Regulation of Certifying Authorities for Cyber Crimes

Legal Analysis of Regulation of Certifying Authorities for Cyber Crimes including ESC & DSC

Table of Contents:

1. Introduction
2. Appointment of Controller and other Officers
3. Functions of CCA (Secs. 18-25)
4. Rules regarding issue of Licence
5. Powers of CCA
6. Duties of Certifying Authority (Secs. 30-34)
7. Electronic Signature Certificates (ESC)
8. Purpose of Digital Signature Certificate
9. Contents of Digital Signature Certificate (Rule 7)
10. Procedures relating to Electronic Signature Certificate (Secs. 35-39)
11. Duties of Subscribers

1. Introduction

Sections 17 to 34 of Chapter VI of the Act provide for the Controller of Certifying Authorities (CCA) to licence and regulate the working of Certifying Authorities (CAs). CCA also ensures that none of the provisions of the Act are violated. The regulation of certifying authorities or electronic signature infrastructure in India consists of :

• • Controller of Certifying Authority (CCA). The IT Act, 2000 provides for an appointment, functions, powers, duties of CCA (the apex regulatory body for certifying authorities in India) and other officers.
  • Certifying Authorities (CAs). A certifying authority is a trusted third party or entity that will get personal licence from the controller and will issue electronic signature certificate to the users of e-commerce. These authorities will function under the supervision and control of the controller of certifying authorities.

2. Appointment of Controller and Other Officers

Section 17 provides that the Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act. It may also be the same or subsequent notification appoint such number of Deputy Controllers, Assistant Controllers, other officers and employees as it deems fit. The controller has to functionunder the general control and directions of the Central Government and the Deputy Controllers and Assistant Controllers have to function under general superintendence and control of the controller. The controller shall have its head office at a place prescribed by the Central Government. There shall be a seal of the office of the controller.

3. Functions of CCA (Secs. 18-25)

1. 1. To act as regulator of certifying authorities (Sec. 18). The main functions of the controller are to regulate the working of certifying authorities. He performs the following functions in this regard:
      1. To exercise supervision over the activities of CAs;
      2. To certify public keys of CAs;
      3. To lay down the standards to be maintained by CAs;
      4. To specify the qualifications and experience for employee of CAs;
      5. To specify the conditions for conducting business by CAs;
      6. To specify the terms and manner for maintenance of accounts by CAs;
      7. To specify the terms and conditions for appointment of auditors and their remuneration;
      8. To facilitate the establishment of any electronic system as well as regulation of such system;
      9. To specify the manner of conducting dealings by CAs with the subscribers;
      10. To resolve any conflict of interest between CAs and the subscribers;
      11. To lay down the duties of CAs;
      12. To maintain database for every CA containing their disclosure record as well as such particulars as may be specified by regulations, which shall be accessible to public.
   2. To recognise the foreign certifying authority (Sec. 19). The controller, with the prior permission of the Central Government and by notification in the Official Gazette, may recognise any foreign certifying authority for the purpose of this Act [Sec. 19(1)].The controller may revoke such recognition by notification in the Official Gazette for reasons to be recorded in writing [Sec. 19(3)].
   3. To grant licence to CAs to issue electronic signature certificate (Sec. 21). The controller can grant a licence to any person to issue electronic signature certificate provided he applies and fulfils such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities which are necessary for the issue of Electronic Signature Certificate [Sec. 21(1) and (2)].The controller may after considering the documents and such other factors, as he deems fit, grant the licence or reject the application. He may reject only after the applicant has been given a reasonable opportunity of presenting his case (Sec. 24).
   4. To suspend licence (Sec. 25). The controller may suspend licence if he is satisfied after making an enquiry that CA has:
      1. 1. made a statement which is incorrect or false in material particulars in or relation to the application for the issue or renewal of licence.
         2. failed to comply with terms and conditions necessary for granting of licence.
         3. failed to maintain standards specified in Sec. 30.
         4. contravened any provisions of the Act, rule, regulation or order made thereunder.

      The notice of suspension or revocation may be published in the database maintained by the controller (Sec. 26).

