CERTIFYING AUTHORITY IN CYBER LAW(PART 2)

A Certificate Authority (or Certification Authority) is an entity that issues digital certificates that contain a public key and therefore the identity of the owner. The private key is not made available to the public in general but kept secret by the end-user who generates the key pair. Further, the certificate is also working as a confirmation or validation by the Certificate Authority that the general public key in the given certificate belongs to the person, organization, server or other entity noted under the certificate. [Public Key Infrastructure: Public Key Infrastructure (PKI) is a technology for authenticating users and devices within the digital world. The essential idea is to possess one or more trusted parties digitally sign documents certifying that a selected cryptographic key belongs to a selected user or device.]

Rule 10 of Information Technology (Certifying Authorities) Rules, 2000 deals with the ‘Submission of Application’ for the Certifying Authority, it provides that every application shall be made to the Controller in the form provided in Schedule I of the rule.

Following documents are to be attached with the application:

a) a Certification Practice Statement (CPS);

b) a press release including the procedures with reference to identification of the applicant;

c) a press release for the aim and scope of anticipated Digital Signature Certificate technology, management, or operations to be outsourced;

d) certified copies of the business registration documents of Certifying Authority that intends to be licensed;

e) an outline of any event, particularly current or past insolvency, that would materially affect the applicant’s ability to act as a Certifying Authority;

f) an undertaking by the applicant that to its best knowledge and belief it can and can suits the wants of its Certification Practice Statement;

g) an undertaking that the Certifying Authority’s operation wouldn’t commence until its operation and facilities related to the functions of generation, issue and management of Digital Signature Certificate are audited by the auditors and approved by the Controller in accordance with rule 20;

h) an undertaking to submit a surety bond or banker’s guarantee in accordance with sub-rule (2) of rule 8 within one month of Controller indicating his approval for the grant of licence to operate as a Certifying Authority; and

i) any other information required by the Controller.

Rule 11 of Information Technology (Certifying Authorities) Rules, 2000 provides that for the grant of licence or for the renewal of the licence a non-refundable fee of twenty-five thousand rupees payable by a bank draft or by a pay order drawn in the name of the Controller, with the application.

• Section 21 further provides that No licence shall be issued unless the applicant fulfils such requirements with reference to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue electronic signature Certificates.

It further provides that A licence granted under this section shall

a) be valid for such period as could also be prescribed by the Central Government;

b) not be transferable or heritable;

c) be subject to such terms and conditions as could also be specified by the regulations.

• Rule 13 of Information Technology (Certifying Authorities) Rules, 2000 deals with ‘Validity of licence’ and provides that’

1) A licence shall be valid for a period of 5 years from the date of its issue.

2) The licence shall not be transferable.

• Section 23 of the Act and Rule 15 of Information Technology (Certifying Authorities) Rules, 2000 deals with ‘Renewal of licence’ and provides that A Certifying Authority shall submit an application for the renewal of its licence not less than forty-five days before the date of expiry of the period of validity of licence and the application shall be accompanied by fees not exceeding five thousand.

• Section 24 of the Act deals with ‘Procedure for grant or rejection of licence’ and Rule 16 & 17 of Information Technology (Certifying Authorities) Rules, 2000 deals with ‘Issuance of Licence’ & ‘Refusal of Licence’.

It is provided that the Controller may, within four weeks from the date of receipt of the application, after considering the documents accompanying the application and such other factors, as he may deem fit, grant or renew the licence or reject the appliance . However, no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case. Further, in exceptional circumstances and for reasons to be recorded in writing, the period of four weeks may be extended to such period, not exceeding eight weeks in all as the Controller may deem fit. If the application for licensed Certifying Authority is approved, the applicant shall (Rule 16):

a) submit a performance bond or furnish a banker’s guarantee within one month from the date of such approval to the Controller; and b) execute an agreement with the Controller binding himself to comply with the terms and conditions of the licence and the provisions of the Act and the rules.The Controller may refuse to grant or renew a licence if (Rule 17):

(i) the applicant has not provided the Controller with such information concerning its business, and to any

circumstances likely to affect its method of conducting business, because the Controller may require; or

(ii) the applicant is within the course of being aroused or liquidated; or

(iii) a receiver has, or a receiver and manager have, been appointed by the court in respect of the applicant; or

(iv) the applicant or any trusted person has been convicted, whether in India or out of India, of an offence the conviction that involved a finding that it or such trusted person acted fraudulently or dishonestly, or has been convicted of an offence under the Act or these rules; or (v) the Controller has invoked surety bond or banker’s guarantee; or

(vi) a Certifying Authority commits breach of, or fails to watch and suits , the procedures and practices as per the Certification Practice Statement; or

(vii) a Certifying Authority fails to conduct, or doesn’t submit, the returns of the audit; or

(viii) the audit report recommends that the Certifying Authority isn’t deserve continuing Certifying Authority’s operation; or

(ix) a Certifying Authority fails to suits the directions of the Controller.

  • Section 25 of the Act and Rule 14 of Information Technology (Certifying Authorities) Rules, 2000 deals with ‘Suspension of licence’, it is provided that, the Controller may revoke the licence, if he is satisfied after making
  • an inquiry, that a Certifying Authority has:

a) made a press release in, or in reference to , the appliance for the difficulty or renewal of the licence, which is wrong or false in material particulars;

b) did not suits the terms and conditions subject to which the licence was granted;

c) did not maintain the procedures and standards laid out in section 30;

d) contravened any provisions of this Act, rule, regulation or order made.

However, he cannot revoke a licence unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation. Further, the Controller may by order suspend such licence pending the completion of any enquiry ordered by him, if he has reasonable cause to believe that there is any ground for revoking a licence. However, he cannot suspend a licence for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.

Any Certifying Authority shall not issue any electronic signature Certificate during such suspension.

  • The notice for suspension and revocation of licence is given under Section 26 of the Act.
  • Under Section 28 of the Act, the Controller or any officer authorised by him, can take up investigation for any contravention of the provisions of this Act, rules or regulation.
  • Section 30 provides certain that are to be followed by the Certifying Authority, they shall:

a) make use of hardware, software and procedures that are secure from intrusion and misuse;

b) provide an inexpensive level of reliability in its services which are reasonably suited to the performance of intended functions;

c) adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured;

  • be the repository of all electronic signature Certificates issued under this Act;
  • publish information regarding its practices, electronic signature Certificates and current status of such certificates; and

d) observe such other standards as could also be specified by regulations.

Aishwarya Says:

I have always been against Glorifying Over Work and therefore, in the year 2021, I have decided to launch this campaign “Balancing Life”and talk about this wrong practice, that we have been following since last few years. I will be talking to and interviewing around 1 lakh people in the coming 2021 and publish their interview regarding their opinion on glamourising Over Work.

If you are interested in participating in the same, do let me know.

Do follow me on FacebookTwitter  Youtube and Instagram.

The copyright of this Article belongs exclusively to Ms. Aishwarya Sandeep. Reproduction of the same, without permission will amount to Copyright Infringement. Appropriate Legal Action under the Indian Laws will be taken.

If you would also like to contribute to my website, then do share your articles or poems at adv.aishwaryasandeep@gmail.com

We also have a Facebook Group Restarter Moms for Mothers or Women who would like to rejoin their careers post a career break or women who are enterpreneurs.

You may also like to read:

Search and Seizure in Cyber Crime Cases

Data Privacy Law

Cyber Crime During Pandemic

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: