 19(2) of the Information Technology (Certifying
Authorities) Rules, 2000 lays down the provision of the Information Technology Security
Guidelines and Security Guidelines for Certifying Authorities, for protecting the integrity,
confidentiality and availability of service of Certifying Authority, which are to be followed by
the Certifying Authorities.

5.4 FUNCTIONS OF THE CCA

Functions of the CCA are laid down in section 18 of the Act. Section 18 says that:

“The Controller may perform all or any of the following functions, namely:- Exercising
supervision over the activities of the Certifying Authorities.”

The supervision of the CCA over the activities of the Certifying Authorities stems from the
fact that the certifying authorities have to fulfill the conditions stipulated by the CCA. Rule

1 MANU/CY/ 0006/2010

92

31 of the Information Technology (Certifying Authorities) Rules, 2000 says that the Certifying
Authorities have to conduct half yearly audit of the security policy, physical security and
planning of its operation; and a quarterly audit of its repository. Further sub rule (3) of the
Rule says that the Certifying Authority has a duty to submit copy of each audit report to the
Controller within four weeks of the completion of such audit and where irregularities are
found, the Certifying Authority shall take immediate appropriate action to remove such
irregularities.

Under Para 9 of the Security Guidelines for Certifying, given under the Rule 19(2) lays down
the details of the System Security Audit Procedures, whereas the Para 10 of Information
Technology Security Guidelines lays down the parameters for capturing audit trails.

5.4.1 CERTIFYING PUBLIC KEYS OF THE CERTIFYING AUTHORITIES

The CCA operates RCAI for certifying the public keys of CA’s using it private key. The RCAI
root certificate is the highest level of certification in India, which is used to sign the public
keys of the licensed Certifying Authorities. It is the self-signed certificate. The RCAI is
responsible for: 1. Issue of License by means of an X.509 certificate; 2. digitally signing
the public key of the Licensed CA; and 3. Generating CRLs for the licenses issued.

Under Rule 20(b) of the IT Rules, it has been mentioned that the licensed Certifying
Authority shall commence its commercial operation of generation and issue of Digital
Signature only after it has generated its key pair, namely, private and corresponding public
key, and submitted the public key to the Controller.

5.4.2 LAYING DOWN THE STANDARDS TO BE MAINTAINED BY THE CERTIFYING
AUTHORITIES

Rule 6 of the IT Rules refers to the standards that may be considered for different activities
associated with the Certifying Authorities functions. Further Regulation 4(1) of the
Information Technology (Certifying Authority) Regulations, 2001 casts a duty upon every
Certifying Authority to observe the following standards for carrying out different activities
associated with its functions.

• Public Key Infrastructure;
• Public-key cryptography;
• Public-key Cryptography Standards;
• Federal Information Processing Standards;
• Discrete Logarithm (DL) systems;
• Elliptic Curve (EC) systems;
• Integer Factorization (IF) systems;
• Key agreement schemes;
• Form and size of the key pairs;
• Directory Services; and
• Public Key Certificate Standard.

93

5.4.3 SPECIFYING THE QUALIFICATIONS AND EXPERIENCE WHICH EMPLOYEES OF THE
CERTIFYING AUTHORITY SHOULD POSSESS

Neither under the Rules not under Regulations has the qualifications and experience of the
employees of the Certifying Authorities been laid down. Para 5.1 of the Information
Technology Security Guidelines mentions that each organization shall designate a properly
trained "System Administrator" who will ensure that the protective security measures of the
system are functional and who will maintain its security posture. Similarly under Para 20,
the responsibility of the network administrator for operation, monitoring security and
functioning of the network has been mentioned.

5.4.4 SPECIFYING THE CONDITIONS SUBJECT TO WHICH THE CERTIFYING AUTHORITIES
SHALL CONDUCT THEIR BUSINESS

A certifying authority has to fulfill all the terms and conditions specified by the CPA to obtain
license to issue the digital signature certificate. Regulation 3 of the Information Technology
(Certifying Authority) Regulations, 2001 mentions these terms and conditions.

