CHAPTER VI
REGULATION OF CERTIFYING AUTHORITIES
17. Appointment of Controller and other officers.
(1) The Central Government may, by notification in the Official
Gazette, appoint a Controller of Certifying Authorities for the purposes of this
Act and may also by the same or subsequent notification appoint such number of
Deputy Controllers and Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act
subject to the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform
the functions assigned to them by the Controller under the general
superintendence and control of the Controller.
(3a) The qualifications, experience and terms and conditions of
service of Controller, Deputy Controller and Assistant Controller shall be such
as may be prescribed by the Central Government.
(4) The Head Office and Branch Offices of the office of the
Controller shall be at such places as the Central Government may specify, and
there may be established at such places as the Central Government may think fit.
(5) There shall be a seal of the Office of the Controller.
Functions of Controller.
18. The Controller may perform all or any of the following functions,
namely:—
(a) exercising supervision over the activities of the Certifying
Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) specifying the qualifications and experience which employees of
the Certifying Authorities should possess;
(d) specifying the conditions subject to which the Certifying
Authorities shall conduct their business;
(e) specifying the content of written, printed or visual material and
advertisements that may be distributed or used in respect of a Digital Signature
Certificate and the Public Key;
(f) specifying the form and content of a Digital Signature
Certificate and the key;
(g) specifying the form and manner in which accounts shall be
maintained by the Certifying Authorities;
(h) specifying the terms and conditions subject to which auditors
may be appointed and the remuneration to be paid to them;
(i) facilitating the establishment of any electronic system by a
Certifying Authority either solely or jointly with other Certifying Authorities
and regulation of such systems;
(j) specifying the manner in which the Certifying Authorities shall
conduct their dealings with the subscribers;
(k) resolving any conflict of interests between the Certifying
Authorities and the subscribers;
(l) laying down the duties of the Certifying Authorities;
(m) maintaining a data-base containing the disclosure record of every
Certifying Authority containing such particulars as may be specified by
regulations, which shall be accessible to public.
19. Recognition of foreign Certifying Authorities
(1) Subject to such conditions and restrictions as may be specified
by regulations, the Controller may with the previous approval of the Central
Government, and by notification in the Official Gazette, recognise any
Certifying Authority as a Certifying Authority for the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section
(1), the Digital Signature Certificate issued by such Certifying Authority shall
be valid for the purposes of this Act.
(3) The Controller may if he is satisfied that any Certifying
Authority has contravened any of the conditions and restrictions subject to
which it was granted recognition under sub-section (1) he may, for reasons to be
recorded in writing, by notification in the Official Gazette, revoke such
recognition.
20. Controller to act as repository.
(1) The Controller shall be the
repository of all Digital Signature Certificates issued under this Act.
(2) The Controller shall—
(a) make use of hardware, software and procedures that are secure
from intrusion and misuse;
(b) observe such other standards as may be prescribed by the Central
Government,
to ensure that the secrecy and security of the digital signatures
are assured.
(3) The Controller shall maintain a computerised data-base of all
public keys in such a manner that such database and the public keys are
available to any member of the public.
21. Licence to issue Digital Signature Certificates
(1) Subject to the provisions of sub-section (2), any person may
make an application, to the Controller, for a licence to issue Digital Signature
Certificates.
(2) No licence shall be issued under sub-section (1), unless the
applicant fulfills such requirements with respect to qualification, expertise,
manpower, financial resources and other infrastructure facilities, which are
necessary to issue Digital Signature Certificates as may be prescribed by the
Central Government.
(3) A licence granted under this section shall—
(a) be valid for such period as may be prescribed by the Central
Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by
the regulations.
22. Application for Licence
(1) Every application for issue of a licence shall be in such form
as may be prescribed by the Central Government.
(2) Every application for issue of a licence shall be accompanied
by-
(a) a certification practice statement;
(b) a statement including the procedures with respect to
identification of the applicant;
(c) payment of such fees, not exceeding twenty-five thousand rupees
as may be prescribed by the Central Government;
(d) such other documents, as may be prescribed by the Central
Government.
23. Renewal of Licence
An application for renewal of a licence shall be—
(a) in such form;
(b) accompanied by such fees, not exceeding five thousand rupees,
as may be prescribed by the Central Government and shall be made not
less than forty-five days before the date of expiry of the period of validity of
the licence:
24. Procedure for grant or rejection of Licence
The Controller may, on receipt of an application under sub-section
(1) of section 21, after considering the documents accompanying the
application and such other factors, as he deems fit, grant the licence or reject
the application:
Provided that no application shall be rejected under this section
unless the applicant has been given a reasonable opportunity of presenting his
case.
25. Suspension of Licence
(1) The Controller may, if he is satisfied after making such
inquiry, as he may think fit, that a Certifying Authority has,—
(a) made a statement in, or in relation to, the application for the
issue or renewal of the licence, which is incorrect or false in material
particulars;
(b) failed to comply with the terms and conditions subject to which
the licence was granted;
(c) failed to maintain the standards specified under clause (b) of
sub-section (2) of section 20;
(d) has contravened any provisions of this Act, rule, regulation or
order made thereunder,
revoke the licence:
Provided that no licence shall be revoked unless the Certifying
Authority has been given a reasonable opportunity of showing cause against the
proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that
there is any ground for revoking a licence under sub-section (1), by order
suspend such licence pending the completion of any enquiry ordered by him:
Provided that no licence shall be suspended for a period exceeding
ten days unless the Certifying Authority has been given a reasonable opportunity
of showing cause against the proposed suspension.
(3) No Certifying Authority whose licence has been suspended shall
issue any Digital Signature Certificate during such suspension.
26. Notice of suspension or revocation of licence.
(1) Where the licence of the Certifying Authority is suspended or
revoked, the Controller shall publish notice of such suspension or revocation,
as the case may be, in the data-base maintained by him.
(2) Where one or more repositories are specified, the Controller
shall publish notices of such suspension or revocation, as the case may be, in
all such repositories.
Provided that the database containing the notice of such suspension
or revocation, as the case may be, shall be made available through a website
which shall be accessible round the clock.
Provided further that the Controller may, if he considers necessary,
publicise the contents of database in such electronic or other media, as he may
consider appropriate.
27. Power to delegate.
The Controller may, in writing, authorise the Deputy Controller,
Assistant Controller or any officer to exercise any of the powers of the
Controller under this Chapter.
28. Power to investigate contraventions.
(1) The Controller or any officer authorised by him in this behalf
shall take up for investigation any contravention of the provisions of this Act,
rules or regulations made thereunder.
(2) The Controller or any officer authorised by him in this behalf
shall exercise the like powers which are conferred on Income-tax authorities
under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers,
subject to such limitations laid down under that Act.
29. Access to computers and data.
(1) Without prejudice to the provisions of sub-section (2) of
section 68, the Controller or any person authorised by him shall, if he has
reasonable cause to suspect that any contravention of the provisions of this
Act, rules or regulations made thereunder has been committed, have access to any
computer system, any apparatus, data or any other material connected with such
system, for the purpose of searching or causing a search to be made for
obtaining any information or data contained in or available to such computer
system.
(2) For the purposes of sub-section (1), the Controller or any
person authorised by him may, by order, direct any person incharge of, or
otherwise concerned with the operation of, the computer system, data apparatus
or material, to provide him with such reasonable technical and other
assistant... as he may consider necessary.
30. Certifying Authority to follow certain procedures.
Every Certifying Authority shall—
(a) make use of hardware, software, and procedures that are secure
from intrusion and misuse;
(b) provide a reasonable level of reliability in its services which
are reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and
privacy of the digital signatures are assured; and
(d) observe such other standards as may be specified by regulations.
31. Certifying Authority to ensure compliance of the Act, etc.
Every Certifying Authority shall ensure that every person employed
or otherwise engaged by it complies, in the course of his employment or
engagement, with the provisions of this Act, rules, regulations and orders made
thereunder.
32. Display of licence.
Every Certifying Authority shall display its licence at a
conspicuous place of the premises in which it carries on its business.
Surrender of licence.
33. (1) Every Certifying Authority whose licence is suspended or
revoked shall immediately after such suspension or revocation, surrender the
licence to the Controller.
(2) Where any Certifying Authority fails to surrender a licence
under sub-section (1), the person in whose favour a licence is issued shall be
guilty of offence and shall be punished with imprisonment which may extend upto
six months or a fine which may extend upto Rs. 10,000 or with both.
34. Disclosure.
(1) Every Certifying Authority shall disclose in the manner
specified by regulations—
(a) its Digital Signature Certificate which contains the public key
corresponding to the private key used by that Certifying Authority to
digitally sign another Digital Signature Certificate;
(b) any certification practice statement relevant thereto;
(c) notice of the revocation or suspension of its Certifying
Authority certificate, if any; and
(d) any other fact that materially and adversely affects either the
reliability of a Digital Signature Certificate, which that Authority has
issued, or the Authority's ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has
occurred or any situation has arisen which may materially and adversely affect
the integrity of its computer system or the conditions subject to which a
Digital Signature Certificate was granted, then, the Certifying Authority
shall—
(a) use reasonable efforts to notify any person who is likely to be
affected by that occurrence; or
(b) act in accordance with the procedure specified in its
certification practice statement to deal with such event or situation.