Regulating Certifying Authorities

It is thus necessary that the certifying authorities should follow established rules and regulations as
laid down under the law. The Information Technology Act, 2000, under chapter VI provides detailed
provisions for the Controller of Certifying Authorities to regulate Certifying Authorities.
Furthermore, the Information Technology (Certifying Authorities) Rules, 2000 and the Information
Technology (Certifying Authorities) Regulations, 2001 have provided detailed guidelines
for certifying authorities.

The regulation of certifying authorities comes under the statutory function

of the Controller. Under the scheme of the Act, he has to act primarily as an
administrative authority rather than as a quasi-judicial body. The Supreme Court in A.K. Kraipak v
UOI,2. observed:

The dividing line between an administrative power and a quasi-judicial power is quite thin and being
gradually obliterated. For determining whether a power is an administrative power or a quasi-
judicial power one has to look to the nature of the power conferred, the person or persons on whom
it is conferred, the framework of the law conferring that power and the manner in which that power
is expected to be exercised. Under our Constitution the rule of law pervades over the entire field of
administration. Every organ of the State under our Constitution is regulated and controlled
by the rule of law. In a welfare state like ours it is inevitable that the jurisdiction
of the administrative bodies is increasing at a rapid rate. The concept of rule of law would lose its
validity if the instrumentalities of the State were not charged with the duty of discharging their
functions in a fair and just manner. The requirement of acting judicially in essence is nothing but a
requirement to act justly and fairly and not arbitrarily or capriciously.

In the backdrop of aforesaid facts, it is thus prudent that the following sections should be viewed
accordingly.

Appointment of Controller and other officers

Section 17. Appointment of Controller and other officers.—(1) The Central Government may, by
notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes
of this Act and may also by the same or subsequent notification appoint such number of Deputy
Controllers, 3.Assistant Controllers, other officers and employees as it deems fit.

(2) The Controller shall discharge his functions under this Act subject to the general control and
directions of the Central Government.

(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them
by the Controller under the general superintendence and control of the Controller.

(4) The qualifications, experience and terms and conditions of service of Controller, Deputy
Controllers, 4.Assistant Controllers, other officers and employees shall be such as may be
prescribed by the Central Government.

(5) The Head Office and Branch Office of the office of the Controller shall be at such places
as the Central Government may specify, and these may be established at such places
as the Central Government may think fit.

(6) There shall be a seal of the Office of the Controller.

Comment
The Central Government has appointed the Controller of Certifying Authorities on November 1,
2000. The Office of Controller of Certifying Authorities has three main functional departments: (a)
Technology, (b) Finance and Legal, and (c) Investigation. Each department has a Deputy Controller
and Assistant controllers, who work under the general superintendence and control
of the Controller.

Figure 7.3: Organizational Hierarchy of the Office of Controller of Certifying Authorities

The Office5. of the Controller of Certifying Authorities is the fulcrum on which the Information
Technology Act, 2000 operates. It has a statutory role to identify, apply and draw awareness
regarding application of specific form of technology. Furthermore, it establishes functional attributes
for Certifying Authorities.

In order to understand the functions of the Controller of Certifying Authorities, apart from
following the key provisions of the Act one must also follow its Certification Practice Statement (CPS)
along with Information Technology (Certifying Authorities) Rules, 2000 and Information Technology
(Certifying Authorities) Regulations, 2001.

Furthermore, the two guidelines6.: “Information Technology Security Guidelines” and “Security
Guidelines for Certifying Authorities” issued under Information Technology (Certifying Authorities)
Rules, 2000 supplement the knowledge base.

Functions of Controller

Section 18. Functions of Controller.—The Controller may perform all or any of the following
functions, namely:—

 (a)exercising supervision over the activities of the Certifying Authorities;

Comment

Controller’s supervision over the activities of the Certifying Authorities stem from the fact that as a
licensee Certifying Authority has to fulfill all the conditions stipulated by the Controller.

As per rule 31 of the Information Technology (Certifying Authorities) Rules,

2000, Certifying Authority shall have to conduct half yearly/quarterly audits and submit each audit
report to the Controller within four weeks of the completion of such audit.

It should be pointed out that the Information Technology Security Guidelines under rule 19(2) lays
down parameters for capturing audit trails [Para 10], whereas details of System Security Audit
Procedures are given in Para 9 of Security Guidelines for Certifying Authorities.

 (b)certifying public keys of the Certifying Authorities;

Comment

The Controller has established the Root Certifying Authority of India (RCAI) to certify public keys of
all CAs in India. The RCAI is responsible for:

 •Issue of licence by means of an X.509 certificate

 •Digitally signing the public key of the licensed CA

 •Generating Certificate Revocation List (CRLs) for the licences issued

The RCAI root certificate is the highest level of certification in India. It is being used to sign the public
keys of the licensed CAs in India. One of the conditions under rule 20(b) of the Information
Technology (Certifying Authorities) Rules, 2000 is that the licensed Certifying Authority shall
commence its commercial operation of generation and issue of digital signature only after it has
generated its key pair (private and corresponding public key) and submitted the public key
to the Controller.