4. Rules Regarding Issue of Licence

1. 1. Application for licence (Rule 8). The following persons may apply for grant of licence to issue electronic signature certificate :
      1. An individual, being a citizen of India and having a capital of ` 5 crore or more in his business or profession ;
      2. A company having (i) paid up capital of not less than ` 5 crore, and (ii) net worth of not less than ` 50 crore ;However, the company in which the equity share capital held in aggregate by the non-resident Indians, foreign institutional investors, or foreign companies, exceeds 49% of its capital, shall not be eligible for the grant of licence ;
      3. A firm having capital subscribed by all partners of not less than ` 5 crore and net worth of not less than ` 50 crore ; However, the firm, in which the capital held in aggregate by any non-resident Indian and foreign national, exceeds 49% of its capital, shall not be eligible for grant of licence ;
      4. Central Government or a State Government or any of the Ministries or Departments, Agencies or Authorities of such Governments.
   2. Submission of application (Sec. 22 and Rule 10). Every application for the issue of a licence shall be in such form as may be prescribed by the Central Government and shall be accompanied by :
      1. A Certificate Practice Statement (CPS) ;
      2. A statement including the procedures with respect to identification of the applicant ;
      3. Payment of non-refundable fee of ` 25,000 ;
      4. Such other documents as may be prescribed by the Central Government.
   3. Validity of licence (Rule 13). A licence shall be valid for a period of 5 years from the date of its issue and the licence shall be non-transferable or non-heritable.
   4. Issuance of licence (Sec. 24 and Rule 16)Note. For details refer point 3 of para 8.3.
   5. Renewal of licence (Sec. 23 and Rule 15). An application for renewal of a licence shall be
      1. in such form as prescribed by the Central Government
      2. accompanied by payment of non-refundable fee of ` 25,000 and
      3. made not less than 45 days before the date of expiry of the period of validity of licence.
   6. Suspension of licence (Sec. 25 and Rule 14)Note. For details refer point 4 of para 8.3
      No Certifying Authority whose licence has been suspended shall issue any electronic signature certificate during such suspension [Sec. 25(3)].

5. Powers of CCA

The Act has conferred the following powers upon the controller of certifying authorities :

1. 1. Power to authorise in writing, the deputy or the assistant controller or any officer to exercise any of his powers (Sec. 27).
   2. Power to investigate any contravention of the Act or rules or regulations made thereunder. [Sec. 28(1)].
   3. Power to direct a certifying authority or any employee of such authority to take such measures or to cease to carry on such activities if these are necessary to ensure compliance with the provisions of the Act, rules or any regulations made thereunder [Sec. 68(1)].
   4. Power to direct any agency of the government to intercept any information transmitted through any computer resource if it is necessary in the interest of the sovereignty or integrity of India, security of state, friendly relations with foreign state etc. [Sec. 69(1)].
   5. Power to issue directions for blocking the public access of any information through any computer resource in the circumstances given under point No. 4 (Sec. 69A).
   6. Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security (Sec. 69B).
   7. Power to make regulations for carrying out the purposes of this Act after consultation with the cyber regulatory advisory committee and previous approval of Central Government. The regulations may pertain to the following :
      1. Particulars regarding maintenance of database containing disclosure of record of every CA [Sec. 18(n)]
      2. Conditions and recognition of Foreign Certifying Authority [Sec. 19(1)].
      3. Terms and conditions for grant of licence to CA [Sec. 21(3)].
      4. Standards to be observed by CA [Sec. 30(d)]
   8. Power to exercise himself or through an authorized officer the following powers which are conferred on Income Tax Authorities under Chapter XIII of the Income Tax Act, 1961 :
      1. Power to inspect, enforce attendance of any person and examine him on oath,
      2. Power to conduct search and seizure,
      3. Power to requisite books of account,
      4. Power to call for information,
      5. Power to inspect and take copies of register of members or debenture holders,
      6. Power to make inquiries.

