REGULATION CERTIFYING AUTHORITIES
REGULATION
CERTIFYING AUTHORITIES
1.
Appointment of Controller and other officers
(1) The
Central Government may, by notification in the Official Gazette, appoint a
Controller of Certifying Authorities for the purpose of this Act and may also
by the same or subsequent notification appoint such of Deputy Controllers and
Assistant Controllers as it deems fit.
(2) The
Controller shall discharge his functions under this Act subject to the general
control and directions of the Central Government.
(3) The
Deputy Controllers and Assistant Controllers shall perform the functions
assigned to them by the Controller under the general superintendence and
control of the Controller.
(4) The
qualifications, experience and terms and conditions of service of Controller,
Deputy Controllers and Assistant Controllers shall be such as may be prescribed
by the Central Government.
(5) The Head
Office and Branch Office of the office of the Controller shall be at such
places as the Central Government may specify, and these may be established at
such places as the Central Government may think fit.
(6) There
shall be a seal of the Office of the Controller.
2. Functions
of Controller
The
Controller may perform all or any of the following functions, namely:-
(a)
exercising supervision over the activities of the Certifying functions, namely
:-
(b)
certifying public keys of the Certifying Authorities;
(c) laying
down the standards to be maintained by the Certifying Authorities;
(d)
specifying the qualifications and experience which employees of the Certifying
Authority should possess;
(e)
specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
(f)
specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of a Digital
Signature Certificate and the public key;
(g)
specifying the form and content of a Digital Signature Certificate and the key;
(h)
specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;
(i)
specifying the terms and conditions subject to which auditors may be appointed
and the remuneration to be paid to them;
(j) facilitating
the establishment of any electronic system by a Certifying Authority either
solely or jointly with other Certifying Authorities and regulation of such
systems;
(k)
specifying the manner in which the Certifying Authorities shall conduct their
dealings with the subscribers;
(l)
resolving any conflict of interests between the Certifying Authorities and the
subscribers;
(m) laying
down the duties of the Certifying Authorities;
(n)
maintaining a data base containing the disclosure record of every Certifying
Authority containing such particulars as may be specified by regulations, which
shall be accessible to public.
3.
Recognition of foreign Certifying Authorities
(1) Subject
to such conditions and restrictions as may be specified by regulations, the
Controller may with the previous approval of the Central Government, and by
notification in the Official Gazette, recognise any foreign Certifying
Authority as a Certifying Authority for the purpose of this Act.
(2) Where
any Certifying Authority is recognised under sub-section (1), the Digital
Signature Certificate issued by such Certifying Authority shall be valid for
the purposes of this Act.
(3) The
Controller may, if he is satisfied that the Certifying Authority has
contravened any of the conditions and restrictions subject to which it was
granted recognition under sub-section (1) he may, for reasons to be recorded in
writing in the Official Gazette, revoke such recognition.
4. Controller
to act as repository
(1) The
Controller shall be the repository of all Digital Signature Certificates issued
under this Act.
(2) The
Controller shall-
(a) make use
of hardware, software and procedures that are secure from intrusion and misuse;
(b) observe
such other standards as may be prescribed by the Central Government, to ensure
that the secrecy and security of the digital signatures are assured.
(3) The
Controller shall maintain a computerised data base of all public keys in such a
manner that such data base and the public keys are available to any member of
the public.
5. Licence
to issue Digital Signature Certificates
(1) Subject
to the provisions of sub-section (2), any person may make an application, to
the Controller, for a licence to issue Digital Signature Certificates.
(2) No
licence shall be issued under sub-section (1), unless the applicant fulfills
such requirements with respect to qualification, expertise, manpower, financial
resources and other infrastructure facilities, which are necessary to issue
Digital signature Certificates as may be prescribed by the Central Government.
(3) A
licence granted under this sections shall-
(a) be valid
for such period as may be prescribed by the Central Government;
(b) not be
transferable or heritable;
(c) be
subject to such terms and conditions as may be specified by the regulations.
6.
Application for licence
(1) Every
application for issue of a licence shall be in such form as may be prescribed
by the Central Government.
(2) Every
application for issue of a licence shall be accompanied by-
(a) a
certification practice statement;
(b) a
statement including the procedures with respect to identification of the
applicant;
(c) payment
of such fees, not exceeding twenty-five thousand rupees as may be prescribed by
the Central Government;
(d) such
other documents, as may be prescribed by the Central Government.
7. Renewal
of licence
An
application for renewal of a licence shall be-
(a) in such
form;
(b)
accompanied by such fees, not exceeding five thousand rupees, as may be
prescribed by the Central Government and shall be made not less than forty-five
days before the date of expiry of the period of validity of the licence.
8. Procedure
for grant or rejection of licence
The Controller
may, on receipt of an application under sub-section (1) of section 21, after
considering the documents accompanying the application and such other factors,
as he deems fit, grant the licence or reject the application: Provided that no
application shall be rejected under this section unless the applicant has been
given a reasonable opportunity of presenting his case.
9.
