BANASTHALI VIDYAPITH

FACULTY OF LAW

- Ms. Momina Zahan

UNIT - 3

Note: This material is streamed in the Google Classroom, to be used for educational purpose only and
it should not be circulated for any other purpose. In case of any circulation, the student shall be held
responsible.

Regulation of Certifying Authority:

Sec. 17 – Appointment of Controller

(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of
Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification
appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.

(2) The Controller shall discharge his functions under this Act subject to the general control and
directions of the Central Government.

(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the
Controller under the general superintendence and control of the Controller.

(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers
and Assistant Controllers shall be such as may be prescribed by the Central Government.

(5) The Head Office and Branch Office of the office of the Controller shall be at such places as the
Central Government may specify, and these may be established at such places as the Central Government
may think fit.

(6) There shall be a seal of the Office of the Controller.

Sec. 18 – Functions of Controller

The Controller may perform all or any of the following functions, namely:—

(a) exercising supervision over the activities of the Certifying Authorities;

(b) certifying public keys of the Certifying Authorities;

(c) laying down the standards to be maintained by the Certifying Authorities;

(d) specifying the qualifications and experience which employees of the Certifying Authorities should
possess;

(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business;
(f) specifying the contents of written, printed or visual materials and advertisements that may be
distributed or used in respect of a Digital Signature Certificate and the public key;

(g) specifying the form and content of a Digital Signature Certificate and the key,

(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;

(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration
to be paid to them;

(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly
with other Certifying Authorities and regulation of such systems;

(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the
subscribers;

(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;

(m) laying down the duties of the Certifying Authorities;

(n) maintaining a data base containing the disclosure record of every Certifying Authority containing
such particulars as may be specified by regulations, which shall be accessible to public.

19. Recognition of foreign Certifying Authorities

(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with
the previous approval of the Central Government, and by notification in the Official Gazette, recognise
any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.

(2) Where any Certifying Authority is recognised under sub-section (1), the Digital Signature Certificate
issued by such Certifying Authority shall be valid for the purposes of this Act.

(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the
conditions and restrictions subject to which it was granted recognition under subsection (1) he may, for
reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.

Sec. 27, 28, 29 & 68 – Powers of Controller

Sec. 27 - The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any
officer to exercise any of the powers of the Controller under this Chapter.

Sec. 28 - (1) The Controller or any officer authorised by him in this behalf shall take up for investigation
any contravention of the provisions of this Act, rules or regulations made thereunder.

(2) The Controller or any officer authorised by him in this behalf shall exercise the like powers
which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall
exercise such powers, subject to such limitations laid down under that Act.
Sec. 29 - (1)Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any
person authorised by him shall, if he has reasonable cause to suspect that any contravention of the
provisions of this Act, rules or regulations made thereunder has been committed, have access to any
computer system, any apparatus, data or any other material connected with such system, for the purpose
of searching or causing a search to be made for obtaining any information or data contained in or
available to such computer system.

(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by
order, direct any person in-charge of, or otherwise concerned with the operation of, the computer system,
data apparatus or material, to provide him with such reasonable technical and other assistance as he may
consider necessary.

Sec. 68 - Power of Controller to give directions

(1) The Controller may, by order, direct a Certifying Authority or any employee of such Authority to
take such measures or cease carrying on such activities as specified in the order if those are
necessary to ensure compliance with the provisions of this Act, rules or any regulations made
thereunder.
(2) Any person who intentionally or knowingly fails to comply with any order under sub-section (1)
shall be guilty of an offence and shall be liable on conviction to imprisonment for a term not
exceeding two years or a fine not exceeding one lakh rupees or with both.

Certifying Authority -
Certifying Authorities (CA) is granted a license to issue a digital signature certificate under Section 24 of
the Indian IT Act 2000.

Licence –

Sec. 21– Licence to issue E-signature Certificate/Becoming of Certifying Authority

(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller,
for a licence to issue Digital Signature Certificates.

(2) No licence shall be issued under sub-section (1), unless the applicant fulfills such requirements with
respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which
are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government.

Rule 8 provides eligibility for applying for licence –

(1) The following persons may apply for grant of a licence to issue Digital Signature Certificates,
namely:-

a) an individual, being a citizen of India and having a capital of five crores of rupees or more in his
business or profession;
b) a company having–
(i) paid up capital of not less than five crores of rupees; and
(ii) net worth of not less than fifty crores of rupees:

Provided that no company in which the equity share capital held in aggregate by the Non-resident Indians,
Foreign Institutional Investors, or foreign companies, exceeds forty-nine per cent of its capital, shall be
eligible for grant of licence:

Provided further that in a case where the company has been registered under the Companies Act, 1956 (1
of 1956) during the preceding financial year or in the financial year during which it applies for grant of
licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in
sub-clause (ii) of this clause shall be the aggregate net worth of its majority shareholders holding at least
51% of paid equity capital, being the Hindu Undivided Family, firm or company:

Provided also that the majority shareholders referred to in the second proviso shall not include Non-
resident Indian, foreign national, Foreign Institutional Investor and foreign company:

Provided also that the majority shareholders of a company referred to in the second proviso whose net
worth has been determined on the basis of such majority shareholders, shall not sell or transfer its equity
shares held in such company-

(i) unless such a company acquires or has its own net worth of not less than fifty crores of
rupees;
(ii) without prior approval of the Controller;
c) a firm having –
(i) capital subscribed by all partners of not less than five crores of rupees; and
(ii) net worth of not less than fifty crores of rupees:

Provided that no firm, in which the capital held in aggregate by any Non-resident Indian, and foreign
national, exceeds forty-nine per cent of its capital, shall be eligible for grant of licence:

Provided further that in a case where the firm has been registered under the Indian Partnership Act, 1932
(9 of 1932) during the preceding financial year or in the financial year during which it applies for grant of
licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in
sub-clause (ii) of this clause shall be the aggregate net worth of all of its partners:

Provided also that the partners referred to in the second proviso shall not include Non-resident Indian and
foreign national:

Provided also that the partners of a firm referred to in the second proviso whose net worth has been
determined on the basis of such partners, shall not sell or transfer its capital held in such firm-

(i) unless such firm has acquired or has its own net worth of not less than fifty crores of
rupees;
(ii) without prior approval of the Controller;
d) Central Government or a State Government or any of the Ministries or Departments, Agencies or
Authorities of such Governments.

Explanation.- For the purpose of this rule,-

(i) "company" shall have the meaning assigned to it in clause 17 of section 2 of the Income-
tax Act, 1961 (43 of 1961);
(ii) "firm", "partner" and "partnership" shall have the meanings respectively assigned to them
in the Indian Partnership Act, 1932 (9 of 1932); but the expression "partner" shall also
include any person who, being a minor has been admitted to the benefits of partnership;
(iii) "foreign company" shall have the meaning assigned to it in clause (23A) of section 2 of
the Income-tax Act, 1961 (43 of 1961);
(iv) "net worth" shall have the meaning assigned to it in clause (ga) of subsection (1) of
section 3 of the Sick Industrial Companies (Special Provisions) Act, 1985 (1 of 1986);
(v) "Non-resident" shall have the meaning assigned to it as in clause 26 of section 2 of the
Income-tax Act, 1961 (43 of 1961).

(2) The applicant being an individual, or a company, or a firm under sub-rule (1), shall submit a
performance bond or furnish a banker's guarantee from a scheduled bank in favour of the Controller in
such form and in such manner as may be approved by the Controller for an amount of not less than five
crores of rupees and the performance bond or banker's guarantee shall remain valid for a period of six
years from the date of its submission:
Provided that the company and firm referred to in the second proviso to clause (b) and the second proviso
to clause (c) of sub-rule (1) shall submit a performance bond or furnish a banker's guarantee for ten crores
of rupees:

Provided further that nothing in the first proviso shall apply to the company or firm after it has acquired
or has its net worth of fifty crores of rupees.

(3) Without prejudice to any penalty which may be imposed or prosecution may be initiated for any
offence under the Act or any other law for the time being in force, the performance bond or banker's
guarantee may be invoked–

a)when the Controller has suspended the licence under sub-section (2) of section 25 of the Act;
or
b) for payment of an offer of compensation made by the Controller; or (c) for payment of
liabilities and rectification costs attributed to the negligence of the Certifying Authority, its
officers or employees; or
c)for payment of the costs incurred in the discontinuation or transfer of operations of the
licensed Certifying Authority, if the Certifying Authority's licence or operations is
discontinued; or
d) any other default made by the Certifying Authority in complying with the provisions of
the Act or rules made thereunder.

Explanation.- "transfer of operation" shall have the meaning assigned to it in clause (47) of section 2 of
the Income-tax Act, 1961 (43 of 1961).

(3) A licence granted under this section shall—

a) be valid for such period as may be prescribed by the Central Government;

b) not be transferable or heritable;
c) be subject to such terms and conditions as may be specified by the regulations.

Sec. 22 – Application of Licence

(1) Every application for issue of a licence shall be in such form as may be prescribed by the Central
Government.