However, it is important to note that RCAI is a functional aspect of the operations of the Controller
of Certifying Authorities. It is not a kind of separate organizational unit.

 (c)laying down the standards to be maintained by the Certifying Authorities;

Comment

Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 refers to the standards that
may be considered for different activities associated with the Certifying Authorities functions.

Regulation 4 of the Information Technology (Certifying Authorities) Regulation, 2001 provides details
of various standards (as referred in rule 6) like Public Key Infrastructure, Public-key Cryptography,
Key agreement schemes, Form and size of the key pairs, Directory Services, Public Key Certificates
and Certificate Revocation List (CRL).

(d) specifying the qualifications and experience, which employees

of the Certifying Authorities should possess;

Comment

It has not been specified in either Rules or Regulations about the specific qualifications and
experience that should be possessed by the employees of the Certifying Authorities. Para 5.1 of
“Information Technology Security Guidelines” does mention that each organization shall designate a
properly trained “System Administrator” who will ensure that the protective security measure
of the system are functional. Similarly, Para 20 talks about the role of Network Administrator who
will be responsible for operation, monitoring security and functioning of the network.

(e) specifying the conditions subject to which the Certifying Authorities shall conduct their
business;

Comment

A Certifying Authority has to fulfill all the specified terms and conditions to obtain a licence to issue
Digital Signature Certificate. Regulation 3 of the Information Technology
(Certifying Authorities) Regulations, 2001 lays down those terms and conditions.

(f) specifying the contents of written, printed or visual materials and advertisements that may be
distributed or used in respect of a 7.Electronic Signature Certificate and the public key;

Comment

In order to bring uniformity and harmonization in Certifying Authorities practice, the Office of
Controller of Certifying Authorities specifies the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of a Digital Signature Certificate
and the public key in its Certification Practice Statement (CPS). However, it is significant to note that
as on November 15, 2009, no such guidelines related to Electronic Signature Certificate has been
framed by the Office of Controller of Certifying Authorities.
(g) specifying the form and content of an 8.Electronic Signature Certificate and the key;

Comment

Rule 7 of the Information Technology (Certifying Authorities) Rules, 2000 provides that all Digital
Signature Certificate issued by the Certifying Authorities shall conform to ITU X.509 version 3
standard and to have data, like: Serial Number, Signature Algorithm Identifier (used
by the Certifying Authority to sign the Certificate), Issuer Name, Validity period of the Certificate,
Name of the subscriber and Public key information of the subscriber.

(h) specifying the form and manner in which accounts shall be maintained
by the Certifying Authorities;

Comment

Under Regulation 3(vi) of the Information Technology (Certifying Authorities) Regulations 2001,
every Certifying Authority shall comply with all the financial parameters during the period of validity
of the licence, issued under the Act. Importantly, it further states that any loss to the subscriber,
which is attributable to the Certifying Authority, shall be made good by the Certifying Authority.

(i) specifying the terms and conditions subject to which auditors may be appointed
and the remuneration to be paid to them;

Comment

Rule 31 and 32 of the Information Technology (Certifying Authorities) Rules, 2000 set the terms of
audit and auditor’s relationship with Certifying Authority respectively. CCA currently has sixteen
auditors in its panel.9.

Moreover, under Regulations 3 (vii) of the Information Technology

(Certifying Authorities) Regulations 2001, every Certifying Authority shall subject itself to Compliance
Audits carried out by one of the aforesaid empanelled auditors. Such audits shall be based
on the Internet Engineering Task Force document RFC 2527- Internet X.509 PKI Certificate Policy and
Certification Practices Framework.

Scope of audit vis-à-vis licensed Certifying Authorities includes: (a) Adequacy of security policies and
implementation thereof, (b) Existence of adequate physical security, (c) Evaluation of functionalities
in technology as it supports CA operations CA’s services administration processes and procedures,
(d) Compliance to relevant CPS as approved and provided by the Controller, (e) Adequacy of
contracts/agreements for all outsourced CA operations, and (f) Adherence to Information
Technology Act, 2000, the rules and regulations thereunder, and guidelines issued by the Controller
from time-to-time.

(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or
jointly with other Certifying Authorities and regulation of such systems;

Comment

The security guidelines given under rule 19(2) of the Information Technology (Certifying Authorities)
Rules, 2000 are aimed at protecting the integrity, confidentiality and availability of services, data and
systems of Certifying Authorities.

(k) specifying the manner in which the Certifying Authorities shall conduct their dealings
with the subscribers;
Comment

A CA shall have to comply with the procedures of generation, issue, archival, compromise,
revocation of Digital Signature Certificate as defined in its Certification Practice Statement (CPS). It
has to notify its subscribers about its cessation as CA [Rule 21].

Under regulation 3 of the Information Technology (Certifying Authorities) Regulations, 2001, a CA

shall use methods, which are approved by the Controller, to verify the identity of a subscriber before
issuing or renewing any public key certificate; provide time stamping service for its subscribers;
assure the confidentiality of subscriber information; and ensure the continued accessibility and
availability of its Public Key Certificates and Certificate Revocation Lists in its repository to its
subscribers and relying parties.

