
Certifying Authority

A Certifying Authority (CA) under the Indian IT Act is licensed to issue Digital Signature Certificates (DSCs) for electronic authentication, ensuring the identity of individuals or organizations in transactions. CAs must adhere to security standards, verify identities, and follow specific procedures for issuing, suspending, and revoking DSCs, while maintaining transparency through required disclosures. The Act outlines the responsibilities and processes for CAs, including compliance with regulations and the handling of adverse events related to digital certificates.

Uploaded by Sereena C S

CERTIFYING AUTHORITY (CA)

Under the Indian IT Act, a Certifying Authority (CA) is a licensed entity that issues Digital
Signature Certificates (DSCs) for electronic authentication. It is a trusted body whose central
responsibility is to issue, revoke and renew Digital Certificates and to provide directories of
them. CAs function under the supervision and control of the Controller of Certifying
Authorities (CCA).

The primary function of a CA is to issue digital signature certificates. These certificates are
used to authenticate the identity of individuals or organizations in electronic transactions.
Digital signatures provide assurance that a document or message has not been tampered
with and that it originates from the claimed sender.

CAs are responsible for verifying the identity of individuals or organizations before issuing
digital signature certificates. This verification process is essential to ensure the
trustworthiness of digital signatures.

CAs are required to maintain high security standards to protect the integrity of digital
signature certificates and of the Public Key Infrastructure. They must have proper hardware,
software, and procedures to ensure the security of their operations.

Section 2(g) of the Information Technology Act, 2000 defines a Certifying Authority as a person
who has been granted a licence to issue a Digital Signature Certificate under section 24.

DUTIES OF CERTIFYING AUTHORITY

1. Certifying Authority to follow certain procedures: Section 30 of the IT Act 2000
mandates that every Certifying Authority must implement secure hardware,
software, and procedures to prevent intrusion and misuse, ensure a reliable level of
service suitable for its intended functions, strictly adhere to security measures to
guarantee the secrecy and privacy of digital signatures, and comply with any
additional standards prescribed by regulations.
2. Certifying Authority to ensure compliance of the Act, etc: Section 31 of the IT Act
2000 requires that Certifying Authorities are responsible for making sure all their
employees and anyone working for them follow all the rules of the IT Act, including
any related regulations and orders, while doing their jobs.
3. Display of licence: Section 32 states that a Certifying Authority must visibly display
its operating license in a prominent location within its business premises. This
ensures transparency and allows anyone visiting the premises to easily verify that the
authority is operating legally.
4. Surrender of licence: Section 33 of the IT Act 2000 outlines the procedure for
surrendering a Certifying Authority's license when it's suspended or revoked. Firstly,
upon suspension or revocation, the CA must immediately hand over the license to
the Controller of Certifying Authorities. Secondly, failure to do so results in a criminal
offense for the license holder, punishable by up to six months imprisonment, a fine of
up to ten thousand rupees, or both.
5. Duty of Disclosure: Section 34 of the IT Act 2000 mandates specific disclosures by
Certifying Authorities (CAs) to ensure transparency and maintain trust.
(1) Required Disclosures: CAs must publicly disclose, as per regulations:
- Their own digital signature certificate (containing their public key).
- Their certification practice statement (outlining their operational procedures).
- Any revocation or suspension of their own CA certificate.
- Any other critical information that could negatively impact the reliability of
their issued digital certificates or their service delivery.
(2) Handling Adverse Events: If a CA believes an event or situation has occurred that
could harm the integrity of its computer systems or the conditions of issued
certificates, it must:
- Make reasonable efforts to notify potentially affected individuals, or
- Follow the procedures outlined in its certification practice statement for
dealing with such events.
6. Certifying Authority to issue Digital Signature Certificate: Section 35 of the IT Act
2000 governs the process of issuing Digital Signature Certificates by Certifying
Authorities (CAs).
- Any individual can apply for a Digital Signature Certificate using the form prescribed
by the Central Government.
- Applications must include a fee, not exceeding 25,000 rupees, as set by the Central
Government.
- Different fee structures can be established for various applicant categories.
- Applications must be accompanied by a certification practice statement or, if
unavailable, a statement with details as specified by regulations.
- Upon receiving an application, the CA reviews the certification statement and
conducts necessary inquiries.
- The CA can grant or reject the certificate, with rejections requiring written reasons.
- A certificate can only be granted if the CA verifies:
  - The applicant possesses the private key corresponding to the public key in the
    certificate.
  - The applicant's private key can create digital signatures.
  - The public key can verify signatures created by the applicant's private key.
- Applicants must be given a reasonable opportunity to explain before their application
is rejected.
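As an added illustration (not part of the original document or of any CA's software) of the three conditions a CA must verify before granting a certificate, the Go program below performs a proof-of-possession check: the CA issues a random challenge, the applicant signs it with the private key, and the CA confirms that the public key in the application verifies that signature, returning a written reason on rejection. The ed25519 key pair, the CertRequest structure and the reason strings are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// CertRequest: constructed stand-in for a DSC application (key to certify, CA challenge, signature).
type CertRequest struct {
	Applicant string
	PublicKey ed25519.PublicKey
	Challenge []byte
	Signature []byte
}

// NewChallenge is the CA's random nonce; signing it proves possession without revealing the key.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignRequest is the applicant's side: sign the CA's challenge with the private key.
func SignRequest(applicant string, priv ed25519.PrivateKey, ch []byte) CertRequest {
	return CertRequest{applicant, priv.Public().(ed25519.PublicKey), ch, ed25519.Sign(priv, ch)}
}

// VerifyKeyPair applies the Section 35 conditions; a rejection carries the written reason the section requires.
func VerifyKeyPair(req CertRequest, issued []byte) (bool, string) {
	if len(req.PublicKey) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad length
		return false, "public key in the application is malformed"
	}
	if !bytes.Equal(req.Challenge, issued) {
		return false, "signed challenge is not the one issued by the CA (possible replay)"
	}
	if len(req.Signature) != ed25519.SignatureSize {
		return false, "private key did not produce a well-formed digital signature"
	}
	if !ed25519.Verify(req.PublicKey, req.Challenge, req.Signature) {
		return false, "public key does not verify the signature: applicant lacks the matching private key"
	}
	return true, ""
}
func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	ch, _ := NewChallenge()
	fmt.Println(VerifyKeyPair(SignRequest("applicant-1", priv, ch), ch))
}
```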

Representations upon issuance of Digital Signature Certificate

Section 36 of the IT Act 2000 outlines the representations a Certifying Authority (CA)
must make when issuing a Digital Signature Certificate. Essentially, the CA guarantees the
following:

(a) Compliance: The CA has followed all the rules of the IT Act and related
regulations.

(b) Publication and Acceptance: The certificate has been published or made
available to those relying on it, and the subscriber has accepted it.

(c) Key Ownership: The subscriber owns the private key that matches the public key
in the certificate.

(d) Functioning Key Pair: The subscriber's public and private keys work together
correctly.

(e) Accuracy: The information within the Digital Signature Certificate is accurate.

(f) No Undisclosed Material Facts: The CA is unaware of any crucial information that,
if included, would undermine the certificate's reliability.

Suspension of Digital Signature Certificate by the Certifying Authority

Section 37 of the IT Act 2000 details the suspension process for Digital Signature
Certificates.

Grounds for Suspension:

- A Certifying Authority (CA) can suspend a Digital Signature Certificate:
  - Upon receiving a request from the certificate's subscriber or their authorized
    representative.
  - If the CA believes suspension is necessary in the public interest.

Time Limit and Hearing:

- A suspension cannot exceed 15 days unless the subscriber has been given a chance
to present their case.
- This ensures that a CA cannot keep a certificate suspended beyond that period
without due process.

Communication:

- When a certificate is suspended, the CA must inform the subscriber.

Revocation of Digital Signature Certificate by Certifying Authority

Section 38 of the IT Act 2000 outlines the conditions and procedures for revoking a
Digital Signature Certificate.

Grounds for Revocation (Subscriber-Initiated or Automatic):

- A Certifying Authority (CA) can revoke a certificate:
  - Upon request from the subscriber or their authorized representative.
  - Upon the subscriber's death.
  - Upon the dissolution of a subscriber firm or the winding up of a subscriber
    company.

Grounds for Revocation (CA-Initiated):

- A CA can also revoke a certificate if it believes:
  - A significant fact in the certificate is false or concealed.
  - A requirement for issuing the certificate was not met.
  - The CA's private key or security system has been compromised, significantly
    impacting the certificate's reliability.
  - The subscriber has been declared insolvent or deceased, or if the subscriber
    is a firm or company, it has dissolved or ceased to exist.

Hearing Requirement:

- A certificate cannot be revoked without providing the subscriber a chance to be
heard. This ensures fairness and due process.

Communication of Revocation:

- Upon revocation, the CA must promptly inform the subscriber.

Notice of suspension or revocation

Section 39 of the IT Act 2000 mandates the public notification of Digital Signature
Certificate suspensions or revocations.

(1) Publication in Repository:

- When a Digital Signature Certificate is suspended or revoked under Section 37 or 38,
the Certifying Authority (CA) must publish a notice of this action in the designated
repository specified within the Digital Signature Certificate itself. This repository
serves as a public record for such notifications.

(2) Multiple Repositories:

- If the Digital Signature Certificate lists multiple repositories for such notices, the CA is
obligated to publish the suspension or revocation notice in all of those repositories.
This ensures widespread dissemination of the information.
