
CHAPTER 7

REGULATION OF CERTIFYING AUTHORITIES UNDER THE ACT

"It is better for a city to be governed by a good man than even by good laws".
- Aristotle

Internet is an open system of communication, which has its own set of problems. These problems relate to integrity, confidentiality and authentication of communication channels and processes. Since the computerized environment is more process based than personalized, it is hence necessary to have an identification strategy to ascertain the integrity, confidentiality and authentication of communication channels and processes.
Any identification strategy needs to understand the universality principle of Internet (and the World Wide Web) linking countries and strangers seamlessly. It is not merely the question of efficiency but also of reliability. A system of identity authentication is thus required. The question is who shall perform this identity authentication function? Who shall authenticate that a digital signature belongs to a specific signer? Who shall be the dispenser of the public keys? After all, it is a matter of trust.
Concept Note
Establishing Public Key Infrastructure
The solution to these problems is in the form of one or more trusted third parties which will not only authenticate that a digital signature belongs to a specific signer but also dispense the public keys. That trusted third party¹ is referred to as a "certification authority". Its function is to verify and authenticate the identity of a subscriber (a person in whose name the Digital Signature Certificate is issued).
A certifying authority has to receive a licence from the 'root certifying authority' or controller of certifying authorities, before it starts issuing digital signature certificates to the subscribers. The issuing certification authority's digital signature on the digital signature certificate can also be verified by using the public key of the certification authority listed in the repository² of the controller of certifying authorities.
1. In general, an independent, unbiased third party that contributes to the ultimate security and trustworthiness of computer-based information transfers. A trusted third party does not connote the existence of a trustor-trustee or other fiduciary relationship [Schedule V].

Information Technology – Law and Practice
2. Repositories are on-line databases of certificates and other information available for retrieval and use in verifying digital signatures.
Figure 7.1: Levels of Hierarchy
This establishes multi level authorities, often referred to as Public Key Infrastructure (PKI) hierarchy where a set of Certifying Authorities is subordinate to the superior Certifying Authority (Controller of Certifying Authorities).
A PKI system is much more than the 'subordinate-superior' relationship existing between the certifying authorities and the controller. It is a set of policies, processes, server platforms, software and workstations used for the purpose of administering Certificates and public-private key pairs, including the ability to generate, issue, maintain, and revoke public key certificates. PKI represents a brand new system of creating and authenticating digital binding relationships.
This multiple party system of creating and authenticating digital binding relationships is based on trust. Basically it involves: (a) an individual or entity identified by the certificate (Subscriber), (b) the issuer of the certificate which includes identification and authentication of subject (subscriber) information contained in the certificate (Certifying Authority) and (c) the company, agency or individual relying on the certificate (Relying Party).
Figure 7.2: Creating Binding Relationships (Issue of Digital Signature Certificate by the Certifying Authority; Identification of the Subscriber by the Certifying Authority; Affixation of Digital Signature by the Subscriber; parties: Certifying Authority, Subscriber, Relying Party)
As evident from the above diagram, a certifying authority has 'two' roles to perform. On one hand, it has to issue digital signature certificate to the subscriber and on the other identify and authenticate the subscriber's information contained in the said certificate for the benefit of the relying party. The role of certifying authority is quite crucial as it creates a binding relationship between the subscriber and the relying party.

Regulating Certifying Authorities

It is thus necessary that the certifying authorities should follow established rules and regulations as laid down under the law. The Information Technology Act, 2000, under Chapter VI provides detailed provisions for the Controller of Certifying Authorities to regulate Certifying Authorities. Furthermore, the Information Technology (Certifying Authorities) Rules, 2000 and the Information Technology (Certifying Authorities) Regulations, 2001 have provided detailed guidelines for certifying authorities.
The regulation of certifying authorities comes under the statutory function of the Controller. Under the scheme of the Act, he has to act primarily as an administrative authority rather than as a quasi-judicial body. The Supreme Court in A.K. Kraipak v. Union of India¹ observed:
"The dividing line between an administrative power and a quasi-judicial power is quite thin and being gradually obliterated. For determining whether a power is an administrative power or a quasi-judicial power one has to look to the nature of the power conferred, the persons on whom it is conferred, the framework of the law conferring that power and the manner in which that power is expected to be exercised. Under our Constitution the rule of law pervades over the entire field of administration. Every organ of the State under our Constitution is regulated and controlled by the rule of law. In a welfare state like ours it is inevitable that the jurisdiction of the administrative bodies is increasing at a rapid rate. The concept of rule of law would lose its validity if the instrumentalities of the State were not charged with the duty of discharging their functions in a fair and just manner. The requirement of acting judicially in essence is nothing but a requirement to act justly and fairly and not arbitrarily or capriciously".
In the backdrop of aforesaid facts, it is thus prudent that the following sections should be viewed accordingly.
Section 17. Appointment of Controller and other officers.—(1) The Central Government may by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers, Assistant Controllers, other officers and employees as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers, Assistant Controllers, other officers and employees shall be such as may be prescribed by the Central Government.
(5) The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.
1. (1970) 1 SCR 457.
Comment
The Central Government has appointed the Controller of Certifying Authorities on November 1, 2000. The Office of Controller of Certifying Authorities has three main functional departments: (a) Technology, (b) Finance and Legal, and (c) Investigation. Each department has a Deputy Controller and Assistant Controllers, who work under the general superintendence and control of the Controller.

Figure 7.3: Organizational Hierarchy of the Office of Controller of Certifying Authorities
Controller of Certifying Authorities
- Deputy Controller (Technology), with Assistant Controller (Technology)
- Deputy Controller (Finance and Legal), with Assistant Controller (Finance and Legal)
- Deputy Controller (Investigation), with Assistant Controller (Investigation)


The Office of the Controller of Certifying Authorities is a fulcrum on which the Information Technology Act, 2000 operates. It has a statutory role to identify, apply and draw awareness regarding application of specific form of technology. Furthermore, it establishes functional attributes for Certifying Authorities.
In order to understand the functions of the Controller of Certifying Authorities, apart from following the key provisions of the Act one must also follow its Certification Practice Statement¹ along with Information Technology (Certifying Authorities) Rules, 2000 and Information Technology (Certifying Authorities) Regulations, 2001. Furthermore, the two guidelines:² 'Information Technology Security Guidelines' and 'Security Guidelines for Certifying Authorities' issued under Information Technology (Certifying Authorities) Rules, 2000, supplement the knowledge base.
Section 18. Functions of Controller.—The Controller may perform all or any of the following functions, namely:—
(a) exercising supervision over the activities of the Certifying Authorities;
Comment
Controller's supervision over the activities of the Certifying Authorities stems from the fact that as a licensee Certifying Authority has to fulfill all the conditions stipulated by the Controller.
As per rule 31 of the Information Technology (Certifying Authorities) Rules, 2000, Certifying Authority shall have to conduct half yearly/quarterly audits and submit each audit report to the Controller within four weeks of the completion of such audit.
It should be pointed out that the Information Technology Security Guidelines under rule 19(2) lays down parameters for capturing audit trails [Para 10], whereas details of System Security Audit Procedures are given in para 9 of Security Guidelines for Certifying Authorities.
(b) certifying public keys of the Certifying Authorities;
Comment
The Controller has established the Root Certifying Authority of India (RCAI) to certify public keys of all CAs in India. The RCAI is responsible for:
• Issue of licence by means of an X.509 certificate
• Digitally signing the public key of the licensed CA
• Generating Certificate Revocation Lists (CRLs) for the licences issued

--------
1. Office of the Controller of Certifying Authorities, Ministry of Communication and Information Technology, Government of India, Gate No.2, Jawahar Lal Nehru Stadium, Lodi Road, New Delhi 110003
2. Rule 19(2) establishes two guidelines: 'Information Technology Security Guidelines' and 'Security Guidelines for Certifying Authorities'
The RCAI root certificate is the highest level of certification in India and is being used to sign the public keys of the licensed CAs in India. One of the conditions under rule 20 of the Information Technology (Certifying Authorities) Rules, 2000, is that the licensed Certifying Authority shall commence its commercial operation of generation and issue of digital signature only after it has generated its key pair (private and corresponding public key) and submitted the public key to the Controller.
However, it is important to note that RCAI is a functional aspect of the operations of the Controller of Certifying Authorities. It is not a kind of separate organizational unit.
(c) laying down the standards to be maintained by the Certifying Authorities;
Comment
Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 refers to the standards that may be considered for different activities associated with the Certifying Authorities functions.
Regulation 4 of the Information Technology (Certifying Authorities) Regulation, 2001 provides details of various standards (as referred in rule 6) like Public Key Infrastructure, Public-key Cryptography, Key agreement schemes, Form and size of the key pairs, Directory Services, Public Key Certificates and Certificate Revocation List (CRL).
(d) specifying the qualifications and experience, which employees of the Certifying Authorities should possess;
Comment
It has not been specified in either Rules or Regulations about the specific qualifications and experience that should be possessed by the employees of the Certifying Authorities. Para 5.1 of 'Information Technology Security Guidelines' does mention that each organization shall designate a properly trained "System Administrator" who will ensure that the protective security measures of the system are functional. Similarly, Para 20 talks about the role of Network Administrator who will be responsible for operation, monitoring security and functioning of the network.
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business;
Comment
A Certifying Authority has to fulfill all the specified terms and conditions to obtain a licence to issue Digital Signature Certificate. Regulation 3 of the Information Technology (Certifying Authorities) Regulations, 2001 lays down those terms and conditions.
(f) specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Electronic Signature Certificate and the public key;
Comment
In order to bring uniformity and harmonization in Certifying Authorities practice, the Office of Controller of Certifying Authorities specifies the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key as per its Certification Practice Statement (CPS). However, it is significant to note that as on November 15, 2009, no such guidelines related to Electronic Signature Certificate have been framed by the Office of Controller of Certifying Authorities.
(g) specifying the form and content of a Electronic Signature Certificate and the key;
Comment
Rule 7 of the Information Technology (Certifying Authorities) Rules, 2000 provides that all Digital Signature Certificates issued by the Certifying Authorities shall conform to the ITU X.509 version 3 standard and to have data, like: Serial Number, Signature Algorithm Identifier (used by the Certifying Authority to sign the Certificate), Issuer Name, Validity period of the Certificate, Name of the subscriber and Public key information of the subscriber.
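The chain the text describes (the RCAI root signing a licensed CA's public key, the licensed CA issuing an X.509 v3 certificate and a CRL, and a relying party validating the subscriber's certificate against both) as an added Go example that uses only the standard library. This is not code from the book, the CCA or any licensed CA; the names, serial numbers, validity periods and the revoked serial are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Tier struct { // one level of the constructed hierarchy: certificate plus signing key
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates an X.509 v3 certificate for cn with a fresh P-256 key, signed by parent
// (nil parent: the self-signed RCAI root). CreateCertificate fills the fields rule 7 names.
func issue(serial int64, cn string, ca bool, parent *Tier, now time.Time) (*Tier, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Country: []string{"IN"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature, // a subscriber signs documents
	}
	if ca { // a CA signs certificates and CRLs; Go also derives a SubjectKeyId for it
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if parent == nil { // self-signed root: the template signs itself
		parent = &Tier{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Tier{Cert: cert, Key: key}, err
}

// Hierarchy is the constructed chain RCAI root -> licensed CA -> subscriber, plus a revoked subscriber.
type Hierarchy struct {
	Root, CA, Subscriber, Revoked *Tier
	CRL                          []byte // DER-encoded CRL signed by the licensed CA
}

// BuildHierarchy mirrors Figures 7.1 and 7.4 in memory with constructed names.
func BuildHierarchy(now time.Time) (h *Hierarchy, err error) {
	h = &Hierarchy{}
	if h.Root, err = issue(1, "RCAI root (constructed)", true, nil, now); err != nil {
		return nil, err
	}
	if h.CA, err = issue(2, "Licensed CA (constructed)", true, h.Root, now); err != nil {
		return nil, err
	}
	if h.Subscriber, err = issue(3, "Subscriber (constructed)", false, h.CA, now); err != nil {
		return nil, err
	}
	if h.Revoked, err = issue(4, "Revoked subscriber (constructed)", false, h.CA, now); err != nil {
		return nil, err
	}
	h.CRL, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ // CA's CRL lists the revoked serial
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: h.Revoked.Cert.SerialNumber, RevocationTime: now}},
	}, h.CA.Cert, h.CA.Key)
	return h, err
}

// RelyingPartyCheck does what a relying party must do with a subscriber's certificate: chain it
// through the licensed CA to the RCAI root at time at, then confirm the CA's CRL is authentic and does not list it.
func RelyingPartyCheck(h *Hierarchy, sub *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root.Cert)
	inters.AddCert(h.CA.Cert)
	if _, err := sub.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain to RCAI root failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(h.CRL)
	if err == nil {
		err = crl.CheckSignatureFrom(h.CA.Cert) // reject a CRL the licensed CA did not sign
	}
	if err != nil {
		return fmt.Errorf("CRL unusable: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(sub.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", sub.SerialNumber, rc.RevocationTime)
		}
	}
	return nil
}
```

RelyingPartyCheck returns nil for the valid subscriber, an error naming the serial for the revoked one, and a chain error once the certificate's validity period has passed.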
(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
Comment
Under regulation 3(vi) of the Information Technology (Certifying Authorities) Regulations, 2001, every Certifying Authority shall comply with all the financial parameters during the period of validity of the licence, issued under the Act. Importantly, it further states that any loss to the subscriber, which is attributable to the Certifying Authority, shall be made good by the Certifying Authority.
(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
Comment
Rules 31 and 32 of the Information Technology (Certifying Authorities) Rules, 2000 set the terms of audit and auditor's relationship with Certifying Authority respectively. CCA has currently sixteen auditors in its panel.¹
Moreover, under regulation 3(vii) of the Information Technology (Certifying Authorities) Regulations, 2001, every Certifying Authority shall subject itself to Compliance Audits carried out by one of the aforesaid empanelled auditors. Such audits shall be based on the Internet Engineering Task Force document RFC 2527: Internet X.509 PKI Certificate Policy and Certification Practices Framework. It includes: (a) Scope of audit vis-a-vis licence, (b) Existence and adequacy of security policies and implementation thereof, physical security, (c) Evaluation of functionalities in technology as it supports CA operations, (d) CA's services administration processes and procedures, compliance to relevant CPS as approved and provided by the Controller, (e) Adequacy of contracts/agreements for all outsourced CA operations, and (f) Adherence to Information Technology Act, 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time-to-time.
1. …?n=list_emplaned_auditors.html
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;

Comment
The security guidelines given under rule 19(2) of the Information Technology (Certifying Authorities) Rules, 2000 are aimed at protecting the integrity, confidentiality and availability of services, data and systems of Certifying Authorities.
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
Comment
A CA shall have to comply with the procedures of generation, issue, archival, compromise, revocation of Digital Signature Certificate as defined in its Certification Practice Statement (CPS). It has to notify its subscribers about its cessation as CA [Rule 21]. Under regulation 3 of the Information Technology (Certifying Authorities) Regulations, 2001, a CA shall use methods, which are approved by the Controller, to verify the identity of a subscriber before issuing or renewing any public key certificate; provide time stamping service for its subscribers; assure the confidentiality of subscriber information; and ensure the continued accessibility and availability of its Public Key Certificates and Certificate Revocation Lists in its repository to its subscribers and relying parties.
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;

Comment
The Office of Certifying Authority is competent to resolve any dispute between CAs and subscribers. It is important to note that as per its Certification Practice Statement, the CCA can mediate between CAs and subscribers directly or through an arbitrator. For this purpose he can request any information or materials from both the parties, which are in order as per their CPS, and provisions of the Act. Also under rule 12 of the Information Technology (Certifying Authorities) Rules, 2000, any dispute arising as a result of any cross certification arrangement between the Certifying Authorities or between Certifying Authority and Subscriber shall be referred to the Controller for arbitration or resolution.
(m) laying down the duties of the Certifying Authorities;
, .
Comment
The practices described in the CPS of the Controller of Certifying Authorities, India are applicable to all the licensed CAs. It highlights liability, operational procedures and …
(n) maintaining a database containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.
Comment
The Act establishes a Repository containing Public Key Certificates issued to all licensed CAs as well as Certificate Revocation List (CRL). Moreover, rule 22 of the Information Technology (Certifying Authorities) Rules, 2000 refers to Database of Certifying Authorities. The Rule states that the Controller shall maintain a database of the disclosure record of every Certifying Authority, Cross Certifying Authority and Foreign Certifying Authority.
Section 19. Recognition of foreign Certifying Authorities.—(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.
Comment
The success of PKI depends on the acceptance of the digital signature certificates as means of identification and authentication in the paperless environment. It should also recognize foreign Certifying Authorities for faster implementation of digital signature certificates regime. A foreign Certifying Authority may provide cross certification arrangement to the locally licensed CA thereby creating global acceptability of locally-issued digital signature certificates.
The Controller has to seek previous approval of the Central Government before recognizing a foreign Certifying Authority. Further, he has to notify its name in the Official Gazette. So far no foreign certifying authority has been recognised by the Controller. However, in exercise of the power conferred by clause (b) of sub-section (2) of section 89 of the Act, the Controller after consultation with the Cyber Regulations Advisory Committee and with the previous approval of Central Government has notified the Information Technology (Recognition of foreign Certifying Authorities operating under a Regulatory Authority) Regulations, 2013 on April 6, 2013.
(2) Where any Certifying Authority is recognised under sub-section (1), the Electronic Signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.
Comment
The aforesaid sub-section (2) refers to recognition of any foreign Certifying Authority as a Certifying Authority by the Controller. The term 'recognition' means that the Controller shall grant licence to any foreign certifying authority to act as a licensed CA in India subject to such conditions and restrictions as may be specified by Information Technology (Certifying Authorities) Regulations, 2001.

(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.
Comment
The Controller has the power under aforesaid sub-section (3) to revoke the recognition granted to the foreign Certifying Authority under sub-section (2) if he is satisfied that the said foreign Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) of the aforesaid section.
The Controller has to record the reasons behind such revocation in writing and notify the same in the Official Gazette.
Section 20. Controller to act as repository.—(1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act.
(2) The Controller shall—
(a) make use of hardware, software and procedures that are secure from intrusion and misuse;
(b) observe such other standards as may be prescribed by the Central Government, to ensure that the secrecy and security of the digital signatures are assured.
(3) The Controller shall maintain a computerized database of all public keys in such a manner that such database and the public keys are available to any member of the public.
[Author's Note: Though section 20 has been repealed by the Information Technology (Amendment) Act, 2008, section 13, nevertheless it is important that the readers of this chapter should read this repealed section in order to appreciate the operational aspects of CCA vis-a-vis Public Key Infrastructure (PKI). Further, the functions of Controller to act as a repository should now be seen in the context of section 26 of the Act.]
Comment
In accordance with the aforesaid section (now repealed) the Controller had earlier established the National Repository of Digital Certificates (NRDC) to act as the repository of all Digital Signature Certificates issued under this Act. Presently, the Controller is acting as the Root Certifying Authority of India (RCAI), certifying the public keys of the licensed CAs in India in the form of Root Certificate.
Figure 7.4: Controller to act as repository (CCA and RCAI above; in the Internet Space: Certifying Authorities, Subscribers, Relying Parties)


The Certification Practice Statement (CPS) of the Controller describes the practices employed by him in operating the RCAI services.
Table 7.1: RCAI Services
RCAI Services
• Issue of licence by means of an X.509 certificate
• Generating CRLs for the licences issued
• Digitally signing the public key of the licensed CA
This CPS covers the practices followed by the CCA for the procedures related to the licence/certificate application, issuance, use, validation, suspension, revocation and their expiry, as well as the operational maintenance of the RCAI.
Moreover, rule 22 of the Information Technology (Certifying Authorities) Rules, 2000 refers to maintenance of Database of Certifying Authorities. The Rule states that the Controller shall maintain a database of the disclosure record of every Certifying Authority, Cross Certifying Authority and Foreign Certifying Authority.
Certifying Authority's systems shall be protected to ensure network access to critical systems and services from other systems in accordance with para 17, para 18, para 19 and para 20 of the Information Technology Security Guidelines.

Section 21. Licence to issue Electronic Signature Certificates.—(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for a licence to issue Electronic Signature Certificates.
(2) No licence shall be issued under sub-section (1), unless the applicant fulfils such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Electronic Signature Certificates as may be prescribed by the Central Government.
(3) A licence granted under this section shall—
(a) be valid for such period as may be prescribed by the Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by the regulations.
Comment
The aforesaid section underlines the fact that any person may approach the Controller for a licence to issue Electronic Signature Certificates, including Digital Signature Certificates. The said person is to submit an application under rule 10 of the Information Technology (Certifying Authorities) Rules, 2000. Furthermore, regulation 3 of the Information Technology (Certifying Authority) Regulations, 2001 provides the terms and conditions of licence to issue Electronic Signature Certificates, including Digital Signature Certificates.
Also as per rule 13 and regulation 3(i)(a) and (b) a licence is valid for a period of five years from the date of its issue and the said licence is not transferable or heritable.
Section 22. Application for licence.—(1) Every application for issue of a licence shall be in such form as may be prescribed by the Central Government.
(2) Every application for issue of a licence shall be accompanied by—
(a) a certification practice statement;
(b) a statement including the procedures with respect to identification of the applicant;
(c) payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government;
(d) such other documents, as may be prescribed by the Central Government.

Comment
An application can be made for obtaining a licence to operate as a Certifying Authority under section 21 of the Act. Requirements as stipulated under sub-section 21(2) of the Act need to be fulfilled by the applicant for issue of licence to operate as a CA. The Form for application for grant of Licence to operate as a Certifying Authority that is required to be submitted to the Controller has been prescribed under rule 10. A licence issued to a CA appears at Schedule I of the Rules under the Act. The said licence will be subject to the terms and conditions under section 21(3)(c). The detailed terms and conditions are given in regulation 3 of the Regulations under the Act.
Alongwith the application in the format that is given in Schedule I of Rules, an applicant has to submit all the documents to substantiate the claim for award of licence to operate as a Certifying Authority. It is the responsibility of the applicant to submit all documents required under the Rules and Regulations. In addition to the documents listed in rule 10, the documents listed in the 'Guidelines for submission of application for licence to operate as Certifying Authority under the IT Act, 2000' are also to be furnished.
Section 23. Renewal of licence.—An application for renewal of a licence shall be—
(a) in such form;
(b) accompanied by such fees, not exceeding five thousand rupees,
as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the licence.
Comment
Rule 15 states that the provisions of rule 8 to rule 13 of the Information Technology (Certifying Authorities) Rules, 2000, will apply in the case of an application for renewal of a licence just as they apply to a fresh application for licensed Certifying Authority. Furthermore, the application for renewal of licence may be submitted in the form of electronic record subject to such requirements as the Controller may deem fit.
Section 24. Procedure for grant or rejection of licence.—The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the documents accompanying the application and such other factors, as he deems fit, grant the licence or reject the application:
Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.
Comment
As per rule 16 of the Information Technology (Certifying Authorities) Rules, 2000, the Controller may, within four weeks from the date of receipt of the application, examine the documents and information accompanying the application [Rule 10(ii)] before he grants the licence or rejects the application.
Under rule 17 the Controller may refuse to grant or renew a licence, if the applicant/certifying authority has failed to fulfill any one of the nine conditions as laid down under the said rules [(i) to (ix)].
Also, as given in the proviso of the aforesaid section, it is important that in the spirit of natural justice an applicant must be given reasonable opportunity of presenting his case to the Controller, before his application is rejected. The said proviso is mandatory in character.
In Keshav Mills Co. Ltd. v. Union of India,1 the Supreme Court observed:
"What are the principles of natural justice that should regulate an administrative act or order is a much more difficult one to answer. We do not think it either feasible or even desirable to lay down any fixed or rigorous yardstick in this manner. The concept of natural justice cannot be put into a straitjacket. It is futile, therefore, to look for definitions or standards of natural justice from various decisions and then try to apply them to the facts of any given case. The only essential point that has to be kept in mind in all cases is that the person concerned should have a reasonable opportunity of presenting his case and that the administrative authority concerned should act fairly, impartially and reasonably. Where administrative officers are concerned, the duty is not so much to act judicially as to act fairly."
1. AIR 1973 SC 389: (1973) 1 SCC 380.
Section 25. Suspension of licence.—(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has,—
(a) made a statement in, or in relation to, the application for the issue or renewal of the licence, which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the licence was granted;
(c) failed to maintain the standards specified under clause (b) of sub-section (2) of section 20;
(d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the licence:
Provided that no licence shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence under sub-section (1), by order suspend such licence pending the completion of any inquiry ordered by him:
Provided that no licence shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
(3) No Certifying Authority whose licence has been suspended shall issue any Electronic Signature Certificate during such suspension.
Comment
One of the remarkable features of the aforesaid section is the power of the Controller to hold an inquiry before suspending or revoking the licence of a Certifying Authority. The statutory authority's 'duty to act fairly' has already been highlighted in the section 24 of the Act: a formal inquiry conducted by the Controller must give the Certifying Authority a reasonable opportunity of showing cause against the proposed suspension or revocation of its licence.
It should be noted here that rule 14 of the Information Technology (Certifying Authorities) Rules states that the licence granted to the persons referred to in clauses (a) to (c) of sub-rule (1) of rule 8 shall stand suspended when the performance bond or the banker's guarantee furnished by such persons is invoked under sub-rule (2) of that Rule. The Controller may also take cognizance of rule 10(ii), rule 17(v) to (viii) and regulation 3(i) to (vii) while conducting an inquiry.
Further, under sub-section (2) of the aforesaid section, the Controller may take a unilateral action of suspending a licence, if he has reasonable cause to believe that there exists such a ground for revocation, pending the completion of any inquiry ordered by him. Under such circumstances the licence could remain suspended for a period of ten days. For extending the time period of 'suspension' beyond the initial ten days, the Controller has to give a reasonable opportunity to the said Certifying Authority of showing cause against the proposed extended suspension.
A licensed Certifying Authority has a legal right to issue Electronic Signature Certificates, including Digital Signature Certificates, to the applicants under the Act. The said right remains inoperative during the phase of its suspension under sub-section (3) of the aforesaid section. In other words, any Electronic Signature Certificates, including Digital Signature Certificates, which have already been issued by the Certifying Authority prior to its suspension shall be deemed to be valid.
Section 26. Notice of suspension or revocation of licence.—(1) Where the licence of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the database maintained by him.
(2) Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories:
Provided that the database containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock:
Provided further that the Controller may, if he considers necessary, publicize the contents of database in such electronic or other media, as he may consider appropriate.
Comment
The Controller operates a Repository of all public key certificates issued to licensed CAs and CRLs. It is referred to as the RCAI repository. The Controller is under obligation to maintain the repository containing:
• Public Key Certificates of licensed CAs
• Authority Revocation Lists (ARLs) of licensed CAs
• Certificate Revocation Lists (CRLs) after revocation of licensed CAs
It is to be kept in mind that revocation of a licence could affect any DSC holder globally. Hence, the notice of such revocation as a rule should not only be available on 24x7 basis but also the CRL updated on real time basis.
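The suspension and revocation rules of sections 25 and 26 above are what a relying party has to honour before trusting a DSC. The following is an added example, not code from the book or from the CCA: it models the RCAI repository (CA certificates, the Controller's ARL, each CA's CRL) with constructed names, serials and dates, and applies the stated rules, in particular that DSCs issued before a suspension stay valid, that an issuer on the ARL is not to be trusted, and that a stale revocation list counts as a failure rather than a pass.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Set, Tuple

REF_NOW = datetime(2011, 9, 1, tzinfo=timezone.utc)  # constructed reference time


class Licence(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"  # s. 25(2)/(3): no new issuance, earlier DSCs stay valid
    REVOKED = "revoked"      # s. 25(1): the CA's certificate goes on the Controller's ARL


@dataclass(frozen=True)
class LicensedCA:
    name: str
    cert_serial: int                        # serial of the CA's own public key certificate
    state: Licence
    state_since: Optional[datetime] = None  # when the suspension/revocation took effect


@dataclass(frozen=True)
class RevocationList:
    """Stand-in for an ARL or CRL: issuer, listed serials and validity window."""
    issuer: str
    revoked_serials: Set[int]
    this_update: datetime
    next_update: datetime

    def is_fresh(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


@dataclass(frozen=True)
class Repository:
    cas: Dict[str, LicensedCA]          # licensed CAs, keyed by name
    arl: RevocationList                 # issued by the Controller (RCAI)
    crls: Dict[str, RevocationList]     # each CA's latest CRL, keyed by CA name


@dataclass(frozen=True)
class DSC:
    serial: int
    issuer: str  # name of the licensed CA that signed it
    issued_at: datetime


def check_dsc(repo: Repository, cert: DSC, now: datetime) -> Tuple[str, str]:
    """Return (status, reason). 'unknown' means no current list to rely on: s. 26
    expects the notice database up round the clock and CRLs kept current, so a
    stale list is a failure, never a pass."""
    ca = repo.cas.get(cert.issuer)
    if ca is None:
        return "untrusted", "issuer is not a licensed CA in the repository"
    # 1. Controller level: is the CA's own certificate on a current ARL?
    if not repo.arl.is_fresh(now):
        return "unknown", "ARL is stale; issuer status cannot be confirmed"
    if ca.state is Licence.REVOKED or ca.cert_serial in repo.arl.revoked_serials:
        return "untrusted", f"licence of {ca.name} revoked; CA certificate on ARL"
    # 2. Suspension: s. 25(3) bars issuance while suspended; earlier DSCs remain valid.
    if ca.state is Licence.SUSPENDED:
        if ca.state_since is None or cert.issued_at >= ca.state_since:
            return "untrusted", f"DSC dated during suspension of {ca.name}"
    # 3. Subscriber level: the CA's CRL must be current and must not list this serial.
    crl = repo.crls.get(cert.issuer)
    if crl is None or not crl.is_fresh(now):
        return "unknown", f"no current CRL from {cert.issuer}"
    if cert.serial in crl.revoked_serials:
        return "revoked", f"serial {cert.serial} listed in CRL of {cert.issuer}"
    return "good", "issuer licensed, lists current, serial not revoked"


def sample_repository(now: datetime = REF_NOW) -> Repository:
    """Constructed data: one active, one suspended and one revoked CA."""
    day = timedelta(days=1)
    cas = {
        "CA-Active": LicensedCA("CA-Active", 1001, Licence.ACTIVE),
        "CA-Susp": LicensedCA("CA-Susp", 1002, Licence.SUSPENDED, now - 3 * day),
        "CA-Revoked": LicensedCA("CA-Revoked", 1003, Licence.REVOKED, now - 10 * day),
    }
    arl = RevocationList("Controller (RCAI)", {1003}, now - day, now + day)
    crls = {
        "CA-Active": RevocationList("CA-Active", {42}, now - day, now + day),
        # CA-Susp's last CRL expired yesterday: stale, so it must not be relied on.
        "CA-Susp": RevocationList("CA-Susp", set(), now - 5 * day, now - day),
    }
    return Repository(cas, arl, crls)


def demo_results(now: datetime = REF_NOW) -> Dict[str, str]:
    """Run the check over constructed DSCs; keys are 'serial@issuer'."""
    repo, d = sample_repository(now), timedelta
    samples = [DSC(7, "CA-Active", now - d(days=30)),    # good
               DSC(42, "CA-Active", now - d(days=30)),   # revoked via CRL
               DSC(8, "CA-Susp", now - d(days=30)),      # before suspension, CRL stale
               DSC(9, "CA-Susp", now - d(days=1)),       # issued during suspension
               DSC(5, "CA-Revoked", now - d(days=365))]  # issuer on ARL
    return {f"{c.serial}@{c.issuer}": check_dsc(repo, c, now)[0] for c in samples}
```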
Section 27. Power to delegate.—The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter.
Comment
The aforesaid section is to be understood and read with the section 17 of the Act, where the Controller has a team of Deputy Controllers, Assistant Controllers, other officers and employees. Keeping in view the present organizational structure of the office of the Controller, it seems that the Controller has created three separate departments: (a) Technology; (b) Finance & Legal; and (c) Investigation.
Each department is currently being headed by one Deputy Controller and assisted by Assistant Controllers and other such officers and employees.
Interestingly, the Controller may delegate his administrative powers, including power to investigate contraventions under sections 28 and 29 of the Act. However, his quasi-judicial power to resolve any dispute between the Certifying Authorities and the subscribers (section 18) cannot be delegated.
Section 28. Power to investigate contraventions.-(1) The Controller or
any officer authorised by him in this behalf shall take up for investigation
any contravention of the provisions of this Act, rules or regulations made
thereunder.
(2) The Controller or any officer authorised by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.
Comment
The power granted by the aforesaid section is only investigative in nature. As given in the section 27, the Controller may delegate the power of investigation to the Deputy Controller, Assistant Controller or any other officer. It is important to note that the sub-section (1) of section 28 authorises the said officer to investigate any contravention of the provisions of this Act, rules or regulations made thereunder.
One view is that the aforesaid sub-section (1), if read with section 75 of the Act, also grants power to the Controller or any officer authorised by him to investigate any offence or contravention committed outside India by any person irrespective of his nationality, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. Based on this view, the Office of the Controller has been inundated with numerous complaints saying that the Controller should investigate all contraventions related to data theft, privacy violations, defamation, spamming etc.1
1. M/s. Mascon Global Ltd v. CCA (Appeal No. 2/2009), Appellate Tribunal. This appeal is against the Controller declining to examine the complaint presented …
Another view is that the Controller's power to investigate contraventions is restricted to the licensed Certifying Authorities and subscribers. Interpreting the statute and applying strict construction rules, one may find that the aforesaid power of the Controller can only be used to investigate contraventions related to licensed Certifying Authorities, subscribers and Electronic Signature Certificates (including Digital Signature Certificates). This view is further complemented by the recent amendments in sections 29 and 69 of the Act.
Further the sub-section (2) grants the Controller or any other officer authorised by him, powers which are similar to those already conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961. Under the aforesaid Chapter, the Controller or any other officer authorised by him, has the power to impound and retain in its custody for such period as it thinks fit, any books of account or other documents produced before it in any proceeding [section 131]; search and seizure of books of account and other documents, money, bullion, jewellery or other valuable article or thing found as a result of such search; also, the authorised officer may, during the course of the search or seizure, examine on oath any person who is found to be in possession or control of any books of account, other documents, money, bullion, jewellery or other valuable article or thing and any statement made by such person during such examination may thereafter be used in evidence in any proceeding under the Indian Income-tax Act, 1922, or under Income-tax Act, 1961 [section 132];1 power to call for information [section 133]; power of survey [section 133A]; power to collect certain information [section 133B] and proceedings as judicial proceedings [section 136].
The first judicial test examining the power of Controller of Certifying Authorities under section 28 came before the High Court of Delhi in Yahoo India Pvt. Ltd. v. Union of India.2 The brief facts of this case are as follows:
(a) There were eleven notices (January - July 2011) issued by the CCA (Respondent No. 2) to Yahoo India over a period of time seeking from Yahoo details of certain suspect e-mail Ids. These notices clearly pointed out that (a) a suspected contravention of the provisions of the Act, rules or regulations made thereunder having a bearing on national security is under way, and (b) by virtue of section 28 of the Act the Controller or any officer authorised by him in this behalf has power "to take up for investigation" contravention of the provisions of this Act, rules or regulations made thereunder.
(b) CCA not satisfied with the response of Yahoo India issued a show cause notice.
1. Section 132(1)(iib) of the Income-tax Act requires that any person who is found to be in possession or control of any books of account or other documents maintained in the form of electronic record as defined in clause (t) of sub-section (1) of section 2 of the Information Technology Act, 2000, to afford the authorised officer the necessary facility to inspect such books of account or other documents.
(c) Subsequently CCA by way of a speaking order dated 26-8-2011 imposed a fine of Rs. 11 lakhs on Yahoo India1 under section 44(a) of the Act for not furnishing information/document as directed by the Controller or any officer authorised by him in this behalf.
(d) Aggrieved by the order of CCA, Yahoo India filed a civil writ petition before the Delhi High Court.2 It also challenged the constitutional validity of rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011.
(e) The Court3 held:
"... The impugned order has been issued by the Controller of Certifying Authorities, Department of Information Technology, Ministry of Communications and Information Technology, Government of India. It purports to be an order under section 44(a) of The Information Technology Act, 2000. Section 46 of the said Act makes provision with regard to the power to adjudicate. Section 46(1) of the said Act reads as under:
For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder which renders him liable to pay penalty or compensation the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.
The Ministry of Communication and Information Technology of the Government of India, in exercise of the powers conferred under section 46(1) of the said Act, notified by virtue of an order dated 25-3-2003 that the Secretary of Department of Information Technology of each of the states or of the Union Territories would be the adjudicating officer for the purposes of Information Technology Act, 2000. It is therefore clear that the adjudicating authority under section 46 in so far as the present matter is concerned, would not be the Controller of Certifying Authorities who has issued the impugned order dated 26-8-2011. The said order is clearly, therefore, without jurisdiction. Consequently, the impugned order is set aside."
(f) It is important to note that the aforesaid judgment did not touch upon constitutionality of rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011. Moreover, the right of CCA to investigate contraventions under section 28 of the Act was not disturbed by the court.
1. This was for the first time CCA has imposed a fine on an intermediary under section 44 of the Act.
2. The petition was filed before …
Section 29. Access to computers and data.—(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Chapter has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.
(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by order, direct any person in-charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.
Comment
The aforesaid sub-section (1) grants the Controller or any person authorised by him sweeping power to access any computer system, any apparatus, data or any other material connected with such system, to search for obtaining any information or data contained in or available to such computer system if he has reasonable cause to suspect that any contravention under this Chapter has been committed. The power to access any such computer and data is physical as well as virtual.
Further, the authority to search any such computer system, any apparatus, data or any other material connected with such system has been limited to any contravention under this Chapter of the Act only.
Since the Act has not defined the word 'apparatus', it would be proper to include input devices (scanners, digital cameras, microphones etc.), output devices (monitor, printer, speakers etc.), communication devices (modems, network interface cards) and storage devices (tape drive, CD-ROM drives, optical drives, removable hard drives etc.) within the definition of apparatus.
Under the sub-section (2), the Controller or any person authorised by him has the power to order or direct any person in-charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary. It may include access to password(s) to such computer system, apparatus, data or any other material connected with such system.
Section 30. Certifying Authority to follow certain procedures.—Every Certifying Authority shall,—
(a) make use of hardware, software and procedures that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its services, which are reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured;
(ca) be the repository of all Electronic Signature Certificates issued under this Act;
(cb) publish information regarding its practices, Electronic Signature Certificates and current status of such certificates; and
(d) observe such other standards as may be specified by regulations.
Comment
Every Certifying Authority has to fulfill the conditions as laid down under the Information Technology (Certifying Authorities) Rules, 2000 and Information Technology (Certifying Authorities) Regulations, 2001. Furthermore, every Certifying Authority has to frame its management and operational policies keeping in view the 'Information Technology Security Guidelines' and 'Security Guidelines for Certifying Authorities' issued under Information Technology (Certifying Authorities) Rules, 2000.
The objective of the 'Information Technology Security Guidelines' is to provide guidelines to the organizations to develop internal information technology security processes, whereas the 'Security Guidelines for Certifying Authorities' are aimed at protecting the integrity, confidentiality and availability of their services, data and systems.
It is also important that every Certifying Authority must comply with the 'Certification Practice Statement' (CPS) framework, which is based on RFC 2527: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, submitted along with the application to operate as a certifying authority.
It should be observed that the basic purpose of this section is that the Certifying Authority should not only have a secure system [section 2(1)(ze)] but also adopt and implement security procedures [section 2(1)(zf)] as defined under the Act.
Further, by introducing new clauses, like (ca) and (cb), the legislative intent has been that the repository, which was being maintained by the Controller earlier (under section 20 of the Act, subsequently repealed), should now be maintained by the respective Certifying Authorities.
The intended functionalities of such repository may include:
• All Electronic Signature Certificates (including Digital Signature Certificates) issued by the licensed CA
• Current status list of suspended/revoked Electronic Signature Certificates (including Digital Signature Certificates)
• Updated Certificate Revocation Lists (CRLs) of subscribers
• CPS of the licensed CA
Section 31. Certifying Authority …
Comment
Every Certifying Authority has to comply with the aforesaid mandatory provisions regarding its employment or engagement. Rule 34(1) of the Information Technology (Certifying Authorities) Rules, 2000 states that the "access to confidential information by Certifying Authority's operational staff shall be on a 'need-to-know' and 'need-to-use' basis". Moreover, under regulation 3(v) [Physical, procedural and personnel security] of the Information Technology (Certifying Authority) Regulations, 2001, every Certifying Authority is to get an independent periodic audit done through an approved auditor, wherein the focus is on personnel employment.
It is important to note that the Certification Practice Statement (CPS) filed by each and every applicant is required to have detailed guidelines on 'personnel controls', which may include employees' background, qualifications, experience and clearance requirements.
Section 32. Display of licence.—Every Certifying Authority shall display its licence at a conspicuous place of the premises in which it carries on its business.
Comment
Under the provisions of the Act, an individual, a company, a firm may apply for grant of a licence to issue Digital Signature Certificates. Once the applicant has been issued a licence by the Controller, then it is mandatory for the newly licensed Certifying Authority to display the licence at a conspicuous place of the premises in which it carries on its business.
Section 33. Surrender of licence.—(1) Every Certifying Authority whose licence is suspended or revoked shall immediately after such suspension or revocation, surrender the licence to the Controller.
(2) Where any Certifying Authority fails to surrender a licence under sub-section (1), the person in whose favour a licence is issued, shall be guilty of an offence and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both.
Comment
Under the aforesaid sub-section (1) every Certifying Authority whose licence has been suspended or revoked [section 25] is to surrender its licence to the Controller immediately.
Any such failure on the part of the person to comply with the directions as per sub-section (1) is to be taken as a non-cognizable and bailable offence. The said person is to be punished with imprisonment, which may extend up to six months or a fine, which may extend up to ten thousand rupees or with both.
It should not be missed that making non-submission of a suspended or revoked licence an offence rather than a contravention indicates seriousness on the part of the legislature and the importance that has been given to this aforesaid provision in the Act.
Section 34. Disclosure.—(1) Every Certifying Authority shall disclose in the manner specified by regulations—
(a) its Electronic Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Electronic Signature Certificate;
(b) any certification practice statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying Authority certificate, if any; and
(d) any other fact that materially and adversely affects either the reliability of an Electronic Signature Certificate, which that Authority has issued, or the Authority's ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which an Electronic Signature Certificate was granted, then, the Certifying Authority shall—
(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or
(b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation.
Comment
Every Certifying Authority is under obligation to disclose the aforesaid details (a) to (d) to the Controller through filling up the online forms on the web site of the Controller, and the said information, digitally signed, is made public [Regulation 5]. Furthermore, the Certifying Authority is to act in accordance with policies and procedures designed to safeguard its computer systems and operations, including the 'certificate management' processes (registration, generation, issuance, publication, renewal, suspension, revocation and archival of its Public Key Certificates in its repository). It is the duty of the Certifying Authority to ensure continued availability of its Certificate Revocation Lists, and it is expected that the Certifying Authority shall notify any such event or situation to its subscribers and update its repository …

You might also like