
CERTIFYING AUTHORITY

A Certificate Authority (or Certification Authority) is an entity that issues
digital certificates. A certificate contains a public key and, bound to it, the
identity of the key's owner. The private key is not made available to the public;
it is kept secret by the end user who generates the key pair. The certificate also
works as a confirmation, or validation, by the Certificate Authority that the
public key in the certificate belongs to the person, organisation, server or other
entity named in it.

[Public Key Infrastructure: Public Key Infrastructure (PKI) is a technology for
authenticating users and devices in the digital world. The essential idea is to
have one or more trusted parties digitally sign documents certifying that a
particular cryptographic key belongs to a particular user or device.]

Regulation of Certifying Authority (Chapter VI)

To regulate the Certifying Authorities, the Central Government appoints a
Controller of Certifying Authorities to license and regulate the working of
Certifying Authorities and to ensure that no provision of the Act is violated.

• Section 17 deals with the ‘Appointment of Controller and other officers’.
It provides that the Central Government appoints a Controller of
Certifying Authorities by notification in the Official Gazette and, by
the same notification, may appoint Deputy Controllers, Assistant
Controllers, other officers and employees.
It further provides that the Controller shall discharge his functions under
the control and directions of the Central Government, and that the Deputy
Controllers and Assistant Controllers shall perform the functions
assigned to them by the Controller under the general superintendence
and control of the Controller.
The qualifications, experience and terms and conditions of service of the
Controller, Deputy Controllers, Assistant Controllers, other officers and
employees, and the Head Office and Branch Office of the office of the
Controller, are prescribed by the Central Government.
The Office of the Controller has a seal.
• Section 18 deals with the ‘Functions of Controller’ and provides that the
Controller of Certifying Authorities has the following functions:
a) exercising supervision over the activities of the Certifying Authorities;
b) certifying public keys of the Certifying Authorities;
c) laying down the standards to be maintained by the Certifying
Authorities;
d) specifying the qualifications and experience which employees of the
Certifying Authority should possess;
e) specifying the conditions subject to which the Certifying Authorities
shall conduct their business;
f) specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of an
electronic signature Certificate and the public key;
g) specifying the form and content of an electronic signature Certificate
and the key;
h) specifying the form and manner in which accounts shall be
maintained by the Certifying Authorities;
i) specifying the terms and conditions subject to which auditors may be
appointed and the remuneration to be paid to them;
j) facilitating the establishment of any electronic system by a Certifying
Authority either solely or jointly with other Certifying Authorities and
regulation of such systems;
k) specifying the manner in which the Certifying Authorities shall
conduct their dealings with the subscribers;
l) resolving any conflict of interests between the Certifying Authorities
and the subscribers;
m) laying down the duties of the Certifying Authorities;
n) maintaining a database containing the disclosure record of every
Certifying Authority, with such particulars as may be specified
by regulations, which shall be accessible to the public.
• Section 21 deals with the issue of a licence to issue Electronic Signature
Certificates; it provides that any person may apply to the Controller
for a licence to issue electronic signature Certificates.
• Section 22 deals with ‘Application for licence’ and provides that the
application shall be in the form prescribed by the Central Government.
It further provides that every application shall be accompanied by the
following:
a) a certification practice statement;
b) a statement including the procedures with respect to identification of
the applicant;
c) payment of such fees, not exceeding twenty-five thousand rupees as
may be prescribed by the Central Government;
d) such other documents, as may be prescribed by the Central
Government.

Rule 10 of the Information Technology (Certifying Authorities) Rules, 2000
deals with the ‘Submission of Application’ by a Certifying Authority; it
provides that every application shall be made to the Controller in the
form provided in Schedule I of the Rules.
The following documents are to be attached to the application:

a) a Certification Practice Statement (CPS);
b) a statement including the procedures with respect to identification of
the applicant;
c) a statement for the purpose and scope of anticipated Digital
Signature Certificate technology, management, or operations to be
outsourced;
d) certified copies of the business registration documents of Certifying
Authority that intends to be licensed;
e) a description of any event, particularly current or past insolvency,
that could materially affect the applicant's ability to act as a
Certifying Authority;
f) an undertaking by the applicant that to its best knowledge and belief it
can and will comply with the requirements of its Certification Practice
Statement;
g) an undertaking that the Certifying Authority's operation would not
commence until its operation and facilities associated with the
functions of generation, issue and management of Digital Signature
Certificate are audited by the auditors and approved by the Controller
in accordance with rule 20;
h) an undertaking to submit a performance bond or banker's guarantee
in accordance with sub-rule (2) of rule 8 within one month of
Controller indicating his approval for the grant of licence to operate
as a Certifying Authority; and
i) any other information required by the Controller.

Rule 11 of the Information Technology (Certifying Authorities) Rules, 2000
provides that, for the grant or renewal of a licence, a non-refundable fee
of twenty-five thousand rupees is payable with the application, by bank
draft or by pay order drawn in the name of the Controller.

• Section 21 further provides that no licence shall be issued unless the
applicant fulfils such requirements with respect to qualification,
expertise, manpower, financial resources and other infrastructure
facilities as are necessary to issue electronic signature Certificates.
It further provides that a licence granted under this section shall:
a) be valid for such period as may be prescribed by the Central
Government;
b) not be transferable or heritable;
c) be subject to such terms and conditions as may be specified by the
regulations.
• Rule 13 of the Information Technology (Certifying Authorities) Rules, 2000
deals with ‘Validity of licence’ and provides that:
1) A licence shall be valid for a period of five years from the date of
its issue.
2) The licence shall not be transferable.
• Section 23 of the Act and Rule 15 of the Information Technology
(Certifying Authorities) Rules, 2000 deal with ‘Renewal of licence’ and
provide that a Certifying Authority shall submit an application for the
renewal of its licence not less than forty-five days before the date of
expiry of the period of validity of the licence, and that the application
shall be accompanied by a fee not exceeding five thousand rupees.
• Section 24 of the Act deals with the ‘Procedure for grant or rejection of
licence’, and Rules 16 and 17 of the Information Technology (Certifying
Authorities) Rules, 2000 deal with ‘Issuance of Licence’ and ‘Refusal of
Licence’.
It is provided that the Controller may, within four weeks from the date of
receipt of the application, after considering the documents
accompanying the application and such other factors, as he may deem
fit, grant or renew the licence or reject the application.
However, no application shall be rejected under this section unless the
applicant has been given a reasonable opportunity of presenting his
case.
Further, in exceptional circumstances and for reasons to be recorded in
writing, the period of four weeks may be extended to such period, not
exceeding eight weeks in all as the Controller may deem fit.
If the application for a licence as a Certifying Authority is approved, the
applicant shall (Rule 16):
a) submit a performance bond or furnish a banker's guarantee within
one month from the date of such approval to the Controller; and
b) execute an agreement with the Controller binding himself to
comply with the terms and conditions of the licence and the
provisions of the Act and the rules.

The Controller may refuse to grant or renew a licence if (Rule 17):

(i) the applicant has not provided the Controller with such
information relating to its business, and to any
circumstances likely to affect its method of conducting
business, as the Controller may require; or
(ii) the applicant is in the course of being wound up or
liquidated; or
(iii) a receiver has, or a receiver and manager have, been
appointed by the court in respect of the applicant; or
(iv) the applicant or any trusted person has been convicted,
whether in India or out of India, of an offence the conviction
for which involved a finding that it or such trusted person
acted fraudulently or dishonestly, or has been convicted of
an offence under the Act or these rules; or
(v) the Controller has invoked the performance bond or banker's
guarantee; or
(vi) a Certifying Authority commits breach of, or fails to observe
and comply with, the procedures and practices as per the
Certification Practice Statement; or
(vii) a Certifying Authority fails to conduct, or does not submit,
the returns of the audit; or
(viii) the audit report recommends that the Certifying Authority is
not worthy of continuing Certifying Authority's operation; or
(ix) a Certifying Authority fails to comply with the directions of
the Controller.
• Section 25 of the Act and Rule 14 of the Information Technology (Certifying
Authorities) Rules, 2000 deal with ‘Suspension of licence’. It is provided
that the Controller may revoke the licence if he is satisfied, after making
an inquiry, that a Certifying Authority has:
a) made a statement in, or in relation to, the application for the issue
or renewal of the licence, which is incorrect or false in material
particulars;
b) failed to comply with the terms and conditions subject to which the
licence was granted;
c) failed to maintain the procedures and standards specified in
section 30;
d) contravened any provisions of this Act, rule, regulation or order
made.
However, he cannot revoke a licence unless the Certifying Authority has
been given a reasonable opportunity of showing cause against the
proposed revocation.

Further, the Controller may by order suspend such licence pending the
completion of any enquiry ordered by him, if he has reasonable cause to
believe that there is any ground for revoking a licence. However, he
cannot suspend a licence for a period exceeding ten days unless the
Certifying Authority has been given a reasonable opportunity of showing
cause against the proposed suspension.

A Certifying Authority shall not issue any electronic signature Certificate
during such suspension.

• The notice of suspension or revocation of a licence is given under
Section 26 of the Act.
• Under Section 28 of the Act, the Controller or any officer authorised by
him may take up the investigation of any contravention of the provisions
of the Act, rules or regulations.
• Section 30 provides certain procedures that are to be followed by a
Certifying Authority; it shall:
a) make use of hardware, software and procedures that are secure
from intrusion and misuse;
b) provide a reasonable level of reliability in its services which are
reasonably suited to the performance of intended functions;
c) adhere to security procedures to ensure that the secrecy and
privacy of the electronic signatures are assured;
(ca) be the repository of all electronic signature Certificates
issued under this Act;
(cb) publish information regarding its practices, electronic
signature Certificates and current status of such certificates;
and
d) observe such other standards as may be specified by regulations.
 Section 31 provides that every Certifying Authority shall ensure that
every person employed or otherwise engaged by it complies with the
provisions of this Act, rules, regulations and orders, in course of his
employment or engagement.

Electronic signature certificates (Chapter VII)

• Section 35 of the Act deals with the issue of an Electronic Signature
Certificate. It provides that any person may make an application,
accompanied by a fee not exceeding twenty-five thousand rupees, to a
Certifying Authority for the issue of an Electronic Signature Certificate.
It is further provided that the application shall be accompanied by a
certification practice statement or, where there is no such statement, a
statement containing such particulars as may be specified by regulations.
It is also provided that, on receiving an application, the Certifying
Authority may, after consideration of the certification practice statement
or the other statement and after making such enquiries as it may deem fit,
grant the electronic signature Certificate or, for reasons to be recorded
in writing, reject the application.
[The certificate granted under Section 35(4) is a Digital Signature
Certificate, as defined in Section 2(1)(q).]
However, the Certifying Authority cannot reject the application unless the
applicant has been given a reasonable opportunity of showing cause
against the proposed rejection.
 Under Section 36, while issuing a Digital Signature Certificate, the
Certifying Authority shall certify that:
a) it has complied with the provisions of this Act and the rules and
regulations;
b) it has published the Digital Signature Certificate or otherwise
made it available to such person relying on it and the subscriber
has accepted it;
c) the subscriber holds the private key corresponding to the public
key, listed in the Digital Signature Certificate;
(ca) the subscriber holds a private key which is capable of creating
a digital signature;
(cb) the public key to be listed in the certificate can be used to
verify a digital signature affixed by the private key held by the
subscriber;
d) the subscriber's public key and private key constitute a functioning
key pair;
e) the information contained in the Digital Signature Certificate is
accurate; and
f) it has no knowledge of any material fact, which if it had been
included in the Digital Signature Certificate would adversely affect
the reliability of the representations in clauses (a) to (d).
• Section 37 deals with the ‘Suspension of Digital Signature Certificate’. It
provides that the Certifying Authority may suspend an issued Digital
Signature Certificate:
a) on receiving a request from:
i. the subscriber listed in the Digital Signature
Certificate; or
ii. any person duly authorised to act on behalf of
that subscriber; or
b) if it is of the opinion that the Digital Signature Certificate
should be suspended in the public interest.
[‘Subscriber’ is defined under Section 2(1)(zg): subscriber means a
person in whose name the electronic signature Certificate is issued.]
However, the Digital Signature Certificate shall not be suspended for a
period exceeding fifteen days unless the subscriber has been given an
opportunity of being heard in the matter.
The suspension of such certificate shall be communicated to the
subscriber.
 Section 38 deals with ‘Revocation of digital signature certificate’, it
provides that, the Certifying Authority may revoke a Digital Signature
Certificate:
a) where the subscriber or any other person authorised by him makes
a request to that effect; or
b) upon the death of the subscriber; or
c) upon the dissolution of the firm or winding up of the company
where the subscriber is a firm or a company.
Without prejudice to the previous sub-section and subject to sub-section
(3), the Certifying Authority may revoke a Digital Signature Certificate,
if:
a) a material fact represented in the Digital Signature Certificate is
false or has been concealed;
b) a requirement for issuance of the Digital Signature Certificate was
not satisfied;
c) the Certifying Authority's private key or security system was
compromised in a manner materially affecting the Digital
Signature Certificate's reliability;
d) the subscriber has been declared insolvent or dead or where a
subscriber is a firm or a company, which has been dissolved,
wound-up or otherwise ceased to exist.
Sub-section (3) provides that a digital Signature Certificate shall not be
revoked unless the subscriber has been given an opportunity of being
heard in the matter.
The revocation of such a certificate shall be communicated to the
subscriber.
• Section 39 provides that notice of such suspension or revocation of
the certificate shall be published in the repository specified in the Digital
Signature Certificate for the publication of such notices.
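The mechanics behind the definition at the top of the page and behind Sections 36, 38 and 39 are the same in any PKI: the Certifying Authority checks that the subscriber's public and private keys form a functioning pair, signs the binding of that public key to the subscriber's name, and later revokes the certificate and publishes the fact so that relying parties stop trusting it. The following Go program is an added example built on the standard library; it is not code from the source, and the CA name, subscriber name, serial numbers and challenge string are constructed for the example. The in-memory revocation set stands in for the repository in which a real CA publishes its notices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA holds the authority's signing key, its self-signed certificate and the serial
// numbers it has published as revoked (a stand-in for the Section 39 repository).
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool
}

// NewCA creates a self-signed root whose key usage permits certificate signing.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{Cert: cert, key: key, revoked: map[string]bool{}}, nil
}

// GenerateSubscriberKey makes the subscriber's key pair. Only the public half is
// ever sent to the CA; the private half stays with the subscriber.
func GenerateSubscriberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ProveKeyPossession signs a CA-supplied challenge with the subscriber's private
// key, so the CA can confirm the submitted public key has a matching private key.
func ProveKeyPossession(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Issue binds a subject name to a public key under the CA's signature, but only
// after the proof of possession verifies (the "functioning key pair" check).
func (ca *CA) Issue(subject string, pub *ecdsa.PublicKey, challenge, proof []byte, serial int64) (*x509.Certificate, error) {
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], proof) {
		return nil, errors.New("proof of possession failed: not a functioning key pair")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Revoke publishes the certificate's serial number as no longer trustworthy.
func (ca *CA) Revoke(cert *x509.Certificate) {
	ca.revoked[cert.SerialNumber.String()] = true
}

// Validate is the relying party's check: the signature chains to the trusted CA,
// the validity period holds, and the serial number is not on the revocation list.
func (ca *CA) Validate(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return err }
	if ca.revoked[cert.SerialNumber.String()] {
		return errors.New("certificate has been revoked")
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Licensed CA") // constructed name
	sub, _ := GenerateSubscriberKey()
	challenge := []byte("constructed challenge nonce")
	proof, _ := ProveKeyPossession(sub, challenge)
	cert, err := ca.Issue("Example Subscriber", &sub.PublicKey, challenge, proof, 2)
	fmt.Println("issue:", err, "validate:", ca.Validate(cert))
	ca.Revoke(cert)
	fmt.Println("after revocation:", ca.Validate(cert))
}
```

Two points worth noticing when running it: a proof signed with some other private key is rejected before any certificate is created, which is the check Section 36(c) and (d) describe in legal terms; and once the CA revokes the certificate, the signature on it is still mathematically valid, so a relying party that skips the revocation lookup would keep trusting it. That is why publication of the notice matters as much as the revocation itself.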
