Regulation of Certifying Authorities
Section 17. Appointment of Controller and other officers.
17(1).
The Central Government may appoint a Controller of Certifying Authorities by notification in the Official Gazette.
The appointment is made for the purposes of this Act.
The Government may also appoint Deputy Controllers, Assistant Controllers, and other officers and employees.
Such appointments can be made by the same or a subsequent notification, as the Government deems fit.
17(2).
The Controller performs and discharges functions under this Act.
These functions are subject to the general control and directions of the Central Government.
17(3).
The Deputy Controllers and Assistant Controllers perform functions assigned by the Controller.
Their work is under the general superintendence and control of the Controller.
17(4).
The qualifications and experience of the Controller, Deputy and Assistant Controllers, and other officers and employees are prescribed by the Central Government.
Their terms and conditions of service are also prescribed by the Central Government.
17(5).
The Head Office of the Controller shall be at a place specified by the Central Government.
Branch Offices may be established at places the Central Government considers fit.
17(6).
There shall be a seal of the Office of the Controller.
Section 18. Functions of Controller.
The Controller may perform all or any of the following functions:
(a).
The Controller oversees and monitors all activities of Certifying Authorities to ensure legal and technical compliance.
(b).
The Controller officially certifies the public keys used by Certifying Authorities, establishing trust in their digital signatures.
(c).
The Controller prescribes technical, security, and operational standards that every Certifying Authority must follow.
(d).
The Controller specifies minimum qualifications, expertise, and experience required for employees working in a Certifying Authority.
(e).
The Controller lays down the conditions and rules under which Certifying Authorities are permitted to operate their business.
(f).
The Controller regulates what written, printed, or visual material (including advertisements) a Certifying Authority can issue regarding electronic signature certificates and public keys.
(g).
The Controller specifies the exact form and contents of electronic signature certificates and the associated cryptographic keys.
(h).
The Controller prescribes how Certifying Authorities must maintain their books of accounts and financial records.
(i).
The Controller determines the conditions for appointing auditors and the remuneration payable to them.
(j).
The Controller facilitates and regulates the setting up of electronic systems by a single Certifying Authority, or multiple Certifying Authorities jointly.
(k).
The Controller specifies the manner in which Certifying Authorities must interact with subscribers (certificate holders).
(l).
The Controller resolves conflicts of interest between Certifying Authorities and subscribers.
(m).
The Controller clearly lays down the legal and operational duties that every Certifying Authority must perform.
(n).
The Controller maintains a public database containing disclosure records of every Certifying Authority, with details prescribed by regulations.
This database must be accessible to the public.
Section 19. Recognition of foreign Certifying Authorities.
19(1).
The Controller has the power to recognise a foreign Certifying Authority for the purposes of the IT Act.
This recognition is not automatic and is subject to conditions and restrictions laid down in regulations.
The Controller must obtain prior approval of the Central Government.
Recognition must be done through a notification.
The notification must be published in the Official Gazette.
Once recognised, the foreign Certifying Authority is treated as a Certifying Authority under this Act, but only for the purposes specified.
19(2).
After a foreign Certifying Authority has been recognised under 19(1):
Any electronic signature certificate issued by that Certifying Authority is legally valid, and is accepted under the IT Act.
Such certificates can be used for all purposes allowed under this Act, just like certificates issued by Indian Certifying Authorities.
19(3).
When a recognised Certifying Authority (including a foreign one) violates any condition or restriction on which its recognition was granted, the Controller can revoke such recognition.
In order to do so:
The Controller must be satisfied that a contravention has occurred, and record the reasons in writing.
The revocation must be done by issuing a notification and publishing it in the Official Gazette.
Once revoked, the Certifying Authority loses its recognised status under the Act.
Section 20. [Omitted.].
Section 21. Licence to issue electronic signature Certificates.
21(1).
Any person (individual or entity) may apply to the Controller for a licence to issue electronic signature certificates.
This right to apply is not absolute and is subject to the conditions and limitations laid down in 21(2).
Only after satisfying those requirements under 21(2) can a licence be granted.
21(2).
A licence cannot be issued automatically merely because an application is made under 21(1).
The applicant must fulfil all the prescribed requirements.
These requirements relate to:
Qualifications.
Technical expertise.
Adequate manpower.
Sufficient financial resources.
Necessary infrastructure facilities.
All these requirements are mandatory and are prescribed by the Central Government through rules.
Only applicants who meet all prescribed criteria are eligible to receive a licence to issue electronic signature certificates.
21(3).
A licence granted under this section shall:
(a). Be valid for such period as may be prescribed by the Central Government.
(b). Not be transferable or heritable.