5.4.5 SPECIFYING THE CONTENTS OF WRITTEN, PRINTED OR VISUAL MATERIALS AND
ADVERTISEMENTS THAT MAY BE DISTRIBUTED OR USED IN RESPECT OF AN
ELECTRONIC SIGNATURE CERTIFICATE AND THE PUBLIC KEY

Before the Amendment of 2008, the said provision was in respect of a digital signature
certificate. The functions of the CCA also includes the specification of the written, printed or
visual materials and advertisements that may be distributed or used in respect of an
Electronic Signature Certificate and the public key. This is done in order to bring uniformity
and harmonization in practices of the Certifying Authorities, while framing their CPS.

5.4.6 SPECIFYING THE FORM AND CONTENT OF AN ELECTRONIC SIGNATURE CERTIFICATE
AND THE KEY

Rule 7 of the Information Technology (Certifying Authorities) Rules, 2000 says that all Digital
Signature Certificates issued by the Certifying Authorities shall conform to ITU X.509 version
3 standard as per rule 6 and shall inter alia contain the following data, namely:-

• Serial Number assigned to the Digital Signature Certificate by Certifying Authority to
distinguish it from other certificate;

• Signature Algorithm identifier, which identifies the algorithm used by Certifying
Authority to sign the Digital Signature Certificate;

• Name of the Certifying Authority who issued the Digital Signature Certificate;
• Validity period of the Digital Signature Certificate;
• Name of the subscriber, whose public key the Certificate identifies; and
• Public Key information of the subscriber.

94

5.4.7 SPECIFYING THE FORM AND MANNER IN WHICH ACCOUNTS SHALL BE
MAINTAINED BY THE CERTIFYING AUTHORITIES

Regulation 3(vi) of the Information Technology (Certifying Authority) Regulations, 2001 casts
a duty upon every Certifying Authority to comply with all the financial parameters during
the period of validity of the license, issued under the Act. It further says that any loss to the
subscriber, which is attributable to the Certifying Authority, shall be made good by the
Certifying Authority.

5.4.8 SPECIFYING THE TERMS AND CONDITIONS SUBJECT TO WHICH AUDITORS MAY BE
APPOINTED AND THE REMUNERATION TO BE PAID TO THEM

Rule 31 of the Information Technology (Certifying Authorities) Rules, 2000 lay down the
terms and manner of audit. Rule 32 mentions the relationship of the auditors with the
Certifying Authorities.

The CCA has currently a panel of 15 auditors, who are:

1. M/s. AKS Information Technology Services Pvt. Ltd.

2. M/s. Financial Technologies (I) Limited

3. M/s. Spectrum Networks Solutions Pvt. Ltd.
4. M/s. Digital Age Strategies Pvt. Ltd.
5. M/s. Cyber Q Consulting Pvt. Ltd.

6. M/s. AAA Technologies Pvt. Ltd.

7. M/s. Information System Auditors & Consultants Pvt. Ltd.
8. M/s. Protiviti Consulting Pvt. Ltd.

9. M/s. Appin Software Security Pvt. Ltd.

10. Shri Arvind Kumar
11. M/s. Haribhakti & Co.

12. M/s. Qadit Systems & Solutions Pvt. Ltd.
13. M/s. Coral eSecure Private Ltd.
14. M/s. Kochar & Associates .

15. M/s. Indusface Consulting Pvt. Ltd.

Regulation 3(vii)(a) of the Information Technology (Certifying Authority) Regulations, 2001
lays down that the Certifying Authority shall subject itself to Compliance Audits that shall be
carried out by one of the empanelled Auditors duly authorized by the Controller for the

95

purpose. Such audits shall be based on the Internet Engineering Task Force document RFC
2527 – Internet X.509 PKI Certificate Policy and Certification Practices Framework.
5.4.9 FACILITATING THE ESTABLISHMENT OF ANY ELECTRONIC SYSTEM BY A CERTIFYING

AUTHORITY EITHER SOLELY OR JOINTLY WITH OTHER CERTIFYING AUTHORITIES
AND REGULATION OF SUCH SYSTEMS

The Information Technology Security Guidelines and Security Guidelines for Certifying
Authorities, which are aimed at protecting the integrity, confidentiality and availability of
service of Certifying Authority, have been mentioned in Rule 19(2) of the Information
Technology (Certifying Authorities) Rules, 2000.