(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;

Comment

The Office of Certifying Authority is competent to resolve any dispute between CAs and subscribers.
It is important to note that as per its Certification Practice Statement, the CCA can mediate between
CAs and subscribers directly or through an arbitrator. For this purpose he can request any
information or materials from both the parties, which are in order as per their CPS,
and the provisions of the Act.

Also, under Rule 12 of the Information Technology (Certifying Authorities) Rules, 2000, any dispute
arising as a result of any cross certification arrangement between the Certifying Authorities or
between Certifying Authority and the Subscriber, shall be referred to the Controller for arbitration or
resolution.

(m) laying down the duties of the Certifying Authorities;

Comment

The practices described in the CPS of Controller of Certifying Authorities are applicable to
all the licensed CAs within India. It highlights their obligations, liability, operational procedures and
security controls.

(n) maintaining a database containing the disclosure record of

every Certifying Authority containing such particulars as may be specified by regulations, which
shall be accessible to public.

Comment

The Act establishes a Repository containing Public Key Certificates issued to all licensed CAs as well
as Certificate Revocation List (CRL).

Moreover, rule 22 of the Information Technology (Certifying Authorities) Rules, 2000 refers to
Database of Certifying Authorities. The Rule states that the Controller shall maintain a database
of the disclosure record of every Certifying Authority, Cross Certifying Authority and
Foreign Certifying Authority.

Recognition of foreign Certifying Authorities

Section 19. Recognition of foreign Certifying Authorities.—(1) Subject to such conditions and
restrictions as may be specified by regulations, the Controller may with the previous approval
of the Central Government, and by notification in the Official Gazette, recognize any
foreign Certifying Authority as a Certifying Authority for the purposes of this Act.

Comment

The success of PKI depends on the acceptance of the digital signature certificates as means of
identification and authentication in the paperless environment. It should also recognize
foreign Certifying Authorities for faster implementation of digital signature certificates regime. A
foreign Certifying Authority may provide cross certification arrangement to the local licensed CA
thereby creating global acceptability of locally issued digital signature certificates.

The Controller has to seek previous approval of the Central Government before recognizing a
foreign Certifying Authority. Further, he has to notify its name in the Official Gazette. So far, no
foreign certifying authority has been recognized by the Controller. However, in exercise of the power
conferred by clause (b) of sub-section (2) of section 89 of the Act, the Controller after consultation
with the Cyber Regulations Advisory Committee and with the previous approval of Central
Government has notified the Information Technology (Recognition of
foreign Certifying Authorities operating under a Regulatory Authority) Regulations, 2013 and
Information Technology (Recognition of Foreign Certifying Authorities not operating under any
Regulatory Authority) Regulations, 2013 on April 6, 2013. In this context, India has already
Memorandum of Understanding with South Korea.

(2) Where any Certifying Authority is recognized under sub-section (1), the 10.Electronic Signature
Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.

Comment

The aforesaid sub-section (2) refers to recognition of any foreign Certifying Authority as
a Certifying Authority by the Controller. The term “recognition” implies that the Controller shall
grant licence to any foreign certifying authority to act as a licensed CA in India subject to such
conditions and restrictions as may be specified by Information Technology
(Certifying Authorities) Regulations, 2001.

The recognized CA means a person who has been granted a licence to issue an Electronic Signature
Certificate, which may include a Digital Signature Certificate under section 24 of the Act. The said
Certificate issued by the recognized CA shall be valid for the purposes of this Act.

(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any
of the conditions and restrictions subject to which it was granted recognition under sub-section (1)
he may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such
recognition.

Comment

The Controller has the power under aforesaid sub-section (3) to revoke the recognition granted
to the foreign Certifying Authority under sub-section (2), if he is satisfied that the said
foreign Certifying Authority has contravened any of the conditions and restrictions subject to which
it was granted recognition under sub-section (1) of the aforesaid section.

The Controller has to record the reasons behind such revocation in writing and notify the same
in the Official Gazette.

Controller to act as repository

11.Section 20. Controller to act as repository.—(1) The Controller shall be the repository of all
Digital Signature Certificates issued under this Act.

(2) The Controller shall—

 (a)make use of hardware, software and procedures that are secure from intrusion and
misuse;

 (b)observe such other standards as may be prescribed by the Central Government, to

ensure that the secrecy and security of the digital signatures are assured.

(3) The Controller shall maintain a computerized database of all public keys in such a manner that
such database and the public keys are available to any member of the public.

[Authors’ Note: Though section 20 has been repealed by the Information Technology
(Amendment) Act, 2008, section 13, nevertheless, it is important that readers’ of this chapter should
read this repealed section in order to appreciate the operational aspects of CCA vis-à-vis Public Key
Infrastructure (PKI)]. Further, the functions of Controller to act as a repository should now be seen
in the context of section 26 of the Act.

Comment

In accordance with the aforesaid section (now repealed) the Controller had earlier
established the National Repository of Digital Certificate (NRDC) to act as the repository of all Digital
Signature Certificates issued under this Act. Presently, the Controller is acting as the Root CA,
in the form of Root Certifying Authority of India (RCAI), certifying the public keys of all CAs in India.