(c). Be subject to such terms and conditions as may be specified by the regulations.
Section 22. Application for licence.
22(1).
Every application for a licence must follow a prescribed format.
The form of the application is not decided by the applicant.
The format is fixed by the Central Government through rules.
An application that is not in the prescribed form can be rejected.
22(2).
Every application for a licence must be submitted along with mandatory attachments.
The required accompaniments are:
(a).
Certification Practice Statement (CPS)
A document explaining how the applicant will issue, manage, suspend, and revoke electronic signature certificates.
(b).
Identification Procedures Statement
A statement detailing the procedures used to verify and identify subscribers/applicants before issuing certificates.
(c).
Prescribed Fee
Payment of a licence application fee:
The fee is fixed by the Central Government and cannot exceed ₹25,000.
(d).
Other Prescribed Documents
Any additional documents required by rules made by the Central Government.
Section 23. Renewal of licence.
A renewal application must:
(a).
Be in the prescribed form
The format is fixed by the Central Government.
(b).
Be accompanied by the prescribed fee
The renewal fee is prescribed by the Central Government and cannot exceed ₹5,000.
(c).
Be filed within the prescribed time
The application must be made not less than 45 days before the licence expires.
Section 24. Procedure for grant or rejection of licence.
The Controller, after receiving an application under 21(1), has the power to grant the licence or reject the application after due consideration.
The Controller must examine the documents submitted with the application, and consider any other relevant factors he thinks fit.
No application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.
Section 25. Suspension of licence.
25(1).
The Controller has the power to revoke or suspend the licence.
It can be exercised only after:
Making such inquiry as the Controller considers necessary, and being satisfied that grounds for revocation exist.
The Controller may revoke the licence of a Certifying Authority if it has:
(a).
Made false or incorrect statements.
Any statement made in, or in relation to, the application for issue or renewal of the licence is false or incorrect in material particulars.
(b).
Violated licence conditions.
Failed to comply with the terms and conditions on which the licence was granted.
(c).
Failed to maintain prescribed standards.
Not maintained the procedures and standards specified under Section 30.
(d).
Contravened the law.
Violated any provision of the Act, rules, regulations, or orders made under the Act.
A licence cannot be revoked straightaway.
Before revocation, the Certifying Authority must be given a reasonable opportunity to explain, and to defend itself.
This opportunity is to show cause and explain why the proposed revocation should not be carried out.
25(2).
If the Controller has reasonable cause to believe that there exists a ground for revocation of the licence under 25(1), then:
The Controller may suspend the licence temporarily.
Suspension is done by an order and lasts pending completion of the enquiry ordered by the Controller.
Suspension is interim in nature, not final cancellation.
Before suspension, the Certifying Authority must be given a reasonable opportunity to explain, and to defend itself.
This opportunity is to show cause and explain why the proposed suspension should not be carried out.
25(3).
A Certifying Authority whose licence is suspended cannot issue any electronic signature certificate.
Any certificate issued during the period of suspension would be unauthorised and invalid under the Act.
Section 26. Notice of suspension or revocation of licence.
26(1).
When the licence of a Certifying Authority is suspended or revoked, the Controller has a mandatory duty to act.
The Controller must publish a notice of suspension or revocation, as the case may be.
The notice must be published in the database maintained by the Controller.
26(2).
The Controller has a mandatory obligation to publish a notice of suspension or revocation, as applicable.
Such notice must be published in all the specified repositories (not just one).
The database containing notices of suspension or revocation must be made available through a website.
The website must be accessible round the clock (24×7).
The Controller has discretion to take additional steps.
If he considers it necessary, he may publicise the contents of the database.
Such publicity can be done through electronic media, or any other media, in any manner the Controller considers appropriate.
Section 27. Power to delegate.
The Controller has the power to delegate his powers.
Such delegation must be made in writing.
The Controller may authorise:
The Deputy Controller.
The Assistant Controller.
Any other officer.
The authorised person may exercise any of the powers of the Controller.
The delegation is limited to powers under this Chapter only.
Section 28. Power to investigate contraventions.
28(1).
The authority to act lies with the Controller, or any officer authorised by him for this purpose.
Such an officer must be specifically authorised by the Controller.
Through that authorisation, the officer shall take up an investigation.
The investigation can relate to any contravention of:
The provisions of the Act.
The rules made under it.
The regulations made under it.
The scope is wide, covering all violations under the Act and its subordinate legislation.
28(2).
The authority to act lies with the Controller, or any officer authorised by him for this purpose.
Such authority is vested with powers similar to those of Income-tax authorities.
These powers are those conferred under Chapter XIII of the Income-tax Act, 1961.
