CHAPTER VI: REGULATION OF CERTIFYING AUTHORITIES

Communication over the internet raises problems of integrity, authentication and
confidentiality, both of the communication channels and of the processes that run
over them. The Information Technology Act, 2000 accorded legal recognition to
digital signatures, after which digital signatures are treated on a par with
handwritten signatures. The success of electronic transactions depends on the
trust that the transacting parties place in the security of the transmission and
the content of their communications; the issues of authenticity, non-repudiation,
confidentiality and integrity therefore arise in every such transaction. The
question then is which authority can vouch for a signer's identity and perform
the functions relating to it. There must be an authority which confirms that the
key used to create a particular digital signature belongs to a specific signer.
The answer takes the form of one or more trusted third parties which are
entrusted with the signers' public keys and can certify that a given digital
signature belongs to a specific signer. Such an authority is known as the
"certifying authority".

Definition of a Certifying Authority.

Section 2(1)(g) of the Information Technology Act, 2000 defines a certifying
authority as "a person who has been granted a licence to issue an Electronic
Signature Certificate under section 24". Section 24 of the Act in turn lays down
that the Controller grants a licence to a certifying authority on receipt of an
application under sub-section (1) of section 21, after considering the documents
accompanying the application and such other factors as he deems fit. Sub-section
(2) of section 21 requires that the applicant fulfil such requirements with
respect to qualification, expertise, manpower, financial resources and other
infrastructure facilities, necessary to issue Digital Signature Certificates, as
may be prescribed by the Central Government.
Some cyber legislations use the term "certification authority" in place of
"certifying authority". For example, the Electronic Transactions Ordinance 2004
of Hong Kong defines a "certification authority" as "a person who issues a
certificate to a person (who may be another certification authority)" [Section
2]. The Electronic Transactions Law, 2004 of the Union of Myanmar also uses the
term certification authority and defines it as "a person or an organization that
has been granted a licence by the Control Board under this Law for services in
respect of the electronic signature" [Section 2(g)]. The Security Guidelines for
Certification Authorities, 1999 of Singapore define a Certification Authority
(CA) as "the relied-upon entity that issues, publishes, suspends and revokes a
certificate. The CA's basic role is to verify and vouch for the identity of the
subscriber and to provide certificate management services. The CA may delegate
the registration and publication functions to a registration authority or
repository service provider. References to CA include RA and repository service
provider unless otherwise stated".
Under the Electronic Transactions Act, 1998 of Singapore, it is defined as "a
person who or an organization that issues a certificate". The German Digital
Signature Act, 1997 (published in the Bundesgesetzblatt) defines it as "a natural
or legal person who certifies the assignment of public signature keys to natural
persons and to this end holds a licence pursuant to § 4 of this Act" [§ 2(2)].
The California Code of Regulations, 1998 provides that "Certification Authority
means a person or entity that issues a certificate, or in the case of certain
certification processes, certifies amendments to an existing certificate"
[22003.a.1.E].
As per the definition in the Act, a certifying authority can issue a digital
signature certificate only after obtaining from the Controller a licence to
issue such certificates. Apart from the Act, the Information Technology
(Certifying Authorities) Rules, 2000 and the Information Technology (Certifying
Authority) Regulations, 2001 also lay down guidelines governing certifying
authorities.

Ambit and Scope of the Chapter. The chapter deals with the regulation and
governance of certifying authorities. It also lays down who will exercise
control over these authorities, under four heads:

1. Appointment of Controller and Other Officers;
2. Provisions Pertaining to Digital Signature Certificates;
3. Powers of the Controller; and
4. Procedure and Compliances by the Certifying Authority.

Who is a Controller?
Under the Information Technology Act, 2000, the Controller is defined as "the
Controller of Certifying Authorities appointed under sub-section (1) of section
17" [Section 2(1)(m)]. Under section 17 of the Act, the Central Government is
authorized to appoint, by notification in the Official Gazette, a Controller of
Certifying Authorities and such number of Deputy Controllers and Assistant
Controllers as it deems fit for the purposes of the Act. By contrast, Directive
95/46/EC of the European Parliament and of the Council uses "controller" in a
different, data-protection sense: "the natural or legal person, public authority,
agency or any other body which alone or jointly with others determines the
purposes and means of the processing of personal data; where the purposes and
means of processing are determined by national or Community laws or regulations,
the controller or the specific criteria for his nomination may be designated by
national or Community law" [Article 2(d)]. That definition describes the entity
responsible for personal data, not a regulator of certification authorities, and
is noted here only to show how the same word is used elsewhere. Section 2(b) of
the Electronic Transactions (Amendment) Act, 2009 of Mauritius refers to section
37 of that Act.
Clause (1) of section 37 lays down that for the purposes of that Act there shall
be a Controller of Certification Authorities, and clause (2) provides that "for
the purposes of this Act, the ICT Authority shall be the Controller and may be
assisted by such of its officers and other members of its staff as may be
necessary".
Taking note of the provisions of these various legislations, a clear definition
of "controller" emerges. Under the IT Act, 2000, the Controller is the Controller
of Certifying Authorities appointed by the Central Government by notification in
the Official Gazette. The Controller discharges his functions subject to the
general control and directions of the Central Government. The Office of the CCA
came into existence on November 1, 2000; it aims at promoting the growth of
e-commerce and e-governance through the wide use of digital signatures. Section
57 of the Information Technology Act, 2000 vests in the Cyber Appellate Tribunal
the jurisdiction to hear appeals from the orders of the Controller, and the
Tribunal has been set up with the express and limited purpose of providing a
party aggrieved by an order of the Controller a forum in which to seek redress.
A complaint filed before the Controller of Certifying Authorities does not
satisfy the requirement of a complaint before the Adjudicating Officer for the
purpose of adjudication under the Information Technology Act; the appellant is
required to file the complaint before the Adjudicating Officer who has
jurisdiction to decide disputes of that nature (Mascon Global Limited v.
Controller of Certifying Authorities, GMAIL.COM and Google Inc.,
MANU/CY/0006/2010).