Figure 7.4: Controller to act as repository

The Certification Practice Statement (CPS) of the Controller describes the practices employed by him
in operating the RCAI services.

Table 7.1: RCAI Services

RCAI Services

Issue of licence by means of an X.509 certificate

Generating CRLs for the licences issued

Digitally signing the public key of the licensed CA

This CPS covers the practices followed by the CCA for the procedures related
to the licence/certificate application, issuance, use, validation, suspension, revocation and their
expiry, as well as the operational maintenance of the RCAI.

Moreover, Rule 22 of the Information Technology (Certifying Authorities) Rules, 2000 refers to
maintenance of Database of Certifying Authorities. The Rule states that the Controller shall maintain
a database of the disclosure record of every Certifying Authority, Cross Certifying Authority and
Foreign Certifying Authority.
Certifying Authority’s systems shall be protected to ensure network access control to critical systems
and services from other systems in accordance with para 17, para 18, para 19 and para 20
of the Information Technology Security Guidelines.

Licence to issue Electronic Signature Certificates

Section 21. Licence to issue 12.Electronic Signature Certificates.—(1) Subject to the provisions of
sub-section (2), any person may make an application, to the Controller, for a licence to
issue 13.Electronic Signature Certificates.

(2) No licence shall be issued under sub-section (1), unless the applicant fulfills such requirements
with respect to qualification, expertise, manpower, financial resources and other infrastructure
facilities, which are necessary to issue 14.Electronic Signature Certificates as may be prescribed
by the Central Government.

(3) A licence granted under this section shall—

 (a)be valid for such period as may be prescribed by the Central Government;

 (b)not be transferable or heritable;

 (c)be subject to such terms and conditions as may be specified by the regulations.

Comment

The aforesaid section underlines the fact that any person may approach the Controller for a licence
to issue Electronic Signature Certificates, including Digital Signature Certificates. The said person has
to submit an application under rule 10 of the Information Technology (Certifying Authorities) Rules,
2000. Furthermore, regulation 3 of the Information Technology (Certifying Authority) Regulations,
2001 provides the terms and conditions of licence to issue Electronic Signature Certificates, including
Digital Signature Certificates.

Also as per rule 13 and regulation 3(i)(a) & (b) a licence is valid for a period of five years
from the date of its issue and the said licence is not transferable or heritable.

Application for licence

Section 22. Application for licence.—(1) Every application for issue of a licence shall be in such
form as may be prescribed by the Central Government.

(2) Every application for issue of a licence shall be accompanied by—

 (a)a certification practice statement;

 (b)a statement including the procedures with respect to identification of the applicant;

 (c)payment of such fees, not exceeding Rs 25000/- as may be prescribed by the Central
Government;

 (d)such other documents, as may be prescribed by the Central Government.

Comment

An application can be made for obtaining a licence to operate as a Certifying Authority under section
21 of the Act. Requirements as stipulated in sub-section 21(2) of the Act, need to be fulfilled
by the applicant for issue of a licence to operate as a CA.
The Form for application for grant of Licence to operate as a Certifying Authority that is required to
be submitted to the Controller, has been prescribed under rule 10 of the Act and appears at
Schedule I of the Rules under the Act. A licence issued to a CA will be subject to terms and
conditions under section 21(3)(c). The detailed terms and conditions are given in regulation 3
of the Regulations under the Act.

Along with the application in the format given in Schedule I of Rules, an applicant has to submit
all the documents that are essential to substantiate the claim for award of licence to operate as a
CA. It is the responsibility of the applicant to submit all documents required under the Act, Rules
and Regulations. In addition to the documents listed in Rule 10, the documents listed
in the “Guidelines for submission of application for licence to operate as
a Certifying Authority under the IT Act, 2000’ are also to be furnished.

Renewal of licence

Section 23. Renewal of licence.—An application for renewal of a licence shall be—

 (a)in such form;

 (b)accompanied by such fees, not exceeding Rs 2000/-,

as may be prescribed by the Central Government and shall be made not less than forty-five days
before the date of expiry of the period of validity of the licence.

Comment

Rule 15 states that the provisions of rule 8 to rule 13 of the Information Technology
(Certifying Authorities) Rules, 2000, will apply in the case of an application for renewal of a licence
just as they apply to a fresh application for licensed Certifying Authority.

Furthermore, the application for renewal of licence may be submitted in the form of electronic
record subject to such requirements as the Controller may deem fit.

Procedure for grant or rejection of licence

Section 24. Procedure for grant or rejection of licence.—The Controller may, on receipt of an
application under sub-section (1) of section 21, after considering the documents
accompanying the application and such other factors, as he deems fit, grant the licence or
reject the application:

Provided that no application shall be rejected under this section unless the applicant has been
given a reasonable opportunity of presenting his case.

Comment

As per rule 16 of the Information Technology (Certifying Authorities) Rules, 2000, the Controller may,
within four weeks from the date of receipt of the application, examine the documents and
information accompanying the application [rule 10(ii)] before he grants the licence or
rejects the application.