6. Duties of Certifying Authority (Secs. 30 – 34)

1. 1. To follow certain procedures regarding security system (Sec. 30). The Act has laid down certain procedures relating to security system to be followed by the certifying authority in the performance of its services. It must :
      1. make use of hardware, software, and procedures that are secure from intrusion and misuse ;
      2. provide a reasonable level of reliable services ;
      3. adhere to security procedures to ensure the secrecy and privacy of electronic signatures ;
      4. be the repository of all Electronic Signature Certificates ;
      5. publish information regarding its practices, Electronic Signature Certificates and current status of such certificates ; and
      6. observe the specified standards.

      The above stated security procedures must ensure the achievement of 4 objectives of a security system : Confidentiality, accessibility of information, consistency of information and authorized use of resources.

   2. To ensure compliance of the Act (Sec. 31). The certifying authority must ensure that every person employed or engaged by it complies with the provisions of the Act, rules, regulations or order, made thereunder.
   3. To display its licence (Sec. 32). The certifying authority must display its licence at a conspicuous place in the premises in which it carries on its business.
   4. To surrender its licence (Sec. 33). The certifying authority must surrender its licence to the controller on its suspension or revocation.
   5. To make certain disclosures (Sec. 34). The certifying authority is required to make the following disclosures :
      1. Disclosure of Electronic Signature Certificate ;
      2. Disclosure of Certification Practice Statement (CPS) ;“Certificate Practice Statement” means a statement issued by a certifying authority to specify the practices that the certifying authority employs in issuing electronic signature certificates [Sec. 2(1)(k)]
         It also outlines the CA’s policies, practices and procedures for verifying keys and suspension, revocation and renewal of electronic signature certificates.
      3. Disclosure of notice of revocation and suspension of Certificates of Certifying Authority ;
      4. Disclosure of facts materially and adversely affecting the reliability of electronic signature certificate ;
      5. Disclosure of adverse effects to affected person [Sec. 34(2)]. The authority is bound to disclose to affected person about any event which may materially and adversely affect the integrity of the computer system or the conditions under which electronic signature certificate was granted. The certifying authority is required to act in accordance with the procedure specified in its CPS to deal with such event or situation.

7. Electronic Signature Certificates

According to Sec. 2(1)(tb) ‘Electronic Signature Certificate’ means “an electronic signature certificate issued under section 35 and includes Digital Signature Certificate.”Digital Signature Certificates are the electronic equivalent of physical or paper certificates (e.g., drivers’ licence, passport, membership card etc.). There are basically 3 types of digital signature certificates : Class I, Class II and Class III and each having different level of security.

8. Purpose of Digital Signature Certificate

A digital signature is deemed to be one of the strongest tools for cyber security. It serves the following purposes :

1. 1. It verifies the authenticity of the originator after any electronic message has been created.
   2. A digital message cannot be modified, altered or tempered with and any change to the content will render the signature invalid. Hence, it ensures integrity and confidentiality of the content.
   3. Digital Signature Certificates are legally admissible in a court of law as per the provisions of the IT Act and hence it serves as an evidence under the law and signor cannot repudiate his act subsequently.

9. Contents of Digital Signature Certificate (Rule 7)

A digital signature certificate includes the following :

1. 1. Owner’s name, organisation and location ;
   2. Issuer’s name, organisation and location ;
   3. Date of issue and period of validity ;
   4. Serial number of the certificate ;
   5. Signature algorithm identifier which identifies the algorithm used by CA to sign DSC ;
   6. Public key of the owner ;
   7. Date of expiry ;
   8. The issuer’s public key and the digital signature.