5.4.10 SPECIFYING THE MANNER IN WHICH THE CERTIFYING AUTHORITIES SHALL
CONDUCT THEIR DEALINGS WITH THE SUBSCRIBERS.

A Certifying Authority has to comply with the policies, procedures, and processes for issuing,
renewing, and recovering certificates that has been laid down in the Certificate Practice
Statement (CPS). Further, Rule 21 of the Information Technology (Certifying Authorities)
Rules, 2000 lay down that before ceasing to act as a Certifying Authority, a Certifying
Authority shall notify its intention to cease acting as a Certifying Authority to the subscriber.
Under Regulation 3 of the Information Technology (Certifying Authority) Regulations, 2001,
some duties have been cast upon the Certifying Authority, which refer to:

1. using methods, which are approved by the Controller, to verify the identity of a
subscriber before issuing or renewing any Public Key Certificate;

2. provide Time Stamping Service for its subscribers;

3. assure the confidentiality of subscriber information; and
4. ensure the continued accessibility and availability of its Public Key Certificates and

Certificate Revocation Lists in its repository to its subscribers and relying parties.

5.4.11 RESOLVING ANY CONFLICT OF INTERESTS BETWEEN THE CERTIFYING AUTHORITIES
AND THE SUBSCRIBERS

The office of the CCA is competent enough to resolve disputes arising between the
Certifying Authorities and the subscribers. As per its Certification Practice Statement (CPS), a
CCA can mediate between the Certifying Authorities and subscribers directly or through
arbitration. For this purpose, he can ask for any information or materials required for the
mediation, as per the CPS or the provisions of the Act.

Rule 12 of the Information Technology (Certifying Authorities) Rules, 2000 lays down that
any dispute arising as a result of any arrangement for cross certification between the
Certifying Authorities; or between Certifying Authorities or Certifying Authority and the
Subscriber, shall be referred to the Controller for arbitration or resolution.

96

5.4.12 LAYING DOWN THE DUTIES OF THE CERTIFYING AUTHORITIES

The practices described in the CPS apply to the licensed Certifying Authorities in India. A CPS
lays down their obligations, liability, operational procedures and security controls.

5.4.13 MAINTAINING A DATABASE CONTAINING THE DISCLOSURE RECORD OF EVERY
CERTIFYING AUTHORITY CONTAINING SUCH PARTICULARS AS MAY BE SPECIFIED BY
REGULATIONS, WHICH SHALL BE ACCESSIBLE TO PUBLIC

Before the Amendment of 2008, section 20 provided for the National Repository of Digital
Signatures (NRDC), which is a national repository, is maintained by the CCA. It contains all
Digital Certificates and Certificate Revocation List (CRLs) issued by all the licensed
certification authorities.

Thus, the functions of the CCA range from that of formulating guidelines and duties and
responsibilities of the certifying authorities to adjudicating the disputes.

5.4.14 RECOGNITION OF FOREIGN CERTIFYING AUTHORITIES

Section 19 of the Act gives the CCA the power to recognise any foreign Certifying Authority
for the purpose of the Act. It lays down that:

“(1) Subject to such conditions and restrictions as may be specified, by regulations, the
Controller may, with the previous approval of the Central Government, and by notification in
the Official Gazette, recognise any Certifying Authority as a Certifying Authority for the
purposes of this Act.”

The recognition of the foreign certifying authorities is done to make the implementation of
the digital signature certificate regime faster. A foreign certifying authority may provide
cross certification arrangement to the local licensed certifying authority to make it globally
accepted. The sanctity of a certificate issued by the foreign certifying authorities will be as
per the agreement between outside CA and a licensed CA in India. Such an agreement has
to be approved by the CCA.