The Controller or authorised officer must exercise these powers in the same manner as Income-tax authorities.
The exercise of such powers is subject to the limitations and conditions laid down under the Income-tax Act, 1961.
Section 29. Access to computers and data.
29(1).
This power to search is in addition to and does not limit the powers already given under Section 69(1).
The Controller or any person authorised by him can exercise this power to search.
The power can be used only if there is reasonable cause to suspect that a contravention of this Chapter has occurred.
If such suspicion exists, they may access any computer system, any apparatus, any data, or any other material connected with that system.
The purpose of such access is to search, or to cause a search to be made.
The objective of the search is to obtain information or data that is contained in, or available to, the computer system.
29(2).
The Controller or any person authorised by him may issue a formal order.
The order can be directed to any person in charge of, or any person concerned with the operation of the computer system, data, apparatus, or material.
Such person can be required to provide assistance.
The assistance may be technical or otherwise, and must be reasonable in nature.
The assistance is limited to what the Controller considers necessary for carrying out his functions under sub-section (1).
Section 30. Certifying Authority to follow certain procedures.
Every Certifying Authority must:
(a).
Use hardware that is secure from intrusion and misuse.
Use software that is secure from intrusion and misuse.
Follow procedures that prevent unauthorised access or misuse.
(b).
The service must maintain a reasonable level of reliability.
The reliability should be appropriate and practical, not absolute.
The services must be reasonably suited to what they are meant to do.
Performance should match the intended functions of the service.
(c).
The entity must follow prescribed security procedures.
These procedures are aimed at protecting electronic signatures.
The goal is to ensure the secrecy and privacy of electronic signatures.
This prevents unauthorised access, use, or disclosure of electronic signatures.
(ca).
The entity must act as a repository.
It must store all electronic signature certificates.
Only certificates issued under this Act are covered.
The repository serves as a central record and reference point for such certificates.
(cb).
The entity must publish information relating to its operations.
This includes information about:
Its practices.
The electronic signature certificates it issues.
The current status of such certificates (valid, suspended, revoked, etc.).
(d).
The entity must comply with additional standards.
These standards are not fixed in the Act itself.
They are specified through regulations.
Compliance with such standards is mandatory once prescribed.
Section 31. Certifying Authority to ensure compliance of the Act.
The Certifying Authority must ensure compliance not just by itself but also by its employees and any persons otherwise engaged by it (agents, consultants, contractors).
Compliance must be during the course of employment or engagement.
The laws to be complied with include the Act, rules, regulations, and orders made under the Act.
Responsibility lies on the Certifying Authority for ensuring such compliance.
Section 32. Display of licence.
Every Certifying Authority has the duty to display the licence physically.
It must be placed at a conspicuous (clearly visible) place.
The location must be the premises where the Certifying Authority conducts its business.
Section 33. Surrender of licence.
33(1).
When a Certifying Authority’s licence is either suspended or revoked, the Certifying Authority must immediately surrender the licence.
The licence must be surrendered to the Controller.
There is no discretion or delay permitted.
33(2).
When a Certifying Authority does not surrender its licence after suspension or revocation then:
The person in whose favour the licence was issued is deemed to have committed an offence.
The punishment prescribed for the above offence is:
Imprisonment up to 6 months, or
Fine up to ₹10,000, or
Both imprisonment and fine.
The liability is personal to the licence holder.
Section 34. Disclosure.
34(1).
The duty to disclose applies to every Certifying Authority.
Disclosures must be made in the manner prescribed by regulations.
The Certifying Authority must disclose the following:
(a).
Its electronic signature certificate.
The certificate that authorises it to function as a Certifying Authority.
(b).
Certification Practice Statement (CPS).
Any CPS that explains how certificates are issued, managed, suspended, or revoked.
(c).
Revocation or suspension notice.
Immediate notice if its own Certifying Authority certificate has been revoked or suspended.
(d).
Material adverse facts.
Any fact that:
Materially and adversely affects the reliability of electronic signature certificates issued by it.
Materially and adversely affects its ability to perform its services as a Certifying Authority.
34(2).
Duty of a Certifying Authority in case of a serious system or certificate risk
When the Certifying Authority itself forms the opinion that: an event has occurred, or a situation has arisen, which may materially and adversely affect:
The integrity or security of its computer system.
The conditions on which an electronic signature certificate was granted.
In such a case, the Certifying Authority must do either or both of the following:
(a).
Notify affected persons.
Use reasonable efforts to inform any person likely to be affected by the event or situation.
(b).
Follow its Certification Practice Statement (CPS).
Act strictly in accordance with the procedures laid down in its CPS to handle such incidents.