Unit 2 Certifying Authorities
Unit II: Regulation of Certifying Authorities (Chapter VI)
Public Key Infrastructure (PKI)
The Information Technology Act, 2000 was enacted by the Indian Parliament in June 2000. It was notified for implementation in October 2000 with the issuance of Rules under the Act. The purpose of the Act is to promote the use of digital signatures for the growth of E-Commerce and E-Governance. It provides legal recognition to electronic records and puts digital signatures at par with handwritten signatures. The Act defines the legal and administrative framework for the creation of a Public Key Infrastructure (PKI) in the country to generate trust in the electronic environment. To help establish the PKI in the country and ensure interoperability, technical standards have been framed in the Rules and Regulations under the Act.
The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under section 17 of the Act for the purposes of the IT Act. The Office of the CCA came into existence on November 1, 2000. The IT Act aims at promoting the growth of E-Commerce and E-Governance through the use of Electronic Signatures, including Public Key Cryptography based digital signatures.
The Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated at par with paper documents.
The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.
• The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to CAs in the country.
The future of e-commerce and e-governance depends on the trust that the transacting parties place in the security of transmission and the content of communication. Creating trust in the electronic environment involves assuring the transacting parties of the integrity and confidentiality of the content of documents, along with authentication of the sending and receiving parties in a manner that ensures that neither party can repudiate the transaction. The paper-based concepts of identification, declaration and proof are carried through the use of digital signatures in the electronic environment.
Digital signatures, a form of electronic signatures, are created and verified using Public Key Cryptography, which is based on the concept of a key pair, the public and private keys, generated by a mathematical algorithm.
The CCA licenses Certifying Authorities (CAs) and exercises supervision over their activities. It is required to certify the public keys of the CAs, lay down the standards to be maintained by the CAs and perform several other functions under section 18 of the Act to regulate the functioning of CAs in the country. The Certification Practice Statement (CPS) of the Controller of Certifying Authorities states how the PKI component(s) meet the assurance requirements defined in the Certificate Policy (CP), and also sets out the security controls, operational policy and procedures, and other matters relevant to the obligations and responsibilities of the CCA and CAs in accordance with the IT Act, Rules and Regulations.
• PKI refers to the entire organizational structure that is responsible for the establishment and maintenance of a reliable system of public key cryptography. It is defined under Schedule V of the Certifying Authority Rules 2000 as:
• “the architecture, organization, techniques, practices and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. It includes a set of policies, processes, server platforms, software and workstations used for the purposes of administering Digital Signature Certificate and keys”
• The purpose of the PKI is to generate trust in the electronic environment. In the absence of trust in the security of the transmission and the content of the communication, e-commerce and e-governance will not find acceptance among parties. The PKI is the medium that establishes the validity and legality of the digital signatures being used by subscribers and of the bodies issuing digital signatures to subscribers.
• It guarantees the authenticity of electronic signatures, and thereby the enforceability of the electronic transaction for which the signature is used. Its role in the electronic world is equivalent to that of a notary in the real world. The legal basis for the PKI in India is found under Chapter VI (Sections 17-35) of the IT Act, along with various rules issued by the Government.
• India's PKI is a hierarchical system with the trust chain starting from the Root Certifying Authority of India (RCAI). RCAI is operated by the Office of the Controller of Certifying Authorities, Government of India. Below RCAI there are Certifying Authorities (CAs) licensed by the CCA to issue Digital Signature Certificates under the provisions of the IT Act. These are also called Licensed CAs.
• Hierarchy of the PKI:
  • Controller of Certifying Authorities
  • Certifying Authorities
  • Subscriber
  • Relying Party (verifier)
At the top of the hierarchy is the Controller of Certifying Authorities, which licenses Certifying Authorities, which in turn issue digital signature certificates to subscribers. Under the IT Act, obligations have been imposed not only on the certifying authorities but also on the subscribers as well as the relying parties.
The CCA is at the root of the trust chain in India.
Use of PKI in e-governance
As the Government of India moves toward the implementation of E-Governance at various levels of Government functioning, authentication of information becomes a critical requirement. This section provides links to some e-governance sites in India which are using Digital Signatures.
E-Governance Sites
• Ministry of Corporate Affairs, Government of India
• E-Procurement Project of Government of Andhra Pradesh
• Indian Customs and Excise Gateway
• Karnataka Government e-Procurement System
• Directorate General of Supplies and Disposal
• Directorate General of Foreign Trade
Regulatory Authorities of the IT Act
Under the IT Act, 2000 there are two regulatory authorities:
- The Controller of Certifying Authorities (CCA)
- The Cyber Appellate Tribunal
Controller of Certifying Authorities
Section 2(1)(m) defines "Controller" as the Controller of Certifying Authorities appointed under Section 17(7). The CCA has set up two subsidiary bodies: the Root Certifying Authority of India and the National Repository of Digital Certificates.
The office of the Controller of Certifying Authorities is the focal point on which the IT Act operates. It is the statutory duty of the Controller to identify, apply and draw awareness regarding the application of specific forms of technology. The regulation of certifying authorities is a statutory function of the Controller of Certifying Authorities, which acts as an administrative authority rather than a quasi-judicial body.
Section 17
The office of the CCA has 3 main functional departments:
- Technology
- Finance and legal
- Investigation
The Controller of Certifying Authorities (Controller) is the apex body in the PKI hierarchy, appointed by the Central Government (section 17) for the supervision and control of the Certifying Authorities (CAs).
Office of the Controller of Certifying Authorities
Section 17(1) Appointment of Controller and other officers: The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers [, Assistant Controllers, other officers and employees] as it deems fit.
Section 17(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.
Section 17(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.
Section 17(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers [, Assistant Controllers, other officers and employees] shall be such as may be prescribed by the Central Government.
Section 17(5) The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit.
Section 17(6) There shall be a seal of the Office of the Controller.
Functions of the Controller of Certifying Authorities
Its functions include licensing of the CAs (Section 21), specifying the form and content of an electronic signature and key (Section 18(g)), laying down applicable standards for CAs (Section 18), recognition of foreign CAs (Section 19), etc.
Functions of the CCA
- Supervise the activities of the CA: Rule 31, “CA shall get its operations audited annually, half yearly by an auditor and submit its audit report to the Controller within 4 weeks of the completion of such audit.” Therefore, the CCA supervises the CA through such audit reports.
- Certify the public keys of the Certifying Authorities: the CCA has established the Root Certifying Authority of India to certify the public keys of all CAs in India. RCAI performs the following functions:
  - Issue of licence by means of an X.509 certificate
  - Digitally signing the public key of the licensed CA
  - Generating the CRLs for licences issued
  Rule 20(b), “The licensed Certifying Authority shall commence its commercial operation of generation and issue of Digital Signature only after it has generated its key pair, namely, private and corresponding public key, and submitted the public key to the Controller;”
Root Certifying Authority of India (RCAI)
The CCA has established the RCAI under section 18(b) of the IT Act to digitally sign the public keys of CAs in the country. The RCAI is operated as per the standards laid down under the Act.
The requirements fulfilled by the RCAI include the following:
- The licence issued to the CA is digitally signed by the CCA.
- All public keys corresponding to the signing private keys of a CA are digitally signed by the CCA.
- That these keys are signed by the CCA can be verified by a relying party through the CCA's website or the CA's own website.
Authorized CCA personnel initiate and perform Root CA functions in accordance with the Certification Practice Statement of the Root Certifying Authority of India. The term Root CA is used to refer to the total CA entity, including the software and its operations.
The Root Certifying Authority of India has been established by the Controller to perform its function of licensing CAs. This licensing is done through the issue of an X.509 certificate, known as a root certificate, which certifies the public keys of the CAs.
It is the highest level of certification in India. The licence of a CA can be verified by a subscriber through this certificate on the website of the Controller.
The RCAI issues the ‘Certification Practice Statement’, which is adopted by the Controller and is defined as:
“Certification Practice Statement means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Electronic Signature Certificates”
Certification Practice Statement of RCAI
The CPS is a comprehensive document on the policies adopted for the issuance and management of digital signature services. It provides the following information:
- Statement of how the PKI component(s) meet the assurance requirements for a digital signature certificate
- Security control measures
- Operational policy and procedures
- Other matters relevant to the obligations and responsibilities of the Controller and CAs in accordance with the IT Act, Rules and Regulations
Functions of the CCA
- Lays down the standards to be maintained by the Certifying Authority: Rule 6 refers to the standards for the different activities associated with CA functions.
- Specifies the qualifications and experience which employees of the CA should possess:
  - A person with a criminal background must not be an employee of the CA.
  - Each organization shall designate a properly trained ‘system administrator’ who will ensure that the protective security measures of the system are functional.
  - Role of the Network administrator, who will be responsible for the operation, monitoring, security and functioning of the network.
- Specifies the contents of written, printed or visual materials and advertisements that may be distributed or used by the CA in respect of an Electronic Signature Certificate and the public key.
- Specifies the form and content of the ESC and keys:
  - Rule 7, “All Digital Signature Certificates issued by the Certifying Authorities shall conform to ITU X.509 version 3 standard and shall inter alia contain the following data, namely:-
  (a) Serial Number (assigning of serial number to the Digital Signature Certificate by Certifying Authority to distinguish it from other certificate);
  (b) Signature Algorithm Identifier (which identifies the algorithm used by Certifying Authority to sign the Digital Signature Certificate);
  (c) Issuer Name (name of the Certifying Authority who issued the Digital Signature Certificate);
  (d) Validity period of the Digital Signature Certificate;
  (e) Name of the subscriber (whose public key the Certificate identifies); and
  (f) Public Key information of the subscriber.”
- Specifies the form and manner in which accounts shall be maintained by the Certifying Authorities:
  - Every CA shall comply with all the financial parameters during the period of validity of the licence issued.
  - Any loss to the subscriber which is attributable to the CA shall be undone by the CA.
- Specifies the terms and conditions subject to which auditors may be appointed by the CA and the remuneration to be paid to them.
- Facilitates the establishment of any electronic system by a CA, either solely or jointly with other CAs, and the regulation of such systems.
- Specifies the manner in which the CAs shall conduct their dealings with the subscribers:
  - A CA shall have to comply with the procedures of generation, issue, archival, compromise and revocation of DSCs as defined in its CPS.
  - Rule 21, ‘they have to notify its Subscribers about its cessation as CA’
- Resolves any conflict of interests between the CAs and the Subscribers:
  - Rule 12, “any dispute arising as a result of any such arrangement between the Certifying Authorities; or between Certifying Authorities or Certifying Authority and the Subscriber, shall be referred to the Controller for arbitration or resolution.”
  - Dispute Resolution Procedures: The CCA can mediate between CAs and subscribers directly or through an arbitrator.
  - Appeal: though the CCA is competent under clause 18(1) to resolve any dispute between CAs and subscribers, the Cyber Appellate Tribunal is the competent court to decide appeals filed by an individual aggrieved by an order of the CCA.
- Maintaining the database containing the disclosure record of every CA, containing particulars which are accessible to the public.
  Rule 22: The Controller shall maintain a database of the disclosure record of every Certifying Authority, Cross Certifying Authority and Foreign Certifying Authority, containing inter alia the following details:
  (a) the name of the person/names of the Directors, nature of business, Income-tax Permanent Account Number, web address, if any, office and residential address, location of facilities associated with functions of generation of Digital Signature Certificate, voice and facsimile telephone numbers, electronic mail address(es), administrative contacts and authorized representatives;
  (b) the public key(s), corresponding to the private key(s) used by the Certifying Authority and recognized foreign Certifying Authority to digitally sign Digital Signature Certificate;
  (c) current and past versions of Certification Practice Statement of Certifying Authority;
  (d) time stamps indicating the date and time of-
    (i) grant of licence;
    (ii) confirmation of adoption of Certification Practice Statement and its earlier versions by Certifying Authority;
    (iii) commencement of commercial operations of generation and issue of Digital Signature Certificate by the Certifying Authority;
    (iv) revocation or suspension of licence of Certifying Authority;
    (v) commencement of operation of Cross Certifying Authority;
    (vi) issue of recognition of foreign Certifying Authority;
    (vii) revocation or suspension of recognition of foreign Certifying Authority.
- Recognition of Foreign CAs, Section 19(1): Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.
  (2) Where any Certifying Authority is recognised under sub-section (1), the Electronic Signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.
  (3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.
CCA to act as National Repository of Digital Certificates
Earlier the CCA was maintaining two online Repositories:
- The National Repository of Digital Certificates (NRDC)
- Certificate Suspension and Revocation Lists (CSRLs)
The National Repository of Digital Certificates was set up under Section 20 of the IT Act, which was later omitted by the Amendment Act. This repository contains all the digital signature certificates issued by the RCAI and by Licensed CAs. It also maintains the corresponding CRLs issued by them. These certificates and CRLs are to be submitted to the NRDC on a weekly basis. The duties of the NRDC are:
- Publishing self-signed certificates of RCAI
- Publishing public key certificates of the licensed CAs
- Publishing CRLs issued by RCAI
- Publishing the CPS of RCAI and CAs
After the repeal of section 20, the CCA maintains the repository of renewed and expired CA certificates as per section 26.
Now the burden of maintaining repositories is on the Licensed CA as per section 26:
- Digital/Electronic Signature Certificates
- Certificate Revocation List of DSCs/ESCs
Therefore, where a DSC has been suspended or revoked, the CA shall publish the notice of suspension or revocation in the repositories.
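The trust chain laid out above (RCAI certifies a licensed CA, the licensed CA issues the subscriber's DSC, and the relying party verifies the chain and consults the CA's published revocation list), together with the Rule 7 certificate contents, worked through in Go's standard crypto/x509 package. This is an added example, not code from the page or from the CCA; the names, serial numbers, validity periods and the choice of ECDSA P-256 keys are constructed assumptions, and fetching the CRL from a repository is replaced by passing its DER bytes directly.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the Act's trust chain: root (RCAI, run by the CCA) -> licensed CA -> subscriber DSC. All constructed.
type Hierarchy struct {
	Root, CA, Subscriber *x509.Certificate
	caKey                *ecdsa.PrivateKey // the licensed CA's signing key (signs DSCs and its CRL)
}

// issue generates a key pair and certifies it in an X.509 v3 certificate carrying the Rule 7 items (serial, signature algorithm, issuer, validity, subscriber name, public key); parent == nil gives the self-signed root.
func issue(serial int64, cn string, now time.Time, years int, ca bool,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Country: []string{"IN"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, // signing, non-repudiation
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // the root certifies its own key
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy issues the three certificates; a CA licence runs five years (Section 21(3)), the DSC two.
func BuildHierarchy(now time.Time) (*Hierarchy, error) {
	root, rootKey, err := issue(1, "RCAI (constructed example)", now, 10, true, nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := issue(2, "Licensed CA (constructed example)", now, 5, true, root, rootKey)
	if err != nil {
		return nil, err
	}
	sub, _, err := issue(1001, "Subscriber (constructed example)", now, 2, false, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, CA: ca, Subscriber: sub, caKey: caKey}, nil
}

// IssueCRL has the licensed CA publish its CRL (Section 26 duty); NextUpdate a week out mirrors the weekly submission.
func IssueCRL(h *Hierarchy, now time.Time, revoked ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, h.CA, h.caKey)
}

// VerifyDSC is the relying party's check: chain DSC -> licensed CA -> root, then a current CA-signed CRL must not list it.
func VerifyDSC(h *Hierarchy, crlDER []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(h.Root)
	opts.Intermediates.AddCert(h.CA)
	if _, err := h.Subscriber.Verify(opts); err != nil {
		return fmt.Errorf("DSC does not chain to the root: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(h.CA); err != nil {
		return fmt.Errorf("CRL not signed by the licensed CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired on %v; fetch a current one from the repository", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(h.Subscriber.SerialNumber) == 0 {
			return fmt.Errorf("DSC serial %v revoked at %v", rc.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}
```

VerifyDSC rejects a DSC whose CA was never certified by the root, one whose serial number appears on the CA's CRL, and any check made after the CRL's NextUpdate has passed.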
The CCAs have following power:
-Power relating to License (Section
21-26)
-Power to delegate (Section 27)
-Power to investigate Contraventions
Powers of the (Section 28)
CCA -Power to access computers and data
(Section 29)
-Power to give directions to CAs
(Section 68)
-Power to make regulations (Section
89)
Power relating to Licence
Licence to issue [electronic signature] Certificates - Section 21:
The CCA has the power to issue a licence to a CA which issues ESCs to subscribers.
Who can apply for a licence, Section 21(1): Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for a licence to issue [electronic signature] Certificates.
Requirement for granting a licence, Section 21(2): No licence shall be issued under sub-section (1), unless the applicant fulfils such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue [electronic signature] Certificates as may be prescribed by the Central Government.
Validity period of a licence, Section 21(3): A licence granted under this section shall— (a) be valid for such period as may be prescribed by the Central Government, i.e. 5 years; (b) not be transferable or heritable; (c) be subject to such terms and conditions as may be specified by the regulations.
Application for licence - Section 22
Application in prescribed form, Section 22(1): Every application for issue of a licence shall be in such form as may be prescribed by the Central Government.
Documents to be attached with the application, Section 22(2) and Rule 10: Every application for issue of a licence shall be accompanied by—
(a) a certification practice statement;
(b) a statement including the procedures with respect to identification of the applicant;
(c) payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government (Rule 11);
(d) such other documents, as may be prescribed by the Central Government under Rule 10.
Rule 10 Submission of Application: Every application for a licensed Certifying Authority shall be made to the Controller,-
(i) in the form given at Schedule-I; and
(ii) in such manner as the Controller may, from time to time, determine, supported by such documents and information as the Controller may require and it shall inter alia include-
(a) a Certification Practice Statement (CPS);
(b) a statement including the procedures with respect to identification of the applicant;
(c) a statement for the purpose and scope of anticipated Digital Signature Certificate technology, management, or operations to be outsourced;
(d) certified copies of the business registration documents of Certifying Authority that intends to be licensed;
(e) a description of any event, particularly current or past insolvency, that could materially affect the applicant's ability to act as a Certifying Authority;
(f) an undertaking by the applicant that to its best knowledge and belief it can and will comply with the requirements of its Certification Practice Statement;
(g) an undertaking that the Certifying Authority's operation would not commence until its operation and facilities associated with the functions of generation, issue and management of Digital Signature Certificate are audited by the auditors and approved by the Controller in accordance with rule 20;
(h) an undertaking to submit a performance bond or banker's guarantee in accordance with sub-rule (2) of rule 8 within one month of Controller indicating his approval for the grant of licence to operate as a Certifying Authority;
(i) any other information required by the Controller.
Renewal of licence - Section 23
An application for renewal of a licence shall be—
(a) in such form as may be prescribed by the Central Government, i.e. the Form mentioned in Schedule I;
(b) accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the Central Government (Rule 11);
(c) made not less than forty-five days before the date of expiry of the period of validity of the licence.
The provisions of Rules 8-13 apply to the renewal of a licence as they apply to a fresh application. Further, such an application may be submitted in electronic form subject to such requirements as the CCA may deem fit (Rule 15).
Procedure for grant or rejection of Licence (Section 24)
The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the documents accompanying the application and such other factors, as he deems fit, grant the licence or reject the application.
Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.
Granting of Licence (Rule 16(1)): Within four weeks from the date of receipt of the application and after considering the documents accompanying the application and such other factors as he may deem fit, the Controller may grant or renew the licence or reject the application.
Exception: In exceptional circumstances and for reasons to be recorded in writing, the period of four weeks may be extended to such period, not exceeding eight weeks in all, as the Controller may deem fit.
Performance bond and an agreement with the Controller (Rule 16(2))
Where the application for a licensed Certifying Authority is approved, the applicant shall:
1) Submit a performance bond or furnish a banker’s guarantee within one month from the date of such approval to the Controller in accordance with Rule 8(2); and
2) Give an undertaking to the Controller of CAs to bind himself to comply with the terms and conditions of the licence and the provisions of the Act and the rules made thereunder.
Rejection of licence or refusal of Licence (Rule 17)
The Controller of Certifying Authorities may refuse to grant or renew a licence if:
1) the applicant has not provided the Controller of Certifying Authorities with such information relating to its business and to any circumstances likely to affect its method of conducting business as the Controller of Certifying Authorities may require; or
2) the applicant is in the course of being wound up or liquidated; or
3) a receiver has, or a receiver and manager have, been appointed by the Court in respect of the applicant; or
4) the applicant or any trusted person has been convicted, whether in India or out of India, of an offence the conviction for which involved a finding that it or such trusted person acted fraudulently or dishonestly, or has been convicted of an offence under this Act or these rules; or
5) the CCA has invoked the performance bond or banker’s guarantee; or
6) a CA commits breach of, or fails to observe and comply with, the procedures and practices as per the CPS; or
7) a CA fails to conduct, or does not submit, the returns of the audit in accordance with rule 31; or
8) the audit report recommends that the CA is not worthy of continuing the CA’s operation; or
9) a CA fails to comply with the directions of the Controller.
A reasonable opportunity of being heard: no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.
Suspension or Revocation of Licence (Section 25)
The Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence under sub-section (1), by order suspend such licence pending the completion of any enquiry ordered by him.
The licence granted to the persons referred to under rule 8(1)(a)(c) (individual, firm and company) shall stand suspended when the performance bond submitted or the banker’s guarantee furnished by such persons is invoked under rule 8(2) (Rule 14(2)).
A reasonable opportunity of being heard: No licence shall be suspended for a period exceeding ten days unless the CA has been given a reasonable opportunity of showing cause against the proposed suspension.
No ESC during suspension (Section 25(3)): The CA whose licence has been suspended shall not issue any ESC during such suspension.
Revocation of Licence (Section 25(1))
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has—
(a) made a statement in, or in relation to, the application for the issue or renewal of the licence, which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the licence was granted;
(c) failed to maintain the procedures and standards specified in section 30;
(d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the licence:
Provided that no licence shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.
Notice of Suspension or Revocation of Licence (Section 26)
(1) Where the licence of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the data base maintained by him.
(2) Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories.
Provided that the data base containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock.
Provided further that the Controller may, if he considers necessary, publicize the contents of data base in such electronic or other media, as he may consider appropriate.
Power to delegate (Section 27)
The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter.
Power to investigate contraventions (Section 28)
(1) The Controller or any officer authorised by him in this behalf shall take up for investigation any contravention of the provisions of this Act, rules or regulations made thereunder.
(2) The Controller or any officer authorised by him in this behalf shall exercise powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 (43 of 1961), and shall exercise such powers, subject to such limitations laid down under that Act.
Access to computers and data (Section 29)
(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that [any contravention of the provisions of this Chapter] has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.
(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by order, direct any person in charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.
Powers of the CCA: Power of Controller to give directions (Section 68)
(1) The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made thereunder.
(2) Any person who intentionally or knowingly fails to comply with any order under sub-section (1) shall be guilty of an offence and shall be liable on conviction to imprisonment for a term not exceeding two years or a fine not exceeding one lakh rupees or with both.
Powers of the CCA: Power of Controller to make regulations (Section 89)
(1) The Controller may, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette, make regulations consistent with this Act and the rules made thereunder to carry out the purposes of this Act.
(2) In particular, and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:
(a) the particulars relating to maintenance of data base containing the disclosure record of every Certifying Authority under clause (n) of section 18;
(b) the conditions and restrictions subject to which the Controller may recognise any foreign Certifying Authority under sub-section (1) of section 19;
(c) the terms and conditions subject to which a licence may be granted under clause (c) of sub-section (3) of section 21;
(d) other standards to be observed by a Certifying Authority under clause (d) of section 30;
(e) the manner in which the Certifying Authority shall disclose the matters specified in sub-section (1) of section 34;
(f) the particulars of statement which shall accompany an application under sub-section (3) of section 35;
(g) the manner by which the subscriber shall communicate the compromise of private key to the Certifying Authority under sub-section (2) of section 42.
Certifying Authority
A Certifying Authority is a body that has been authorised by the Controller to issue electronic signature certificates to subscribers. It is defined under Section 2(1)(g) as:
"Certifying Authority means a person who has been granted a licence to issue an Electronic Signature Certificate under section 24."
The Controller certifies a licensed CA's public key under its own root certificate (the Root Certifying Authority of India, RCAI); this is what allows a relying party to chain a subscriber's certificate back to a trusted root. Thereafter the CA plays two key roles in the PKI system:
- it issues electronic signature certificates (DSC/ESC) to subscribers, binding each subscriber's identity to a public key;
- it enables the recipient of a signed record (the relying party) to verify the subscriber's digital signature, by publishing the subscriber's certificate and its current status (including any suspension or revocation) in its repository.
Licensing of Certifying Authority
The procedure for the licensing of CAs, as laid down under the IT Act (Sections 21-34) and the Certifying Authorities Rules, 2000 (Rules 8-22), is as follows.
Rule 8: A government department or any individual, firm or company may apply for a licence to issue DSC/ESC. The following are eligible to make an application:
- an individual, being a citizen of India, with a capital of not less than Rs 5 crore in his business or profession;
- a company having paid up capital of not less than 5 crore rupees and net worth of not less than 50 crore rupees;
- a firm having capital subscribed by all partners of not less than 5 crore rupees and net worth of not less than 50 crore rupees;
- the central or a state government, or any ministry, department or agency thereof.
Performance bond in the form of a banker's guarantee (Rule 8(2))
The applicant being an individual, or a company, or a firm under sub-rule (1), shall submit a performance bond or furnish a banker's guarantee from a scheduled bank in favour of the Controller in such form and in such manner as may be approved by the Controller for an amount of not less than five crores of rupees, and the performance bond or banker's guarantee shall remain valid for a period of six years from the date of its submission:
Provided that the company and firm referred to in the second proviso to clause (b) and the second proviso to clause (c) of sub-rule (1) shall submit a performance bond or furnish a banker's guarantee for ten crores of rupees:
Provided further that nothing in the first proviso shall apply to the company or firm after it has acquired or has its net worth of fifty crores of rupees.
Invocation of the performance bond or banker's guarantee (Rule 8(3))
Without prejudice to any penalty which may be imposed or prosecution may be initiated for any offence under the Act or any other law for the time being in force, the performance bond or banker's guarantee may be invoked:
(a) when the Controller has suspended the licence under sub-section (2) of section 25 of the Act; or
(b) for payment of an offer of compensation made by the Controller; or
(c) for payment of liabilities and rectification costs attributed to the negligence of the Certifying Authority, its officers or employees; or
(d) for payment of the costs incurred in the discontinuation or transfer of operations of the licensed Certifying Authority, if the Certifying Authority's licence or operations is discontinued; or
(e) any other default made by the Certifying Authority in complying with the provisions of the Act or rules made thereunder.
Cross Certification (Rule 12)
(1) The licensed Certifying Authority shall have arrangement for cross certification with other licensed Certifying Authorities within India which shall be submitted to the Controller before the commencement of their operations as per rule 20:
Provided that any dispute arising as a result of any such arrangement between the Certifying Authorities; or between Certifying Authorities or Certifying Authority and the Subscriber, shall be referred to the Controller for arbitration or resolution.
(2) The arrangement for Cross Certification by the licensed Certifying Authority with a Foreign Certifying Authority along with the application, shall be submitted to the Controller in such form and in such manner as may be provided in the regulations made by the Controller; and the licensed Certifying Authority shall not commence cross certification operations unless it has obtained the written or digital signature approval from the Controller.
Licensing of Certifying Authority: the application
- Before making the application, the applicant is required to have the entire required infrastructure (qualification, expertise, manpower, financial resources and other facilities) in place (Section 21(2)).
- The applicant has to make an application in the prescribed form (Form under Schedule I) to the Controller for a licence to issue electronic signature certificates (Section 22).
Certifying Authority: Obligations
In order to perform these roles in a secure manner, the following obligations have been imposed on the CA:
- protect its private (certificate-signing) key;
- maintain a website and publish its licence, the subscribers' certificates and the CRLs (certificate revocation lists);
- publish the name and contact information of the party responsible for the CA;
- in case of a compromise of its signing key, immediately revoke all subscriber certificates, publish the details in the CRL and report to the RCAI;
- have its CPS (Certification Practice Statement) approved by the Controller;
- update its CPS in accordance with the Controller's guidelines and policy changes;
- perform its operations as a CA as per the Interoperability Guidelines.
Licensing of Certifying Authority: grant, validity and revocation of the licence
- The application shall be accompanied by such documents as are required by the CCA and as are prescribed under Section 22 of the IT Act and Rule 10 of the Certifying Authorities Rules, 2000.
- On examination of the application and after the conduct of an audit by an empanelled auditor, the Controller may grant the licence.
- The licence is non-transferable and non-heritable and is valid for a period of five years (Section 21(3) read with Rule 13).
- The Controller may revoke the licence of a CA (Section 25) for:
i) making a statement, in or in relation to the application, which is incorrect or false in material particulars;
ii) non-compliance with the terms and conditions subject to which the licence was granted;
iii) failure to maintain the standards specified under Section 30 of the Act;
iv) contravention of any provision of the Act, rule, regulation or order made thereunder.
List of Certifying Authorities licensed by the CCA:
1. SafeScrypt
2. IDRBT
3. (n)Code Solutions
4. e-Mudhra
5. CDAC
6. Capricorn
7. NSDL e-Gov
8. Vsign (Verasys)
9. Indian Air Force
10. CSC
11. RISL (RajComp)
12. Indian Army
13. IDSign
14. CDSL Ventures
15. Panta Sign
Role of the Certifying Authority: Commencement of operation by licensed Certifying Authorities (Rule 20)
The licensed Certifying Authority shall commence its commercial operation of generation and issue of Digital Signature Certificates only after:
(a) it has confirmed to the Controller the adoption of Certification Practice Statement;
(b) it has generated its key pair, namely, private and corresponding public key, and submitted the public key to the Controller;
(c) the installed facilities and infrastructure associated with all functions of generation, issue and management of Digital Signature Certificate have been audited by the accredited auditor in accordance with the provisions of rule 31; and
(d) it has submitted the arrangement for cross certification with other licensed Certifying Authorities within India to the Controller.
In addition, it must submit its Information Technology and Security Policy to the Controller before commencement of operation (Rule 19(3)).
Role of the Certifying Authority: Procedures to be followed (Section 30)
Every Certifying Authority shall:
(a) make use of hardware, software and procedures that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured;
(ca) be the repository of all electronic signature Certificates issued under this Act;
(cb) publish information regarding its practices, electronic signature Certificates and current status of such certificates; and
(d) observe such other standards as may be specified by regulations.
Role of the Certifying Authority: Ensuring compliance with the Act (Section 31)
Every Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made thereunder.
Role of the Certifying Authority: Display of licence (Section 32)
Every Certifying Authority shall display its licence at a conspicuous place of the premises in which it carries on its business.
Role of the Certifying Authority: Renewal of licence (Section 23)
An application for renewal of a licence shall be:
(a) in such form (Schedule I); and
(b) accompanied by such fees, not exceeding five thousand rupees,
as may be prescribed by the Central Government, and shall be made not less than forty-five days before the date of expiry of the period of validity of the licence.
Role of the Certifying Authority: Surrender of licence (Section 33)
(1) Every Certifying Authority whose licence is suspended or revoked shall, immediately after such suspension or revocation, surrender the licence to the Controller.
(2) Where any Certifying Authority fails to surrender a licence under sub-section (1), the person in whose favour a licence is issued shall be guilty of an offence and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both.
Role of the Certifying Authority: Disclosure (Section 34)
(1) Every Certifying Authority shall disclose in the manner specified by regulations:
(a) its electronic signature Certificate;
(b) any certification practice statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying Authority certificate, if any; and
(d) any other fact that materially and adversely affects either the reliability of an electronic signature Certificate which that Authority has issued, or the Authority's ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which an electronic signature Certificate was granted, then the Certifying Authority shall:
(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or
(b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation.
Example: where a virus or other malware has affected the electronic infrastructure of the CA, it must act immediately and inform the persons who are likely to be affected by the occurrence.
Role of the Certifying Authority: Security Guidelines (Rule 19)
(1) The Certifying Authorities shall have the sole responsibility of integrity, confidentiality and protection of information and information assets employed in its operation, considering classification, declassification, labeling, storage, access and destruction of information assets according to their value, sensitivity and importance of operation.
(2) Information Technology Security Guidelines and Security Guidelines for Certifying Authorities aimed at protecting the integrity, confidentiality and availability of service of Certifying Authority are given in Schedule-II and Schedule-III respectively.
(3) The Certifying Authority shall formulate its Information Technology and Security Policy for operation complying with these guidelines and submit it to the Controller before commencement of operation:
Provided that any change made by the Certifying Authority in the Information Technology and Security Policy shall be submitted by it within two weeks to the Controller.
Role of the Certifying Authority: Audit (Rule 31)
(1) The Certifying Authority shall get its operations audited annually by an auditor and such audit shall include inter alia:
(i) security policy and planning;
(ii) physical security;
(iii) technology evaluation;
(iv) Certifying Authority's services administration;
(v) relevant Certification Practice Statement;
(vi) compliance to relevant Certification Practice Statement;
(vii) contracts/agreements;
(viii) regulations prescribed by the Controller;
(ix) policy requirements of Certifying Authorities Rules, 2000.
(2) The Certifying Authority shall conduct:
(a) half yearly audit of the Security Policy, physical security and planning of its operation;
(b) a quarterly audit of its repository.
(3) The Certifying Authority shall submit a copy of each audit report to the Controller within four weeks of the completion of such audit and, where irregularities are found, the Certifying Authority shall take immediate appropriate action to remove such irregularities.
Auditor's relationship with Certifying Authority (Rule 32)
(1) The auditor shall be independent of the Certifying Authority being audited and shall not be a software or hardware vendor which is, or has been, providing services or supplying equipment to the said Certifying Authority.
(2) The auditor and the Certifying Authority shall not have any current or planned financial, legal or other relationship, other than that of an auditor and the audited party.
Role of the Certifying Authority: Requirements prior to cessation as Certifying Authority (Rule 21)
Before ceasing to act as a Certifying Authority, a Certifying Authority shall:
(a) give notice to the Controller of its intention to cease acting as a Certifying Authority: Provided that the notice shall be made ninety days before ceasing to act as a Certifying Authority or ninety days before the date of expiry of licence;
(b) advertise sixty days before the expiry of licence or ceasing to act as Certifying Authority, as the case may be, the intention in such daily newspaper or newspapers and in such manner as the Controller may determine;
(c) notify its intention to cease acting as a Certifying Authority to the subscriber and Cross Certifying Authority of each unrevoked or unexpired Digital Signature Certificate issued by it: Provided that the notice shall be given sixty days before ceasing to act as a Certifying Authority or sixty days before the date of expiry of unrevoked or unexpired Digital Signature Certificate, as the case may be;
(d) the notice shall be sent to the Controller, affected subscribers and Cross Certifying Authorities by digitally signed e-mail and registered post;
(e) revoke all Digital Signature Certificates that remain unrevoked or unexpired at the end of the ninety days notice period, whether or not the subscribers have requested revocation;
(f) make a reasonable effort to ensure that discontinuing its certification services causes minimal disruption to its subscribers and to persons duly needing to verify digital signatures by reference to the public keys contained in outstanding Digital Signature Certificates;
(g) make reasonable arrangements for preserving the records for a period of seven years;
(h) pay reasonable restitution (not exceeding the cost involved in obtaining the new Digital Signature Certificate) to subscribers for revoking the Digital Signature Certificates before the date of expiry;
(i) after the date of expiry mentioned in the licence, the Certifying Authority shall destroy the certificate-signing private key and confirm the date and time of destruction of the private key to the Controller.
Electronic Signature Certificate
An ESC is issued by the CA to the subscriber. Any subscriber holding an ESC can electronically sign an electronic record.
Section 2(1)(zg) defines "subscriber" as a person in whose name the ESC is issued. Any person can become a subscriber.
Subscriber
At the bottom of the PKI hierarchy is the subscriber. The subscriber is under the obligations (Sections 40-42) of obtaining a valid DSC/ESC from a licensed CA and thereafter maintaining its authenticity by suitably protecting the private key, and of communicating any compromise of that key to the CA without delay (Section 42(2)).
A DSC acts as proof linking a particular subscriber to a particular key pair.
Thus the DSC/ESC enables a relying party to identify the subscriber, obtain the public key used by him, and verify that the DSC is genuine by checking the issuing CA's signature on it with the CA's public key (which is in turn certified by the CCA). The relying party, before relying on the digital signature, should also verify the purpose of the DSC, its validity period, key usage and class, and confirm from the CA's CRL that the DSC has not been suspended or revoked. Once verified, both the relying party and the subscriber are bound by the electronic transaction.
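As an added example (not part of the slides, and not the code of the CCA or of any licensed CA), the following Go program builds a hypothetical three-level hierarchy with the standard library's crypto/x509 package: a self-signed root standing in for the CCA certifying a CA's public key, a licensed CA certificate with a five-year term, and a subscriber certificate with a two-year designated expiry and a pointer to the CA's CRL (the repository reference that Rule 23(d), below, requires). It then performs the relying-party checks listed above: chain to the trusted root, validity period at the time of checking, key usage suitable for signing, and revocation status against the CA's signed CRL, including the case where the CA has revoked the certificate after a key-compromise report and the case where the certificate has passed its expiry date. All names, serial numbers and the CRL URL (crl.example.invalid) are placeholders; ECDSA P-256 keys are used for brevity and the checks do not depend on the key algorithm. It needs Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI: hypothetical root (CCA role), licensed CA and subscriber; names and URL are placeholders.
type demoPKI struct {
	root, ca, sub *x509.Certificate
	caKey         *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// mkCert signs tmpl under parent with the parent's private key and parses the result back.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func certTemplate(serial int64, cn string, years int, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(years, 0, 0)}
}

func buildPKI(now time.Time) demoPKI {
	rootKey, caKey, subKey := newKey(), newKey(), newKey()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	rootT := certTemplate(1, "Demo Root (hypothetical)", 10, now)
	rootT.IsCA, rootT.BasicConstraintsValid, rootT.KeyUsage = true, true, caUsage
	root := mkCert(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed
	caT := certTemplate(2, "Demo Licensed CA (hypothetical)", 5, now) // licence term: five years
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, caUsage
	ca := mkCert(caT, root, &caKey.PublicKey, rootKey)
	subT := certTemplate(1001, "Demo Subscriber (hypothetical)", 2, now) // designated expiry, Rule 23(j)
	subT.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	subT.CRLDistributionPoints = []string{"http://crl.example.invalid/demo-ca.crl"} // Rule 23(d); placeholder URL
	return demoPKI{root: root, ca: ca, sub: mkCert(subT, ca, &subKey.PublicKey, caKey), caKey: caKey}
}

// issueCRL is the list the CA publishes; it stays empty until the CA revokes a certificate (e.g. Section 42(2) report).
func issueCRL(p demoPKI, number int64, now time.Time, revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, p.ca, p.caKey))
}

// verifySubscriber performs the relying-party checks named in the text: chain to the trusted root
// through the licensed CA, validity period at time `at`, key usage, and revocation status via the CRL.
func verifySubscriber(p demoPKI, crlDER []byte, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.ca)
	if _, err := p.sub.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain or validity period: %w", err)
	}
	if p.sub.KeyUsage&x509.KeyUsageDigitalSignature == 0 || len(p.sub.CRLDistributionPoints) == 0 {
		return fmt.Errorf("certificate %s lacks the digitalSignature key usage or a CRL distribution point", p.sub.Subject.CommonName)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// The CRL must carry the issuing CA's signature and must not be past its nextUpdate.
	if err := crl.CheckSignatureFrom(p.ca); err != nil || at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (signature error: %v; nextUpdate %s)", err, crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.sub.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %d revoked at %s", rc.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// runScenario returns the outcome for a fresh certificate (nil), after the CA revokes it, and after its expiry.
func runScenario() (fresh, afterRevocation, afterExpiry error) {
	now := time.Now()
	p := buildPKI(now)
	fresh = verifySubscriber(p, issueCRL(p, 1, now), now)
	afterRevocation = verifySubscriber(p, issueCRL(p, 2, now, p.sub), now)
	afterExpiry = verifySubscriber(p, issueCRL(p, 3, now), now.AddDate(3, 0, 0))
	return
}
```

Two points a practitioner should take from running `runScenario`: a certificate that chains correctly is still unusable once it appears on the CA's CRL, so the relying party must fetch the CRL from the location named in the certificate rather than trust the chain alone; and a CRL is only good until its nextUpdate, so a stale list must be rejected rather than read as "nothing revoked".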
Procedure for issue of DSC/ESC to a Subscriber
Any person can apply to a CA through its Registration Authority for a DSC/ESC. The Registration Authority is the body of the CA which interacts with subscribers for the provision of CA services: it receives applications and carries out the subscriber identity verification, while the CA itself generates and signs the certificate.
The procedure for the issue of DSCs is prescribed under the IT Act (Sections 35-39) and the CA Rules (Rules 23-29).
Certifying Authority to issue electronic signature Certificate (Section 35)
(1) Any person may make an application to the Certifying Authority for the issue of an electronic signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.
- The application can be made by any person and shall be in the application form provided by the CA (Schedule IV: Form A where the applicant is in the government or banking sector, Form B where the applicant is any person other than government and banking sector) (Rule 3 read with Section 35), accompanied by:
i) the prescribed fee as per the class of the applicant, not exceeding 25,000 rupees;
ii) a CPS, or where there is no such CPS, a statement containing such particulars as specified by regulations.
- A CA may charge different fees for different certificates on the basis of assurance level (class).
- DSCs are usually issued for one to two years.
- On expiry of a DSC, application may be made for its re-issue (Rule 26).
Documents to be attached with the application (Section 35(3))
Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations.
Granting of ESC (Section 35(4) read with Rule 23)
On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the electronic signature Certificate or, for reasons to be recorded in writing, reject the application:
Provided that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.
Rule 23 provides for the issue of DSC/ESC:
The Certifying Authority shall, for issuing the Digital Signature Certificates, while complying with the provisions of section 35 of the Act, also comply with the following, namely:
(a) the Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the same has been approved by it:
Provided that the application Form contains, inter alia, the particulars given in the model Form given in Schedule-IV;
(b) no interim Digital Signature Certificate shall be issued;
(c) the Digital Signature Certificate shall be generated by the Certifying Authority upon receipt of an authorised and validated request for:
(i) new Digital Signature Certificates;
(ii) Digital Signature Certificates renewal;
(d) the Digital Signature Certificate must contain or incorporate, by reference, such information as is sufficient to locate or identify one or more repositories in which revocation or suspension of the Digital Signature Certificate will be listed, if the Digital Signature Certificate is suspended or revoked;
(e) the subscriber identity verification method employed for issuance of Digital Signature Certificate shall be specified in the Certification Practice Statement and shall be subject to the approval of the Controller during the application for a licence;
(f) where the Digital Signature Certificate is issued to a person (referred to in this clause as a New Digital Signature Certificate) on the basis of another valid Digital Signature Certificate held by the said person (referred to in this clause as an Originating Digital Signature Certificate) and subsequently the originating Digital Signature Certificate has been suspended or revoked, the Certifying Authority that issued the new Digital Signature Certificate shall conduct investigations to determine whether it is necessary to suspend or revoke the new Digital Signature Certificate;
(g) the Certifying Authority shall provide a reasonable opportunity for the subscriber to verify the contents of the Digital Signature Certificate before it is accepted;
(h) if the subscriber accepts the issued Digital Signature Certificate, the Certifying Authority shall publish a signed copy of the Digital Signature Certificate in a repository;
(i) where the Digital Signature Certificate has been issued by the licensed Certifying Authority and accepted by the subscriber, and the Certifying Authority comes to know of any fact, or otherwise, that affects the validity or reliability of such Digital Signature Certificate, it shall notify the same to the subscriber immediately;
(j) all Digital Signature Certificates shall be issued with a designated expiry date.
Generation of Digital Signature Certificate (Rule 24)
The generation of the Digital Signature Certificate shall involve:
(a) receipt of an approved and verified Digital Signature Certificate request;
(b) creating a new Digital Signature Certificate;
(c) binding the key pair associated with the Digital Signature Certificate to a Digital Signature Certificate owner;
(d) issuing the Digital Signature Certificate and the associated public key for operational use;
(e) a distinguished name associated with the Digital Signature Certificate owner; and
(f) a recognized and relevant policy as defined in Certification Practice Statement.
Issue of Digital Signature Certificate (Rule 25)
Before the issue of the Digital Signature Certificate, the Certifying Authority shall:
(i) confirm that the user's name does not appear in its list of compromised users;
(ii) comply with the procedure as defined in its Certification Practice Statement including verification of identification and/or employment;