Certifying Authority

Posted: Apr 19, 2011

INFORMATION TECHNOLOGY ACT, 2000

Section 2(g) defines a certifying authority as a person who has been granted a licence to issue a Digital Signature Certificate under Section 24. The provisions of the Act relating to certifying authorities include the following.

Section 19: Recognition of foreign certifying authorities

Subject to the conditions and regulations, the Controller may, with the prior approval of the Central Government and by notification in the Official Gazette, recognise any foreign certifying authority as a certifying authority for the purposes of the Act.

Any ESC issued by such a foreign certifying authority shall be deemed to be valid under the Act. The Controller may, if satisfied that such a certifying authority has contravened any of the conditions or restrictions subject to which it was granted recognition, revoke that recognition by notification, for reasons recorded in writing.

Section 21: Licence to issue Digital Signature Certificates

(1) Subject to the provisions of sub-section (2), any person may make an application to the Controller for a licence to issue Digital Signature Certificates.

(2) No licence shall be issued under sub-section (1), unless the applicant fulfills such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government.

(3) A licence granted under this section shall:

  a) be valid for such period as may be prescribed by the Central Government;
  b) not be transferable or heritable;
  c) be subject to such terms and conditions as may be specified by the regulations.

Section 22: Application for licence

Every application for a licence shall be in such form as may be prescribed by the Central Government. The application shall be accompanied by the following: a certification practice statement; a statement including the procedures with respect to identification of the applicant; payment of fees not exceeding 25,000 as prescribed by the Central Government; and such other documents as may be prescribed by the Central Government.

Section 24: Procedure for grant or rejection of licence

After receiving all such documents as prescribed by the Act or the Government, the Controller may grant or reject the application for the licence. Before an application is rejected, the applicant shall be given a reasonable opportunity to present his case.

Section 30: Certifying Authority to follow certain procedures

Every Certifying Authority shall:

  1. make use of such computer hardware, software and procedures as are secure from intrusion and misuse;
  2. provide a reasonable level of reliability in its services, which are reasonably suited to the performance of their intended functions;
  3. adhere to security procedures and ensure that the secrecy and privacy of the electronic signatures are assured;
  4. be the repository of all ESCs issued under the Act;
  5. publish information regarding its practices, its ESCs and the current status of each certificate;
  6. observe such other standards as may be set out by regulations.

Section 31: Certifying Authority to ensure compliance with the Act, etc.

Every Certifying Authority shall ensure that every person employed or engaged by it complies, in the course of his employment or engagement, with the provisions of the Act and the rules and regulations made under it.

Section 34: Disclosure

Every certifying authority shall disclose the following:

  • its ESC;
  • any certification practice statement;
  • notice of suspension or revocation of its Certifying Authority Certificate;
  • any other fact or matter that materially affects the reliability of any ESC which that authority has issued, or its ability to perform its functions.

If the certifying authority is of the opinion that an event has occurred which may materially or adversely affect the integrity of its computer system, or the conditions on which an ESC was granted, the authority is required to notify all affected parties and to act in accordance with its certification practice statement, which provides for the procedure to be followed in such a case.

INFORMATION TECHNOLOGY (CERTIFYING AUTHORITY) REGULATIONS, 2001:

The certifying authorities are regulated by the Information Technology (Certifying Authority) Regulations, 2001. Under these regulations, certifying authority means a person who has been granted a licence to issue a Digital Signature Certificate under Section 24 of the Information Technology Act, 2000.

Section 3: Terms and conditions of licence to issue Digital Signature Certificates

Every licence to issue Digital Signature Certificates shall be granted under the Act subject to the following terms and conditions, namely:

Terms and Conditions

General

  1. The licence shall be valid for a period of five years from the date of issue.
  2. The licence shall not be transferable or heritable.
  3. The Controller may revoke or suspend the licence in accordance with the provisions of the Act.
  4. The Certifying Authority shall be bound to comply with all the parameters against which it was audited prior to issue of the licence, and shall consistently and continuously comply with those parameters for as long as the licence remains valid.
  5. The Certifying Authority shall subject itself to periodic audits to ensure that all conditions of the licence are consistently complied with. As the cryptographic components of the Certifying Authority's systems are highly sensitive and critical, they must be subjected to periodic expert review to ensure their integrity and assurance.
  6. The Certifying Authority must maintain secure and reliable records and logs of the activities that are core to its operations.
  7. Public Key Certificates and Certificate Revocation Lists must be archived for a minimum period of seven years to enable verification of past transactions.
  8. The Certifying Authority shall provide a Time Stamping Service for its subscribers. The error of the Time Stamping clock shall not be more than 1 in 10^9.
  9. The Certifying Authority shall use methods approved by the Controller to verify the identity of a subscriber before issuing or renewing any Public Key Certificate.
  10. The Certifying Authority shall publish a notice of suspension or revocation of any certificate in the Certificate Revocation List in its repository immediately after receiving an authorised request for such suspension or revocation.
  11. The Certifying Authority shall at all times assure the confidentiality of subscriber information.
  12. All changes in the Certificate Policy and the Certification Practice Statement shall be published on the web site of the Certifying Authority and brought to the notice of the Controller well in advance of such publication. No such change shall contravene any provision of the Act or of the rules or regulations made thereunder.
  13. The Certifying Authority shall comply with every order or direction issued by the Controller within the stipulated period.

Overall Management And Obligations

  1. The Certifying Authority shall manage its functions in accordance with the levels of integrity and security approved by the Controller from time to time.
  2. The Certifying Authority shall disclose to each of its subscribers and relying parties the assurance levels of the certificates it issues and the limitations of its liabilities.
  3. The Certifying Authority shall, as approved and in respect of security and risk management controls, continuously ensure that security policies and safeguards are in place. Such controls include personnel security and incident handling measures to prevent fraud and security breaches.

Certificate And Key Management

  1. To ensure the integrity of its digital certificates, the Certifying Authority shall ensure the use of approved security controls in the certificate management processes, i.e. certificate registration, generation, issuance, publication, renewal, suspension, revocation and archival.
  2. The method of verification of the identity of the applicant for a Public Key Certificate shall be commensurate with the level of assurance accorded to the certificate.
  3. The Certifying Authority shall ensure the continued accessibility and availability of its Public Key Certificates and Certificate Revocation Lists in its repository to its subscribers and relying parties.
  4. In the event of a compromise of the private key, the Certifying Authority shall follow the established procedures for immediate revocation of the affected subscribers' certificates.
  5. The Certifying Authority shall make available the information relating to certificates issued and/or revoked by it to the Controller for inclusion in the National Repository.
  6. The private key of the Certifying Authority shall be adequately secured at each phase of its life cycle, i.e. key generation, distribution, storage, usage, backup, archival and destruction.
  7. The private key of the Certifying Authority shall be stored in a high security module in accordance with FIPS 140-1 level 3 recommendations for the Cryptographic Modules Validation List.
  8. Continued availability of the private key shall be ensured through approved backup measures in the event of loss or corruption of the private key.
  9. All submissions of Public Key Certificates and Certificate Revocation Lists to the National Repository of the Controller must ensure that subscribers and relying parties are able to access the National Repository using LDAP ver 3 for X.500 Directories.
  10. The Certifying Authority shall ensure that the subscriber can verify the Certifying Authority's Public Key Certificate, if he chooses to do so, by having access to the Public Key Certificate of the Controller.

Systems And Operations

  1. The Certifying Authority shall prepare detailed manuals for performing all its activities and shall scrupulously adhere to them.
  2. Approved access and integrity controls, such as intrusion detection, virus scanning, prevention of denial-of-service attacks and physical security measures, shall be followed by the Certifying Authority for all its systems that store and process the subscribers' information and certificates.
  3. The Certifying Authority shall maintain records of all activities and review them regularly to detect any anomaly in the system.

Physical, Procedural And Personnel Security

a) Every Certifying Authority shall get an independent periodic audit done through an approved auditor. Such periodic audits shall focus on the following issues, among others:

  i. changes/additions in physical controls such as site location, access, etc.;
  ii. re-deployment of personnel from an approved role/task to a new one;
  iii. appropriate security clearances for outgoing employees, such as deletion of keys and all access privileges;
  iv. thorough background checks, etc., during employment of new personnel.

b) The Certifying Authority shall follow approved procedures to ensure that all the activities referred to in (i) to (iv) in sub-regulation (a) are recorded properly and made available during audits.

Financial

  1. Every Certifying Authority shall comply with all the financial parameters during the period of validity of the licence issued under the Act.
  2. Any loss to the subscriber which is attributable to the Certifying Authority shall be made good by the Certifying Authority.

Compliance Audits

  1. The Certifying Authority shall subject itself to Compliance Audits that shall be carried out by one of the empanelled Auditors duly authorised by the Controller for the purpose. Such audits shall be based on the Internet Engineering Task Force document RFC 2527, Internet X.509 PKI Certificate Policy and Certification Practices Framework.
  2. If a Digital Signature Certificate issued by the Certifying Authority is found to be fictitious, or proper identification procedures were not followed by the Certifying Authority while issuing such certificate, the Certifying Authority shall be liable for any losses resulting from this lapse and shall be liable to pay compensation as decided by the Controller.

Section 4: The standards followed by the Certifying Authority for carrying out its functions

(1) Every Certifying Authority shall observe the following standards for carrying out the different activities associated with its functions.

1. PKIX (Public Key Infrastructure)

Public Key Infrastructure as recommended by the Internet Engineering Task Force (IETF) document draft-ietf-pkix-roadmap-05 for "Internet X.509 Public Key Infrastructure" (March 10, 2000);

2. Public-key cryptography

Based on the emerging Institute of Electrical and Electronics Engineers (IEEE) standard P1363 for three families:

  • Discrete Logarithm (DL) systems
  • Elliptic Curve Discrete Logarithm (EC) systems
  • Integer Factorization (IF) systems;

3. Public-Key Cryptography Standards (PKCS)

  - PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit)
  - PKCS#3 Diffie-Hellman Key Agreement Standard
  - PKCS#5 Password Based Encryption Standard
  - PKCS#6 Extended-Certificate Syntax Standard
  - PKCS#7 Cryptographic Message Syntax Standard
  - PKCS#8 Private Key Information Syntax Standard
  - PKCS#9 Selected Attribute Types
  - PKCS#10 RSA Certification Request
  - PKCS#11 Cryptographic Token Interface Standard
  - PKCS#12 Portable format for storing/transporting a user's private keys and certificates
  - PKCS#13 Elliptic Curve Cryptography Standard
  - PKCS#15 Cryptographic Token Information Format Standard;

4. Federal Information Processing Standards (FIPS)

  - FIPS 180-1, Secure Hash Standard;
  - FIPS 186-1, Digital Signature Standard (DSS);
  - FIPS 140-1 level 3, Security Requirements for Cryptographic Modules;

5. Discrete Logarithm (DL) systems

  - Diffie-Hellman, MQV key agreement;
  - DSA, Nyberg-Rueppel signatures;

6. Elliptic Curve (EC) systems

Elliptic curve analogs of DL systems;

7. Integer Factorization (IF) systems

  - RSA encryption;
  - RSA, Rabin-Williams signatures;

8. Key  agreement  schemes

9. Signature  schemes

10. Encryption  schemes

11. Form and size of the key pairs

(1) The minimum key length for the asymmetric cryptosystem (RSA algorithm) shall be 2048 for the Certifying Authority's key pairs and 1024 for the key pairs used by subscribers.

(2) The Certifying Authority's key pairs shall be changed every three to five years (except during exigencies, as in the case of key compromise, when the key shall be changed immediately). The Certifying Authority shall take appropriate steps to ensure that the key changeover procedures mentioned in the approved Certificate Practice Statements are adhered to.

(3) The subscriber's key pairs shall be changed every one to two years;

12. Directory Services (LDAP ver 3)

X.500 for publication of Public Key Certificates and Certificate Revocation Lists:

  i) X.509 version 3 Certificates as specified in ITU RFC 1422;
  ii) X.509 version 2 Certificate Revocation Lists;

13. Publication of Public Key Certificates

The Certifying Authority shall, on acceptance of a Public Key Certificate by a subscriber, publish it on its web site for access by the subscribers and relying parties. The Certifying Authority shall be responsible for, and shall ensure, the transmission of Public Key Certificates and Certificate Revocation Lists to the National Repository of the Controller, for access by subscribers and relying parties. The National Repository shall conform to X.500 Directory Services and provide for access through LDAP ver 3. The Certifying Authority shall be responsible for ensuring that Public Key Certificates and Certificate Revocation Lists integrate seamlessly with the National Repository on their transmission;

14. Public Key Certificate Standard

All Public Key Certificates issued by the Certifying Authorities shall conform to the International Telecommunication Union X.509 version 3 standard.

This includes:

  - Certificate
  - Version
  - Serial number
  - Signature
  - Issuer
  - Validity
  - Subject
  - Subject public key information
  - Unique identifiers
  - Extensions
  - Signature algorithm
  - Signature value
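The X.509 v3 requirement above and the key-pair rules in item 11 (a 2048-bit minimum for Certifying Authority keys, 1024 for subscribers, with key pairs changed every three to five years and every one to two years respectively) can be checked mechanically by an auditor or relying party. The following Go program is an added example, not part of the article or of any Certifying Authority's software: CheckCertificate applies those limits to a parsed certificate, and MintCert produces constructed self-signed test certificates (placeholder name, 2011 test dates, my own wording for the violation messages) so the check runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Limits quoted from the regulation text above: CA key pairs of at least 2048 bits, changed
// every three to five years; subscriber key pairs of at least 1024 bits, changed every one to two.
const minCAKeyBits, minSubKeyBits, maxCAYears, maxSubYears = 2048, 1024, 5, 2

// CheckCertificate lists the parameters a parsed certificate violates (X.509 v3, RSA modulus
// size, key-pair lifetime as bounded by the certificate validity). Empty result means it passes.
func CheckCertificate(cert *x509.Certificate, isCA bool) []string {
	minBits, maxYears := minSubKeyBits, maxSubYears
	if isCA {
		minBits, maxYears = minCAKeyBits, maxCAYears
	}
	var issues []string
	if cert.Version != 3 {
		issues = append(issues, fmt.Sprintf("version %d, X.509 v3 required", cert.Version))
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		issues = append(issues, "public key is not RSA")
	} else if bits := pub.N.BitLen(); bits < minBits {
		issues = append(issues, fmt.Sprintf("RSA modulus is %d bits, minimum %d", bits, minBits))
	}
	if cert.NotAfter.After(cert.NotBefore.AddDate(maxYears, 0, 0)) {
		issues = append(issues, fmt.Sprintf("validity exceeds %d years", maxYears))
	}
	return issues
}

// MintCert self-signs a test certificate over a fresh RSA key of the given size and lifetime.
// Constructed test data only; a real CA key never leaves its hardware security module.
func MintCert(bits, years int, isCA bool) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(int64(bits*100 + years)), // any unique value will do
		Subject:               pkix.Name{CommonName: "example-ca.test"}, // placeholder name
		NotBefore:             time.Date(2011, 4, 19, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2011+years, 4, 19, 0, 0, 0, 0, time.UTC),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	fmt.Println("CA  2048-bit, 5 years:", CheckCertificate(MintCert(2048, 5, true), true))   // []
	fmt.Println("CA  1024-bit, 5 years:", CheckCertificate(MintCert(1024, 5, true), true))   // modulus too small
	fmt.Println("Sub 1024-bit, 3 years:", CheckCertificate(MintCert(1024, 3, false), false)) // validity too long
}
```

The lifetime check treats the certificate's validity period as the upper bound on how long the bound key pair stays in use, which is the only lifetime a relying party can see from the certificate itself.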

15. Certificate Revocation List standard

CRL and CRL Extensions Profile: the CRL contents as per the International Telecommunication Union standard.

This includes:

  - TBS Cert List
  - Version
  - Signature
  - Issuer name
  - This update
  - Next update
  - Revoked certificates
  - CRL entry extensions
  - Issuing distribution point
  - Signature algorithm
  - Signature value

Section 4(2) states that the list of standards in Section 4(1) shall be updated at least once a year to include new standards that may emerge from the international bodies. Also, if any Certifying Authority or group of Certifying Authorities brings a set of standards to the Controller for a specific user community, the Controller shall examine them and respond within ninety days.

Section 5:

(1) Every Certifying Authority shall disclose:

  a) its Digital Signature Certificate, which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate;
  b) any Certification Practice Statement relevant thereto;
  c) notice of the revocation or suspension of its Certifying Authority Certificate, if any; and
  d) any other fact that materially or adversely affects either the reliability of a Digital Signature Certificate which that Authority has issued, or the Authority's ability to perform its services.

(2) The above disclosure shall be made available to the Controller by filling in online forms on the web site of the Controller on the date and at the time the information is made public. The Certifying Authority shall digitally sign the information.

Section 6: Communication of compromise of Private Key

(1) Where the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, the subscriber shall communicate the same without any delay to the Certifying Authority.

(2) An application for revocation of the key pair shall be made in the online form on the web site of the concerned Certifying Authority, to enable revocation and publication in the Certificate Revocation List. The subscriber shall encrypt this transaction using the public key of the Certifying Authority. The transaction shall further be authenticated with the private key of the subscriber, even though it may already have been compromised.

Source: http://www.articlesbase.com/cyber-law-articles/certifying-authority-4636254.html