Under rule 17, the Controller may refuse to grant or renew a licence,
if the applicant/certifying authority has failed to fulfill any one of the nine conditions as laid
down under the said rule [(i) to (ix)].
Also, as given in the proviso of the aforesaid section, it is important that in the spirit of natural
justice an applicant must be given reasonable opportunity of presenting his case to the Controller,
before his application is rejected. The said proviso is mandatory in character.

In Keshav Mills Co Ltd v UOI,15. The Supreme Court observed: “…….. as to what are the principles of
natural justice that should regulate an administrative act or order is a much more difficult one to
answer. We do not think it either feasible or even desirable to lay down any fixed or rigorous
yardstick in this manner. The concept of natural justice cannot be put into a straitjacket. It is futile,
therefore, to look for definitions or standards of natural justice from various decisions and then try
to apply them to the facts of any given case. The only essential point that has to be kept in mind in
all cases is that the person concerned should have a reasonable opportunity of presenting his case
and that the administrative authority concerned should act fairly, impartially and reasonably. Where
administrative officers are concerned, the duty is not so much to act judicially as to act fairly”.

Suspension of licence

Section 25. Suspension of licence.—(1) The Controller may, if he is satisfied after making such
inquiry, as he may think fit, that a Certifying Authority has,—

 (a)made a statement in, or in relation to, the application for the issue or renewal
of the licence, which is incorrect or false in material particulars;

 (b)failed to comply with the terms and conditions subject to which the licence was
granted;

 16.(c)failed to maintain the procedures and standards specified in section 30;

 (d)contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the licence:

Provided that no licence shall be revoked unless the Certifying Authority has been given a
reasonable opportunity of showing cause against the proposed revocation.

(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking
a licence under sub-section (1), by order suspend such licence pending the completion of any
inquiry ordered by him:

Provided that no licence shall be suspended for a period exceeding ten days
unless the Certifying Authority has been given a reasonable opportunity of showing cause
against the proposed suspension.

(3) No Certifying Authority whose licence has been suspended shall issue any 17.Electronic
Signature Certificate during such suspension.

Comment

One of the remarkable features of the aforesaid section is the power of the Controller to hold
inquiry before suspending or revoking the licence of a Certifying Authority. As already highlighted
in the section 24 of the Act that the statutory authority has a “duty to act fairly”. Thus a formal
inquiry conducted by the Controller must give a Certifying Authority a reasonable opportunity of
showing cause against the proposed suspension or revocation of its licence.

It should be noted that under Rule 14 the Information Technology (Certifying Authorities) Rules,
2000 the Controller may by order suspend the licence in accordance with the aforesaid provisions
[section 25(2)]. The Rule further states that the licence granted to the persons referred to in clauses
(a) to (c) of sub-rule (1) of rule 8 shall stand suspended when the performance bond submitted
or the banker’s guarantee furnished by such persons is invoked under sub-rule (2) of that
rule. The Controller may also take cognizance of rule 10(ii), rule 17(v) to (viii) and regulation 3(i) to
(vii) while conducting an inquiry.

Further, under sub-section (2) of the aforesaid section, the Controller may take a unilateral action of
suspending a licence, if he has reasonable cause to believe that there exist such a ground for
revocation, pending the completion of any inquiry ordered by him. Under such
circumstances the licence could remain suspended for a period of ten days. For extending the time
period of “suspension” beyond the initial ten days, the Controller has to give a reasonable
opportunity to the said Certifying Authority of showing cause against the proposed extended
suspension.

A licensed Certifying Authority has a legal right to issue Electronic Signature Certificates, including
Digital Signature Certificates to the applicants under the Act. The said right remains inoperative
during the phase of its suspension under sub-section (3) of the aforesaid section. In other words, any
Electronic Signature Certificates, including Digital Signature Certificates, which have already been
issued by the Certifying Authority prior to its suspension shall deemed to be valid.

Notice of suspension or revocation of licence

Section 26. Notice of suspension or revocation of licence.—(1) Where the licence

of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such
suspension or revocation, as the case may be, in the database maintained by him.

(2) Where one or more repositories are specified, the Controller shall publish notices of such
suspension or revocation, as the case may be, in all such repositories:

Provided that the data base containing the notice of such suspension or revocation, as the case
may be, shall be made available through a web site which shall be accessible round the clock:

Provided further that the Controller may, if he considers necessary, publicize the contents of
database in such electronic or other media, as he may consider appropriate.

Comment

The Controller operates a Repository of all public key certificates issued to licensed CAs and CRLs. It
is referred as RCAI repository.

The Controller is under obligation to maintain the repository containing:

 •Public Key Certificates of licensed CAs

 •Authority Revocation Lists (ARLs) of licensed CAs

 •Certificate Revocation Lists (CRLs) after revocation of licensed CAs

It is to be kept in mind that revocation of a licence could affect any DSC holder globally.
Hence, the notice of such revocation as a rule should not only be available on 24x7 basis but
also the CRLs updated on real time basis.

Power to delegate
Section 27. Power to delegate.—The Controller may, in writing, authorize the Deputy Controller,
Assistant Controller or any officer to exercise any of the powers
of the Controller under this Chapter.