The CCA has to take the previous approval of the Central Government, before appointing
any foreign certifying authority.

Such appointment shall be notified in the Official Gazette.

“(2) Where any Certifying Authority is recognised under sub-section (1), the Digital Signature
Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.”

97

After a foreign certifying authority is recognised, he has acquired the license to act as a
licensed certifying authority in India, subject to such conditions and restrictions as may be
specified in the Information Technology (Certifying Authority) Regulations, 2001. He thus has
the license to issue a digital signature certificate under section 24.

“(3) The Controller may if he is satisfied that any Certifying Authority has contravened any of
the conditions and restrictions subject to which it was granted recognition under sub-section
(1), he may, for reasons to be recorded in writing, by notification in the Official Gazette,
revoke such recognition.”

The recognition granted to such authority can be revoked/withdrawn by the CCA, in case of
any contravention of any restrictions and conditions, subject to which such recognition was
granted. The CCA has to record the reason of such revocation in the Official Gazette, by
notification, as in the case of grant of recognition.

The Malaysian Communications and Multimedia Commission lay down the criteria for
recognition of the Foreign Certification Authorities, which are:

• A foreign certification authority is eligible for recognition if an international treaty,
agreement or convention concerning the recognition of its certificates has been
concluded to which Malaysia is a party;

• It must be licensed or otherwise authorized by the relevant governmental entity in
that country to carry on or operate as a certification authority in that country;

• The certificate issued by the foreign certification authority demonstrates a level of
security equal to or more stringent than the level of security of a certificate issued by
a licensed certification authority in Malaysia;

• It has established a local agent for service of process in Malaysia;
• It complies with the standards and technical requirements under the Act and its

Regulations; and
• It complies with such other requirements as the Commission thinks fit.

5.5 PROVISIONS PERTAINING TO DIGITAL SIGNATURE CERTIFICATES

The provisions pertaining to the digital signature certificates revolve around the issues of
license, procedure of granting it and its application.

5.6 PERSONS WHO CAN APPLY FOR LICENSE TO ISSUE DIGITAL SIGNATURE
CERTIFICATES

Section 21 of the Act lays down the provisions pertaining to application for the license to
issue digital signature certificates. it says;

“(1) Subject to the provisions of sub-section (2), any person may make an application to the
Controller for a licence to issue Electronic Signature Certificates.
(2) No licence shall be issued under sub-section (1), unless the applicant fulfills such
requirements with respect to qualification, expertise, manpower, financial resources and

98

other infrastructure facilities, which are necessary to issue Electronic Signature Certificates
as may be prescribed by the Central Government.”

Section 21(1) says that any person can make an application to the CCA for license to issue
electronic signature certificates. Such an application is subject to sub-section (2), which says
that the person making the application should fulfil the requirements with respect to
qualification, expertise, manpower, financial resources and other infrastructure facilities,
which are necessary to issue Electronic Signature Certificates as may be prescribed by the
Central Government. Rule 8 of the Information Technology (Certifying Authorities) Rules,
2000 gives the detailed provision with regard to licensing of certifying authorities.

“(3) A licence granted under this section shall—
(a) be valid for such period as may be prescribed by the Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by the regulations.”

The validity period for a license granted under this section is what has been prescribed by
the Central Government in the rule 13 of the Information Technology (Certifying Authorities)
Rules, 2000, which has fixed the validity of such license for a period of five years from the
date of its issue. Further sub-rule (2) of the same rule reiterates the non transferability
clause. The terms and conditions for the grant of license have been laid down in regulation 3
of the Information Technology (Certifying Authority) Regulations, 2001.

5.7 APPLICATION FOR LICENSE

The form of applications and the documents required for the application have been
mentioned under section 22 of the Act, which says that:

“(1) Every application for issue of a licence shall be in such form as may be prescribed by the
Central Government.”

Rule 10(i) of the Information Technology (Certifying Authorities) Rules, 2000, mentions that
every application for a licensed Certifying Authority shall be made to the Controller, in the
form given at Schedule-I of the Rules.

