
Certifying Authority Under Information Technology Act, 2000
(Project Report)

Submitted To :- Mr. Atul S. Jaybhaye, Assistant Professor

Submitted By :-
Name :- Srishti Sahu
Semester :- VII
Section :- C
Roll No. :- 172
B.A. LLB.(Hons.)
Batch XV

Date of Submission :- 15.10.2018

Hidayatullah National Law University,
Post Uparwara, Abhanpur, New Raipur - 493661 (Chhattisgarh)

Declaration
I, Srishti Sahu, hereby declare that this project report entitled ‘Certifying Authority
Under Information Technology Act, 2000’, submitted to Hidayatullah National Law
University, Raipur, is a record of an original work done by me under the guidance of Mr. Atul
S. Jaybhaye, Assistant Professor, H.N.L.U., Raipur, and that no part of this work has been
plagiarized without citations.

_________________
Name :- Srishti Sahu
Roll No. :- 172
Section :- C
Semester :- VII
B.A. LLB.(Hons.)
Batch XV
Date :- 15.10.2018

ACKNOWLEDGMENTS
I, Srishti Sahu, would like to humbly present this project to Mr. Atul S. Jaybhaye. I would
first of all like to express my most sincere gratitude to Mr. Atul S. Jaybhaye for his
encouragement and guidance regarding several aspects of this project. I am thankful for
being given the opportunity of doing a project on ‘Certifying Authority Under Information
Technology Act, 2000’.

I am thankful to the library staff as well as the IT lab staff for all the conveniences
they have provided me with, which have played a major role in the completion of this project.

I would like to thank God for keeping me in good health and senses to complete
this project.

Last but definitely not the least, I am thankful to my seniors and my parents for all
their support, tips and valuable advice whenever needed. I present this project with a humble
heart.

________________
Name :- Srishti Sahu
Roll No. :- 172
Section :- C
Semester :- VII
BA LLB(Hons.)
Batch XV

TABLE OF CONTENTS

• Declaration
• Acknowledgements
• Table of Contents
• Introduction
• Objectives of Study
• Scope of Study
• Methodology of Study
• Introduction to Certifying Authority
• Role of Certifying Authority
• Certificate Policy
• Conclusion
• References

1. Introduction
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act
of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law
in India dealing with cybercrime and electronic commerce. It is based on the United Nations
Model Law on Electronic Commerce 1996 (UNCITRAL Model) recommended by the
General Assembly of United Nations by a resolution dated 30 January 1997.

The original Act contained 94 sections, divided into 13 chapters and 4 schedules. The laws
apply to the whole of India. Persons of other nationalities can also be indicted under the law,
if the crime involves a computer or network located in India.

The Act provides a legal framework for electronic governance by giving recognition
to electronic records and digital signatures. The formation of the Controller of Certifying
Authorities was directed by the Act, to regulate the issuing of digital signatures. It also defines
cyber crimes and prescribes penalties for them. It also established a Cyber Appellate Tribunal
to resolve disputes arising from this new law. The Act also amended various sections of the Indian
Penal Code, 1860, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891,
and the Reserve Bank of India Act, 1934 to make them compliant with new technologies.

A major amendment was made in 2008. It introduced Section 66A, which penalized the
sending of "offensive messages". It also introduced Section 69, which gave authorities the
power of "interception or monitoring or decryption of any information through any computer
resource". It also introduced penalties for child porn, cyber terrorism and voyeurism. It was passed on
22 December 2008 without any debate in the Lok Sabha. The next day it was passed by the Rajya
Sabha. It was signed by the then President on 5 February 2009.

The IT Act, 2000 contains the following chapters:

• Chapter I – Preliminary
• Chapter II – Digital Signature and Electronic Signature
• Chapter III – Electronic Governance
• Chapter IV – Attribution, Acknowledgement and Dispatch of Electronic Records
• Chapter V – Secure Electronic Records and Secure Digital Signatures
• Chapter VI – Regulation of Certifying Authority
• Chapter VII – Electronic Signature Certificates
• Chapter VIII – Duties of Subscribers
• Chapter IX – Penalties, Compensation and Adjudication
• Chapter X – The Appellate Tribunal
• Chapter XI – Offences
• Chapter XII – Intermediaries not to be liable in certain cases
• Chapter XIII – Miscellaneous

1.1 Objectives of the Study

• To understand the meaning of Certifying Authority and who can be a Certifying Authority.
• To understand the role and powers of a Certifying Authority.
• To understand the meaning of Certification Practice Statement (CPS).

1.2 Scope of the Study

The scope of this study is very vast but is limited to the provisions of the Information Technology Act,
2000. The legal provisions and cases involved in relation to the role of the Certifying Authority are
many. The project mainly stresses the role of the Certifying Authority in issuing Digital
Signatures under the IT Act, 2000.

1.3 Methodology of Study

This study is descriptive and analytical in nature. Secondary sources have been largely used
to collect and analyze data. Books, articles and web pages have been referred to and footnotes
have been provided wherever necessary.

2. Introduction to Certifying Authority
A certifying authority is an entity/authority in a network that issues digital signature
certificates (DSCs) for use by other parties (subscribers) and manages their security
credentials. CAs are characteristic of many public key infrastructure (PKI) schemes. As part
of a public key infrastructure, a CA checks with a Registration Authority (RA) to verify
information provided by the requestor of a digital certificate. If the RA verifies the requestor's
information, the CA can then issue a certificate.

Aside from commercial CAs, some providers issue digital certificates to the public at no cost.
Large institutions or government entities may have their own. Depending on the public key
infrastructure implementation, the certificate includes the owner's public key, the expiration
date of the certificate, the owner's name, and other information about the public key owner.

2.1 What is a Certifying Authority?

A Certifying Authority is a trusted body whose central responsibility is to issue, revoke,
renew and provide directories of Digital Certificates. In real meaning, the function of a
Certifying Authority is equivalent to that of the passport issuing office in the Government. A
passport is a citizen's secure document (a "paper identity"), issued by an appropriate
authority, certifying that the citizen is who he or she claims to be. Any other country trusting
the authority of that country's Government passport Office will trust the citizen's passport.

Similar to a passport, a user's certificate is issued and signed by a Certifying Authority and
acts as a proof. Anyone trusting the Certifying Authority can also trust the user's certificate.

According to Section 24 under Information Technology Act 2000, "Certifying Authority"
means a person who has been granted a licence to issue Digital Signature Certificates.

2.2 Who can be a Certifying Authority (CA)?

The IT Act 2000 gives details of who can act as a CA. Accordingly, a prospective CA has to
establish the required infrastructure and get it audited by the auditors appointed by the office of
the Controller of Certifying Authorities; only on complete compliance with the
requirements can a license to operate as a Certifying Authority be obtained. The license is
issued by the Controller of Certifying Authority, Ministry of Information Technology,
Government of India.

Criteria to become a Certifying Authority

The Information Technology (Certifying Authorities) Rules, 2000 under Rule 8 provides that
the following persons can become a Certifying Authority:

1. Individual who is a citizen of India and whose capital in his business or profession is not
less than rupees 5 crore.

2. Partnership firm:

a) whose capital in business or profession should not be less than rupees 5 crore; and
b) whose net wealth should not be less than rupees 50 crore.

3. Company:

a) whose capital in business or profession is not less than rupees 5 crore; and
b) whose net wealth is not less than rupees 50 crore.

4. Government: central government or state government or any government office or agency.

2.3 What is a Registration Authority (RA)?

A Registration Authority (RA) is responsible for initiating the certificate issuance process
after receiving an approved application request from the Local Registration Authority.
Revocation requests for Digital Certificates from subscribers or the authorized representative of the
subscriber are also handled by the RA.

What is Local Registration Authority (LRA)?

An LRA (Local Registration Authority) is an agent of the Certifying Authority who collects
the application forms for Digital Signature Certificates and related documents, does the
verification and approves or rejects the application based on the results of the verification
process.

3. Role of Certifying Authority

1. TO MAINTAIN STANDARD PRACTICE [SECTION 30]

• He must use hardware, software and other procedures which are free from
intrusion or misuse.
• He must provide a reasonable level of reliability in his service as is essential to perform
his functions under this Act.
• He must follow security measures that ensure the secrecy and privacy of electronic
signatures.
• He must publish his practice regarding Electronic Signature Certificates (ESCs), the number of
ESCs issued by him and their present status.
• He has to act as a repository of the ESCs issued by him.
• He will follow the standards laid down by the Controller of Certifying Authority for
this purpose.

2. TO ENSURE THE COMPLIANCE OF PROVISIONS OF THIS ACT [SECTION 31]

The CA must ensure that every person employed or engaged by him complies with (observes or
follows) the provisions of this Act and the rules or regulations made thereunder in the course of
employment or engagement; in case he fails to do so, it is an offence under this Act.

3. ROLE REGARDING DISPLAY OF LICENSE [SECTION 32]

The CA must display his license at a conspicuous part of his business premises so that the public
knows about his license.

4. ROLE REGARDING RENEWAL OF LICENSE [SECTION 23]

• The application for renewal must be made in the form prescribed by the central
government for this purpose (Schedule I).
• It must be accompanied by a fee of rupees 5000.
• The application for renewal must be given not less than 45 days before the expiry of
validity of the license.

5. ROLE TO SURRENDER HIS LICENSE [SECTION 33]

In case the CA's license has been suspended or revoked, he must immediately surrender his
license to the CCA.

Suspension or revocation of license [Section 25]

Suspension [Section 25(2)]

• Where the CCA has reason to believe that any ground for revocation of license
exists, he may suspend the license of the CA.
• Simultaneously he will start an inquiry against the CA.
• The license cannot be suspended after 10 days unless notice is given to that CA.
• During suspension the CA will not issue any ESC.

Revocation [Section 25(1)]

• If, after conducting an inquiry, the CCA is satisfied that any ground exists for revocation, then
he shall revoke the license.
• Grounds of revocation are:
a) A statement in the certification practice statement is false, misleading or incorrect.
b) Conditions or requirements subject to which the license was granted have been violated.
c) The CA failed to maintain standards and other security procedures as specified under this
Act.
d) The CA has violated any provisions of this Act or the rules or regulations made thereunder.

6. DISCLOSURE [SECTION 34]

Every CA shall disclose the following in the manner laid down under the regulations:

• ESCs issued by him
• Certification Practice Statement (CPS)
• Any notice of suspension or revocation of his license or the CA's certificate
• Any material fact which is likely to affect the reliability of an ESC issued by him

7. ISSUING OF DIGITAL CERTIFICATE

A CA issues digital certificates that contain a public key and the identity of the owner. The
matching private key is not similarly made available publicly, but kept secret by the end user
who generated the key pair. The certificate is also an attestation by the CA that the public key
contained in the certificate belongs to the person, organization, server or other entity noted in
the certificate.

A CA's obligation in such schemes is to verify an applicant's credentials, so that users and
relying parties can trust the information in the CA's certificates. CAs use a variety of
standards and tests to do so. In essence the Certificate Authority is responsible for saying
"yes, this person is who they say they are, and we, the CA, verify that".

Digital certificate

In cryptography, a public key certificate (also known as a digital certificate or identity
certificate) is an electronic document which uses a digital signature to bind together a public
key with an identity — information such as the name of a person or an organization, their
address, and so forth. The certificate can be used to verify that a public key belongs to an
individual.

In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate
authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed
certificate) or other users ("endorsements"). In either case, the signatures on a certificate are
attestations by the certificate signer that the identity information and the public key belong
together.
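
The binding described above, as an added example that is not part of the original report: a CA signs the owner's name, public key and expiration date only after RA verification, and a relying party checks that signature using the CA's public key alone. The toy RSA key, the issuer name, the field names and the sample subscriber are all assumptions made for illustration.

```python
import hashlib
import json

# Toy textbook-RSA key for the CA. Assumption: small fixed primes and no
# padding, chosen so the example runs offline; not a real signature scheme.
_P, _Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = _P * _Q                              # CA public modulus
_CA_D = pow(E, -1, (_P - 1) * (_Q - 1))     # CA private exponent

def _digest(tbs: dict) -> int:
    """Hash the to-be-signed fields in a canonical form, reduced mod CA_N."""
    blob = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % CA_N

def issue_certificate(owner, owner_public_key, expires, ra_verified):
    """CA side: bind identity to public key, only after RA verification."""
    if not ra_verified:
        raise PermissionError("RA has not verified the requestor")
    tbs = {"owner": owner, "public_key": owner_public_key,
           "expires": expires, "issuer": "Example CA (hypothetical)"}
    return {"tbs": tbs, "signature": pow(_digest(tbs), _CA_D, CA_N)}

def verify_certificate(cert, today):
    """Relying-party side: uses only the CA public key (CA_N, E)."""
    if today > cert["tbs"]["expires"]:      # ISO dates sort as strings
        return False
    return pow(cert["signature"], E, CA_N) == _digest(cert["tbs"])

def swap_public_key(cert, other_key):
    """Return a copy with a different key but the original CA signature."""
    return {"tbs": dict(cert["tbs"], public_key=other_key),
            "signature": cert["signature"]}

if __name__ == "__main__":
    # Constructed sample subscriber; the key values are placeholders.
    cert = issue_certificate("A. Subscriber (constructed)",
                             [0xC0FFEE, 65537], "2019-10-15", True)
    print(verify_certificate(cert, "2018-10-15"))
    print(verify_certificate(swap_public_key(cert, [0xBAD, 65537]),
                             "2018-10-15"))
    print(verify_certificate(cert, "2020-01-01"))
```

A certificate whose public key is replaced after issuance fails verification because the CA's signature covers the identity and the key together, which is what lets a relying party trust the binding without contacting the subscriber.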

4. Certificate Policy

4.1 What are Certificate Policies (CP)?

Certifying Authorities issue Digital Certificates that are appropriate to specific purposes or
applications. Certificate Policies describe the different classes of certificates issued by the
CA, the procedures governing their issuance and revocation, the terms of usage of such
certificates and, among other things, the rules governing the different uses of these certificates.

4.2 What is a Certificate Practice Statement?

A statement of the practices which a certification authority employs in issuing and managing
certificates. A CPS may take the form of a declaration by the CA of the details of its
trustworthy system and the practices it employs in its operations and in support of issuance of
a certificate. A general CPS framework is given in the guidelines.
The term certification practice statement (CPS) is defined as "A statement of the practices
which a certification authority employs in issuing certificates."

A certification practice statement may take the form of a declaration by the certification
authority of the details of its trustworthy system and the practices it employs in its operations
and in support of issuance of a certificate, or it may be a statute or regulation applicable to the
certification authority and covering similar subject matter. It may also be part of the contract
between the certification authority and the subscriber. A certification practice statement may
also be comprised of multiple documents, a combination of public law, private contract,
and/or declaration.

Certain forms for legally implementing certification practice statements lend themselves to
particular relationships. The certification authority's duties to a relying person are generally
based on the certification authority's representations, which may include a certification
practice statement.

CONCLUSION
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act
of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. It is the primary law
in India dealing with cybercrime and electronic commerce. It is based on the United Nations
Model Law on Electronic Commerce 1996 (UNCITRAL Model) recommended by the
General Assembly of United Nations by a resolution dated 30 January 1997. A certifying
authority is an entity/authority in a network that issues digital signature certificates (DSCs) for
use by other parties (subscribers) and manages their security credentials. CAs are
characteristic of many public key infrastructure (PKI) schemes. As part of a public key
infrastructure, a CA checks with a Registration Authority (RA) to verify information provided
by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA
can then issue a certificate.

A Certifying Authority is a trusted body whose central responsibility is to issue, revoke,
renew and provide directories of Digital Certificates. In real meaning, the function of a
Certifying Authority is equivalent to that of the passport issuing office in the Government. A
passport is a citizen's secure document (a "paper identity"), issued by an appropriate
authority, certifying that the citizen is who he or she claims to be. Any other country trusting
the authority of that country's Government passport Office will trust the citizen's passport.
According to Section 24 under Information Technology Act 2000, "Certifying Authority"
means a person who has been granted a licence to issue Digital Signature Certificates.

Thus, it can be concluded that certifying authorities play a vital role in the issuance of Digital
Signature Certificates, a role that also extends to the validity and the suspension or revocation of
such Certificates.

REFERENCES

BOOKS

• The Information Technology Act, 2000 (Bare Act).
• Commentary on Information Technology Act, Apar Gupta, Lexis Nexis, 2nd Edition, 2011.
• Computers, Internet and New Technology Laws, Karnika Seth, Lexis Nexis, 2012.
• Cyber Law in India, Dr. Farooq Ahmad, New Era Law Publication, 4th Edition, 2012.

WEBSITES

• https://s3-ap-southeast-1.amazonaws.com/erbuc/files/5436_b7b04385-88aa-4acc-b8fc-c481bb056acb.pdf, 4th October, 2018.
• http://meity.gov.in/content/regulation-certifying-authorities, 4th October, 2018.
• http://cca.gov.in/cca/sites/default/files/files/rules.pdf, 4th October, 2018.
• http://www.notesbookcart.com/duties-certifying-authority-under-it-act-for-digital-signature-cs-notes/, 4th October, 2018.