Comment

The aforesaid section is to be understood and read with the section 17 of the Act,
wherein the Controller has a team of Deputy Controllers, Assistant Controllers, other officers and
employees. Keeping in view the present organizational structure of the Office of the Controller, it
seems that the Controller has created three separate departments: (a) Technology; (b) Finance &
Legal; and (c) Investigation.

Each department is currently being headed by one Deputy Controller and assisted by Assistant
Controllers and other such officers and employees.

Interestingly, the Controller may delegate his administrative powers, including power to investigate
contraventions under sections 28 and 29 of the Act. However, his quasi-judicial power to resolve any
dispute between the Certifying Authorities and the subscribers (section 18) cannot be delegated.

Power to investigate contraventions

Section 28. Power to investigate contraventions.—(1) The Controller or any officer authorized by
him in this behalf shall take up for investigation any contravention of the provisions of this Act,
rules or regulations made thereunder.

(2) The Controller or any officer authorized by him in this behalf shall exercise the like powers
which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961, (43
of 1961) and shall exercise such powers, subject to such limitations laid down under that Act.

Comment

The power granted by the aforesaid section is only investigative in nature only. As given
in the section 27, the Controller may delegate the power of investigation to the Deputy Controller,
Assistant Controller or any other officer. It is important to note that the sub-section (1) of section 28
authorizes the said officer to investigate any contravention of the provisions of this Act, rules
or regulations made thereunder.

One view is that the aforesaid sub-section (1), if read with section 75 of the Act also grants power
to the Controller or any officer authorized by him to investigate any offence or contravention
committed outside India by any person irrespective of his nationality, if the act or conduct
constituting the offence or contravention involves a computer, computer system or computer
network located in India. Based on this view, the Office of the Controller has been inundated with
numerous complaints, praying that the Controller should investigate all contraventions related to
data theft, privacy violations, defamation, spamming etc.18.

Another view is that the Controller’s power to investigate contraventions is restricted

to the licensed Certifying Authorities and subscribers. Interpreting the statute and applying strict
construction rules, one may find that the aforesaid power of the Controller can only be used to
investigate contraventions related to licensed Certifying Authorities, Subscribers and Electronic
Signature Certificates (including Digital Signature Certificates), This view, is further complemented
by the amendments in sections 29 and 69 of the Act.
Further the sub-section (2) grants the Controller or any other officer authorized by him, powers
which are similar to those already conferred on Income-tax authorities under Chapter XIII
of the Income-tax Act, 1961.

Under the aforesaid Chapter, the Controller or any other officer authorized by him, has the power to
impound and retain in its custody for such period as it thinks fit, any books of account or other
documents produced before it in any proceeding [section 131]; search and seizure of books of
account19. and other documents, money, bullion, jewellery or other valuable article or thing found
as a result of such search; also, the authorized officer may, during the course of the search or
seizure, examine on oath any person who is found to be in possession or control of any books of
account, other documents, money, bullion, jewellery or other valuable article or thing and any
statement made by such person during such examination may thereafter be used in evidence in any
proceeding [section 132] under the Indian Income-tax Act, 1922, or under Income-tax Act, 1961;
power to call for information [section 133]; power of survey [section 133A]; power to collect certain
information [section 133B] and proceedings as judicial proceedings [section 136].

The first judicial test examining the power of Controller of Certifying Authorities under section 28
came before the High Court of Delhi in Yahoo India Pvt Ltd v UOI,20. The brief facts of this case are
as follows:

 (a)There were eleven notices (January – July 2011) issued by the CCA (Respondent No. 2) to
Yahoo India over a period of time seeking details from Yahoo to provide details of certain
suspect e-mail Ids. These notices clearly pointed out that (a) a suspected contravention
of the provisions of the Act, rules or regulations made thereunder having a bearing on
national security is underway, and (b) by virtue of section 28 of the Act the Controller or any
officer authorized by him in this behalf has power “to take up for investigation”
contravention of the provisions of this Act, rules or regulations made thereunder.

 (b)CCA not satisfied with the response of Yahoo India issued a show cause notice.

 (c)Subsequently, CCA by way of a speaking order dated 26 August 2011 imposed a fine of Rs.
11 lakhs on Yahoo India21. under section 44(a) of the Act for not furnishing
information/document as directed by the Controller or any officer authorized by him in this
behalf.

 (d)Aggrieved by the order of CCA, Yahoo India filed a civil writ petition before the Delhi High
Court.22. It also challenged the constitutional validity of rule 3(7) of the Information
Technology (Intermediary Guidelines) Rules, 2011.

 (e)The Court23. held:

…….The impugned order has been issued by the Controller of Certifying Authorities, Department of
Information Technology, Ministry of Communications and Information Technology, Government of
India. It purports to be an order under section 44(a) of The Information Technology Act, 2000.
Section 46 of the said Act makes provision with regard to the power to adjudicate. Section 46(1)
of the said Act reads as under:

For the purpose of adjudging under this Chapter whether any person has committed a contravention
of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder
which renders him liable to pay penalty or compensation the Central Government shall, subject
to the provisions of sub-section (3), appoint any officer not below the rank of a Director
to the Government of India or an equivalent officer of a State Government to be an adjudicating
officer for holding an inquiry in the manner prescribed by the Central Government.

The Ministry of Communication and Information Technology to the Government of India, in exercise
of the powers conferred under section 46(1) of the said Act, notified by virtue of an order dated 25
March 2003 that the Secretary of Department of Information Technology of each of the states or
of the Union Territories would be the adjudicating officer for the purposes of Information
Technology Act, 2000. It is therefore clear that the adjudicating authority under section 46 insofar
as the present matter is concerned, would not be the Controller of Certifying Authorities who has
issued the impugned order dated 26 August2011. The said order is clearly, therefore, without
jurisdiction.

Consequently, the impugned order is set aside.

 (f)It is important to note that the aforesaid judgment did not touch
upon the constitutionality of rule 3(7) of the Information Technology (Intermediary
Guidelines) Rules, 2011. Moreover, the right of CCA to investigate any
contravention under section 28 of the Act was not disturbed by the court.

It is to be noted that similarly CCA refused to entertain complaints filed under sections 28 & 29 by
complainants Bava Mahdoom24. and Hero Motor Corp.24 The question is whether CCA
has the power to investigate any contraventions under this Act, Rules or Regulation25.? CCA may
have the power to investigate but it should be seen in the context of digital or electronic signature
certificates, subscribers of such certificates and the Certifying Authorities. An overarching power to
investigate all offences under the Act would negate the power to investigate offences granted to
police under section 78 of the Act. This could never be the intent of the legislation. The scope of
section 28 should be seen with respect to offences related to digital or electronic signatures.

Access to computers and data

Section 29. Access to computers and data.—(1) Without prejudice to the provisions of sub-section
(1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause
to suspect that 26.any contravention of the provisions of this Chapter has been committed, have
access to any computer system, any apparatus, data or any other material connected with such
system, for the purpose of searching or causing a search to be made for obtaining any information
or data contained in or available to such computer system.

(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by
order, direct any person incharge of, or otherwise concerned with the operation of, the computer
system, data apparatus or material, to provide him with such reasonable technical and other
assistance as he may consider necessary.

Comment

The aforesaid sub-section (1) grants the Controller or any person authorized by him sweeping power
to access to any computer system, any apparatus, data or any other material connected with such
system, to search for obtaining any information or data contained in or available to such computer
system if he has reasonable cause to suspect that any contravention under this Chapter has been
committed. The power to access any such computer and data is physical as well as virtual.
Further, the authority to search any such computer system, any apparatus, data or any other
material connected with such system has been limited to any
contravention under this Chapter of the Act only.

Since, the Act has not defined the word “apparatus”. Hence, it would be proper to include input
devices (scanners, digital cameras, microphones etc.), output devices (monitor, printer, speakers
etc.), communication devices (modems, network interface cards) and storage devices (tape drive,
CD-ROM drives, optical drives, removable hard drives etc.) within the definition of apparatus.

Under the sub-section (2), the Controller or any person authorized by him has the power to order,
direct any person incharge of, or otherwise concerned with the operation of, the computer system,
data apparatus or material, to provide him with such reasonable technical and other assistance as he
may consider necessary. It may include access to password(s) to such computer system, apparatus,
data or any other material connected with such system.

Certifying Authority to follow certain procedures

Section 30. Certifying Authority to follow certain procedures.—Every Certifying Authority shall,—

 (a)make use of hardware, software and procedures that are secure from intrusion and
misuse;

 (b)provide a reasonable level of reliability in its services, which are reasonably suited
to the performance of intended functions;

 (c)adhere to security procedures to ensure that the secrecy and privacy

of the 27.electronic signatures are assured; 28.[***]

 29.(ca)be the repository of all Electronic Signature Certificates issues under this Act;

 30.(cb)publish information regarding its practices, Electronic Signature Certificates and

current status of such certificate; and

 (d)observe such other standards as may be specified by regulations.

Comment

Every Certifying Authority has to fulfill the conditions as laid down under the Information Technology
(Certifying Authorities) Rules, 2000 and Information Technology (Certifying Authorities) Regulations,
2001. Furthermore, each Certifying Authority has to frame its management and operational policies
keeping in view the “Information Technology Security Guidelines” and “Security Guidelines
for Certifying Authorities” issued under Information Technology (Certifying Authorities) Rules, 2000.

The objective of the “Information Technology Security Guidelines” is to provide guidelines

to the organizations to develop internal information technology security processes.
Whereas the “Security Guidelines for Certifying Authorities” are aimed at protecting the integrity,
confidentiality and availability of their services, data and systems.

It is also important that every Certifying Authority must comply with its “Certification Practice
Statement” (CPS) framework, which is based on RFC-2527: Internet X.509 Public Key Infrastructure
Certificate Policy and Certification Practices Framework submitted along with the application to
operate as a certifying authority.
It should be observed that the basic purpose of this section is that the Certifying Authority should
not only have a secure system [section 2(1)(ze)] but also adopt and implement security procedures
[section 2(1)(zf) & section 16] as defined under the Act.

Further, by introducing new clauses, like (ca) and (cb), the legislative intent has been
that the repository, which was being maintained by the Controller (under section 20 of the Act,
subsequently repealed) earlier, should now be maintained by the respective Certifying Authorities.

The intended functionalities of such repository may include:

 •All Electronic Signature Certificates (including Digital Signature Certificates) issued

by the licensed CA.

 •Current status list of suspended/revoked Electronic Signature Certificates (including Digital

Signature Certificates).

 •Updated Certificate Revocation Lists (CRLs) of subscribers.

 •CPS of the licensed CA.

Certifying Authority to ensure compliance of the Act, etc

Section 31. Certifying Authority to ensure compliance of the Act, etc.—

Every Certifying Authority shall ensure that every person employed or otherwise engaged by it
complies, in the course of his employment or engagement, with the provisions of this Act,
rules, regulations and orders made thereunder.

Comment

Every Certifying Authority has to comply with the aforesaid mandatory provisions regarding his
employment or engagement. Rule 34(1) of the Information Technology (Certifying Authorities) Rules,
2000 states that the “access to confidential information by Certifying Authority’s operational staff
shall be on a “need-to-know” and “need-to-use” basis. Moreover, under regulation 3(v) [Physical,
procedural and personnel security] of the Information Technology (Certifying Authority) Regulations,
2001, every Certifying Authority is to get an independent periodic audit done through an approved
auditor, wherein the focus is on personnel employment.

It is important to note that the Certification Practice Statement (CPS) filed by each and every
applicant is required have detailed guidelines on “personnel controls”, which may include employees
background, qualifications, experience and clearance requirements.

Display of licence

Section 32. Display of licence.—Every Certifying Authority shall display its licence at a conspicuous
place of the premises in which it carries on its business.

Comment

Under the provisions of the Act, an individual, a company, a firm may apply for grant of a licence to
issue Digital Signature Certificates. Once the applicant has been issued a licence by the Controller,
then it is mandatory for the newly licensed Certifying Authority to display the licence at a
conspicuous place of the premises in which it carries on its business.

Surrender of licence
Section 33. Surrender of licence.—(1) Every Certifying Authority whose licence is suspended or
revoked shall immediately after such suspension or revocation, surrender the licence
to the Controller.

(2) Where any Certifying Authority fails to surrender a licence under sub-section (1), the person in
whose favour a licence is issued, shall be guilty of an offence and shall be punished with
imprisonment which may extend up to six months or a fine which may extend up to Rs 1000/- or
with both.

Comment

Under the aforesaid sub-section (1) every Certifying Authority whose licence has been suspended or
revoked [section 25] is to surrender its licence to the Controller immediately.

Any such failure on the part of the person to comply with the directions as given in sub-section (1) is
to be taken as a non-cognizable and bailable offence. The said person is to be punished with
imprisonment, which may extend up to six months or a fine, which may extend up to Rs 10000/- or
with both.

One should not miss the importance that has been given to this aforesaid section in the Act. It
indicates seriousness on the part of the legislature to make non-submission of a suspended or
revoked licence an offence rather a contravention under the Act.

Disclosure

Section 34. Disclosure.—(1) Every Certifying Authority shall disclose in the manner specified
by regulations—

 (a)its 31.Electronic Signature Certificate 32.[***];

 (b)any certification practice statement relevant thereto;

 (c)notice of the revocation or suspension of its Certifying Authority certificate, if any; and

 (d)any other fact that materially and adversely affects either the reliability of
a 33.Electronic Signature Certificate, which that Authority has issued, or the Authority’s
ability to perform its services.

(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has
arisen which may materially and adversely affect the integrity of its computer system
or the conditions subject to which a 34.Electronic Signature Certificate was granted,
then, the Certifying Authority shall—

 (a)use reasonable efforts to notify any person who is likely to be affected by that
occurrence; or

 (b)act in accordance with the procedure specified in its certification practice statement to
deal with such event or situation.

Comment

Every Certifying Authority is to disclose the aforesaid details (a) to (d) to the Controller through filing
up of online forms on the website of the Controller on the date and time the information is made
public [Regulation 5]. The Certifying Authority has to digitally sign the information.
Furthermore, the Certifying Authority is to act in accordance with policies and procedures designed
to safeguard the “computer systems & operations” and “certificate & key management” (including
certificate registration, generation, issuance, publication, renewal, suspension, activation,
revocation, and archival) processes.

It is the duty of the Certifying Authority to ensure continued accessibility and availability of its Public
Key Certificates and updated Certificate Revocation Lists in its repository to its subscribers and
relying parties. Moreover, it is expected that the Certifying Authority either to make reasonable
efforts to notify any person (subscriber and/or relying party) or act in accordance
with the procedures laid down in its certification practice statement to resolve a crisis (sensitive)
situation.

This Chapter highlights the statutory role played by the Controller of Certifying Authorities to
identify, apply and draw awareness regarding application of specific form of
technology under the Act. It is a fulcrum around which the whole Act operates. Furthermore, it
establishes functional attributes for the Certifying Authorities. It is not an agent, fiduciary, trustee or
any other representative of any of the Certifying Authorities. That is, the Certifying Authorities have
no authority to bind the Controller, by contract or otherwise of any obligation or financial
implication.