“(2) Every application for issue of a licence shall be accompanied by—
(a) a certification practice statement;
(b) a statement including the procedures with respect to identification of the applicant;
(c) payment of such fees, not exceeding twenty-five thousand rupees as may be

prescribed by the Central Government;
(d) such other documents, as may be prescribed by the Central Government.”

Rule 11(1) of the Information Technology (Certifying Authorities) Rules, 2000 says that the
application for the grant of a licence shall be accompanied by a non-refundable fee of
twenty-five thousand rupees payable by a bank draft or by a pay order drawn in the name of
the Controller. The other documents as mentioned in clause (d) of subsection (2) include:

99

• A statement for the purpose and scope of anticipated Digital Signature Certificate
technology, management, or operations to be outsourced;

• Certified copies of the business registration documents of Certifying Authority that
intends to be licensed;

• A description of any event, particularly current or past insolvency, that could
materially affect the applicant's ability to act as a Certifying Authority;

• An undertaking by the applicant that to its best knowledge and belief it can and will
comply with the requirements of its Certification Practice Statement;

• An undertaking that the Certifying Authority's operation would not commence until
its operation and facilities associated with the functions of generation, issue and
management of Digital Signature Certificate are audited by the auditors and
approved by the Controller in accordance with rule 20;

• An undertaking to submit a performance bond or banker's guarantee in accordance
with sub-rule (2) of rule 8 within one month of Controller indicating his approval for
the grant of licence to operate as a Certifying Authority;

• Any other information required by the Controller.

5.8 RENEWAL OF LICENSE

Section 23 of the Act lays down the provision of renewal of license. It says:

“An application for renewal of a licence shall be—
(a) in such form;
(b) accompanied by such fees, not exceeding five thousand rupees, as may be prescribed

by the Central Government and shall be made not less than forty-five days before the
date of expiry of the period of validity of the licence.”

Rule 15(3) of the Information Technology (Certifying Authorities) Rules, 2000 says that the
application for renewal of licence may be submitted in the form of electronic record subject
to such requirements as the Controller may deem fit. Further the sub-rule (2) mentions that
a Certifying Authority shall submit the application for the renewal of its licence, within not
less than forty-five days before the date of expiry of the period of validity of licence.

As far as the fees for renewal is concerned, the rule 11(2) says that the payment of fees has
to be made through a bank draft or through a pay order drawn in the name of the
Controller.

5.9 PROCEDURE FOR GRANT OR REJECTION OF LICENSE

The procedure for grant or rejection of license has been laid under section 24 of the Act,
which says:
“The Controller may, on receipt of an application under sub-section (1) of section 21, after
considering the documents accompanying the application and such other factors, as he
deems fit, grant the licence or reject the application:

100

Provided that no application shall be rejected under this section unless the applicant has
been given a reasonable opportunity of presenting his case.”

Thus, after the receipt of the application by the certifying authorities and after considering
the documents accompanying the application and such other factors, as the CCA deems fit,
he may grant or reject the application.

The proviso to this section further says that the application for license cannot be rejected,
without giving the opportunity of presenting the case to the certifying authority.

5.10 SUSPENSION OF LICENSE

Under section 25 of the Act, the CCA has been given the power to revoke or suspend the
license of a certifying authority. The relevant provision says:

“(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit,
that a Certifying Authority has—

(a) made a statement in, or in relation to, the application for the issue or renewal of the
licence, which is incorrect or false in material particulars;

(b) failed to comply with the terms and conditions subject to which the licence was
granted;

(c) failed to maintain the procedures and standards specified in section 30;
(d) contravened any provisions of this Act, rule, regulation or order made thereunder;

revoke the licence:
Provided that no licence shall be revoked unless the Certifying Authority has been
given a reasonable opportunity of showing cause against the proposed revocation.”

If the CCA is satisfied, after making such enquiry as he deems fit, that the conditions
mentioned under subsection (1) exist, he may revoke the license. Clause (c) of the
subsection (1) was replaced with the effect of the Information Technology (Removal of
Difficulties) Order, 2002. Before that effect, the clause read as “failed to maintain the
standards specified under clause (b) of sub-section (2) of section 20;"

The proviso of the subsection (1) says that a license to issue digital signature certificates can
be revoked only after the certifying authority has been given a reasonable opportunity to
show cause against the proposed revocation.

“(2) The Controller may, if he has reasonable cause to believe that there is any ground for
revoking a licence under sub-section (1), by order, suspend such licence pending the
completion of any enquiry ordered by him:
Provided that no licence shall be suspended for a period exceeding ten days unless the
Certifying Authority has been given a reasonable opportunity of showing cause against the
proposed suspension.”

101

Subsection (2) of the section says that the CCA, having reasonable cause to believe the
existence of any ground for revocation of the license, may suspend such license, during
pendency of enquiry ordered by him.

Such suspension shall not exceed ten days unless the certifying authority has been given a
reasonable opportunity to show cause against the proposed suspension.

“(3) No Certifying Authority whose licence has been suspended shall issue any Electronic
Signature Certificate during such suspension.”

A certifying authority, whose license has been suspended is not authorised to issue any
electronic signature certificate during such suspension. Such suspension has to be made
public through notice as required under section 26, which says:

“(1) Where the licence of the Certifying Authority is suspended or revoked, the Controller
shall publish notice of such suspension or revocation, as the case may be, in the data
base maintained by him.

(2) Where one or more repositories are specified, the Controller shall publish notices of
such suspension or revocation, as the case may be, in all such repositories:
Provided that the data base containing the notice of such suspension or revocation,
as the case may be, shall be made available through a web site which shall be
accessible round the clock:
Provided further that the Controller may, if he considers necessary, publicise the
contents of data base in such electronic or other media, as he may consider
appropriate.”

Section 26 of the Act says that publication of suspension or revocation of the license has to
done in the database maintained by him. Further, subsection (2) says that if one or more
repositories have been specified, the CCA has to publish such notice, as the case may be, in
all such repositories.

The proviso to the section says accentuates the availability of the database containing such
suspension or revocation through a web site, which can be accessed round the clock. The
further proviso says that if the CCA deems necessary, he may publish contents of database
in an electronic or other media, as considered appropriate by him.

The purpose of such publication is to bring to the notice of the public at large of the
suspension or revocation of license of a certifying authority to issue digital signature
certificates.

Section 33 of the Act casts a duty upon a certifying authority to surrender his license. It says:

“(1) Every Certifying Authority whose licence is suspended or revoked shall immediately
after such suspension or revocation, surrender the licence to the Controller.

102

(2) Where any Certifying Authority fails to surrender a licence under subsection (1), the
person in whose favour a licence is issued, shall be guilty of an offence and shall be
punished with imprisonment which may extend up to six months or a fine which may
extend up to ten thousand rupees or with both.”

Immediately, after the suspension or revocation of license, the certifying authority has to
surrender his license to the CCA. The failure to do so constitutes an offence, which is
punishable with imprisonment, extending up to six months or a fine extending up to ten
thousand rupees or with both.

5.11 POWERS OF THE CCA

Apart from the power to issue and revoke licenses to the certifying authorities, the CCA has
the power to delegate his powers. His power of delegation has been mentioned under
section 27 of the Act. Other powers also include the power to investigate contraventions
and the power to access to computers and data.

5.11.1 POWER OF DELEGATION

Section 27 of the Act lays down the power of the CCA to delegate his powers. It says:

“The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any
officer to exercise any of the powers of the Controller under this Chapter.”

The section says that the CCA may authorise the Deputy Controller, Assistant Controller or
any officer to exercise any of his powers given under this Chapter. Such authorisation is
given in writing. The section mentions that only the powers given to the CCA under this
chapter, like that of recognition of foreign certifying authorities, issue and revocation of
license or that of investigation, can be delegated.

