chapter VI.doc


  • 8/7/2019 chapter VI.doc


    CHAPTER VI - REGULATION OF CERTIFYING AUTHORITIES.

    The world of the internet has the problems of integrity, authentication and confidentiality of communication channels and processes. The Information Technology Act, 2000 accorded legal recognition to Digital Signatures, after which Digital Signatures are being treated at par with handwritten signatures. The success of electronic transactions depends on the trust that the transacting parties place in the security of the transmission and content of their communications. Therefore the issues of authenticity, non-repudiability, confidentiality and integrity arise in such transactions. The question arises as to an authority who can authenticate the identity and the functions relating to that. There should be an authority who confirms that a particular digital signature belongs to a specific signer.

    The answer to the question comes in the form of one or more third parties, who are the authorities that dispense the public keys and who can authenticate that a digital signature belongs to a specific signer. Such an authority is known as the "certifying authority".

    Definition of a Certifying Authority.

    Section 2(1)(g) of the Information Technology Act, 2000 defines a certifying officer as a person who has been granted a license to issue an Electronic Signature Certificate under section 24. With regard to this, section 24 of the Act lays down that a certifying authority is granted a license by the Controller after receiving an application to grant a license under sub-section (1) of section 21 and considering the documents accompanying the application and such other factors as he deems fit. Sub-section (2) of section 21 says that an applicant must fulfil such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates, as may be prescribed by the Central Government.

    Some of the cyber legislations use the term certification authority in place of certifying authority. For example, under the Electronic Transactions Ordinance 2004 of Hong Kong, the term "certification authority" has been defined as a person who issues a certificate to a person (who may be another certification authority) [under Section 2]. The Electronic Transactions Law, 2004 of the Union of Myanmar also uses the term certification authority and defines it as a person or an organization that has been granted a licence by the Control Board under this Law for services in respect of the electronic signature [Section 2(g)]. The Security Guidelines for Certification Authorities, 1999 of Singapore define a Certification Authority (CA) as the relied-upon entity that issues, publishes, suspends and revokes a certificate. The CA's basic role is to verify and vouch for the identity of the subscriber and to provide certificate management services. The CA may delegate the registration and publication functions to a registration authority or repository service provider. References to CA include RA and repository service provider unless otherwise stated.

    Under the Electronic Transactions Act of 1998 of Singapore, it has been defined as "a person who or an organization that issues a certificate". The Digital Signatures Act, 1997 of Bundesgesetzblatt defines it as a natural or legal person who certifies the assignment of public signature keys to natural persons and to this end holds a licence pursuant to section 4 of this Act [under section 2(2)]. The California Code of Regulations, 1998 says "Certification Authority means a person or entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate" [under 22003.a.1.E].

    As per the definition provided under the Act, the certifying authority can only issue a digital signature certificate after he gets the license from the Controller to issue such certificates. Apart from the Act, the Information Technology (Certifying Authorities) Rules, 2000 and the Information Technology (Certifying Authority) Regulations, 2001 also provide guidelines governing the Certifying Authorities.

    Ambit and Scope of the Chapter.

    The chapter deals with the regulation and governance of the certifying authorities. It also lays down who will exercise control over these authorities:

    1. Appointment of Controller and Other Officers;

    2. Provisions Pertaining to Digital Signature Certificates;

    3. Powers of the Controller; and

    4. Procedure and Compliances by the Certifying Authority.

    Who is a Controller?

    Under the Information Technology Act, 2000, the controller has been defined as the Controller of Certifying Authorities appointed under sub-section (1) of section 17 [under Section 2(1)(m)]. Further, under section 17 of the Act, the Central Government has been authorized to appoint a Controller of Certifying Authorities and such number of Deputy Controllers and Assistant Controllers as it deems fit for the purposes of the Act, by notification in the Official Gazette. In Directive 95/46/EC of the European Parliament and of the Council, it has been defined as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law [under Article 2(d)]. Under section 2(b) of the Electronic Transactions (Amendment) Act, 2009 of Mauritius, reference has been made to section 37 of the Act.

    In furtherance of this, clause (1) of section 37 lays down that for the purposes of this Act, there shall be a Controller of Certification Authorities. Clause (2) of this section says that for the purposes of this Act, the ICT Authority shall be the Controller and may be assisted by such of its officers and other members of its staff as may be necessary.

    Taking note of the provisions in the various legislations, a clear definition of controller emerges. Under the IT Act, 2000, controller refers to the Controller of Certifying Authorities as appointed by the Central Government, by notification in the Official Gazette. The Controller has the duty to discharge his functions subject to the general control and directions of the Central Government. The Office of the CCA came into existence on November 1, 2000. It aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures. Section 57 of the Information Technology Act, 2000 vests in the Cyber Appellate Tribunal the jurisdiction to hear appeals from the orders of the Controller, and the Appellate Tribunal has been set up with the express and limited purpose of providing any party aggrieved by an order of the Controller a forum to seek redress. Any complaint filed before the Controller of Certifying Authorities will not serve the requirement of a complaint before the Adjudicating Officer for the purpose of adjudication under the Information Technology Act. The appellant is required to file a complaint before the Adjudicating Officer who has the jurisdiction for deciding disputes of such nature (Mascon Global Limited v. Controller of Certifying Authorities, GMAIL.COM and Google Inc. MANU/CY/0006/2010).