Regulation of Certifying Authorities, Electronic Signature Certificates and Duties of Subscribers under the Information Technology (Amendment) Act, 2008

UNIT 5

Regulation of Certifying Authorities under the Information Technology (Amendment) Act, 2008 (hereinafter referred to as "the Act") has been assigned to the Controller of Certifying Authorities by the Central Government. The Deputy Controllers, Assistant Controllers and other officers are also appointed by the Central Government to perform functions assigned to them by the Controller. The Controller has to exercise supervision over the activities of the Certifying Authorities. The Controller has to certify the public keys of the Certifying Authorities as well as lay down standards to be maintained by the Certifying Authorities. The Controller also lays down the duties of the Certifying Authorities and resolves conflicts of interest between them and the subscribers. The Controller has various other functions with respect to the Certifying Authorities which are provided in the Act.

The Act provides that any person can make an application to the Controller for a license to issue Electronic Signature Certificates in India. However, no license can be issued unless the applicant fulfills the requirements with respect to qualifications, expertise, manpower, financial resources and other infrastructure facilities which may be prescribed by the Central Government. Every application for issue of a license has to be accompanied by a certification practice statement, payment of fees and other documents as may be prescribed by the Central Government. Further, renewal of a license also has to be in accordance with the form and fees prescribed by the Central Government and shall not be made less than forty-five days before the date of expiry of the period of validity of the license.

The Controller has the discretion to accept or reject the application for grant of license. In case of rejection, the applicant has to be given a reasonable opportunity of presenting his case. The Controller also has the power to suspend a license if, after an inquiry, he is satisfied that the Certifying Authority has made false, incorrect statements, failed to comply with the terms and conditions subject to which the license was granted, failed to follow certain procedures prescribed in the Act or contravened any provisions of the Act, rules, regulations or orders made. However, the Certifying Authority has to be given a reasonable opportunity of being heard before revocation of the license. The Controller also has to publish the notice of such suspension or revocation in the database maintained by him. The Controller can delegate his powers to a Deputy Controller, Assistant Controller or any other officer. The delegation has to be in writing. The Controller or any officer authorized by him shall exercise powers which are conferred on Income-tax authorities under chapter XIII of the Income-Tax Act 1961. The Controller or any person authorized by him shall have access to any computer system or data connected with that system if he has reasonable cause to suspect any contravention of chapter VI of the Act.

The Controller is authorized to recognize any Foreign Certifying Authority as a Certifying Authority for the purposes of the IT Act. However, such an approval requires the previous approval of the Central Government and is required to be notified in the Official Gazette. Such recognition can be revoked by the Controller if the Foreign Certifying Authority contravenes any of the conditions and restrictions subject to which it was granted recognition. The reasons for such revocation are required to be recorded in writing and the revocation is required to be notified in the Official Gazette. The Act has made the Certifying Authorities the repository of all electronic signature certificates issued under the Act. The Certifying Authorities have to follow certain procedures prescribed in the Act and also have to ensure that every person employed by them complies with the Act. The Certifying Authority has to display its license at a conspicuous place of the business premises. Every Certifying Authority shall disclose information as required under The Information Technology (Certifying Authority) Regulations 2001. The Certifying Authorities shall also comply with the security guidelines provided under The Information Technology (Certifying Authorities) Rules 2000.

In the event of surrender or revocation of his license, the Certifying Authority shall immediately surrender the license to the Controller, failing which he shall be guilty of an offence and punishable with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or both.

Electronic Signature Certificates

Any person can make an application to the Certifying Authority for the issuance of an Electronic Signature Certificate. The application must be accompanied by a certification practice statement or a statement containing specified particulars as may be specified by the Regulations. The Central Government prescribes different fees for different classes of applicants. The Certifying Authority has to give a reasonable opportunity to the applicant of being heard in the event of rejection of the application. A Digital Signature Certificate issued by a Certifying Authority can be revoked if the subscriber or any person authorized by him makes a request to that effect or upon the death of the subscriber or upon the dissolution of the firm or company which is the subscriber. The Certifying Authority can also revoke a Digital Signature Certificate which has been issued by it if it is of the opinion that a material fact represented in the Digital Signature Certificate is false or has been concealed or there has been any violation of the provisions as stated in section 38 of the Act. The Certifying Authority has to publish a notice of suspension or revocation in the repository specified in the Digital Signature Certificate.

Duties of Subscribers

With respect to the Electronic Signature Certificate, the subscriber has to perform such duties as may be prescribed by the Act. Further, every subscriber has to exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate. He has to take all steps to prevent its disclosure. In the event of the private key being compromised, the subscriber has to communicate the same immediately to the Certifying Authority as specified by the Regulations. The subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.