This section is to be read with section 17 of the Act, which authorises the appointment of a
team of Deputy Controllers and Assistant Controllers, other officers and employees. The
other officials can be delegated the powers given to the CCA.

5.11.2 POWER TO INVESTIGATE CONTRAVENTIONS

Section 28 of the Act grants the power to the CCA or any authorised officer on his behalf to
investigate contraventions of the provisions of the Act, rules or regulations made under the
Act. The relevant provision says that:
“(1) The Controller or any officer authorized by him in this behalf shall take up for

investigation any contravention of the provisions of this Act, rules or regulations
made there under.
(2) The Controller or any officer authorized by him in this behalf shall exercise the like
powers which are conferred on Income-tax authorities under Chapter XIII of the

103

Income Tax Act, 1961 and shall exercise such powers, subject to such limitations laid
down under that Act.”

The power given under this section is investigative in nature. This power can be exercised by
the CCA or any officer authorised by him. This further establishes the power of the CCA to
delegate his powers. Further, since the provision is covered under Chapter –VI, the power
exercised under this section in confined to the certifying authorities only.

However, the subsection (1) should be read with section 75 of the Act, which lays down that
the provisions of the Act applies also to any offence or contravention committed outside
India by any person irrespective of his nationality. This provision will apply, if such an act or
conduct constituting the offence or contravention involves a computer, computer system or
computer network located in India.

Subsection (2) of the section says that the CCA or the authorized officer has the powers
similar to that conferred on Income-tax authorities under Chapter XIII of the Income Tax Act,
1961. The powers mentioned under the said Chapter are:

Power to seize and retain in his custody, any books of account or other documents
produced before it in any proceeding, for such period as it thinks fit [under section 131].

Search and seizure of books of account and other documents, money, bullion, jewellery
other valuable articles or things found as a result of such search.

The authorized officer may, during the course of search or seizure, examine on oath any
person who is found to be in possession or control of the goods searched or seized by such
officer. The statement made by such person during such examination may be used in
evidence in any proceeding [under section 132].

• Power to call for information [under section 133].
• Power of survey [under section 133 A].
• Power to collect certain information [under section 133 B] and
• Power of proceedings as judicial proceedings [under section 136].

5.11.3 POWER TO ACCESS TO COMPUTERS AND DATA

Under section 29 of the Act, the CCA or any person authorised by him has the power to
access any computer system, any apparatus, data or any other material connected with
such system, in case of any contravention committed. The relevant section says that:
“(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any
person authorised by him shall, if he has reasonable cause to suspect that any contravention
of the provisions of this Act, rules or regulations made thereunder has been committed, have
access to any computer system, any apparatus, data or any other material connected with
such system, for the purpose of searching or causing a search to be made for obtaining any
information or data contained in or available to such computer system.

104

(2) For the purposes of sub-section (1), the Controller or any person authorised by him may,
by order, direct any person incharge of, or otherwise concerned with the operation of, the
computer system, data apparatus or material, to provide him with such reasonable technical
and other assistance as he may consider necessary.”

The essentials of the power granted under this section are:

• there must be a reasonable cause to suspect that any contravention of provisions of
the IT Act, or rules or regulations made thereunder, has been committed; and

• the purpose of having such access is to search or cause a search to be made for
obtaining any information or data contained in or available to such computer
system.

Subsection (2) of the Act empowers the CCA or the person authorised to direct any person
in charge of, or concerned with the operation of, the computer system, data apparatus or
material, by order and the purpose of such an order is to provide him with such reasonable
technical and other assistance as he may consider necessary. Such kind of assistance may
include assistance in providing entry to the computer system or material.

Since the term apparatus has not been defined, it may refer to the input devices (digital
cameras, scanners, etc.), output devices (printer, speakers etc.), communication devices
(modem) and storage devices (hard disk, removable hard drives, CDs etc.). The
contraventions mentioned under the Act, refers to those given under section 43 of the Act.

5.12 PROCEDURE AND COMPLIANCES BY THE CERTIFYING AUTHORITY

Section 30 of the Act lays down some procedures to be followed by a Certifying Authority.
The relevant provision says that:

“Every Certifying Authority shall,--
(a) make use of hardware, software, and procedures that are secure from intrusion and

misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to

the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the Electronic

signatures;
(ca) be the repository of all Electronic Signature Certificates issued under this Act;
(cb) publish information regarding its practices, Electronic Signature Certificates and

current status of such certificates; and
(d) observe such other standards as may be specified by regulations.”

The certifying authorities have to fulfil the conditions laid down under the Information
Technology (Certifying Authorities) Rules, 2000 and the Information Technology (Certifying
Authority) Regulations, 2001. Each certifying authority has to frame its management and
operational policies keeping in mind the Information Technology Security Guidelines and
Security Guidelines for Certifying Authorities issued under the Rules.

105

After the amendment of 2008, the clauses (ca) and (cb) were added, thereby forming the
certifying authorities the repository of all Electronic Signature Certificates issued under the
Act.

In a nutshell, a certifying authority has to ensure the reliability in its service and secrecy and
privacy of electronic signatures; make the use of softwares and computer system, free from
misuse and also he has the responsibility to publish the practices followed by him.

Under section 31 of the Act, the certifying authority has the duty to ensure the compliance
of the Act, rules and regulations by every person employed by him or engaged by him, in
course of his employment or engagement. It says;

“Every Certifying Authority shall ensure that every person employed or otherwise engaged by
it complies, in the course of his employment or engagement, with the provisions of this Act,
rules, regulations or orders made thereunder.”

Rule 31(1) of the Information Technology (Certifying Authorities) Rules, 2000 lays down that
that requirement of access to confidential information by Certifying Authority's operational
staff to be on a "need-to-know" and "need-to-use" basis. Further, Regulation 3(v) of the
Information Technology (Certifying Authority) Regulations, 2001 casts a duty upon every
Certifying Authority to get an independent periodic audit done through an approved
auditor.

A CPS must also mention the guidelines on controlling the employees, their qualifications,
background and experience.

5.13 DISPLAY OF LICENSE

Section 32 of the Act lays down a duty upon every Certifying Authority to display its licence
at a conspicuous place of the premises in which it carries on its business. The relevant
provision says:

“Every Certifying Authority shall display its licence at a conspicuous place of the premises in
which it carries on its business.”

5.14 DISCLOSURE OF CERTAIN DOCUMENTS

Section 33 of the Act lays down a duty upon the certifying authority to disclose certain
documents. The relevant provision says that:

“(1) Every Certifying Authority shall disclose in the manner specified by regulations--
(a) its Electronic Signature Certificate

106

(b) any certification practice statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying Authority certificate, if any;

and
(d) any other fact that materially and adversely affects either the reliability of a

Electronic Signature Certificate, which that Authority has issued, or the Authority's
ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any
situation has arisen which may materially and adversely affect the integrity of its
computer system or the conditions subject to which a Electronic Signature Certificate
was granted, then, the Certifying Authority shall--
(a) use reasonable efforts to notify any person who is likely to be affected by that
occurrence; or (b) act in accordance with the procedure specified in its certification
practice statement to deal with such event or situation.”
Subsection (1) mentions the documents which have to be shown by the certifying
authorities. Prior to the Amendment of 2008, the clause (a) included the phrase “which
contains the public key corresponding to the private key used by that Certifying Authority to
digitally sign another Electronic Signature Certificate”. Under Regulation 5(2), it has been
mentioned that the disclosure shall be made available to the Controller through filling up of
online forms on the Web site of the Controller on the date and time the information is made
public. Further the Certifying Authority shall digitally sign the information.

Subsection (2) of the Act lays casts a duty upon the certifying authority to use reasonable
efforts to notify any person who is likely to be affected by an event or situation which may
materially and adversely affect the integrity of its computer system or the conditions subject
to which a Electronic Signature Certificate was granted or to act in accordance with the
procedure specified in its certification practice statement to deal with such event or
situation.

107