(2) Every application for issue of a licence shall be accompanied by—

a) a certification practice statement;

b) a statement including the procedures with respect to identification of the applicant;
 c) payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the
Central Government;
d) such other documents, as may be prescribed by the Central Government

Rule 10 CCA Rules provides the details of the documents necessary for application process –

Every application for a licensed Certifying Authority shall be made to the Controller,-

(i) in the form given at Schedule-l; and

(ii) in such manner as the Controller may, from time to time, determine, supported by such
documents and information as the Controller may require and it shall inter alia include-

(a) a Certification Practice Statement (CPS);

(b) a statement including the procedures with respect to identification of the
applicant;
(c) a statement for the purpose and scope of anticipated Digital Signature Certificate
technology, management, or operations to be outsourced;
(d) certified copies of the business registration documents of Certifying Authority
that intends to be licensed;
(e) a description of any event, particularly current or past insolvency, that could
materially affect the applicant's ability to act as a Certifying Authority;
(f) an undertaking by the applicant that to its best knowledge and belief it can and
will comply with the requirements of its Certification Practice Statement;
(g) an undertaking that the Certifying Authority's operation would not commence
until its operation and facilities associated with the functions of generation, issue and
management of Digital Signature Certificate are audited by the auditors and approved
by the Controller in accordance with rule 20;
(h) an undertaking to submit a performance bond or banker's guarantee in
accordance with sub-rule (2) of rule 8 within one month of Controller indicating his
approval for the grant of licence to operate as a Certifying Authority;
(i) any other information required by the Controller

Rule 11 provides the fees necessary for the application process. The application for the grant of a licence
shall be accompanied by a non-refundable fee of twenty-five thousand rupees payable by a bank draft or
by a pay order drawn in the name of the Controller.

Sec. 24 – Procedure for grant or rejection of Licence

The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the
documents accompanying the application and such other factors, as he deems fit, grant the licence or
reject the application:

Provided that no application shall be rejected under this section unless the applicant has been given a
reasonable opportunity of presenting his case.

Rule 16 provides the procedure for Issuance of Licence.—

(1) The Controller may, within four weeks from the date of receipt of the application, after considering
the documents accompanying the application and such other factors, as he may deem fit, grant or renew
the licence or reject the application:

Provided that in exceptional circumstances and for reasons to be recorded in writing, the period of four
weeks may be extended to such period, not exceeding eight weeks in all as the Controller may deem fit.

(2) If the application for licensed Certifying Authority is approved, the applicant shall-

(a) submit a performance bond or furnish a banker's guarantee within one month from the date of such
approval to the Controller in accordance with sub-rule (2) of rule 8; and

(b) execute an agreement with the Controller binding himself to comply with the terms and conditions of
the licence and the provisions of the Act and the rules made thereunder.

Rule 17 Refusal of Licence -

The Controller may refuse to grant or renew a licence if-

(i) the applicant has not provided the Controller with such information relating to its business, and to any
circumstances likely to affect its method of conducting business, as the Controller may require; or

(ii) the applicant is in the course of being wound up or liquidated; or

(iii) a receiver has, or a receiver and manager have, been appointed by the court in respect of the
applicant; or

(iv) the applicant or any trusted person has been convicted, whether in India or out of India, of an offence
the conviction for which involved a finding that it or such trusted person acted fraudulently or
dishonestly, or has been convicted of an offence under the Act or these rules; or

v) the Controller has invoked performance bond or banker's guarantee; or

(vi) a Certifying Authority commits breach of, or fails to observe and comply with, the procedures and
practices as per the Certification Practice Statement; or

(vii) a Certifying Authority fails to conduct, or does not submit, the returns of the audit in accordance
with rule 31; or

(viii) the audit report recommends that the Certifying Authority is not worthy of continuing Certifying
Authority's operation; or

(ix) a Certifying Authority fails to comply with the directions of the Controller

Sec. 23 – Renewal of Licence

A licence shall be valid for a period of five years from the date of its issue (Rule 13). An application for
renewal of a licence shall be—

(a) in such form;

 (b) accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the
Central Government and shall be made not less than forty-five days before the date of expiry of
the period of validity of the licence.

Sec. 32 – Display of Licence

Every Certifying Authority shall display its licence at a conspicuous place of the premises in which it
carries on its business.

Sec. 25 – Suspension of Licence

(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying
Authority has,—

a) made a statement in, or in relation to, the application for the issue or renewal of the licence,
which is incorrect or false in material particulars;
b) failed to comply with the terms and conditions subject to which the licence was granted;
c)failed to maintain the standards specified under clause (b) of sub-section (2) of section 20;
d) contravened any provisions of this Act, rule, regulation or order made thereunder, revoke
the licence:

Provided that no licence shall be revoked unless the Certifying Authority has been given a reasonable
opportunity of showing cause against the proposed revocation.

(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a
licence under sub-section (1), by order suspend such licence pending the completion of any inquiry
ordered by him:

Provided that no licence shall be suspended for a period exceeding ten days unless the Certifying
Authority has been given a reasonable opportunity of showing cause against the proposed suspension.

(3) No Certifying Authority whose licence has been suspended shall issue any Digital Signature
Certificate during such suspension.

