Cyber Authorities Notes

The document discusses the roles and responsibilities of Certificate Authorities (CAs). It explains that CAs [1] verify the identities of individuals and organizations requesting digital certificates, [2] issue digital certificates once verification is complete, and [3] maintain lists of revoked certificates. The Controller of Certifying Authorities oversees CAs and has powers to license, recognize foreign CAs, maintain repositories of certificates, and suspend or revoke CA licenses if terms are violated.

Uploaded by

Janani

CERTIFYING AUTHORITIES

By:

Date: 27.05.2020

A Certificate Authority (CA) is a trusted entity that issues Digital Certificates and public-private key pairs. The role of the Certificate Authority (CA) is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

The Certificate Authority (CA) verifies that the owner of the certificate is who he says he is. A Certificate Authority (CA) can be a trusted third party which is responsible for physically verifying the legitimacy of the identity of an individual or organization before issuing a digital certificate.

A Certificate Authority (CA) is a critical security service in a network. A Certificate Authority (CA) performs the following functions.

Certificate Authority (CA) verifies the identity: The Certificate Authority (CA) must validate the identity of the entity that requested a digital certificate before issuing it.

Certificate Authority (CA) issues digital certificates: Once the validation process is over, the Certificate Authority (CA) issues the digital certificate to the entity that requested it. Digital certificates can be used for encryption (example: encrypting web traffic), code signing, authentication, etc.

Certificate Authority (CA) maintains Certificate Revocation List (CRL): The Certificate Authority (CA) maintains a Certificate Revocation List (CRL). A certificate revocation list (CRL) is a list of digital certificates which are no longer valid and have been revoked and therefore should not be relied upon by anyone.

Appointment of Controller and other officers

(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purpose of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.

(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.

(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.

Functions of Controller

The functions of the Controller are, namely:-

• exercising supervision over the activities of the Certifying Authorities;
• certifying public keys of the Certifying Authorities;
• laying down the standards to be maintained by the Certifying Authorities;
• specifying the qualifications and experience which employees of the Certifying Authority should possess;
• specifying the form and content of a Digital Signature Certificate and the key;
• specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
• specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
• facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
• maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.

Recognition of foreign Certifying Authorities

(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority as a Certifying Authority for the purpose of this Act.

(2) Where any Certifying Authority is recognised under sub-section (1), the Digital Signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.

(3) The Controller may, if he is satisfied that the Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be recorded in writing in the Official Gazette, revoke such recognition.

Controller to act as repository

(1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act.

(2) The Controller shall-

(a) make use of hardware, software and procedures that are secure from intrusion and misuse;

(b) observe such other standards as may be prescribed by the Central Government, to ensure that the secrecy and security of the digital signatures are assured.

(3) The Controller shall maintain a computerised data base of all public keys in such a manner that such data base and the public keys are available to any member of the public.

Licence to issue Digital Signature Certificates

(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for a licence to issue Digital Signature Certificates.

(2) No licence shall be issued under sub-section (1), unless the applicant fulfills such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government.

(3) A licence granted under this section shall-

(a) be valid for such period as may be prescribed by the Central Government;

(b) not be transferable or heritable;

(c) be subject to such terms and conditions as may be specified by the regulations.

Application for licence

(1) Every application for issue of a licence shall be in such form as may be prescribed by the Central Government.

(2) Every application for issue of a licence shall be accompanied by-

(a) a certification practice statement;

(b) a statement including the procedures with respect to identification of the applicant;

(c) payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government;

(d) such other documents, as may be prescribed by the Central Government.

Renewal of licence

An application for renewal of a licence shall be-

(a) in such form;

(b) accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the licence.

Suspension of licence

(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has,-

(a) made a statement in, or in relation to, the application for the issue or renewal of the licence, which is incorrect or false in material particulars;

(b) failed to comply with the terms and conditions subject to which the licence was granted;

(c) failed to maintain the standards specified under clause (b) of sub-section (2) of section 20;

(d) contravened any provisions of this Act, rule, regulation or order made thereunder,

revoke the licence:

Provided that no licence shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.

(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence under sub-section (1), by order suspend such licence pending the completion of any inquiry ordered by him:

Provided that no licence shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