Suspension of licence
(1) The
Controller may, if he is satisfied after making such inquiry, as he may think
fit, that a Certifying Authority has,-
(a) made a
statement in, or in relation to, the application for the issue or renewal of
the licence, which is incorrect or false in material particulars;
(b) failed
to comply with the terms and conditions subject to which the licence was
granted;
(c) failed
to maintain the standards specified under clause (b) of sub-section
(2) of
section 20;
(d)
contravened any provisions of this Act, rule, regulation or order made
thereunder, revoke the licence :
Provided
that no licence shall be revoked unless the Certifying Authority has been given
a reasonable opportunity of showing cause against the proposed revocation.
(2) The
Controller may, if he has reasonable cause to believe that there is any ground
for revoking a licence under sub-section (1), by order suspend such licence
pending the completion of any inquiry ordered by him : Provided that no licence
shall be suspended for a period exceeding ten days unless the Certifying
Authority has been given a reasonable opportunity of showing cause against the
proposed suspension.
(3) No
certifying Authority whose licence has been suspended shall issue any Digital
Signature Certificate during such suspension.
10. Notice
of suspension or revocation of licence
(1) Where
the licence of the Certifying Authority is suspended or revoked, the Controller
shall publish notice of such suspension or revocation, as the case may be, in
the data base maintained by him.
(2) Where
one or more repositories are specified, the Controller shall publish notices of
such suspension or revocation, as the case may be, in all such repositories:
Provided that the data base containing the notice of such suspension or
revocation, as the case may be, shall be made available through a web site
shall be accessible round the clock : Provided further that the Controller may,
if he considers necessary, publicise the contents of data base in such
electronic or other media, as he may consider appropriate.
11. Power to
delegate
The
Controller may, in writing, authorise the Deputy Controller, Assistant
Controller or any officer to exercise any of the powers of the Controller under
this Chapter.
12. Power to
investigate contraventions
(1) The
Controller or any officer authorised by him in this behalf shall take up for
investigation any contravention of the provisions of this Act, rules or
regulations made thereunder.
(2) The
Controller or any officer authorised by him in this behalf shall exercise the
like powers which are conferred on Income-tax authorities under Chapter XIII of
the Income-tax Act, 1961 and shall exercise such powers, subject to such
limitation laid down under that Act.
13. Access
to computers and data
(1) Without
prejudice to the provisions of sub-section (1) of section 69, the Controller or
any person authorised by him shall, if he has reasonable cause to suspect that
nay contravention of the provisions of this Act, rules or regulations made
thereunder has been committed, have access to any computer system, any
apparatus, data or any other material connected with such system, for the
purpose of searching or causing a search to be made for obtaining any
information or data contained in or available to such computer system.
(2) For the
purpose of sub-section (1), the Controller or any person authorised by him may,
by order, direct any person incharge of, or otherwise concerned with the
operation of, the computer system, data apparatus or material, to provide him
with such reasonable technical and other assistance as he may consider
necessary.
14.
Certifying Authority to follow certain procedures
Every
Certifying Authority shall,-
(a) make use
of hardware, software and procedures that are secure from intrusion and misuse;
(b) provide
a reasonable level of reliability in its services which are reasonably suited
to the performance of intended functions;
(c) adhere
to security procedures to ensure that the secrecy and privacy of the digital
signatures are assured; and
(d) observe
such other standards as may be specified by regulations.
15.
Certifying Authority to ensure compliance of the Act, etc.
Every
Certifying Authority shall ensure that every person employed or otherwise
engaged by it complies, in the course of his employment or engagement, with the
provisions of this Act, rules, regulations and orders made thereunder.
16. Display
of licence
Every
Certifying Authority shall display its licence at a conspicuous place of the
premises in which it carries on its business.
17.
Surrender of licence
(1) Every
Certifying Authority whose licence is suspended or revoked shall immediately
after such suspension or revocation, surrender the licence to the Controller.
(2) Where
any Certifying Authority fails to surrender a licence under sub-section (1),
the person in whose favour a licence is issued, shall be guilty of an offence
and shall be punished with imprisonment which may extend up to six months or a
fine which may extend up to ten thousand rupees or with both.
18.
Disclosure
(1) Every
Certifying Authority shall disclose in the manner specified by regulations-
(a) its
Digital Signature Certificate which contains the public key corresponding to
the private key used by that Certifying Authority to digitally sign another
Digital Signature Certificate;
(b) any
certification practice statement relevant thereto;
(c) notice
of the revocation or suspension of its Certifying Authority certificate, if
any; and
(d) any
other fact that materially and adversely affects either the reliability of a
Digital Signature Certificate, which that Authority has issued, or the
Authority's ability to perform its services.
(2) Where in
the opinion of the Certifying Authority any event has occurred or any situation
has arisen which may materially and adversely affect the integrity of its
computer system or the conditions subject to which a Digital Signature
Certificate was granted, then, the Certifying Authority shall-
(a) use reasonable
efforts to notify any person who is likely to be affected by that occurrence;
or
(b) act in
accordance with the procedure specified in its certification practice statement
to deal with such event or situation.