Sec. 26 – Notice of suspension or revocation of Licence

(1) Where the licence of the Certifying Authority is suspended or revoked, the Controller shall publish
notice of such suspension or revocation, as the case may be, in the database maintained by him.

(2) Where one or more repositories are specified, the Controller shall publish notices of such suspension
or revocation, as the case may be, in all such repositories:

Provided that the data base containing the notice of such suspension or revocation, as the case may be,
shall be made available through a web site which shall be accessible round the clock:

Provided further that the Controller may, if he considers necessary, publicise the contents of database in
such electronic or other media, as he may consider appropriate.

Sec. 33 – Surrender of Licence

 (1) Every Certifying Authority whose licence is suspended or revoked shall immediately after such
suspension or revocation, surrender the licence to the Controller.
(2) Where any Certifying Authority fails to surrender a licence under sub-section (1), the person in
whose favour a licence is issued, shall be guilty of an offence and shall be punished with
imprisonment which may extend up to six months or a fine which may extend up to ten thousand
rupees or with both.

Working of Certifying Authority –

Sec. 30 – Certifying Authority to follow certain procedures

Sec. 31 – Certifying Authority to ensure compliance of the Act, etc.

Sec. 34 – Disclosure

E – Signature Certificate –

Sec. 35 – Certifying Authority to issue E-Signature Certificate

Certificate.—(1) Any person may make an application to the Certifying Authority for the issue of a
Electronic Signature Certificate in such form as may be prescribed by the Central Government.

(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees
as may be prescribed by the Central Government, to be paid to the Certifying Authority:

Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different
classes of applicants.

(3) Every such application shall be accompanied by a certification practice statement or where there is no
such statement, a statement containing such particulars, as may be specified by regulations.

(4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration
of the certification practice statement or the other statement under sub-section (3) and after making such
enquiries as it may deem fit, grant the 1[electronic signature] Certificate or for reasons to be recorded in
writing, reject the application:

Provided that no application shall be rejected unless the applicant has been given a reasonable opportunity
of showing cause against the proposed rejection.

Digital Signature Certificate –

Sec. 35 – Application for E-Signature Certificate (Same as above)

Sec. 36 – Representations upon issuance of DSC

A Certifying Authority while issuing a Digital Signature Certificate shall certify that—

(a) it has complied with the provisions of this Act and the rules and regulations made thereunder;
(b) it has published the Digital Signature Certificate or otherwise made it available to such person relying
on it and the subscriber has accepted it;

c) the subscriber holds the private key corresponding to the public key, listed in the Digital Signature
Certificate;

(ca) the subscriber holds a private key which is capable of creating a digital signature;

(cb) the public key to be listed in the certificate can be used to verify a digital signature affixed by the
private key held by the subscriber;]

(d) the subscriber's public key and private key constitute a functioning key pair;

(e) the information contained in the Digital Signature Certificate is accurate; and

(f) it has no knowledge of any material fact, which if it had been included in the Digital Signature
Certificate would adversely affect the reliability of the representations in clauses (a) to (d).

Sec. 37 – Suspension of DSC

(1) Subject to the provisions of sub-section (2), the Certifying Authority which has issued a Digital
Signature Certificate may suspend such Digital Signature Certificate,–

(a) on receipt of a request to that effect from–

i. the subscriber listed in the Digital Signature Certificate; or
ii. any person duly authorised to act on behalf of that subscriber;
(b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest.

(2) A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the
subscriber has been given an opportunity of being heard in the matter.

(3) On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall
communicate the same to the subscriber.

Sec. 38 – Revocation of DSC

1) A Certifying Authority may revoke a Digital Signature Certificate issued by it–

(a) where the subscriber or any other person authorised by him makes a request to that effect; or
(b) upon the death of the subscriber; or
(c) upon the dissolution of the firm or winding up of the company where the subscriber is a firm
or a company.

(2) Subject to the provisions of sub-section (3) and without prejudice to the provisions of sub-section (1),
a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time,
if it is of opinion that–

(a) a material fact represented in the Digital Signature Certificate is false or has been concealed;
(b) a requirement for issuance of the Digital Signature Certificate was not satisfied;
 (c) the Certifying Authority's private key or security system was compromised in a manner
materially affecting the Digital Signature Certificate's reliability;
(d) the subscriber has been declared insolvent or dead or where a subscriber is a firm or a
company, which has been dissolved, wound-up or otherwise ceased to exist.

(3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given an
opportunity of being heard in the matter.

(4) On revocation of a Digital Signature Certificate under this section, the Certifying Authority shall
communicate the same to the subscriber.

Sec. 39 – Notice of Suspension or Revocation

1) Where a Digital Signature Certificate is suspended or revoked under section 37 or section 38, the
Certifying Authority shall publish a notice of such suspension or revocation, as the case may be, in the
repository specified in the Digital Signature Certificate for publication of such notice.