10. Procedures Relating to Electronic Signature Certificate (Secs. 35 – 39)

1. 1. Issue of electronic signature certificate
      1. Making of application. To obtain an electronic signature certificate, an application in the prescribed form shall be made to the certifying authority. The application shall be accompanied :
         1. by such fees not exceeding ` 25,000 as may be prescribed by the Central Government. However, the Central Government may prescribe different fees for different classes of applicants.
         2. by a ‘Certification Practice Statement’ or where there is no such statement, a statement containing such particulars, as may be specified by regulations.
      2. Grant of certificate. The certificate shall be granted only after the authority is satisfied about the information furnished by the applicant. According to section 36 of the Act, a certifying authority has to make a declaration while issuing the DSC that it has complied with the provisions of the Act and that it has fulfilled all other obligations relating to the security of public and private keys of the subscribers.
         The subscriber has to convey his acceptance of the digital signature certificate and its conditions in order to make it valid. A digital signature certificate is normally granted for 1 or 2 years, after which it can be renewed.
      3. Rejection of application. The certifying authority may reject the application for reasons to be recorded in writing. However, no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.
   2. Suspension of Digital Signature Certificate (Sec. 37). The certifying authority which has issued a digital signature certificate may suspend such DSC in the following circumstances :
      1. On the request of a subscriber or the person duly authorized by him. [Sec. 37(1)]
      2. In public interest, if the certifying authority has formed such opinion.
         However, such suspension cannot exceed a period of 15 days unless the subscriber has been given an opportunity of being heard [Sec. 37(2)]. Further, the Certifying Authority shall communicate the suspension to the subscriber [Sec. 37(3)].
   3. Revocation of Digital Signature Certificate (Sec. 38). A certifying authority can revoke a DSC under any of the following circumstances :
      1. On the request of the subscriber or any other person authorized by him.
      2. On the death of the subscriber.
      3. On the dissolution of the firm or winding up of company where subscriber is a firm or a company.
      4. If Certifying Authority is of the opinion that :
         1. a material fact represented in the DSC is false or has been concealed.
         2. a requirement for the issuance of the DSC was not satisfied.
         3. the CA’s private key or security system was compromised in a manner materially affecting the DSC’s reliability.
         4. the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound up or ceased to exist.

A DSC shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter [Sec. 38(1)]. Further, on revocation of a DSC under this section, the authority shall communicate the same to the subscriber [Sec. 38(2)].

Notice of suspension or revocation (Sec. 39)

Where a DSC is suspended or revoked u/s 37 or u/s 38, the CA shall publish a notice of such suspension or revocation in the repository specified in the DSC for publication of such notice [Sec. 39(1)]. Further, where one or more repositories are specified, the CA shall publish notices of such suspension or revocation in all such repositories.

11. Duties of Subscribers

Definition.
According to Sec. 2(1)(zg), “Subscriber” means a person in whose name the electronic signature certificate is issued.Sectio ns 41 to 43 of Chapter VIII of Information Technology Act prescribe the following duties of subscribers who have obtained the Digital Signature Certificate from some certifying authority :

1. Generating Key Pair (Sec. 40). Where any DSC has been accepted by the subscriber, he has a duty to generate the key pair consisting of public key to which private key of the subscriber corresponds and which is to be listed in the digital signature certificate by applying the security procedure prescribed under Section 16.
2. Duty of subscriber of Electronic Signature Certificate (Sec. 40A). In respect of Electronic Signature Certificate the subscriber shall perform such duties as may be prescribed [Inserted vide ITAA, 2008].
3. Acceptance of Digital Signature Certificate (Sec. 41). Acceptance of digital certificate entitles him to the rights under it as well as imposes some obligations upon him. Sub-sections 1 and 2 of Section 41 provide the following provisions relating to acceptance of certificate by the subscriber :
   1. A subscriber shall be deemed to have accepted a DSC if he publishes or authorizes the publication of Digital Signature Certificate :
      1. to one or more persons ;
      2. in a repository, or otherwise demonstrates his approval of DSC in any manner.
   2. Acceptance of DSC amounts to certification by the subscriber to all who rely on the information contained there-in that :
      1. the subscriber holds and is entitled to hold the private key corresponding to the public key listed in the DSC.
      2. all representations made by the subscriber to the CA and all information contained in the DSC are true.
      3. all information contained in the DSC that is within the knowledge of the subscriber is true.
4. Control of Private Key (Sec. 42). Sub-sections (1) and (2) of Section 42 lay down the following duties of the subscriber relating to the control of private key :
   1. Duty to exercise reasonable care to retain control of the private key corresponding to the public key listed in the DSC.
      1. Duty to take all steps to prevent disclosure of private key.
      2. If the private key has been compromised (lost), duty to communicate the same to the certifying authority without any delay.

In case of compromise of private key till such information is given to the certifying authority, the subscriber shall continue to be liable [Explanation to Sec. 42(2)].